{"id": "F5:K10515241", "bulletinFamily": "software", "title": "Linux kernel vulnerabilities CVE-2016-1583 and CVE-2016-2143", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.1.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "published": "2017-03-07T20:55:00", "modified": "2017-09-28T00:31:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K10515241", "reporter": "f5", "references": [], "cvelist": ["CVE-2016-1583", "CVE-2016-2143"], "type": "f5", "lastseen": "2019-02-13T22:31:14", "edition": 1, "viewCount": 9, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-1583", "CVE-2016-2143"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310851342", "OPENVAS:1361412562310882598", "OPENVAS:1361412562310871644", "OPENVAS:1361412562310808914", "OPENVAS:1361412562310842798", "OPENVAS:1361412562310871677", "OPENVAS:1361412562310882585", "OPENVAS:1361412562310871717", "OPENVAS:1361412562310882536", "OPENVAS:1361412562310842789"]}, {"type": "centos", "idList": ["CESA-2016:1539", "CESA-2016:2766", "CESA-2016:2124"]}, {"type": "redhat", "idList": ["RHSA-2016:2124", "RHSA-2017:2760", "RHSA-2016:1539", "RHSA-2016:2766"]}, {"type": "nessus", "idList": ["UBUNTU_USN-2999-1.NASL", "REDHAT-RHSA-2016-2766.NASL", "REDHAT-RHSA-2017-2760.NASL", "SL_20161115_KERNEL_ON_SL6_X.NASL", "ORACLELINUX_ELSA-2016-3635.NASL", "ORACLELINUX_ELSA-2016-3636.NASL", "ORACLELINUX_ELSA-2016-2766.NASL", "CENTOS_RHSA-2016-2766.NASL", "UBUNTU_USN-3008-1.NASL", "ORACLEVM_OVMSA-2016-0154.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-3644", "ELSA-2016-1539", "ELSA-2016-2124-1", "ELSA-2019-4644", "ELSA-2016-3646", "ELSA-2016-2766", "ELSA-2016-3636", "ELSA-2016-3635", "ELSA-2016-2124"]}, {"type": "ubuntu", "idList": ["USN-3005-1", "USN-2999-1", "USN-3007-1", "USN-3006-1", "USN-3008-1"]}, {"type": "suse", "idList": ["SUSE-SU-2016:2010-1", "SUSE-SU-2016:1019-1", "SUSE-SU-2016:2002-1", "SUSE-SU-2016:2014-1", "SUSE-SU-2016:2000-1", "SUSE-SU-2016:1961-1", "SUSE-SU-2016:2007-1", "SUSE-SU-2016:2009-1", "SUSE-SU-2016:1596-1", "SUSE-SU-2016:2006-1"]}, {"type": "zdt", "idList": ["1337DAY-ID-25603"]}, {"type": "exploitdb", "idList": ["EDB-ID:39992"]}, {"type": "virtuozzo", "idList": ["VZA-2016-104"]}, {"type": "fedora", "idList": ["FEDORA:F325C6013F0A", "FEDORA:4F34C605E513", "FEDORA:EE2EE6087A58"]}], "modified": "2019-02-13T22:31:14", "rev": 2}, "score": {"value": 6.2, "vector": "NONE", "modified": "2019-02-13T22:31:14", "rev": 2}, "vulnersScore": 6.2}, "affectedSoftware": []}

{"cve": [{"lastseen": "2020-10-03T12:10:43", "description": "The fork implementation in the Linux kernel before 4.5 on s390 platforms mishandles the case of four page-table levels, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-04-27T17:59:00", "title": "CVE-2016-2143", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2143"], "modified": "2018-01-05T02:30:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:linux:linux_kernel:4.4", "cpe:/o:debian:debian_linux:7.0"], "id": "CVE-2016-2143", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2143", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.4:rc8:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:35", "description": "The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows local users to gain privileges or cause a denial of service (stack memory consumption) via vectors involving crafted mmap calls for /proc pathnames, leading to recursive pagefault handling.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-06-27T10:59:00", "title": "CVE-2016-1583", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1583"], "modified": "2018-12-06T22:29:00", "cpe": ["cpe:/o:novell:suse_linux_enterprise_live_patching:12.0", "cpe:/o:novell:suse_linux_enterprise_server:11.0", "cpe:/o:novell:suse_linux_enterprise_server:12.0", "cpe:/o:linux:linux_kernel:4.6.2", "cpe:/o:novell:suse_linux_enterprise_desktop:12.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:novell:suse_linux_enterprise_workstation_extension:12.0", "cpe:/o:novell:suse_linux_enterprise_debuginfo:11.0", "cpe:/o:novell:suse_linux_enterprise_module_for_public_cloud:12", "cpe:/o:novell:suse_linux_enterprise_software_development_kit:12.0", "cpe:/a:novell:suse_linux_enterprise_software_development_kit:11.0", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2016-1583", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1583", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:sp4:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_module_for_public_cloud:12:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.6.2:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_server:11.0:extra:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_desktop:12.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_software_development_kit:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_debuginfo:11.0:sp4:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:a:novell:suse_linux_enterprise_software_development_kit:11.0:sp4:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_workstation_extension:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_server:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_live_patching:12.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:o:novell:suse_linux_enterprise_server:12.0:sp1:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:35:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583", "CVE-2016-2143"], "description": "Check for the Version of kernel", "modified": "2019-03-08T00:00:00", "published": "2016-11-20T00:00:00", "id": "OPENVAS:1361412562310882598", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882598", "type": "openvas", "title": "CentOS Update for kernel CESA-2016:2766 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2016:2766 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882598\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-20 05:37:30 +0100 (Sun, 20 Nov 2016)\");\n script_cve_id(\"CVE-2016-1583\", \"CVE-2016-2143\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2016:2766 centos6\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel,\nthe core of any Linux operating system.\n\nSecurity Fix(es):\n\n * It was found that stacking a file system over procfs in the Linux kernel\ncould lead to a kernel stack overflow due to deep nesting, as demonstrated\nby mounting ecryptfs over procfs and creating a recursion by mapping\n/proc/environ. An unprivileged, local user could potentially use this flaw\nto escalate their privileges on the system. (CVE-2016-1583, Important)\n\n * It was reported that on s390x, the fork of a process with four page table\nlevels will cause memory corruption with a variety of symptoms. All\nprocesses are created with three level page table and a limit of 4TB for\nthe address space. If the parent process has four page table levels with a\nlimit of 8PB, the function that duplicates the address space will try to\ncopy memory areas outside of the address space limit for the child process.\n(CVE-2016-2143, Moderate)\n\nBug Fix(es):\n\n * Use of a multi-threaded workload with high memory mappings sometimes\ncaused a kernel panic, due to a race condition between the context switch\nand the pagetable upgrade. This update fixes the switch_mm() by using the\ncomplete asce parameter instead of the asce_bits parameter. As a result,\nthe kernel no longer panics in the described scenario. (BZ#1377472)\n\n * When iptables created the Transmission Control Protocol (TCP) reset\npacket, a kernel crash could occur due to uninitialized pointer to the TCP\nheader within the Socket Buffer (SKB). This update fixes the transport\nheader pointer in TCP reset for both IPv4 and IPv6, and the kernel no\nlonger crashes in the described situation.(BZ#1372266)\n\n * Previously, when the Enhanced Error Handling (EEH) mechanism did not\nblock the PCI configuration space access and an error was detected, a\nkernel panic occurred. This update fixes EEH to fix this problem. As a\nresult, the kernel no longer panics in the described scenario. (BZ#1379596)\n\n * When the lockd service failed to start up completely, the notifier blocks\nwere in some cases registered on a notification chain multiple times, which\ncaused the occurrence of a circular list on the notification chain.\nConsequently, a soft lock-up or a kernel oops occurred. With this update,\nthe notifier blocks are unregistered if lockd fails to start up completely,\nand the soft lock-ups or the kernel oopses no longer occur under the\ndescribed circumstances. (BZ#1375637)\n\n * When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE\nMaxFrameSize parameter was incorrectly restricted to 1452. With this\nupdate, the NETIF_F_ALL_FCOE symbol\nis no longer ignored, which fixes this bug. ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:2766\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-November/022153.html\");\n script_tag(name:\"summary\", value:\"Check for the Version of kernel\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~642.11.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~2.6.32~642.11.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~642.11.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~642.11.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~642.11.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~642.11.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-firmware\", rpm:\"kernel-firmware~2.6.32~642.11.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~642.11.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~642.11.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~2.6.32~642.11.1.el6\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583", "CVE-2016-2143"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-11-16T00:00:00", "id": "OPENVAS:1361412562310871717", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871717", "type": "openvas", "title": "RedHat Update for kernel RHSA-2016:2766-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2016:2766-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871717\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-16 05:07:05 +0100 (Wed, 16 Nov 2016)\");\n script_cve_id(\"CVE-2016-1583\", \"CVE-2016-2143\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2016:2766-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es):\n\n * It was found that stacking a file system over procfs in the Linux kernel\ncould lead to a kernel stack overflow due to deep nesting, as demonstrated\nby mounting ecryptfs over procfs and creating a recursion by mapping\n/proc/environ. An unprivileged, local user could potentially use this flaw\nto escalate their privileges on the system. (CVE-2016-1583, Important)\n\n * It was reported that on s390x, the fork of a process with four page table\nlevels will cause memory corruption with a variety of symptoms. All\nprocesses are created with three level page table and a limit of 4TB for\nthe address space. If the parent process has four page table levels with a\nlimit of 8PB, the function that duplicates the address space will try to\ncopy memory areas outside of the address space limit for the child process.\n(CVE-2016-2143, Moderate)\n\nBug Fix(es):\n\n * Use of a multi-threaded workload with high memory mappings sometimes\ncaused a kernel panic, due to a race condition between the context switch\nand the pagetable upgrade. This update fixes the switch_mm() by using the\ncomplete asce parameter instead of the asce_bits parameter. As a result,\nthe kernel no longer panics in the described scenario. (BZ#1377472)\n\n * When iptables created the Transmission Control Protocol (TCP) reset\npacket, a kernel crash could occur due to uninitialized pointer to the TCP\nheader within the Socket Buffer (SKB). This update fixes the transport\nheader pointer in TCP reset for both IPv4 and IPv6, and the kernel no\nlonger crashes in the described situation.(BZ#1372266)\n\n * Previously, when the Enhanced Error Handling (EEH) mechanism did not\nblock the PCI configuration space access and an error was detected, a\nkernel panic occurred. This update fixes EEH to fix this problem. As a\nresult, the kernel no longer panics in the described scenario. (BZ#1379596)\n\n * When the lockd service failed to start up completely, the notifier blocks\nwere in some cases registered on a notification chain multiple times, which\ncaused the occurrence of a circular list on the notification chain.\nConsequently, a soft lock-up or a kernel oops occurred. With this update,\nthe notifier blocks are unregistered if lockd fails to start up completely,\nand the soft lock-ups or the kernel oopses no longer occur under the\ndescribed circumstances. (BZ#1375637)\n\n * When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE\nMaxFrameSize parameter was in ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"kernel on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:2766-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-November/msg00072.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-i686\", rpm:\"kernel-debuginfo-common-i686~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-firmware\", rpm:\"kernel-firmware~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~2.6.32~642.11.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-06-11T00:00:00", "id": "OPENVAS:1361412562310842789", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842789", "type": "openvas", "title": "Ubuntu Update for linux USN-2999-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-2999-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842789\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-11 05:26:11 +0200 (Sat, 11 Jun 2016)\");\n script_cve_id(\"CVE-2016-1583\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-2999-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Jann Horn discovered that eCryptfs improperly attempted to use the mmap()\nhandler of a lower filesystem that did not implement one, causing a\nrecursive page fault to occur. A local unprivileged attacker could use to\ncause a denial of service (system crash) or possibly execute arbitrary code\nwith administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"2999-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2999-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-88-generic\", ver:\"3.13.0-88.135\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-88-generic-lpae\", ver:\"3.13.0-88.135\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-88-lowlatency\", ver:\"3.13.0-88.135\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-88-powerpc-e500\", ver:\"3.13.0-88.135\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-88-powerpc-e500mc\", ver:\"3.13.0-88.135\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-88-powerpc-smp\", ver:\"3.13.0-88.135\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-88-powerpc64-emb\", ver:\"3.13.0-88.135\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-88-powerpc64-smp\", ver:\"3.13.0-88.135\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:34:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2016-06-17T00:00:00", "id": "OPENVAS:1361412562310851342", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851342", "type": "openvas", "title": "SUSE: Security Advisory for kernel (SUSE-SU-2016:1596-1)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851342\");\n script_version(\"2020-01-31T07:58:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 07:58:03 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-06-17 05:20:40 +0200 (Fri, 17 Jun 2016)\");\n script_cve_id(\"CVE-2016-1583\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SUSE: Security Advisory for kernel (SUSE-SU-2016:1596-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The SUSE Linux Enterprise 12 GA kernel was updated to fix one security\n issue.\n\n The following security bug was fixed:\n\n - CVE-2016-1583: Prevent the usage of mmap when the lower file system does\n not allow it. This could have lead to local privilege escalation when\n ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid\n (bsc#983143).\");\n\n script_tag(name:\"affected\", value:\"kernel on SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Desktop 12\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"SUSE-SU\", value:\"2016:1596-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(SLED12\\.0SP0|SLES12\\.0SP0)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"SLED12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-extra\", rpm:\"kernel-default-extra~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-extra-debuginfo\", rpm:\"kernel-default-extra-debuginfo~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.12.55~52.45.1\", rls:\"SLED12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"SLES12.0SP0\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-man\", rpm:\"kernel-default-man~3.12.55~52.45.1\", rls:\"SLES12.0SP0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-06-11T00:00:00", "id": "OPENVAS:1361412562310842798", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842798", "type": "openvas", "title": "Ubuntu Update for linux-snapdragon USN-3008-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux-snapdragon USN-3008-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842798\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-11 05:28:15 +0200 (Sat, 11 Jun 2016)\");\n script_cve_id(\"CVE-2016-1583\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-snapdragon USN-3008-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-snapdragon'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Jann Horn discovered that eCryptfs improperly attempted to use the mmap()\nhandler of a lower filesystem that did not implement one, causing a\nrecursive page fault to occur. A local unprivileged attacker could use to\ncause a denial of service (system crash) or possibly execute arbitrary code\nwith administrative privileges.\");\n script_tag(name:\"affected\", value:\"linux-snapdragon on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3008-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3008-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1015-snapdragon\", ver:\"4.4.0-1015.18\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583", "CVE-2016-5195"], "description": "Check the version of kernel", "modified": "2019-03-08T00:00:00", "published": "2016-11-08T00:00:00", "id": "OPENVAS:1361412562310882585", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882585", "type": "openvas", "title": "CentOS Update for kernel CESA-2016:2124 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2016:2124 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882585\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-08 15:52:50 +0530 (Tue, 08 Nov 2016)\");\n script_cve_id(\"CVE-2016-1583\", \"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2016:2124 centos5\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel,\nthe core of any Linux operating system.\n\nSecurity Fix(es):\n\n * A race condition was found in the way the Linux kernel's memory subsystem\nhandled the copy-on-write (COW) breakage of private read-only memory\nmappings. An unprivileged, local user could use this flaw to gain write\naccess to otherwise read-only memory mappings and thus increase their\nprivileges on the system. (CVE-2016-5195, Important)\n\n * It was found that stacking a file system over procfs in the Linux kernel\ncould lead to a kernel stack overflow due to deep nesting, as demonstrated\nby mounting ecryptfs over procfs and creating a recursion by mapping\n/proc/environ. An unprivileged, local user could potentially use this flaw\nto escalate their privileges on the system. (CVE-2016-1583, Important)\n\nRed Hat would like to thank Phil Oester for reporting CVE-2016-5195.\n\nBug Fix(es):\n\n * In some cases, a kernel crash or file system corruption occurred when\nrunning journal mode 'ordered'. The kernel crash was caused by a null\npointer dereference due to a race condition between two journal functions.\nThe file system corruption occurred due to a race condition between the\ndo_get_write_access() function and buffer writeout. This update fixes both\nrace conditions. As a result, neither the kernel crash, nor the file system\ncorruption now occur. (BZ#1067708)\n\n * Prior to this update, some Global File System 2 (GFS2) files had\nincorrect time stamp values due to two problems with handling time stamps\nof such files. The first problem concerned the atime time stamp, which\nended up with an arbitrary value ahead of the actual value, when a GFS2\nfile was accessed. The second problem was related to the mtime and ctime\ntime stamp updates, which got lost when a GFS2 file was written to from one\nnode and read from or written to from another node. With this update, a set\nof patches has been applied that fix these problems. As a result, the time\nstamps of GFS2 files are now handled correctly. (BZ#1374861)\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:2124\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-October/022135.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.18~416.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.18~416.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.18~416.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.18~416.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.18~416.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.18~416.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE\", rpm:\"kernel-PAE~2.6.18~416.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE-devel\", rpm:\"kernel-PAE-devel~2.6.18~416.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~2.6.18~416.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~2.6.18~416.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583", "CVE-2016-5195"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-11-08T00:00:00", "id": "OPENVAS:1361412562310871677", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871677", "type": "openvas", "title": "RedHat Update for kernel RHSA-2016:2124-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2016:2124-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871677\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-08 15:52:41 +0530 (Tue, 08 Nov 2016)\");\n script_cve_id(\"CVE-2016-1583\", \"CVE-2016-5195\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2016:2124-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * A race condition was found in the way the Linux kernel's memory subsystem\nhandled the copy-on-write (COW) breakage of private read-only memory\nmappings. An unprivileged, local user could use this flaw to gain write\naccess to otherwise read-only memory mappings and thus increase their\nprivileges on the system. (CVE-2016-5195, Important)\n\n * It was found that stacking a file system over procfs in the Linux kernel\ncould lead to a kernel stack overflow due to deep nesting, as demonstrated\nby mounting ecryptfs over procfs and creating a recursion by mapping\n/proc/environ. An unprivileged, local user could potentially use this flaw\nto escalate their privileges on the system. (CVE-2016-1583, Important)\n\nRed Hat would like to thank Phil Oester for reporting CVE-2016-5195.\n\nBug Fix(es):\n\n * In some cases, a kernel crash or file system corruption occurred when\nrunning journal mode 'ordered'. The kernel crash was caused by a null\npointer dereference due to a race condition between two journal functions.\nThe file system corruption occurred due to a race condition between the\ndo_get_write_access() function and buffer writeout. This update fixes both\nrace conditions. As a result, neither the kernel crash, nor the file system\ncorruption now occur. (BZ#1067708)\n\n * Prior to this update, some Global File System 2 (GFS2) files had\nincorrect time stamp values due to two problems with handling time stamps\nof such files. The first problem concerned the atime time stamp, which\nended up with an arbitrary value ahead of the actual value, when a GFS2\nfile was accessed. The second problem was related to the mtime and ctime\ntime stamp updates, which got lost when a GFS2 file was written to from one\nnode and read from or written to from another node. With this update, a set\nof patches has been applied that fix these problems. As a result, the time\nstamps of GFS2 files are now handled correctly. (BZ#1374861)\");\n script_tag(name:\"affected\", value:\"kernel on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:2124-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-October/msg00062.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE\", rpm:\"kernel-PAE~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE-debuginfo\", rpm:\"kernel-PAE-debuginfo~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-PAE-devel\", rpm:\"kernel-PAE-devel~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common\", rpm:\"kernel-debuginfo-common~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.18~416.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8660", "CVE-2016-2143", "CVE-2016-4470"], "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2016-08-04T00:00:00", "id": "OPENVAS:1361412562310871644", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871644", "type": "openvas", "title": "RedHat Update for kernel RHSA-2016:1539-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for kernel RHSA-2016:1539-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871644\");\n script_version(\"$Revision: 12380 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:03:48 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-04 16:27:46 +0530 (Thu, 04 Aug 2016)\");\n script_cve_id(\"CVE-2015-8660\", \"CVE-2016-2143\", \"CVE-2016-4470\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2016:1539-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel,\nthe core of any Linux operating system.\n\nThese updated kernel packages include several security issues and numerous\nbug fixes, some of which you can see below. Space precludes documenting\nall of these bug fixes in this advisory. To see the complete list of bug\nfixes, users are directed to the related Knowledge Article.\n\nSecurity Fix(es):\n\n * A flaw was found in the Linux kernel's keyring handling code, where in\nkey_reject_and_link() an uninitialised variable would eventually lead to\narbitrary free address which could allow attacker to use a use-after-free\nstyle attack. (CVE-2016-4470, Important)\n\n * The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel\nthrough 4.3.3 attempts to merge distinct setattr operations, which allows\nlocal users to bypass intended access restrictions and modify the\nattributes of arbitrary overlay files via a crafted application.\n(CVE-2015-8660, Moderate)\n\n * It was reported that on s390x, the fork of a process with four page table\nlevels will cause memory corruption with a variety of symptoms. All\nprocesses are created with three level page table and a limit of 4TB for\nthe address space. If the parent process has four page table levels with a\nlimit of 8PB, the function that duplicates the address space will try to\ncopy memory areas outside of the address space limit for the child process.\n(CVE-2016-2143, Moderate)\n\nRed Hat would like to thank Nathan Williams for reporting CVE-2015-8660.\nThe CVE-2016-4470 issue was discovered by David Howells (Red Hat Inc.).\n\nBug Fix(es):\n\n * The glibc headers and the Linux headers share certain definitions of\nkey structures that are required to be defined in kernel and in userspace.\nIn some instances both userspace and sanitized kernel headers have to be\nincluded in order to get the structure definitions required by the user\nprogram. Unfortunately because the glibc and Linux headers don't\ncoordinate this can result in compilation errors. The glibc headers have\ntherefore been fixed to coordinate with Linux UAPI-based headers. With\nthe header coordination compilation errors no longer occur. (BZ#1331285)\n\n * When running the TCP/IPv6 traffic over the mlx4_en networking interface\non the big endian architectures, call traces reporting about a 'hw csum\nfailure' could occur. With this update, the mlx4_en driver has been fixed\nby correction of the checksum calculation for the big endian\narchitectures. As a result, the call trace error no longer app ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"kernel on Red Hat Enterprise Linux\n Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:1539-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-August/msg00004.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/2460971\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~3.10.0~327.28.2.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8660", "CVE-2016-2143", "CVE-2016-4470"], "description": "Check the version of kernel", "modified": "2019-03-11T00:00:00", "published": "2016-08-08T00:00:00", "id": "OPENVAS:1361412562310882536", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882536", "type": "openvas", "title": "CentOS Update for kernel CESA-2016:1539 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for kernel CESA-2016:1539 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882536\");\n script_version(\"$Revision: 14095 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-11 14:54:56 +0100 (Mon, 11 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-08 15:11:55 +0530 (Mon, 08 Aug 2016)\");\n script_cve_id(\"CVE-2015-8660\", \"CVE-2016-2143\", \"CVE-2016-4470\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for kernel CESA-2016:1539 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of kernel\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux kernel,\nthe core of any Linux operating system.\n\nThese updated kernel packages include several security issues and numerous\nbug fixes, some of which you can see below. Space precludes documenting\nall of these bug fixes in this advisory. To see the complete list of bug\nfixes, users are directed to the linked Knowledge Article.\n\nSecurity Fix(es):\n\n * A flaw was found in the Linux kernel's keyring handling code, where in\nkey_reject_and_link() an uninitialised variable would eventually lead to\narbitrary free address which could allow attacker to use a use-after-free\nstyle attack. (CVE-2016-4470, Important)\n\n * The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel\nthrough 4.3.3 attempts to merge distinct setattr operations, which allows\nlocal users to bypass intended access restrictions and modify the\nattributes of arbitrary overlay files via a crafted application.\n(CVE-2015-8660, Moderate)\n\n * It was reported that on s390x, the fork of a process with four page table\nlevels will cause memory corruption with a variety of symptoms. All\nprocesses are created with three level page table and a limit of 4TB for\nthe address space. If the parent process has four page table levels with a\nlimit of 8PB, the function that duplicates the address space will try to\ncopy memory areas outside of the address space limit for the child process.\n(CVE-2016-2143, Moderate)\n\nRed Hat would like to thank Nathan Williams for reporting CVE-2015-8660.\nThe CVE-2016-4470 issue was discovered by David Howells (Red Hat Inc.).\n\nBug Fix(es):\n\n * The glibc headers and the Linux headers share certain definitions of\nkey structures that are required to be defined in kernel and in userspace.\nIn some instances both userspace and sanitized kernel headers have to be\nincluded in order to get the structure definitions required by the user\nprogram. Unfortunately because the glibc and Linux headers don't\ncoordinate this can result in compilation errors. The glibc headers have\ntherefore been fixed to coordinate with Linux UAPI-based headers. With\nthe header coordination compilation errors no longer occur. (BZ#1331285)\n\n * When running the TCP/IPv6 traffic over the mlx4_en networking interface\non the big endian architectures, call traces reporting about a 'hw csum\nfailure' could occur. With this update, the mlx4_en driver has been fixed\nby correction of the checksum calculation for the big endian\narchitectures. As a result, the call trace error no longer appears\nin the log messages. (BZ# ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"kernel on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"CESA\", value:\"2016:1539\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2016-August/022025.html\");\n script_xref(name:\"URL\", value:\"https://access.redhat.com/articles/2460971\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~327.28.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~327.28.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~327.28.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~327.28.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~327.28.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~327.28.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~327.28.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~327.28.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~327.28.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~3.10.0~327.28.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~327.28.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~327.28.2.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583", "CVE-2016-4997", "CVE-2016-4470", "CVE-2016-4998"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-08-02T00:00:00", "id": "OPENVAS:1361412562310808914", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808914", "type": "openvas", "title": "Fedora Update for kernel FEDORA-2016-63ee0999e4", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2016-63ee0999e4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808914\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-02 10:54:58 +0530 (Tue, 02 Aug 2016)\");\n script_cve_id(\"CVE-2016-4470\", \"CVE-2016-1583\", \"CVE-2016-4998\", \"CVE-2016-4997\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2016-63ee0999e4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-63ee0999e4\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/57USMCT2MVQZR6AHRMSAA74YEHCO2OKA\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.4.14~200.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2019-12-20T18:25:50", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583", "CVE-2016-2143"], "description": "**CentOS Errata and Security Advisory** CESA-2016:2766\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important)\n\n* It was reported that on s390x, the fork of a process with four page table levels will cause memory corruption with a variety of symptoms. All processes are created with three level page table and a limit of 4TB for the address space. If the parent process has four page table levels with a limit of 8PB, the function that duplicates the address space will try to copy memory areas outside of the address space limit for the child process. (CVE-2016-2143, Moderate)\n\nBug Fix(es):\n\n* Use of a multi-threaded workload with high memory mappings sometiems caused a kernel panic, due to a race condition between the context switch and the pagetable upgrade. This update fixes the switch_mm() by using the complete asce parameter instead of the asce_bits parameter. As a result, the kernel no longer panics in the described scenario. (BZ#1377472)\n\n* When iptables created the Transmission Control Protocol (TCP) reset packet, a kernel crash could occur due to uninitialized pointer to the TCP header within the Socket Buffer (SKB). This update fixes the transport header pointer in TCP reset for both IPv4 and IPv6, and the kernel no longer crashes in the described situation.(BZ#1372266)\n\n* Previously, when the Enhanced Error Handling (EEH) mechanism did not block the PCI configuration space access and an error was detected, a kernel panic occurred. This update fixes EEH to fix this problem. As a result, the kernel no longer panics in the described scenario. (BZ#1379596)\n\n* When the lockd service failed to start up completely, the notifier blocks were in some cases registered on a notification chain multiple times, which caused the occurrence of a circular list on the notification chain. Consequently, a soft lock-up or a kernel oops occurred. With this update, the notifier blocks are unregistered if lockd fails to start up completely, and the soft lock-ups or the kernel oopses no longer occur under the described circumstances. (BZ#1375637)\n\n* When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE MaxFrameSize parameter was incorrectly restricted to 1452. With this update, the NETIF_F_ALL_FCOE symbol\nis no longer ignored, which fixes this bug. MaxFrameSize is now restricted to 2112, which is the correct value. (BZ#1381592)\n\n* When the fnic driver was installed on Cisco UCS Blade Server, the discs were under certain circumstances put into the offline state with the following error message: \"Medium access timeout failure. Offlining disk!\". This update fixes fnic to set the Small Computer System Interface (SCSI) status as DID_ABORT after a successful abort operation. As a result, the discs are no longer put into the offlined state in the described situation. (BZ#1382620)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-November/034191.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-firmware\nkernel-headers\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2766.html", "edition": 3, "modified": "2016-11-19T11:25:33", "published": "2016-11-19T11:25:33", "href": "http://lists.centos.org/pipermail/centos-announce/2016-November/034191.html", "id": "CESA-2016:2766", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:26:34", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583", "CVE-2016-5195"], "description": "**CentOS Errata and Security Advisory** CESA-2016:2124\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating\nsystem.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem\nhandled the copy-on-write (COW) breakage of private read-only memory mappings.\nAn unprivileged, local user could use this flaw to gain write access to\notherwise read-only memory mappings and thus increase their privileges on the\nsystem. (CVE-2016-5195, Important)\n\n* It was found that stacking a file system over procfs in the Linux kernel could\nlead to a kernel stack overflow due to deep nesting, as demonstrated by mounting\necryptfs over procfs and creating a recursion by mapping /proc/environ. An\nunprivileged, local user could potentially use this flaw to escalate their\nprivileges on the system. (CVE-2016-1583, Important)\n\nRed Hat would like to thank Phil Oester for reporting CVE-2016-5195.\n\nBug Fix(es):\n\n* In some cases, a kernel crash or file system corruption occurred when running\njournal mode 'ordered'. The kernel crash was caused by a null pointer\ndereference due to a race condition between two journal functions. The file\nsystem corruption occurred due to a race condition between the\ndo_get_write_access() function and buffer writeout. This update fixes both race\nconditions. As a result, neither the kernel crash, nor the file system\ncorruption now occur. (BZ#1067708)\n\n* Prior to this update, some Global File System 2 (GFS2) files had incorrect\ntime stamp values due to two problems with handling time stamps of such files.\nThe first problem concerned the atime time stamp, which ended up with an\narbitrary value ahead of the actual value, when a GFS2 file was accessed. The\nsecond problem was related to the mtime and ctime time stamp updates, which got\nlost when a GFS2 file was written to from one node and read from or written to\nfrom another node. With this update, a set of patches has been applied that fix\nthese problems. As a result, the time stamps of GFS2 files are now handled\ncorrectly. (BZ#1374861)\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-October/034173.html\n\n**Affected packages:**\nkernel\nkernel-PAE\nkernel-PAE-devel\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-xen\nkernel-xen-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2124.html", "edition": 3, "modified": "2016-10-28T13:34:09", "published": "2016-10-28T13:34:09", "href": "http://lists.centos.org/pipermail/centos-announce/2016-October/034173.html", "id": "CESA-2016:2124", "title": "kernel security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:28:29", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8660", "CVE-2016-2143", "CVE-2016-4470"], "description": "**CentOS Errata and Security Advisory** CESA-2016:1539\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThese updated kernel packages include several security issues and numerous\nbug fixes, some of which you can see below. Space precludes documenting\nall of these bug fixes in this advisory. To see the complete list of bug\nfixes, users are directed to the related Knowledge Article:\nhttps://access.redhat.com/articles/2460971.\n\nSecurity Fix(es):\n\n* A flaw was found in the Linux kernel's keyring handling code, where in\nkey_reject_and_link() an uninitialised variable would eventually lead to\narbitrary free address which could allow attacker to use a use-after-free\nstyle attack. (CVE-2016-4470, Important)\n\n* The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel\nthrough 4.3.3 attempts to merge distinct setattr operations, which allows\nlocal users to bypass intended access restrictions and modify the\nattributes of arbitrary overlay files via a crafted application.\n(CVE-2015-8660, Moderate)\n\n* It was reported that on s390x, the fork of a process with four page table\nlevels will cause memory corruption with a variety of symptoms. All\nprocesses are created with three level page table and a limit of 4TB for\nthe address space. If the parent process has four page table levels with a\nlimit of 8PB, the function that duplicates the address space will try to\ncopy memory areas outside of the address space limit for the child process.\n(CVE-2016-2143, Moderate)\n\nRed Hat would like to thank Nathan Williams for reporting CVE-2015-8660.\nThe CVE-2016-4470 issue was discovered by David Howells (Red Hat Inc.).\n\nBug Fix(es):\n\n* The glibc headers and the Linux headers share certain definitions of\nkey structures that are required to be defined in kernel and in userspace.\nIn some instances both userspace and sanitized kernel headers have to be\nincluded in order to get the structure definitions required by the user\nprogram. Unfortunately because the glibc and Linux headers don't\ncoordinate this can result in compilation errors. The glibc headers have\ntherefore been fixed to coordinate with Linux UAPI-based headers. With\nthe header coordination compilation errors no longer occur. (BZ#1331285)\n\n* When running the TCP/IPv6 traffic over the mlx4_en networking interface\non the big endian architectures, call traces reporting about a \"hw csum\nfailure\" could occur. With this update, the mlx4_en driver has been fixed\nby correction of the checksum calculation for the big endian\narchitectures. As a result, the call trace error no longer appears\nin the log messages. (BZ#1337431)\n\n* Under significant load, some applications such as logshifter could\ngenerate bursts of log messages too large for the system logger to spool.\nDue to a race condition, log messages from that application could then be\nlost even after the log volume dropped to manageable levels. This update\nfixes the kernel mechanism used to notify the transmitter end of the\nsocket used by the system logger that more space is available on the\nreceiver side, removing a race condition which previously caused the\nsender to stop transmitting new messages and allowing all log messages\nto be processed correctly. (BZ#1337513)\n\n* Previously, after heavy open or close of the Accelerator Function Unit\n(AFU) contexts, the interrupt packet went out and the AFU context did not\nsee any interrupts. Consequently, a kernel panic could occur. The provided\npatch set fixes handling of the interrupt requests, and kernel panic no\nlonger occurs in the described situation. (BZ#1338886)\n\n* net: recvfrom would fail on short buffer. (BZ#1339115)\n* Backport rhashtable changes from upstream. (BZ#1343639)\n* Server Crashing after starting Glusterd & creating volumes. (BZ#1344234)\n* RAID5 reshape deadlock fix. (BZ#1344313)\n* BDX perf uncore support fix. (BZ#1347374)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-August/034063.html\n\n**Affected packages:**\nkernel\nkernel-abi-whitelists\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-doc\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-1539.html", "edition": 3, "modified": "2016-08-03T14:05:49", "published": "2016-08-03T14:05:49", "href": "http://lists.centos.org/pipermail/centos-announce/2016-August/034063.html", "id": "CESA-2016:1539", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:44:51", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583", "CVE-2016-2143"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important)\n\n* It was reported that on s390x, the fork of a process with four page table levels will cause memory corruption with a variety of symptoms. All processes are created with three level page table and a limit of 4TB for the address space. If the parent process has four page table levels with a limit of 8PB, the function that duplicates the address space will try to copy memory areas outside of the address space limit for the child process. (CVE-2016-2143, Moderate)\n\nBug Fix(es):\n\n* Use of a multi-threaded workload with high memory mappings sometiems caused a kernel panic, due to a race condition between the context switch and the pagetable upgrade. This update fixes the switch_mm() by using the complete asce parameter instead of the asce_bits parameter. As a result, the kernel no longer panics in the described scenario. (BZ#1377472)\n\n* When iptables created the Transmission Control Protocol (TCP) reset packet, a kernel crash could occur due to uninitialized pointer to the TCP header within the Socket Buffer (SKB). This update fixes the transport header pointer in TCP reset for both IPv4 and IPv6, and the kernel no longer crashes in the described situation.(BZ#1372266)\n\n* Previously, when the Enhanced Error Handling (EEH) mechanism did not block the PCI configuration space access and an error was detected, a kernel panic occurred. This update fixes EEH to fix this problem. As a result, the kernel no longer panics in the described scenario. (BZ#1379596)\n\n* When the lockd service failed to start up completely, the notifier blocks were in some cases registered on a notification chain multiple times, which caused the occurrence of a circular list on the notification chain. Consequently, a soft lock-up or a kernel oops occurred. With this update, the notifier blocks are unregistered if lockd fails to start up completely, and the soft lock-ups or the kernel oopses no longer occur under the described circumstances. (BZ#1375637)\n\n* When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE MaxFrameSize parameter was incorrectly restricted to 1452. With this update, the NETIF_F_ALL_FCOE symbol\nis no longer ignored, which fixes this bug. MaxFrameSize is now restricted to 2112, which is the correct value. (BZ#1381592)\n\n* When the fnic driver was installed on Cisco UCS Blade Server, the discs were under certain circumstances put into the offline state with the following error message: \"Medium access timeout failure. Offlining disk!\". This update fixes fnic to set the Small Computer System Interface (SCSI) status as DID_ABORT after a successful abort operation. As a result, the discs are no longer put into the offlined state in the described situation. (BZ#1382620)", "modified": "2018-06-06T20:24:31", "published": "2016-11-15T21:21:01", "id": "RHSA-2016:2766", "href": "https://access.redhat.com/errata/RHSA-2016:2766", "type": "redhat", "title": "(RHSA-2016:2766) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system. (CVE-2016-1583, Important)\n\nBug Fix(es):\n\n* Previously, while the MAP_GROWSDOWN flag was set, writing to the memory which was mapped with the mmap system call failed with the SIGBUS signal. This update fixes memory management in the Linux kernel by backporting an upstream patch that enlarges the stack guard page gap. As a result, mmap now works as expected under the described circumstances. (BZ#1474721)", "modified": "2017-09-19T11:07:12", "published": "2017-09-19T10:59:07", "id": "RHSA-2017:2760", "href": "https://access.redhat.com/errata/RHSA-2017:2760", "type": "redhat", "title": "(RHSA-2017:2760) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583", "CVE-2016-5195"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating\nsystem.\n\nSecurity Fix(es):\n\n* A race condition was found in the way the Linux kernel's memory subsystem\nhandled the copy-on-write (COW) breakage of private read-only memory mappings.\nAn unprivileged, local user could use this flaw to gain write access to\notherwise read-only memory mappings and thus increase their privileges on the\nsystem. (CVE-2016-5195, Important)\n\n* It was found that stacking a file system over procfs in the Linux kernel could\nlead to a kernel stack overflow due to deep nesting, as demonstrated by mounting\necryptfs over procfs and creating a recursion by mapping /proc/environ. An\nunprivileged, local user could potentially use this flaw to escalate their\nprivileges on the system. (CVE-2016-1583, Important)\n\nRed Hat would like to thank Phil Oester for reporting CVE-2016-5195.\n\nBug Fix(es):\n\n* In some cases, a kernel crash or file system corruption occurred when running\njournal mode 'ordered'. The kernel crash was caused by a null pointer\ndereference due to a race condition between two journal functions. The file\nsystem corruption occurred due to a race condition between the\ndo_get_write_access() function and buffer writeout. This update fixes both race\nconditions. As a result, neither the kernel crash, nor the file system\ncorruption now occur. (BZ#1067708)\n\n* Prior to this update, some Global File System 2 (GFS2) files had incorrect\ntime stamp values due to two problems with handling time stamps of such files.\nThe first problem concerned the atime time stamp, which ended up with an\narbitrary value ahead of the actual value, when a GFS2 file was accessed. The\nsecond problem was related to the mtime and ctime time stamp updates, which got\nlost when a GFS2 file was written to from one node and read from or written to\nfrom another node. With this update, a set of patches has been applied that fix\nthese problems. As a result, the time stamps of GFS2 files are now handled\ncorrectly. (BZ#1374861)\n", "modified": "2017-09-08T12:20:04", "published": "2016-10-28T04:00:00", "id": "RHSA-2016:2124", "href": "https://access.redhat.com/errata/RHSA-2016:2124", "type": "redhat", "title": "(RHSA-2016:2124) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:06", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8660", "CVE-2016-2143", "CVE-2016-4470"], "description": "The kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThese updated kernel packages include several security issues and numerous\nbug fixes, some of which you can see below. Space precludes documenting\nall of these bug fixes in this advisory. To see the complete list of bug\nfixes, users are directed to the related Knowledge Article:\nhttps://access.redhat.com/articles/2460971.\n\nSecurity Fix(es):\n\n* A flaw was found in the Linux kernel's keyring handling code, where in\nkey_reject_and_link() an uninitialised variable would eventually lead to\narbitrary free address which could allow attacker to use a use-after-free\nstyle attack. (CVE-2016-4470, Important)\n\n* The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel\nthrough 4.3.3 attempts to merge distinct setattr operations, which allows\nlocal users to bypass intended access restrictions and modify the\nattributes of arbitrary overlay files via a crafted application.\n(CVE-2015-8660, Moderate)\n\n* It was reported that on s390x, the fork of a process with four page table\nlevels will cause memory corruption with a variety of symptoms. All\nprocesses are created with three level page table and a limit of 4TB for\nthe address space. If the parent process has four page table levels with a\nlimit of 8PB, the function that duplicates the address space will try to\ncopy memory areas outside of the address space limit for the child process.\n(CVE-2016-2143, Moderate)\n\nRed Hat would like to thank Nathan Williams for reporting CVE-2015-8660.\nThe CVE-2016-4470 issue was discovered by David Howells (Red Hat Inc.).\n\nBug Fix(es):\n\n* The glibc headers and the Linux headers share certain definitions of\nkey structures that are required to be defined in kernel and in userspace.\nIn some instances both userspace and sanitized kernel headers have to be\nincluded in order to get the structure definitions required by the user\nprogram. Unfortunately because the glibc and Linux headers don't\ncoordinate this can result in compilation errors. The glibc headers have\ntherefore been fixed to coordinate with Linux UAPI-based headers. With\nthe header coordination compilation errors no longer occur. (BZ#1331285)\n\n* When running the TCP/IPv6 traffic over the mlx4_en networking interface\non the big endian architectures, call traces reporting about a \"hw csum\nfailure\" could occur. With this update, the mlx4_en driver has been fixed\nby correction of the checksum calculation for the big endian\narchitectures. As a result, the call trace error no longer appears\nin the log messages. (BZ#1337431)\n\n* Under significant load, some applications such as logshifter could\ngenerate bursts of log messages too large for the system logger to spool.\nDue to a race condition, log messages from that application could then be\nlost even after the log volume dropped to manageable levels. This update\nfixes the kernel mechanism used to notify the transmitter end of the\nsocket used by the system logger that more space is available on the\nreceiver side, removing a race condition which previously caused the\nsender to stop transmitting new messages and allowing all log messages\nto be processed correctly. (BZ#1337513)\n\n* Previously, after heavy open or close of the Accelerator Function Unit\n(AFU) contexts, the interrupt packet went out and the AFU context did not\nsee any interrupts. Consequently, a kernel panic could occur. The provided\npatch set fixes handling of the interrupt requests, and kernel panic no\nlonger occurs in the described situation. (BZ#1338886)\n\n* net: recvfrom would fail on short buffer. (BZ#1339115)\n* Backport rhashtable changes from upstream. (BZ#1343639)\n* Server Crashing after starting Glusterd & creating volumes. (BZ#1344234)\n* RAID5 reshape deadlock fix. (BZ#1344313)\n* BDX perf uncore support fix. (BZ#1347374)", "modified": "2018-04-12T03:32:44", "published": "2016-08-02T17:46:40", "id": "RHSA-2016:1539", "href": "https://access.redhat.com/errata/RHSA-2016:1539", "type": "redhat", "title": "(RHSA-2016:1539) Important: kernel security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-06T09:30:53", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* It was found that stacking a file system over procfs in the Linux\nkernel could lead to a kernel stack overflow due to deep nesting, as\ndemonstrated by mounting ecryptfs over procfs and creating a recursion\nby mapping /proc/ environ. An unprivileged, local user could\npotentially use this flaw to escalate their privileges on the system.\n(CVE-2016-1583, Important)\n\n* It was reported that on s390x, the fork of a process with four page\ntable levels will cause memory corruption with a variety of symptoms.\nAll processes are created with three level page table and a limit of\n4TB for the address space. If the parent process has four page table\nlevels with a limit of 8PB, the function that duplicates the address\nspace will try to copy memory areas outside of the address space limit\nfor the child process. (CVE-2016-2143, Moderate)\n\nBug Fix(es) :\n\n* Use of a multi-threaded workload with high memory mappings sometiems\ncaused a kernel panic, due to a race condition between the context\nswitch and the pagetable upgrade. This update fixes the switch_mm() by\nusing the complete asce parameter instead of the asce_bits parameter.\nAs a result, the kernel no longer panics in the described scenario.\n(BZ#1377472)\n\n* When iptables created the Transmission Control Protocol (TCP) reset\npacket, a kernel crash could occur due to uninitialized pointer to the\nTCP header within the Socket Buffer (SKB). This update fixes the\ntransport header pointer in TCP reset for both IPv4 and IPv6, and the\nkernel no longer crashes in the described situation.(BZ#1372266)\n\n* Previously, when the Enhanced Error Handling (EEH) mechanism did not\nblock the PCI configuration space access and an error was detected, a\nkernel panic occurred. This update fixes EEH to fix this problem. As a\nresult, the kernel no longer panics in the described scenario.\n(BZ#1379596)\n\n* When the lockd service failed to start up completely, the notifier\nblocks were in some cases registered on a notification chain multiple\ntimes, which caused the occurrence of a circular list on the\nnotification chain. Consequently, a soft lock-up or a kernel oops\noccurred. With this update, the notifier blocks are unregistered if\nlockd fails to start up completely, and the soft lock-ups or the\nkernel oopses no longer occur under the described circumstances.\n(BZ#1375637)\n\n* When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE\nMaxFrameSize parameter was incorrectly restricted to 1452. With this\nupdate, the NETIF_F_ALL_FCOE symbol is no longer ignored, which fixes\nthis bug. MaxFrameSize is now restricted to 2112, which is the correct\nvalue. (BZ#1381592)\n\n* When the fnic driver was installed on Cisco UCS Blade Server, the\ndiscs were under certain circumstances put into the offline state with\nthe following error message: 'Medium access timeout failure. Offlining\ndisk!'. This update fixes fnic to set the Small Computer System\nInterface (SCSI) status as DID_ABORT after a successful abort\noperation. As a result, the discs are no longer put into the offlined\nstate in the described situation. (BZ#1382620)", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-21T00:00:00", "title": "CentOS 6 : kernel (CESA-2016:2766)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583", "CVE-2016-2143"], "modified": "2016-11-21T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:perf", "p-cpe:/a:centos:centos:python-perf", "p-cpe:/a:centos:centos:kernel-doc", "p-cpe:/a:centos:centos:kernel-devel", "p-cpe:/a:centos:centos:kernel", "p-cpe:/a:centos:centos:kernel-debug", "p-cpe:/a:centos:centos:kernel-headers", "p-cpe:/a:centos:centos:kernel-firmware", "p-cpe:/a:centos:centos:kernel-abi-whitelists", "p-cpe:/a:centos:centos:kernel-debug-devel"], "id": "CENTOS_RHSA-2016-2766.NASL", "href": "https://www.tenable.com/plugins/nessus/94980", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2766 and \n# CentOS Errata and Security Advisory 2016:2766 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94980);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-1583\", \"CVE-2016-2143\");\n script_xref(name:\"RHSA\", value:\"2016:2766\");\n\n script_name(english:\"CentOS 6 : kernel (CESA-2016:2766)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* It was found that stacking a file system over procfs in the Linux\nkernel could lead to a kernel stack overflow due to deep nesting, as\ndemonstrated by mounting ecryptfs over procfs and creating a recursion\nby mapping /proc/ environ. An unprivileged, local user could\npotentially use this flaw to escalate their privileges on the system.\n(CVE-2016-1583, Important)\n\n* It was reported that on s390x, the fork of a process with four page\ntable levels will cause memory corruption with a variety of symptoms.\nAll processes are created with three level page table and a limit of\n4TB for the address space. If the parent process has four page table\nlevels with a limit of 8PB, the function that duplicates the address\nspace will try to copy memory areas outside of the address space limit\nfor the child process. (CVE-2016-2143, Moderate)\n\nBug Fix(es) :\n\n* Use of a multi-threaded workload with high memory mappings sometiems\ncaused a kernel panic, due to a race condition between the context\nswitch and the pagetable upgrade. This update fixes the switch_mm() by\nusing the complete asce parameter instead of the asce_bits parameter.\nAs a result, the kernel no longer panics in the described scenario.\n(BZ#1377472)\n\n* When iptables created the Transmission Control Protocol (TCP) reset\npacket, a kernel crash could occur due to uninitialized pointer to the\nTCP header within the Socket Buffer (SKB). This update fixes the\ntransport header pointer in TCP reset for both IPv4 and IPv6, and the\nkernel no longer crashes in the described situation.(BZ#1372266)\n\n* Previously, when the Enhanced Error Handling (EEH) mechanism did not\nblock the PCI configuration space access and an error was detected, a\nkernel panic occurred. This update fixes EEH to fix this problem. As a\nresult, the kernel no longer panics in the described scenario.\n(BZ#1379596)\n\n* When the lockd service failed to start up completely, the notifier\nblocks were in some cases registered on a notification chain multiple\ntimes, which caused the occurrence of a circular list on the\nnotification chain. Consequently, a soft lock-up or a kernel oops\noccurred. With this update, the notifier blocks are unregistered if\nlockd fails to start up completely, and the soft lock-ups or the\nkernel oopses no longer occur under the described circumstances.\n(BZ#1375637)\n\n* When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE\nMaxFrameSize parameter was incorrectly restricted to 1452. With this\nupdate, the NETIF_F_ALL_FCOE symbol is no longer ignored, which fixes\nthis bug. MaxFrameSize is now restricted to 2112, which is the correct\nvalue. (BZ#1381592)\n\n* When the fnic driver was installed on Cisco UCS Blade Server, the\ndiscs were under certain circumstances put into the offline state with\nthe following error message: 'Medium access timeout failure. Offlining\ndisk!'. This update fixes fnic to set the Small Computer System\nInterface (SCSI) status as DID_ABORT after a successful abort\noperation. As a result, the discs are no longer put into the offlined\nstate in the described situation. (BZ#1382620)\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2016-November/022153.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?de352231\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1583\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-abi-whitelists-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-debug-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-debug-devel-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-devel-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-doc-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-firmware-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"kernel-headers-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"perf-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"python-perf-2.6.32-642.11.1.el6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T18:23:29", "description": "Security Fix(es) :\n\n - It was found that stacking a file system over procfs in\n the Linux kernel could lead to a kernel stack overflow\n due to deep nesting, as demonstrated by mounting\n ecryptfs over procfs and creating a recursion by mapping\n /proc/environ. An unprivileged, local user could\n potentially use this flaw to escalate their privileges\n on the system. (CVE-2016-1583, Important)\n\n - It was reported that on s390x, the fork of a process\n with four page table levels will cause memory corruption\n with a variety of symptoms. All processes are created\n with three level page table and a limit of 4TB for the\n address space. If the parent process has four page table\n levels with a limit of 8PB, the function that duplicates\n the address space will try to copy memory areas outside\n of the address space limit for the child process.\n (CVE-2016-2143, Moderate)\n\nBug Fix(es) :\n\n - Use of a multi-threaded workload with high memory\n mappings sometiems caused a kernel panic, due to a race\n condition between the context switch and the pagetable\n upgrade. This update fixes the switch_mm() by using the\n complete asce parameter instead of the asce_bits\n parameter. As a result, the kernel no longer panics in\n the described scenario.\n\n - When iptables created the Transmission Control Protocol\n (TCP) reset packet, a kernel crash could occur due to\n uninitialized pointer to the TCP header within the\n Socket Buffer (SKB). This update fixes the transport\n header pointer in TCP reset for both IPv4 and IPv6, and\n the kernel no longer crashes in the described situation.\n\n - Previously, when the Enhanced Error Handling (EEH)\n mechanism did not block the PCI configuration space\n access and an error was detected, a kernel panic\n occurred. This update fixes EEH to fix this problem. As\n a result, the kernel no longer panics in the described\n scenario.\n\n - When the lockd service failed to start up completely,\n the notifier blocks were in some cases registered on a\n notification chain multiple times, which caused the\n occurrence of a circular list on the notification chain.\n Consequently, a soft lock-up or a kernel oops occurred.\n With this update, the notifier blocks are unregistered\n if lockd fails to start up completely, and the soft\n lock-ups or the kernel oopses no longer occur under the\n described circumstances.\n\n - When the Fibre Channel over Ethernet (FCoE) was\n configured, the FCoE MaxFrameSize parameter was\n incorrectly restricted to 1452. With this update, the\n NETIF_F_ALL_FCOE symbol is no longer ignored, which\n fixes this bug. MaxFrameSize is now restricted to 2112,\n which is the correct value.\n\n - When the fnic driver was installed on Cisco UCS Blade\n Server, the discs were under certain circumstances put\n into the offline state with the following error message:\n 'Medium access timeout failure. Offlining disk!'. This\n update fixes fnic to set the Small Computer System\n Interface (SCSI) status as DID_ABORT after a successful\n abort operation. As a result, the discs are no longer\n put into the offlined state in the described situation.", "edition": 14, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-22T00:00:00", "title": "Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20161115)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583", "CVE-2016-2143"], "modified": "2016-11-22T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists", "p-cpe:/a:fermilab:scientific_linux:kernel", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debug", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-i686", "p-cpe:/a:fermilab:scientific_linux:kernel-firmware", "p-cpe:/a:fermilab:scientific_linux:kernel-headers", "p-cpe:/a:fermilab:scientific_linux:python-perf", "p-cpe:/a:fermilab:scientific_linux:kernel-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:kernel-doc", "p-cpe:/a:fermilab:scientific_linux:perf"], "id": "SL_20161115_KERNEL_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/95050", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95050);\n script_version(\"2.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/25\");\n\n script_cve_id(\"CVE-2016-1583\", \"CVE-2016-2143\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20161115)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - It was found that stacking a file system over procfs in\n the Linux kernel could lead to a kernel stack overflow\n due to deep nesting, as demonstrated by mounting\n ecryptfs over procfs and creating a recursion by mapping\n /proc/environ. An unprivileged, local user could\n potentially use this flaw to escalate their privileges\n on the system. (CVE-2016-1583, Important)\n\n - It was reported that on s390x, the fork of a process\n with four page table levels will cause memory corruption\n with a variety of symptoms. All processes are created\n with three level page table and a limit of 4TB for the\n address space. If the parent process has four page table\n levels with a limit of 8PB, the function that duplicates\n the address space will try to copy memory areas outside\n of the address space limit for the child process.\n (CVE-2016-2143, Moderate)\n\nBug Fix(es) :\n\n - Use of a multi-threaded workload with high memory\n mappings sometiems caused a kernel panic, due to a race\n condition between the context switch and the pagetable\n upgrade. This update fixes the switch_mm() by using the\n complete asce parameter instead of the asce_bits\n parameter. As a result, the kernel no longer panics in\n the described scenario.\n\n - When iptables created the Transmission Control Protocol\n (TCP) reset packet, a kernel crash could occur due to\n uninitialized pointer to the TCP header within the\n Socket Buffer (SKB). This update fixes the transport\n header pointer in TCP reset for both IPv4 and IPv6, and\n the kernel no longer crashes in the described situation.\n\n - Previously, when the Enhanced Error Handling (EEH)\n mechanism did not block the PCI configuration space\n access and an error was detected, a kernel panic\n occurred. This update fixes EEH to fix this problem. As\n a result, the kernel no longer panics in the described\n scenario.\n\n - When the lockd service failed to start up completely,\n the notifier blocks were in some cases registered on a\n notification chain multiple times, which caused the\n occurrence of a circular list on the notification chain.\n Consequently, a soft lock-up or a kernel oops occurred.\n With this update, the notifier blocks are unregistered\n if lockd fails to start up completely, and the soft\n lock-ups or the kernel oopses no longer occur under the\n described circumstances.\n\n - When the Fibre Channel over Ethernet (FCoE) was\n configured, the FCoE MaxFrameSize parameter was\n incorrectly restricted to 1452. With this update, the\n NETIF_F_ALL_FCOE symbol is no longer ignored, which\n fixes this bug. MaxFrameSize is now restricted to 2112,\n which is the correct value.\n\n - When the fnic driver was installed on Cisco UCS Blade\n Server, the discs were under certain circumstances put\n into the offline state with the following error message:\n 'Medium access timeout failure. Offlining disk!'. This\n update fixes fnic to set the Small Computer System\n Interface (SCSI) status as DID_ABORT after a successful\n abort operation. As a result, the discs are no longer\n put into the offlined state in the described situation.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1611&L=scientific-linux-errata&F=&S=&P=3698\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?de3aa8c5\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"kernel-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-abi-whitelists-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-debuginfo-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-devel-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debuginfo-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debuginfo-common-i686-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-devel-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-doc-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-firmware-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-headers-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"perf-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"perf-debuginfo-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"python-perf-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"python-perf-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:06:54", "description": "An update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* It was found that stacking a file system over procfs in the Linux\nkernel could lead to a kernel stack overflow due to deep nesting, as\ndemonstrated by mounting ecryptfs over procfs and creating a recursion\nby mapping /proc/ environ. An unprivileged, local user could\npotentially use this flaw to escalate their privileges on the system.\n(CVE-2016-1583, Important)\n\n* It was reported that on s390x, the fork of a process with four page\ntable levels will cause memory corruption with a variety of symptoms.\nAll processes are created with three level page table and a limit of\n4TB for the address space. If the parent process has four page table\nlevels with a limit of 8PB, the function that duplicates the address\nspace will try to copy memory areas outside of the address space limit\nfor the child process. (CVE-2016-2143, Moderate)\n\nBug Fix(es) :\n\n* Use of a multi-threaded workload with high memory mappings sometiems\ncaused a kernel panic, due to a race condition between the context\nswitch and the pagetable upgrade. This update fixes the switch_mm() by\nusing the complete asce parameter instead of the asce_bits parameter.\nAs a result, the kernel no longer panics in the described scenario.\n(BZ#1377472)\n\n* When iptables created the Transmission Control Protocol (TCP) reset\npacket, a kernel crash could occur due to uninitialized pointer to the\nTCP header within the Socket Buffer (SKB). This update fixes the\ntransport header pointer in TCP reset for both IPv4 and IPv6, and the\nkernel no longer crashes in the described situation.(BZ#1372266)\n\n* Previously, when the Enhanced Error Handling (EEH) mechanism did not\nblock the PCI configuration space access and an error was detected, a\nkernel panic occurred. This update fixes EEH to fix this problem. As a\nresult, the kernel no longer panics in the described scenario.\n(BZ#1379596)\n\n* When the lockd service failed to start up completely, the notifier\nblocks were in some cases registered on a notification chain multiple\ntimes, which caused the occurrence of a circular list on the\nnotification chain. Consequently, a soft lock-up or a kernel oops\noccurred. With this update, the notifier blocks are unregistered if\nlockd fails to start up completely, and the soft lock-ups or the\nkernel oopses no longer occur under the described circumstances.\n(BZ#1375637)\n\n* When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE\nMaxFrameSize parameter was incorrectly restricted to 1452. With this\nupdate, the NETIF_F_ALL_FCOE symbol is no longer ignored, which fixes\nthis bug. MaxFrameSize is now restricted to 2112, which is the correct\nvalue. (BZ#1381592)\n\n* When the fnic driver was installed on Cisco UCS Blade Server, the\ndiscs were under certain circumstances put into the offline state with\nthe following error message: 'Medium access timeout failure. Offlining\ndisk!'. This update fixes fnic to set the Small Computer System\nInterface (SCSI) status as DID_ABORT after a successful abort\noperation. As a result, the discs are no longer put into the offlined\nstate in the described situation. (BZ#1382620)", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-16T00:00:00", "title": "RHEL 6 : kernel (RHSA-2016:2766)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583", "CVE-2016-2143"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:python-perf", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:kernel-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686"], "id": "REDHAT-RHSA-2016-2766.NASL", "href": "https://www.tenable.com/plugins/nessus/94911", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2766. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94911);\n script_version(\"2.11\");\n script_cvs_date(\"Date: 2019/10/24 15:35:42\");\n\n script_cve_id(\"CVE-2016-1583\", \"CVE-2016-2143\");\n script_xref(name:\"RHSA\", value:\"2016:2766\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2016:2766)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* It was found that stacking a file system over procfs in the Linux\nkernel could lead to a kernel stack overflow due to deep nesting, as\ndemonstrated by mounting ecryptfs over procfs and creating a recursion\nby mapping /proc/ environ. An unprivileged, local user could\npotentially use this flaw to escalate their privileges on the system.\n(CVE-2016-1583, Important)\n\n* It was reported that on s390x, the fork of a process with four page\ntable levels will cause memory corruption with a variety of symptoms.\nAll processes are created with three level page table and a limit of\n4TB for the address space. If the parent process has four page table\nlevels with a limit of 8PB, the function that duplicates the address\nspace will try to copy memory areas outside of the address space limit\nfor the child process. (CVE-2016-2143, Moderate)\n\nBug Fix(es) :\n\n* Use of a multi-threaded workload with high memory mappings sometiems\ncaused a kernel panic, due to a race condition between the context\nswitch and the pagetable upgrade. This update fixes the switch_mm() by\nusing the complete asce parameter instead of the asce_bits parameter.\nAs a result, the kernel no longer panics in the described scenario.\n(BZ#1377472)\n\n* When iptables created the Transmission Control Protocol (TCP) reset\npacket, a kernel crash could occur due to uninitialized pointer to the\nTCP header within the Socket Buffer (SKB). This update fixes the\ntransport header pointer in TCP reset for both IPv4 and IPv6, and the\nkernel no longer crashes in the described situation.(BZ#1372266)\n\n* Previously, when the Enhanced Error Handling (EEH) mechanism did not\nblock the PCI configuration space access and an error was detected, a\nkernel panic occurred. This update fixes EEH to fix this problem. As a\nresult, the kernel no longer panics in the described scenario.\n(BZ#1379596)\n\n* When the lockd service failed to start up completely, the notifier\nblocks were in some cases registered on a notification chain multiple\ntimes, which caused the occurrence of a circular list on the\nnotification chain. Consequently, a soft lock-up or a kernel oops\noccurred. With this update, the notifier blocks are unregistered if\nlockd fails to start up completely, and the soft lock-ups or the\nkernel oopses no longer occur under the described circumstances.\n(BZ#1375637)\n\n* When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE\nMaxFrameSize parameter was incorrectly restricted to 1452. With this\nupdate, the NETIF_F_ALL_FCOE symbol is no longer ignored, which fixes\nthis bug. MaxFrameSize is now restricted to 2112, which is the correct\nvalue. (BZ#1381592)\n\n* When the fnic driver was installed on Cisco UCS Blade Server, the\ndiscs were under certain circumstances put into the offline state with\nthe following error message: 'Medium access timeout failure. Offlining\ndisk!'. This update fixes fnic to set the Small Computer System\nInterface (SCSI) status as DID_ABORT after a successful abort\noperation. As a result, the discs are no longer put into the offlined\nstate in the described situation. (BZ#1382620)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:2766\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-1583\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-2143\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-1583\", \"CVE-2016-2143\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2016:2766\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:2766\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-abi-whitelists-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debug-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debug-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debug-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debug-devel-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debug-devel-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debug-devel-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-debuginfo-common-i686-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-devel-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-devel-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-devel-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-doc-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-firmware-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"kernel-headers-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-headers-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-headers-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-kdump-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"kernel-kdump-devel-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"perf-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"perf-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"perf-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"perf-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"perf-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"perf-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"python-perf-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"python-perf-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"python-perf-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"python-perf-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"python-perf-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-2.6.32-642.11.1.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T04:41:45", "description": "From Red Hat Security Advisory 2016:2766 :\n\nAn update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* It was found that stacking a file system over procfs in the Linux\nkernel could lead to a kernel stack overflow due to deep nesting, as\ndemonstrated by mounting ecryptfs over procfs and creating a recursion\nby mapping /proc/ environ. An unprivileged, local user could\npotentially use this flaw to escalate their privileges on the system.\n(CVE-2016-1583, Important)\n\n* It was reported that on s390x, the fork of a process with four page\ntable levels will cause memory corruption with a variety of symptoms.\nAll processes are created with three level page table and a limit of\n4TB for the address space. If the parent process has four page table\nlevels with a limit of 8PB, the function that duplicates the address\nspace will try to copy memory areas outside of the address space limit\nfor the child process. (CVE-2016-2143, Moderate)\n\nBug Fix(es) :\n\n* Use of a multi-threaded workload with high memory mappings sometiems\ncaused a kernel panic, due to a race condition between the context\nswitch and the pagetable upgrade. This update fixes the switch_mm() by\nusing the complete asce parameter instead of the asce_bits parameter.\nAs a result, the kernel no longer panics in the described scenario.\n(BZ#1377472)\n\n* When iptables created the Transmission Control Protocol (TCP) reset\npacket, a kernel crash could occur due to uninitialized pointer to the\nTCP header within the Socket Buffer (SKB). This update fixes the\ntransport header pointer in TCP reset for both IPv4 and IPv6, and the\nkernel no longer crashes in the described situation.(BZ#1372266)\n\n* Previously, when the Enhanced Error Handling (EEH) mechanism did not\nblock the PCI configuration space access and an error was detected, a\nkernel panic occurred. This update fixes EEH to fix this problem. As a\nresult, the kernel no longer panics in the described scenario.\n(BZ#1379596)\n\n* When the lockd service failed to start up completely, the notifier\nblocks were in some cases registered on a notification chain multiple\ntimes, which caused the occurrence of a circular list on the\nnotification chain. Consequently, a soft lock-up or a kernel oops\noccurred. With this update, the notifier blocks are unregistered if\nlockd fails to start up completely, and the soft lock-ups or the\nkernel oopses no longer occur under the described circumstances.\n(BZ#1375637)\n\n* When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE\nMaxFrameSize parameter was incorrectly restricted to 1452. With this\nupdate, the NETIF_F_ALL_FCOE symbol is no longer ignored, which fixes\nthis bug. MaxFrameSize is now restricted to 2112, which is the correct\nvalue. (BZ#1381592)\n\n* When the fnic driver was installed on Cisco UCS Blade Server, the\ndiscs were under certain circumstances put into the offline state with\nthe following error message: 'Medium access timeout failure. Offlining\ndisk!'. This update fixes fnic to set the Small Computer System\nInterface (SCSI) status as DID_ABORT after a successful abort\noperation. As a result, the discs are no longer put into the offlined\nstate in the described situation. (BZ#1382620)", "edition": 26, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-16T00:00:00", "title": "Oracle Linux 6 : kernel (ELSA-2016-2766)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583", "CVE-2016-2143"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-doc", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-abi-whitelists", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-firmware", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2016-2766.NASL", "href": "https://www.tenable.com/plugins/nessus/94908", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:2766 and \n# Oracle Linux Security Advisory ELSA-2016-2766 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94908);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2019/09/27 13:00:37\");\n\n script_cve_id(\"CVE-2016-1583\", \"CVE-2016-2143\");\n script_xref(name:\"RHSA\", value:\"2016:2766\");\n\n script_name(english:\"Oracle Linux 6 : kernel (ELSA-2016-2766)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:2766 :\n\nAn update for kernel is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* It was found that stacking a file system over procfs in the Linux\nkernel could lead to a kernel stack overflow due to deep nesting, as\ndemonstrated by mounting ecryptfs over procfs and creating a recursion\nby mapping /proc/ environ. An unprivileged, local user could\npotentially use this flaw to escalate their privileges on the system.\n(CVE-2016-1583, Important)\n\n* It was reported that on s390x, the fork of a process with four page\ntable levels will cause memory corruption with a variety of symptoms.\nAll processes are created with three level page table and a limit of\n4TB for the address space. If the parent process has four page table\nlevels with a limit of 8PB, the function that duplicates the address\nspace will try to copy memory areas outside of the address space limit\nfor the child process. (CVE-2016-2143, Moderate)\n\nBug Fix(es) :\n\n* Use of a multi-threaded workload with high memory mappings sometiems\ncaused a kernel panic, due to a race condition between the context\nswitch and the pagetable upgrade. This update fixes the switch_mm() by\nusing the complete asce parameter instead of the asce_bits parameter.\nAs a result, the kernel no longer panics in the described scenario.\n(BZ#1377472)\n\n* When iptables created the Transmission Control Protocol (TCP) reset\npacket, a kernel crash could occur due to uninitialized pointer to the\nTCP header within the Socket Buffer (SKB). This update fixes the\ntransport header pointer in TCP reset for both IPv4 and IPv6, and the\nkernel no longer crashes in the described situation.(BZ#1372266)\n\n* Previously, when the Enhanced Error Handling (EEH) mechanism did not\nblock the PCI configuration space access and an error was detected, a\nkernel panic occurred. This update fixes EEH to fix this problem. As a\nresult, the kernel no longer panics in the described scenario.\n(BZ#1379596)\n\n* When the lockd service failed to start up completely, the notifier\nblocks were in some cases registered on a notification chain multiple\ntimes, which caused the occurrence of a circular list on the\nnotification chain. Consequently, a soft lock-up or a kernel oops\noccurred. With this update, the notifier blocks are unregistered if\nlockd fails to start up completely, and the soft lock-ups or the\nkernel oopses no longer occur under the described circumstances.\n(BZ#1375637)\n\n* When the Fibre Channel over Ethernet (FCoE) was configured, the FCoE\nMaxFrameSize parameter was incorrectly restricted to 1452. With this\nupdate, the NETIF_F_ALL_FCOE symbol is no longer ignored, which fixes\nthis bug. MaxFrameSize is now restricted to 2112, which is the correct\nvalue. (BZ#1381592)\n\n* When the fnic driver was installed on Cisco UCS Blade Server, the\ndiscs were under certain circumstances put into the offline state with\nthe following error message: 'Medium access timeout failure. Offlining\ndisk!'. This update fixes fnic to set the Small Computer System\nInterface (SCSI) status as DID_ABORT after a successful abort\noperation. As a result, the discs are no longer put into the offlined\nstate in the described situation. (BZ#1382620)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-November/006512.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-1583\", \"CVE-2016-2143\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2016-2766\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-abi-whitelists-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-abi-whitelists-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-debug-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-debug-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-debug-devel-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-debug-devel-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-devel-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-devel-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-doc-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-doc-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-firmware-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-firmware-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-headers-2.6.32\") && rpm_check(release:\"EL6\", reference:\"kernel-headers-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"perf-2.6.32-642.11.1.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"python-perf-2.6.32-642.11.1.el6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T13:24:02", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - ecryptfs: forbid opening files without mmap handler\n (Jann Horn) [Orabug: 24971919] (CVE-2016-1583)\n\n - RDS: IB: fix panic with handlers running post teardown\n (Santosh Shilimkar) [Orabug: 24395795]", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-04T00:00:00", "title": "OracleVM 3.3 : Unbreakable / etc (OVMSA-2016-0155)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583"], "modified": "2016-11-04T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.3", "p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": "ORACLEVM_OVMSA-2016-0155.NASL", "href": "https://www.tenable.com/plugins/nessus/94535", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2016-0155.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94535);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-1583\");\n\n script_name(english:\"OracleVM 3.3 : Unbreakable / etc (OVMSA-2016-0155)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - ecryptfs: forbid opening files without mmap handler\n (Jann Horn) [Orabug: 24971919] (CVE-2016-1583)\n\n - RDS: IB: fix panic with handlers running post teardown\n (Santosh Shilimkar) [Orabug: 24395795]\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2016-November/000577.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c34a2e30\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.3\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-3.8.13-118.14.1.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-firmware-3.8.13-118.14.1.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T04:41:56", "description": "Description of changes:\n\nkernel-uek\n[3.8.13-118.14.1.el7uek]\n- ecryptfs: forbid opening files without mmap handler (Jann Horn) \n[Orabug: 24971919] {CVE-2016-1583}\n- RDS: IB: fix panic with handlers running post teardown (Santosh \nShilimkar) [Orabug: 24395795]", "edition": 22, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-04T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3636)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.14.1.el7uek", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.14.1.el6uek", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2016-3636.NASL", "href": "https://www.tenable.com/plugins/nessus/94533", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2016-3636.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94533);\n script_version(\"2.6\");\n script_cvs_date(\"Date: 2019/09/27 13:00:37\");\n\n script_cve_id(\"CVE-2016-1583\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2016-3636)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\nkernel-uek\n[3.8.13-118.14.1.el7uek]\n- ecryptfs: forbid opening files without mmap handler (Jann Horn) \n[Orabug: 24971919] {CVE-2016-1583}\n- RDS: IB: fix panic with handlers running post teardown (Santosh \nShilimkar) [Orabug: 24395795]\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-November/006456.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-November/006457.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.14.1.el6uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dtrace-modules-3.8.13-118.14.1.el7uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-1583\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2016-3636\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"3.8\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.14.1.el6uek-0.4.5-3.el6\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.14.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.14.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.14.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.14.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.14.1.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.14.1.el6uek\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"dtrace-modules-3.8.13-118.14.1.el7uek-0.4.5-3.el7\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-3.8.13-118.14.1.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-3.8.13-118.14.1.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-3.8.13-118.14.1.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-3.8.13-118.14.1.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-3.8.13-118.14.1.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-3.8.13\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-3.8.13-118.14.1.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:43:47", "description": "Jann Horn discovered that eCryptfs improperly attempted to use the\nmmap() handler of a lower filesystem that did not implement one,\ncausing a recursive page fault to occur. A local unprivileged attacker\ncould use to cause a denial of service (system crash) or possibly\nexecute arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-06-10T00:00:00", "title": "Ubuntu 16.04 LTS : linux-snapdragon vulnerability (USN-3008-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon"], "id": "UBUNTU_USN-3008-1.NASL", "href": "https://www.tenable.com/plugins/nessus/91570", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3008-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91570);\n script_version(\"2.10\");\n script_cvs_date(\"Date: 2019/09/18 12:31:45\");\n\n script_cve_id(\"CVE-2016-1583\");\n script_xref(name:\"USN\", value:\"3008-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : linux-snapdragon vulnerability (USN-3008-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jann Horn discovered that eCryptfs improperly attempted to use the\nmmap() handler of a lower filesystem that did not implement one,\ncausing a recursive page fault to occur. A local unprivileged attacker\ncould use to cause a denial of service (system crash) or possibly\nexecute arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3008-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected linux-image-4.4-snapdragon package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.4-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-1583\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3008-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"linux-image-4.4.0-1015-snapdragon\", pkgver:\"4.4.0-1015.18\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.4-snapdragon\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T14:24:09", "description": "The SUSE Linux Enterprise 12 GA kernel was updated to fix one security\nissue.\n\nThe following security bug was fixed :\n\n - CVE-2016-1583: Prevent the usage of mmap when the lower\n file system does not allow it. This could have lead to\n local privilege escalation when ecryptfs-utils was\n installed and /sbin/mount.ecryptfs_private was setuid\n (bsc#983143).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-06-17T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:1596-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583"], "modified": "2016-06-17T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-xen", "p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-debugsource", "p-cpe:/a:novell:suse_linux:kernel-xen-base", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-default", "p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-xen-devel"], "id": "SUSE_SU-2016-1596-1.NASL", "href": "https://www.tenable.com/plugins/nessus/91669", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:1596-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91669);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-1583\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2016:1596-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 GA kernel was updated to fix one security\nissue.\n\nThe following security bug was fixed :\n\n - CVE-2016-1583: Prevent the usage of mmap when the lower\n file system does not allow it. This could have lead to\n local privilege escalation when ecryptfs-utils was\n installed and /sbin/mount.ecryptfs_private was setuid\n (bsc#983143).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=983143\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1583/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20161596-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2cdc9436\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12 :\n\nzypper in -t patch SUSE-SLE-WE-12-2016-944=1\n\nSUSE Linux Enterprise Software Development Kit 12 :\n\nzypper in -t patch SUSE-SLE-SDK-12-2016-944=1\n\nSUSE Linux Enterprise Server 12 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-2016-944=1\n\nSUSE Linux Enterprise Module for Public Cloud 12 :\n\nzypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2016-944=1\n\nSUSE Linux Enterprise Live Patching 12 :\n\nzypper in -t patch SUSE-SLE-Live-Patching-12-2016-944=1\n\nSUSE Linux Enterprise Desktop 12 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-2016-944=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"kernel-default-man-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-base-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-base-debuginfo-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-debuginfo-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-debugsource-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-default-devel-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"kernel-syms-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-debugsource-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-devel-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-extra-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-syms-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.55-52.45.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"0\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.55-52.45.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T13:24:02", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - sched: panic on corrupted stack end (Jann Horn) [Orabug:\n 24971921] (CVE-2016-1583)\n\n - ecryptfs: forbid opening files without mmap handler\n (Jann Horn) [Orabug: 24971921] (CVE-2016-1583)\n\n - proc: prevent stacking filesystems on top (Jann Horn)\n [Orabug: 24971921] (CVE-2016-1583)", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-04T00:00:00", "title": "OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0154)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583"], "modified": "2016-11-04T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.4", "p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": "ORACLEVM_OVMSA-2016-0154.NASL", "href": "https://www.tenable.com/plugins/nessus/94534", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2016-0154.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94534);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-1583\");\n\n script_name(english:\"OracleVM 3.4 : Unbreakable / etc (OVMSA-2016-0154)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - sched: panic on corrupted stack end (Jann Horn) [Orabug:\n 24971921] (CVE-2016-1583)\n\n - ecryptfs: forbid opening files without mmap handler\n (Jann Horn) [Orabug: 24971921] (CVE-2016-1583)\n\n - proc: prevent stacking filesystems on top (Jann Horn)\n [Orabug: 24971921] (CVE-2016-1583)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2016-November/000576.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a8380846\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-4.1.12-61.1.17.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-firmware-4.1.12-61.1.17.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T06:43:44", "description": "Jann Horn discovered that eCryptfs improperly attempted to use the\nmmap() handler of a lower filesystem that did not implement one,\ncausing a recursive page fault to occur. A local unprivileged attacker\ncould use to cause a denial of service (system crash) or possibly\nexecute arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-06-10T00:00:00", "title": "Ubuntu 14.04 LTS : linux vulnerability (USN-2999-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1583"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "UBUNTU_USN-2999-1.NASL", "href": "https://www.tenable.com/plugins/nessus/91561", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2999-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91561);\n script_version(\"2.10\");\n script_cvs_date(\"Date: 2019/09/18 12:31:45\");\n\n script_cve_id(\"CVE-2016-1583\");\n script_xref(name:\"USN\", value:\"2999-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS : linux vulnerability (USN-2999-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jann Horn discovered that eCryptfs improperly attempted to use the\nmmap() handler of a lower filesystem that did not implement one,\ncausing a recursive page fault to occur. A local unprivileged attacker\ncould use to cause a denial of service (system crash) or possibly\nexecute arbitrary code with administrative privileges.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2999-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected linux-image-3.13-generic,\nlinux-image-3.13-generic-lpae and / or linux-image-3.13-lowlatency\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-1583\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-2999-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-88-generic\", pkgver:\"3.13.0-88.135\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-88-generic-lpae\", pkgver:\"3.13.0-88.135\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"linux-image-3.13.0-88-lowlatency\", pkgver:\"3.13.0-88.135\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:21", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583", "CVE-2016-5195", "CVE-2016-2143"], "description": "[2.6.32-642.11.1]\n- [mm] close FOLL MAP_PRIVATE race (Larry Woodman) [1385116 1385117] {CVE-2016-5195}\n[2.6.32-642.10.1]\n- [scsi] fnic: Fix to cleanup aborted IO to avoid device being offlined by mid-layer (Maurizio Lombardi) [1382620 1341298]\n[2.6.32-642.9.1]\n- [net] vlan: Fix FCOE_MTU support (Maurizio Lombardi) [1381592 1367250]\n- [s390] mm: fix asce_bits handling with dynamic pagetable levels (Steve Best) [1377472 1341758]\n- [powerpc] eeh: Block PCI configuration space access during EEH (Gustavo Duarte) [1379596 1216944]\n- [fs] ecryptfs: prevent mounts backed by procfs (Mateusz Guzik) [1347101 1347102] {CVE-2016-1583}\n- [s390] mm: four page table levels vs. fork (Hendrik Brueckner) [1341546 1316461] {CVE-2016-2143}\n[2.6.32-642.8.1]\n- [fs] lockd: unregister notifier blocks if the service fails to come up completely (Scott Mayhew) [1375637 1346317]\n[2.6.32-642.7.1]\n- [net] netfilter: ip(6)t_REJECT: fix wrong transport header pointer in TCP reset (William Townsend) [1372266 1343816]", "edition": 4, "modified": "2016-11-15T00:00:00", "published": "2016-11-15T00:00:00", "id": "ELSA-2016-2766", "href": "http://linux.oracle.com/errata/ELSA-2016-2766.html", "title": "kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:19", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583"], "description": "kernel-uek\n[3.8.13-118.14.1]\n- ecryptfs: forbid opening files without mmap handler (Jann Horn) [Orabug: 24971919] {CVE-2016-1583}\n- RDS: IB: fix panic with handlers running post teardown (Santosh Shilimkar) [Orabug: 24395795] ", "edition": 4, "modified": "2016-11-03T00:00:00", "published": "2016-11-03T00:00:00", "id": "ELSA-2016-3636", "href": "http://linux.oracle.com/errata/ELSA-2016-3636.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:37", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583"], "description": "kernel-uek\n[4.1.12-61.1.17]\n- sched: panic on corrupted stack end (Jann Horn) [Orabug: 24971921] {CVE-2016-1583}\n- ecryptfs: forbid opening files without mmap handler (Jann Horn) [Orabug: 24971921] {CVE-2016-1583}\n- proc: prevent stacking filesystems on top (Jann Horn) [Orabug: 24971921] {CVE-2016-1583}", "edition": 4, "modified": "2016-11-03T00:00:00", "published": "2016-11-03T00:00:00", "id": "ELSA-2016-3635", "href": "http://linux.oracle.com/errata/ELSA-2016-3635.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:32", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583", "CVE-2016-5195"], "description": "kernel\n[2.6.18-416]\n- [mm] Fix Privilege escalation via MAP_PRIVATE (Larry Woodman) [1385112] {CVE-2016-5195}\n[2.6.18-415]\n- [fs] gfs2: Initialize atime of I_NEW inodes (Andreas Grunbacher) [1374861]\n- [fs] gfs2: Update file times after grabbing glock (Andreas Grunbacher) [1374861]\n- Revert: [fs] gfs2: Only refresh newer in-memory timestamps (Andreas Grunbacher) [1374861]\n[2.6.18-414]\n- [redhat] Fix missed -413 kernel version (Alexander Gordeev)\n[2.6.18-413]\n- [redhat] Disable 'Invalid version (double separator '-')' error (Alexander Gordeev) [1375746]\n- [fs] jbd: Fix oops in journal_remove_journal_head() (Lukas Czerner) [1067708]\n- [fs] jbd: Fix race between CP and journal_get_write_access() (Lukas Czerner) [1067708]\n- [fs] ecryptfs: prevent mounts backed by procfs (Mateusz Guzik) [1347100] {CVE-2016-1583}", "edition": 4, "modified": "2016-10-28T00:00:00", "published": "2016-10-28T00:00:00", "id": "ELSA-2016-2124", "href": "http://linux.oracle.com/errata/ELSA-2016-2124.html", "title": "kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-30T19:27:23", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583", "CVE-2016-5195"], "description": "kernel\n- 2.6.18-416.0.0.0.1\n- [netfront] fix ring buffer index go back led vif stop [orabug 18272251]\n- [net] fix tcp_trim_head() (James Li) [orabug 14512145, 19219078]\n- ocfs2: dlm: fix recovery hung (Junxiao Bi) [orabug 13956772]\n- i386: fix MTRR code (Zhenzhong Duan) [orabug 15862649]\n- [oprofile] x86, mm: Add __get_user_pages_fast() [orabug 14277030]\n- [oprofile] export __get_user_pages_fast() function [orabug 14277030]\n- [oprofile] oprofile, x86: Fix nmi-unsafe callgraph support [orabug 14277030]\n- [oprofile] oprofile: use KM_NMI slot for kmap_atomic [orabug 14277030]\n- [oprofile] oprofile: i386 add get_user_pages_fast support [orabug 14277030]\n- [kernel] Initialize the local uninitialized variable stats. [orabug 14051367]\n- [fs] JBD:make jbd support 512B blocks correctly for ocfs2. [orabug 13477763]\n- [mm] fix hugetlb page leak (Dave McCracken) [orabug 12375075]\n- fix ia64 build error due to add-support-above-32-vcpus.patch(Zhenzhong Duan)\n- [x86] use dynamic vcpu_info remap to support more than 32 vcpus (Zhenzhong Duan)\n- [x86] Fix lvt0 reset when hvm boot up with noapic param\n- [scsi] remove printk's when doing I/O to a dead device (John Sobecki, Chris Mason)\n [orabug 12342275]\n- [char] ipmi: Fix IPMI errors due to timing problems (Joe Jin) [orabug 12561346]\n- [scsi] Fix race when removing SCSI devices (Joe Jin) [orabug 12404566]\n- [net] net: Redo the broken redhat netconsole over bonding (Tina Yang) [orabug 12740042]\n- [fs] nfs: Fix __put_nfs_open_context() NULL pointer panic (Joe Jin) [orabug 12687646]\n- fix filp_close() race (Joe Jin) [orabug 10335998]\n- make xenkbd.abs_pointer=1 by default [orabug 67188919]\n- [xen] check to see if hypervisor supports memory reservation change\n (Chuck Anderson) [orabug 7556514]\n- [net] Enable entropy for bnx2,bnx2x,e1000e,igb,ixgb,ixgbe,ixgbevf (John Sobecki)\n [orabug 10315433]\n- [NET] Add xen pv netconsole support (Tina Yang) [orabug 6993043] [bz 7258]\n- [mm] Patch shrink_zone to yield during severe mempressure events, avoiding\n hangs and evictions (John Sobecki,Chris Mason) [orabug 6086839]\n- [mm] Enhance shrink_zone patch allow full swap utilization, and also be\n NUMA-aware (John Sobecki,Chris Mason,Herbert van den Bergh) [orabug 9245919]\n- fix aacraid not to reset during kexec (Joe Jin) [orabug 8516042]\n- [xen] PVHVM guest with PoD crashes under memory pressure (Chuck Anderson)\n [orabug 9107465]\n- [xen] PV guest with FC HBA hangs during shutdown (Chuck Anderson)\n [orabug 9764220]\n- Support 256GB+ memory for pv guest (Mukesh Rathor) [orabug 9450615]\n- fix overcommit memory to use percpu_counter for (KOSAKI Motohiro,\n Guru Anbalagane) [orabug 6124033]\n- [ipmi] make configurable timeouts for kcs of ipmi [orabug 9752208]\n- [ib] fix memory corruption (Andy Grover) [orabug 9972346]\n- [usb] USB: fix __must_check warnings in drivers/usb/core/ (Junxiao Bi) [orabug 14795203]", "edition": 6, "modified": "2016-10-28T00:00:00", "published": "2016-10-28T00:00:00", "id": "ELSA-2016-2124-1", "href": "http://linux.oracle.com/errata/ELSA-2016-2124-1.html", "title": "kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:20", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8660", "CVE-2016-2143", "CVE-2016-4470", "CVE-2016-4565"], "description": "[3.10.0-327.28.2.OL7]\n- Oracle Linux certificates (Alexey Petrenko)\n[3.10.0-327.28.2]\n- [net] bridge: include in6.h in if_bridge.h for struct in6_addr (Jiri Benc) [1331285 1268057]\n- [net] inet: defines IPPROTO_* needed for module alias generation (Jiri Benc) [1331285 1268057]\n- [net] sync some IP headers with glibc (Jiri Benc) [1331285 1268057]\n[3.10.0-327.28.1]\n- [netdrv] e1000: Double Tx descriptors needed check for 82544 (Jarod Wilson) [1349448 1274170]\n- [netdrv] e1000: Do not overestimate descriptor counts in Tx pre-check (Jarod Wilson) [1349448 1274170]\n- [scsi] 3w-9xxx: version string touch (Tomas Henzl) [1348833 1322447]\n- [scsi] 3w-9xxx: don't unmap bounce buffered commands (Tomas Henzl) [1348833 1322447]\n- [scsi] 3w-9xxx: fix command completion race (Tomas Henzl) [1348833 1322447]\n- [fs] gfs2: don't set rgrp gl_object until it's inserted into rgrp tree (Robert S Peterson) [1348829 1344363]\n- [fs] fanotify: fix notification of groups with inode & mount marks (Miklos Szeredi) [1348828 1308393]\n- [fs] ovl: fix permission checking for setattr (Vivek Goyal) [1293980 1293981]\n- [security] keys: potential uninitialized variable (David Howells) [1345935 1341352] {CVE-2016-4470}\n- [tty] Invert tty_lock/ldisc_sem lock order (Herton R. Krzesinski) [1336823 1327403]\n- [tty] Don't hold tty_lock for ldisc release (Herton R. Krzesinski) [1336823 1327403]\n- [tty] Reset hupped state on open (Herton R. Krzesinski) [1336823 1327403]\n- [tty] Fix hangup race with TIOCSETD ioctl (Herton R. Krzesinski) [1336823 1327403]\n- [tty] Clarify ldisc variable (Herton R. Krzesinski) [1336823 1327403]\n- [infiniband] security: Restrict use of the write() interface (Don Dutile) [1332553 1316685] {CVE-2016-4565}\n[3.10.0-327.27.1]\n- [md] raid5: check_reshape() shouldn't call mddev_suspend (Jes Sorensen) [1344313 1312828]\n- [net] sctp: Potentially-Failed state should not be reached from unconfirmed state (Xin Long) [1347809 1333696]\n- [net] sctp: fix the transports round robin issue when init is retransmitted (Xin Long) [1347809 1333696]\n- [net] sctp: fix suboptimal edge-case on non-active active/retrans path selection (Xin Long) [1347809 1333696]\n- [net] sctp: spare unnecessary comparison in sctp_trans_elect_best (Xin Long) [1347809 1333696]\n- [net] sctp: improve sctp_select_active_and_retran_path selection (Xin Long) [1347809 1333696]\n- [net] sctp: migrate most recently used transport to ktime (Xin Long) [1347809 1333696]\n- [net] sctp: refactor active path selection (Xin Long) [1347809 1333696]\n- [net] sctp: remove NULL check in sctp_assoc_update_retran_path (Xin Long) [1347809 1333696]\n- [net] sctp: rework multihoming retransmission path selection to rfc4960 (Xin Long) [1347809 1333696]\n- [net] sctp: retran_path not set properly after transports recovering (Xin Long) [1347809 1333696]\n- [mm] memcg: fix endless loop caused by mem_cgroup_iter (Herton R. Krzesinski) [1344750 1297381]\n- [scsi] qla2xxx: Set relogin flag when we fail to queue login requests (Chad Dupuis) [1347344 1273080]\n- [x86] perf/x86/intel/uncore: Add Broadwell-EP uncore support (Jiri Olsa) [1347374 1259976]\n- [x86] perf/x86/intel/uncore: Add Broadwell-DE uncore support (Jiri Olsa) [1348063 1306834]\n- [lib] rhashtable: Do hashing inside of rhashtable_lookup_compare() (Phil Sutter) [1343639 1238749]\n- [s390] mm: four page table levels vs. fork (Hendrik Brueckner) [1341547 1308879] {CVE-2016-2143}\n- [firmware] dmi_scan: Fix UUID endianness for SMBIOS >= 2.6 (Prarit Bhargava) [1340118 1294461]\n- [misc] cxl: Export AFU error buffer via sysfs (Gustavo Duarte) [1343537 1275968]\n- [misc] cxl: Poll for outstanding IRQs when detaching a context (Alexander Gordeev) [1338886 1332487]\n- [misc] cxl: Keep IRQ mappings on context teardown (Alexander Gordeev) [1338886 1332487]\n- [netdrv] mlx4_en: Fix endianness bug in IPV6 csum calculation (kamal heib) [1337431 1325358]\n- [acpi] srat: fix SRAT parsing order with both LAPIC and X2APIC present (Prarit Bhargava) [1336821 1331394]\n[3.10.0-327.26.1]\n- [block] blk-mq: fix race between timeout and freeing request (David Milburn) [1347743 1288601]\n- [x86] nmi: Fix use of unallocated cpumask_var_t (Jerry Snitselaar) [1346176 1069217]\n- [x86] nmi: Perform a safe NMI stack trace on all CPUs (Jerry Snitselaar) [1346176 1069217]\n- [kernel] printk: Add per_cpu printk func to allow printk to be diverted (Jerry Snitselaar) [1346176 1069217]\n- [lib] seq: Add minimal support for seq_buf (Jerry Snitselaar) [1346176 1069217]\n- [fs] ovl: use a minimal buffer in ovl_copy_xattr (Vivek Goyal) [1347235 1306358]\n- [fs] ovl: allow zero size xattr (Vivek Goyal) [1347235 1306358]\n[3.10.0-327.25.1]\n- [fs] xfs: fix broken multi-fsb buffer logging (Brian Foster) [1344234 1334671]\n[3.10.0-327.24.1]\n- [net] udp: properly support MSG_PEEK with truncated buffers (Sabrina Dubroca) [1339115 1294384]\n[3.10.0-327.23.1]\n- [net] af_unix: Guard against other == sk in unix_dgram_sendmsg (Jakub Sitnicki) [1337513 1285792]\n- [net] unix: avoid use-after-free in ep_remove_wait_queue (Paolo Abeni) [1337513 1285792]", "edition": 4, "modified": "2016-08-02T00:00:00", "published": "2016-08-02T00:00:00", "id": "ELSA-2016-1539", "href": "http://linux.oracle.com/errata/ELSA-2016-1539.html", "title": "kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:20", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3139", "CVE-2019-11190", "CVE-2016-1583", "CVE-2017-13305", "CVE-2017-16650", "CVE-2018-19985"], "description": "kernel-uek\n[3.8.13-118.34.1]\n- Input: wacom - move the USB (now hid) Wacom driver in drivers/hid (Benjamin Tissoires) [Orabug: 25512494] {CVE-2016-3139}\n- net: qmi_wwan: fix divide by 0 on bad descriptors (Bjorn Mork) [Orabug: 27215229] {CVE-2017-16650}\n- USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (Hui Peng) [Orabug: 29605987] {CVE-2018-19985} {CVE-2018-19985}\n- KEYS: encrypted: fix buffer overread in valid_master_desc() (Eric Biggers) [Orabug: 29605993] {CVE-2017-13305}\n- ecryptfs: don't allow mmap when the lower fs doesn't support it (Jeff Mahoney) [Orabug: 29666607] {CVE-2016-1583} {CVE-2016-1583}\n- Revert 'ecryptfs: forbid opening files without mmap handler' (Brian Maly) [Orabug: 29666607] {CVE-2016-1583}\n- binfmt_elf: switch to new creds when switching to new mm (Linus Torvalds) [Orabug: 29677234] {CVE-2019-11190}", "edition": 3, "modified": "2019-05-16T00:00:00", "published": "2019-05-16T00:00:00", "id": "ELSA-2019-4644", "href": "http://linux.oracle.com/errata/ELSA-2019-4644.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:03", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6480", "CVE-2016-3070", "CVE-2016-1583", "CVE-2016-6136", "CVE-2016-4569", "CVE-2015-8956", "CVE-2016-4578"], "description": "[2.6.39-400.290.2]\n- aacraid: Check size values after double-fetch from user (Dave Carroll) [Orabug: 25060055] {CVE-2016-6480} {CVE-2016-6480}\n- audit: fix a double fetch in audit_log_single_execve_arg() (Paul Moore) [Orabug: 25059962] {CVE-2016-6136}\n- ecryptfs: don't allow mmap when the lower fs doesn't support it (Jeff Mahoney) [Orabug: 24971918] {CVE-2016-1583} {CVE-2016-1583}\n- ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt (Kangjie Lu) [Orabug: 25059900] {CVE-2016-4578}\n- ALSA: timer: Fix leak in events via snd_timer_user_ccallback (Kangjie Lu) [Orabug: 25059900] {CVE-2016-4578}\n- ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (Kangjie Lu) [Orabug: 25059755] {CVE-2016-4569}\n- Bluetooth: Fix potential NULL dereference in RFCOMM bind callback (Jaganath Kanakkassery) [Orabug: 25058905] {CVE-2015-8956}\n- mm: migrate dirty page without clear_page_dirty_for_io etc (Hugh Dickins) [Orabug: 25059195] {CVE-2016-3070}", "edition": 4, "modified": "2016-11-20T00:00:00", "published": "2016-11-20T00:00:00", "id": "ELSA-2016-3646", "href": "http://linux.oracle.com/errata/ELSA-2016-3646.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:48", "bulletinFamily": "unix", "cvelist": ["CVE-2016-4794", "CVE-2016-6480", "CVE-2016-3070", "CVE-2016-2053", "CVE-2016-1583", "CVE-2016-6136", "CVE-2016-4569", "CVE-2016-3699", "CVE-2015-8956", "CVE-2016-4578"], "description": "kernel-uek\n[4.1.12-61.1.19]\n- acpi: Disable ACPI table override if securelevel is set (Linn Crosetto) [Orabug: 25058966] {CVE-2016-3699}\n- aacraid: Check size values after double-fetch from user (Dave Carroll) [Orabug: 25060060] {CVE-2016-6480} {CVE-2016-6480}\n- audit: fix a double fetch in audit_log_single_execve_arg() (Paul Moore) [Orabug: 25059969] {CVE-2016-6136}\n- ecryptfs: don't allow mmap when the lower fs doesn't support it (Jeff Mahoney) [Orabug: 25023269] {CVE-2016-1583} {CVE-2016-1583}\n- Revert 'ecryptfs: forbid opening files without mmap handler' (Chuck Anderson) [Orabug: 24971921] {CVE-2016-1583}\n- percpu: fix synchronization between synchronous map extension and chunk destruction (Tejun Heo) [Orabug: 25060084] {CVE-2016-4794}\n- percpu: fix synchronization between chunk->map_extend_work and chunk destruction (Tejun Heo) [Orabug: 25060084] {CVE-2016-4794}\n- ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt (Kangjie Lu) [Orabug: 25059898] {CVE-2016-4578}\n- ALSA: timer: Fix leak in events via snd_timer_user_ccallback (Kangjie Lu) [Orabug: 25059898] {CVE-2016-4578}\n- ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS (Kangjie Lu) [Orabug: 25059752] {CVE-2016-4569}\n- Bluetooth: Fix potential NULL dereference in RFCOMM bind callback (Jaganath Kanakkassery) [Orabug: 25058894] {CVE-2015-8956}\n- ASN.1: Fix non-match detection failure on data overrun (David Howells) [Orabug: 25059037] {CVE-2016-2053}\n- mm: migrate dirty page without clear_page_dirty_for_io etc (Hugh Dickins) [Orabug: 25059188] {CVE-2016-3070}\n[4.1.12-61.1.18]\n- uek-rpm ol7: change uek-rpm/ol7/update-el release value from 7.1 to 7.3 (Chuck Anderson) [Orabug: 25050614]", "edition": 4, "modified": "2016-11-20T00:00:00", "published": "2016-11-20T00:00:00", "id": "ELSA-2016-3644", "href": "http://linux.oracle.com/errata/ELSA-2016-3644.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:18:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583"], "description": "The SUSE Linux Enterprise 12 GA kernel was updated to fix one security\n issue.\n\n The following security bug was fixed:\n - CVE-2016-1583: Prevent the usage of mmap when the lower file system does\n not allow it. This could have lead to local privilege escalation when\n ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid\n (bsc#983143).\n\n", "edition": 1, "modified": "2016-06-16T15:07:58", "published": "2016-06-16T15:07:58", "id": "SUSE-SU-2016:1596-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00027.html", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:13:42", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2053", "CVE-2016-1583", "CVE-2016-0758", "CVE-2013-7446", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-3134"], "description": "This update for the Linux Kernel 3.12.57-60_35 fixes the several issues.\n\n These security issues were fixed:\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bsc#984764).\n - CVE-2016-1583: The ecryptfs_privileged_open function in\n fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (stack memory consumption) via\n vectors involving crafted mmap calls for /proc pathnames, leading to\n recursive pagefault handling (bsc#983144).\n - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel\n incorrectly relied on the write system call, which allowed local users\n to cause a denial of service (kernel memory write operation) or possibly\n have unspecified other impact via a uAPI interface (bsc#980883).\n - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux\n kernel allowed local users to gain privileges via crafted ASN.1 data\n (bsc#980856).\n - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in\n the Linux kernel allowed attackers to cause a denial of service (panic)\n via an ASN.1 BER file that lacks a public key, leading to mishandling by\n the public_key_verify_signature function in\n crypto/asymmetric_keys/public_key.c (bsc#979074).\n - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not\n validate certain offset fields, which allowed local users to gain\n privileges or cause a denial of service (heap memory corruption) via an\n IPT_SO_SET_REPLACE setsockopt call (bsc#971793).\n\n", "edition": 1, "modified": "2016-08-09T17:18:31", "published": "2016-08-09T17:18:31", "id": "SUSE-SU-2016:2000-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00014.html", "type": "suse", "title": "Security update for Linux Kernel Live Patch 4 for SLE 12 SP1 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:02:17", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2053", "CVE-2016-1583", "CVE-2016-0758", "CVE-2015-8816", "CVE-2013-7446", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-3134"], "description": "This update for the Linux Kernel 3.12.51-52_34 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bsc#984764).\n - CVE-2016-1583: The ecryptfs_privileged_open function in\n fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (stack memory consumption) via\n vectors involving crafted mmap calls for /proc pathnames, leading to\n recursive pagefault handling (bsc#983144).\n - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel\n incorrectly relied on the write system call, which allowed local users\n to cause a denial of service (kernel memory write operation) or possibly\n have unspecified other impact via a uAPI interface (bsc#980883).\n - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux\n kernel allowed local users to gain privileges via crafted ASN.1 data\n (bsc#980856).\n - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in\n the Linux kernel allowed attackers to cause a denial of service (panic)\n via an ASN.1 BER file that lacks a public key, leading to mishandling by\n the public_key_verify_signature function in\n crypto/asymmetric_keys/public_key.c (bsc#979074).\n - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in\n the Linux kernel did not properly maintain a hub-interface data\n structure, which allowed physically proximate attackers to cause a\n denial of service (invalid memory access and system crash) or possibly\n have unspecified other impact by unplugging a USB hub device\n (bsc#979064).\n - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not\n validate certain offset fields, which allowed local users to gain\n privileges or cause a denial of service (heap memory corruption) via an\n IPT_SO_SET_REPLACE setsockopt call (bsc#971793).\n - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the\n Linux kernel allowed local users to bypass intended AF_UNIX socket\n permissions or cause a denial of service (panic) via crafted epoll_ctl\n calls (bsc#973570, bsc#955837).\n\n", "edition": 1, "modified": "2016-08-09T17:20:56", "published": "2016-08-09T17:20:56", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00016.html", "id": "SUSE-SU-2016:2002-1", "title": "Security update for Linux Kernel Live Patch 10 for SLE 12 (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:56:25", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2053", "CVE-2016-1583", "CVE-2016-0758", "CVE-2015-8816", "CVE-2013-7446", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-3134"], "description": "This update for the Linux Kernel 3.12.53-60_30 fixes the several issues.\n\n These security issues were fixed:\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bsc#984764).\n - CVE-2016-1583: The ecryptfs_privileged_open function in\n fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (stack memory consumption) via\n vectors involving crafted mmap calls for /proc pathnames, leading to\n recursive pagefault handling (bsc#983144).\n - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel\n incorrectly relied on the write system call, which allowed local users\n to cause a denial of service (kernel memory write operation) or possibly\n have unspecified other impact via a uAPI interface (bsc#980883).\n - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux\n kernel allowed local users to gain privileges via crafted ASN.1 data\n (bsc#980856).\n - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in\n the Linux kernel allowed attackers to cause a denial of service (panic)\n via an ASN.1 BER file that lacks a public key, leading to mishandling by\n the public_key_verify_signature function in\n crypto/asymmetric_keys/public_key.c (bsc#979074).\n - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in\n the Linux kernel did not properly maintain a hub-interface data\n structure, which allowed physically proximate attackers to cause a\n denial of service (invalid memory access and system crash) or possibly\n have unspecified other impact by unplugging a USB hub device\n (bsc#979064).\n - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not\n validate certain offset fields, which allowed local users to gain\n privileges or cause a denial of service (heap memory corruption) via an\n IPT_SO_SET_REPLACE setsockopt call (bsc#971793).\n\n This non-security issue was fixed:\n - bsc#973570: The fix for CVE-2013-7446 introduced a bug that could have\n possibly lead to a softlockup.\n\n", "edition": 1, "modified": "2016-08-09T17:26:55", "published": "2016-08-09T17:26:55", "id": "SUSE-SU-2016:2007-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00020.html", "type": "suse", "title": "Security update for Linux Kernel Live Patch 3 for SLE 12 SP1 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:57:02", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2053", "CVE-2016-1583", "CVE-2016-0758", "CVE-2015-8816", "CVE-2013-7446", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-3134"], "description": "This update for the Linux Kernel 3.12.55-52_42 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bsc#984764).\n - CVE-2016-1583: The ecryptfs_privileged_open function in\n fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (stack memory consumption) via\n vectors involving crafted mmap calls for /proc pathnames, leading to\n recursive pagefault handling (bsc#983144).\n - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel\n incorrectly relied on the write system call, which allowed local users\n to cause a denial of service (kernel memory write operation) or possibly\n have unspecified other impact via a uAPI interface (bsc#980883).\n - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux\n kernel allowed local users to gain privileges via crafted ASN.1 data\n (bsc#980856).\n - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in\n the Linux kernel allowed attackers to cause a denial of service (panic)\n via an ASN.1 BER file that lacks a public key, leading to mishandling by\n the public_key_verify_signature function in\n crypto/asymmetric_keys/public_key.c (bsc#979074).\n - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in\n the Linux kernel did not properly maintain a hub-interface data\n structure, which allowed physically proximate attackers to cause a\n denial of service (invalid memory access and system crash) or possibly\n have unspecified other impact by unplugging a USB hub device\n (bsc#979064).\n - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not\n validate certain offset fields, which allowed local users to gain\n privileges or cause a denial of service (heap memory corruption) via an\n IPT_SO_SET_REPLACE setsockopt call (bsc#971793).\n - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the\n Linux kernel allowed local users to bypass intended AF_UNIX socket\n permissions or cause a denial of service (panic) via crafted epoll_ctl\n calls (bsc#973570, bsc#955837).\n\n", "edition": 1, "modified": "2016-08-09T17:25:21", "published": "2016-08-09T17:25:21", "id": "SUSE-SU-2016:2006-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00019.html", "type": "suse", "title": "Security update for Linux Kernel Live Patch 12 for SLE 12 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:31:56", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2053", "CVE-2016-1583", "CVE-2016-0758", "CVE-2015-8816", "CVE-2013-7446", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-3134"], "description": "This update for the Linux Kernel 3.12.51-52_39 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bsc#984764).\n - CVE-2016-1583: The ecryptfs_privileged_open function in\n fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (stack memory consumption) via\n vectors involving crafted mmap calls for /proc pathnames, leading to\n recursive pagefault handling (bsc#983144).\n - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel\n incorrectly relied on the write system call, which allowed local users\n to cause a denial of service (kernel memory write operation) or possibly\n have unspecified other impact via a uAPI interface (bsc#980883).\n - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux\n kernel allowed local users to gain privileges via crafted ASN.1 data\n (bsc#980856).\n - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in\n the Linux kernel allowed attackers to cause a denial of service (panic)\n via an ASN.1 BER file that lacks a public key, leading to mishandling by\n the public_key_verify_signature function in\n crypto/asymmetric_keys/public_key.c (bsc#979074).\n - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in\n the Linux kernel did not properly maintain a hub-interface data\n structure, which allowed physically proximate attackers to cause a\n denial of service (invalid memory access and system crash) or possibly\n have unspecified other impact by unplugging a USB hub device\n (bsc#979064).\n - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not\n validate certain offset fields, which allowed local users to gain\n privileges or cause a denial of service (heap memory corruption) via an\n IPT_SO_SET_REPLACE setsockopt call (bsc#971793).\n - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the\n Linux kernel allowed local users to bypass intended AF_UNIX socket\n permissions or cause a denial of service (panic) via crafted epoll_ctl\n calls (bsc#973570, bsc#955837).\n\n", "edition": 1, "modified": "2016-08-09T17:32:41", "published": "2016-08-09T17:32:41", "id": "SUSE-SU-2016:2010-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00022.html", "type": "suse", "title": "Security update for Linux Kernel Live Patch 11 for SLE 12 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:14:55", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2053", "CVE-2016-1583", "CVE-2016-0758", "CVE-2015-8816", "CVE-2013-7446", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-3134"], "description": "This update for the Linux Kernel 3.12.44-52_18 fixes several issues.\n\n The following security bugs were fixed:\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bsc#984764).\n - CVE-2016-1583: The ecryptfs_privileged_open function in\n fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (stack memory consumption) via\n vectors involving crafted mmap calls for /proc pathnames, leading to\n recursive pagefault handling (bsc#983144).\n - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel\n incorrectly relied on the write system call, which allowed local users\n to cause a denial of service (kernel memory write operation) or possibly\n have unspecified other impact via a uAPI interface (bsc#980883).\n - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux\n kernel allowed local users to gain privileges via crafted ASN.1 data\n (bsc#980856).\n - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in\n the Linux kernel allowed attackers to cause a denial of service (panic)\n via an ASN.1 BER file that lacks a public key, leading to mishandling by\n the public_key_verify_signature function in\n crypto/asymmetric_keys/public_key.c (bsc#979074).\n - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in\n the Linux kernel did not properly maintain a hub-interface data\n structure, which allowed physically proximate attackers to cause a\n denial of service (invalid memory access and system crash) or possibly\n have unspecified other impact by unplugging a USB hub device\n (bsc#979064).\n - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not\n validate certain offset fields, which allowed local users to gain\n privileges or cause a denial of service (heap memory corruption) via an\n IPT_SO_SET_REPLACE setsockopt call (bsc#971793).\n - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the\n Linux kernel allowed local users to bypass intended AF_UNIX socket\n permissions or cause a denial of service (panic) via crafted epoll_ctl\n calls (bsc#973570, bsc#955837).\n\n", "edition": 1, "modified": "2016-08-09T17:38:57", "published": "2016-08-09T17:38:57", "id": "SUSE-SU-2016:2014-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00026.html", "type": "suse", "title": "Security update for Linux Kernel Live Patch 7 for SLE 12 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:37:04", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2384", "CVE-2016-2782", "CVE-2016-3139", "CVE-2016-3156", "CVE-2015-8812", "CVE-2016-2184", "CVE-2016-2143", "CVE-2015-8816", "CVE-2015-8709"], "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.57 to receive\n various security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2015-8812: A flaw was found in the CXGB3 kernel driver when the\n network was considered congested. The kernel would incorrectly\n misinterpret the congestion as an error condition and incorrectly\n free/clean up the skb. When the device would then send the skb's queued,\n these structures would be referenced and may panic the system or allow\n an attacker to escalate privileges in a use-after-free scenario.\n (bsc#966437)\n - CVE-2015-8816: A malicious USB device could cause a kernel crash in the\n USB hub driver. (bnc#968010).\n - CVE-2016-2143: On zSeries a fork of a large process could have caused\n memory corruption due to incorrect page table handling. (bnc#970504)\n - CVE-2016-2184: A malicious USB device could cause a kernel crash in the\n alsa usb-audio driver. (bsc#971125).\n - CVE-2016-2384: A malicious USB device could cause a kernel crash in the\n alsa usb-audio driver. (bsc#966693)\n - CVE-2016-2782: A malicious USB device could cause a kernel crash in the\n usb visor driver. (bnc#968670).\n - CVE-2016-3139: A malicious USB device could cause a kernel crash in the\n wacom driver. (bnc#970909).\n - CVE-2016-3156: Removal of ipv4 interfaces with a large number of IP\n addresses was taking very long. (bsc#971360).\n - CVE-2015-8709: kernel/ptrace.c in the Linux kernel mishandled uid and\n gid mappings, which allowed local users to gain privileges by\n establishing a user namespace, waiting for a root process to enter that\n namespace with an unsafe uid or gid, and then using the ptrace system\n call. NOTE: the vendor states &quot;there is no kernel bug here (bnc#960561).\n\n The following non-security bugs were fixed:\n - aacraid: Refresh patches.drivers/0005-aacraid-MSI-x-support.patch.\n (boo#970249)\n - acpi: processor: Introduce apic_id in struct processor to save parsed\n APIC id (bsc#959463).\n - alsa: rawmidi: Make snd_rawmidi_transmit() race-free (bsc#968018).\n - alsa: seq: Fix leak of pool buffer at concurrent writes (bsc#968018).\n - btrfs: Account data space in more proper timing: (bsc#963193).\n - btrfs: Add handler for invalidate page (bsc#963193).\n - btrfs: check prepare_uptodate_page() error code earlier (bnc#966910).\n - btrfs: delayed_ref: Add new function to record reserved space into\n delayed ref (bsc#963193).\n - btrfs: delayed_ref: release and free qgroup reserved at proper timing\n (bsc#963193).\n - btrfs: extent_io: Introduce needed structure for recoding set/clear bits\n (bsc#963193).\n - btrfs: extent_io: Introduce new function clear_record_extent_bits()\n (bsc#963193).\n - btrfs: extent_io: Introduce new function set_record_extent_bits\n (bsc#963193).\n - btrfs: extent-tree: Add new version of btrfs_check_data_free_space and\n btrfs_free_reserved_data_space (bsc#963193).\n - btrfs: extent-tree: Add new version of\n btrfs_delalloc_reserve/release_space (bsc#963193).\n - btrfs: extent-tree: Switch to new check_data_free_space and\n free_reserved_data_space (bsc#963193).\n - btrfs: extent-tree: Switch to new delalloc space reserve and release\n (bsc#963193).\n - btrfs: fallocate: Added a prerequisite patch and rebased the chunks that\n had previously been taken from it. Fixes a warning we had in\n fs/btrfs/file.c.\n - btrfs: fallocate: Add support to accurate qgroup reserve (bsc#963193).\n - btrfs: fix invalid page accesses in extent_same (dedup) ioctl\n (bnc#968230).\n - btrfs: fix page reading in extent_same ioctl leading to csum errors\n (bnc#968230).\n - btrfs: fix warning in backref walking (bnc#966278).\n - btrfs: qgroup: Add handler for NOCOW and inline (bsc#963193).\n - btrfs: qgroup: Add new trace point for qgroup data reserve (bsc#963193).\n - btrfs: qgroup: Avoid calling btrfs_free_reserved_data_space in\n clear_bit_hook (bsc#963193).\n - btrfs: qgroup: Check if qgroup reserved space leaked (bsc#963193).\n - btrfs: qgroup: Cleanup old inaccurate facilities (bsc#963193).\n - btrfs: qgroup: Fix a race in delayed_ref which leads to abort trans\n (bsc#963193).\n - btrfs: qgroup: Fix a rebase bug which will cause qgroup double free\n (bsc#963193).\n - btrfs: qgroup: Fix dead judgement on qgroup_rescan_leaf() return value\n (bsc#969439).\n - btrfs: qgroup: Introduce btrfs_qgroup_reserve_data function (bsc#963193).\n - btrfs: qgroup: Introduce functions to release/free qgroup reserve data\n space (bsc#963193).\n - btrfs: qgroup: Introduce new functions to reserve/free metadata\n (bsc#963193).\n - btrfs: qgroup: Use new metadata reservation (bsc#963193).\n - dcache: use IS_ROOT to decide where dentry is hashed (bsc#949752).\n - dmapi: fix dm_open_by_handle_rvp taking an extra ref to mnt (bsc#967292).\n - drivers/base/memory.c: fix kernel warning during memory hotplug on ppc64\n (bsc#963827).\n - drivers: hv: Allow for MMIO claims that span ACPI _CRS records\n (bnc#965924).\n - drivers: hv: Define the channel type for Hyper-V PCI Express\n pass-through (bnc#965924).\n - drivers: hv: Export a function that maps Linux CPU num onto Hyper-V proc\n num (bnc#965924).\n - drivers: hv: Export the API to invoke a hypercall on Hyper-V\n (bnc#965924).\n - drivers: hv: kvp: fix IP Failover.\n - drivers: pci:hv: New paravirtual PCI front-end for Hyper-V VMs\n (bnc#965924).\n - drivers: xen-blkfront: only talk_to_blkback() when in\n XenbusStateInitialising (bsc#957986 fate#320625).\n - drivers: xen-blkfront: move talk_to_blkback to a more suitable place\n (bsc#957986 fate#320625).\n - e1000e: Avoid divide by zero error (bsc#968643).\n - e1000e: fix division by zero on jumbo MTUs (bsc#968643).\n - e1000e: Fix tight loop implementation of systime read algorithm\n (bsc#968643).\n - efi: Ignore efivar_validate kabi failures -- it's an EFI internal\n function.\n - fix: print ext4 mountopt data_err=abort correctly (bsc#969735).\n - Fix problem with setting ACL on directories (bsc#867251).\n - fs/proc_namespace.c: simplify testing nsp and nsp-&gt;mnt_ns (bug#963960).\n - futex: Drop refcount if requeue_pi() acquired the rtmutex (bug#960174).\n - hv: Lock access to hyperv_mmio resource tree (bnc#965924).\n - hv: Make a function to free mmio regions through vmbus (bnc#965924).\n - hv: Reverse order of resources in hyperv_mmio (bnc#965924).\n - hv: Track allocations of children of hv_vmbus in private resource tree\n (bnc#965924).\n - hv: Use new vmbus_mmio_free() from client drivers (bnc#965924).\n - hwmon: (coretemp) Increase maximum core to 128 (bsc#970160)\n - ibmvnic: Fix ibmvnic_capability struct (fate#320253).\n - intel_pstate: Use del_timer_sync in intel_pstate_cpu_stop (bsc#967650).\n - ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs\n (bsc#956852).\n - kabi: Preserve checksum of kvm_x86_ops (bsc#969112).\n - kabi: protect struct acpi_processor signature (bsc#959463).\n - kgr: fix reversion of a patch already reverted by a replace_all patch\n (fate#313296).\n - kvm: SVM: add rdmsr support for AMD event registers (bsc#968448).\n - kvm: x86: Check dest_map-&gt;vector to match eoi signals for rtc\n (bsc#966471).\n - kvm: x86: Convert ioapic-&gt;rtc_status.dest_map to a struct (bsc#966471).\n - kvm: x86: store IOAPIC-handled vectors in each VCPU (bsc#966471).\n - kvm: x86: Track irq vectors in ioapic-&gt;rtc_status.dest_map (bsc#966471).\n - libata: Revert &quot;libata: Align ata_device's id on a cacheline&quot;.\n - libceph: fix scatterlist last_piece calculation (bsc#963746).\n - lpfc: Fix kmalloc overflow in LPFC driver at large core count\n (bsc#969690).\n - memcg: do not hang on OOM when killed by userspace OOM access to memory\n reserves (bnc#969571).\n - mld, igmp: Fix reserved tailroom calculation (bsc#956852).\n - namespaces: Re-introduce task_nsproxy() helper (bug#963960).\n - namespaces: Use task_lock and not rcu to protect nsproxy (bug#963960).\n - net: core: Correct an over-stringent device loop detection (bsc#945219).\n - net: irda: Fix use-after-free in irtty_open() (bnc#967903).\n - net: Revert &quot;net/ipv6: add sysctl option accept_ra_min_hop_limit&quot;.\n - nfs4: treat lock owners as opaque values (bnc#968141).\n - nfs: Background flush should not be low priority (bsc#955308).\n - nfsd: fix nfsd_setattr return code for HSM (bsc#969992).\n - nfs: do not use STABLE writes during writeback (bnc#816099).\n - nfs: Fix handling of re-write-before-commit for mmapped NFS pages\n (bsc#964201).\n - nvme: default to 4k device page size (bsc#967047).\n - nvme: special case AEN requests (bsc#965087).\n - pci: Add global pci_lock_rescan_remove() (bnc#965924).\n - pci: allow access to VPD attributes with size 0 (bsc#959146).\n - pciback: Check PF instead of VF for PCI_COMMAND_MEMORY.\n - pciback: Save the number of MSI-X entries to be copied later.\n - pci: Blacklist vpd access for buggy devices (bsc#959146).\n - pci: Determine actual VPD size on first access (bsc#959146).\n - pci: Export symbols required for loadable host driver modules\n (bnc#965924).\n - pci: pciehp: Disable link notification across slot reset (bsc#967651).\n - pci: pciehp: Do not check adapter or latch status while disabling\n (bsc#967651).\n - pci: pciehp: Do not disable the link permanently during removal\n (bsc#967651).\n - pci: pciehp: Ensure very fast hotplug events are also processed\n (bsc#967651).\n - pci: Update VPD definitions (bsc#959146).\n - perf, nmi: Fix unknown NMI warning (bsc#968512).\n - proc: Fix ptrace-based permission checks for accessing task maps.\n - pv6: Revert &quot;ipv6: tcp: add rcu locking in tcp_v6_send_synack()&quot;\n (bnc#961257).\n - qla2xxx: Remove unavailable firmware files (bsc#943645).\n - rbd: do not log miscompare as an error (bsc#970062).\n - resources: Set type in __request_region() (bnc#965924).\n - rpm/kernel-binary.spec.in: Sync the main and -base package dependencies\n (bsc#965830#c51).\n - rpm/kernel-module-subpackage: Fix obsoleting dropped flavors (bsc#968253)\n - scsi_dh_alua: Do not block request queue if workqueue is active\n (bsc#960458).\n - scsi: fix soft lockup in scsi_remove_target() on module removal\n (bsc#965199).\n - scsi: proper state checking and module refcount handling in\n scsi_device_get (boo#966831).\n - series.conf: add section comments\n - supported.conf: Add e1000e (emulated by VMware) to -base (bsc#968074)\n - supported.conf: Add Hyper-V modules to -base (bsc#965830)\n - supported.conf: Add isofs to -base (bsc#969655).\n - supported.conf: Add more qemu device driver (bsc#968234)\n - supported.conf: Add mptspi and mptsas to -base (bsc#968206)\n - supported.conf: Add the qemu scsi driver (sym53c8xx) to -base\n (bsc#967802)\n - supported.conf: Add tulip to -base for Hyper-V (bsc#968234)\n - supported.conf: Add virtio-rng (bsc#966026)\n - supported.conf: Add xen-blkfront.\n - supported.conf: Add xfs to -base (bsc#965891)\n - supported.conf: Fix usb-common path usb-common moved to its own\n subdirectory in kernel v3.16, and we backported that change to SLE12.\n - tcp: Restore RFC5961-compliant behavior for SYN packets (bsc#966864).\n - usb: Quiet down false peer failure messages (bnc#960629).\n - x86: export x86_msi (bnc#965924).\n - xen: Add /etc/modprobe.d/50-xen.conf selecting Xen frontend driver\n implementation (bsc#957986, bsc#956084, bsc#961658).\n - xen-blkfront: allow building in our Xen environment (bsc#957986\n fate#320625).\n - xen, blkfront: factor out flush-related checks from do_blkif_request()\n (bsc#957986 fate#320625).\n - xen-blkfront: fix accounting of reqs when migrating (bsc#957986\n fate#320625).\n - xen/blkfront: Fix crash if backend does not follow the right states\n (bsc#957986 fate#320625).\n - xen-blkfront: improve aproximation of required grants per request\n (bsc#957986 fate#320625).\n - xen/blkfront: improve protection against issuing unsupported REQ_FUA\n (bsc#957986 fate#320625).\n - xen/blkfront: remove redundant flush_op (bsc#957986 fate#320625).\n - xen-blkfront: remove type check from blkfront_setup_discard (bsc#957986\n fate#320625).\n - xen-blkfront: Silence pfn maybe-uninitialized warning (bsc#957986\n fate#320625).\n - xen: block: xen-blkfront: Fix possible NULL ptr dereference (bsc#957986\n fate#320625).\n - xen: Refresh patches.xen/xen3-patch-2.6.33 (detect NX support early).\n - xen: Refresh patches.xen/xen-vscsi-large-requests (gsc#966094).\n - xen: Update Xen config files (enable upstream block frontend).\n - xen: Update Xen patches to 3.12.55.\n - xen-vscsi-large-requests: Fix resource collision for racing request maps\n and unmaps (bsc#966094).\n - xfs/dmapi: drop lock over synchronous XFS_SEND_DATA events (bsc#969993).\n - xfs/dmapi: propertly send postcreate event (bsc#967299).\n\n", "edition": 1, "modified": "2016-04-12T21:09:08", "published": "2016-04-12T21:09:08", "id": "SUSE-SU-2016:1019-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00019.html", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:10:59", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2053", "CVE-2016-1583", "CVE-2016-0758", "CVE-2015-8019", "CVE-2015-8816", "CVE-2013-7446", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-3134"], "description": "This update for the Linux Kernel 3.12.51-60_25 fixes the several issues.\n\n These security issues were fixed:\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bsc#984764).\n - CVE-2016-1583: The ecryptfs_privileged_open function in\n fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (stack memory consumption) via\n vectors involving crafted mmap calls for /proc pathnames, leading to\n recursive pagefault handling (bsc#983144).\n - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel\n incorrectly relied on the write system call, which allowed local users\n to cause a denial of service (kernel memory write operation) or possibly\n have unspecified other impact via a uAPI interface (bsc#980883).\n - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux\n kernel allowed local users to gain privileges via crafted ASN.1 data\n (bsc#980856).\n - CVE-2015-8019: The skb_copy_and_csum_datagram_iovec function in\n net/core/datagram.c in the Linux kernel did not accept a length\n argument, which allowed local users to cause a denial of service (memory\n corruption) or possibly have unspecified other impact via a write system\n call followed by a recvmsg system call (bsc#979078).\n - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in\n the Linux kernel allowed attackers to cause a denial of service (panic)\n via an ASN.1 BER file that lacks a public key, leading to mishandling by\n the public_key_verify_signature function in\n crypto/asymmetric_keys/public_key.c (bsc#979074).\n - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in\n the Linux kernel did not properly maintain a hub-interface data\n structure, which allowed physically proximate attackers to cause a\n denial of service (invalid memory access and system crash) or possibly\n have unspecified other impact by unplugging a USB hub device\n (bsc#979064).\n - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not\n validate certain offset fields, which allowed local users to gain\n privileges or cause a denial of service (heap memory corruption) via an\n IPT_SO_SET_REPLACE setsockopt call (bsc#971793).\n\n This non-security issue was fixed:\n - bsc#973570: The fix for CVE-2013-7446 introduced a bug that could have\n possibly lead to a softlockup.\n\n", "edition": 1, "modified": "2016-08-09T17:31:09", "published": "2016-08-09T17:31:09", "id": "SUSE-SU-2016:2009-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00021.html", "type": "suse", "title": "Security update for Linux Kernel Live Patch 2 for SLE 12 SP1 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:50:35", "bulletinFamily": "unix", "cvelist": ["CVE-2016-2053", "CVE-2016-1583", "CVE-2016-0758", "CVE-2015-8019", "CVE-2015-8816", "CVE-2013-7446", "CVE-2016-4470", "CVE-2016-4565", "CVE-2016-3134"], "edition": 1, "description": "This update for the Linux Kernel 3.12.51-60_20 fixes the several issues.\n\n These security issues were fixed:\n - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c\n in the Linux kernel did not ensure that a certain data structure is\n initialized, which allowed local users to cause a denial of service\n (system crash) via vectors involving a crafted keyctl request2 command\n (bsc#984764).\n - CVE-2016-1583: The ecryptfs_privileged_open function in\n fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (stack memory consumption) via\n vectors involving crafted mmap calls for /proc pathnames, leading to\n recursive pagefault handling (bsc#983144).\n - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel\n incorrectly relied on the write system call, which allowed local users\n to cause a denial of service (kernel memory write operation) or possibly\n have unspecified other impact via a uAPI interface (bsc#980883).\n - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux\n kernel allowed local users to gain privileges via crafted ASN.1 data\n (bsc#980856).\n - CVE-2015-8019: The skb_copy_and_csum_datagram_iovec function in\n net/core/datagram.c in the Linux kernel did not accept a length\n argument, which allowed local users to cause a denial of service (memory\n corruption) or possibly have unspecified other impact via a write system\n call followed by a recvmsg system call (bsc#979078).\n - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in\n the Linux kernel allowed attackers to cause a denial of service (panic)\n via an ASN.1 BER file that lacks a public key, leading to mishandling by\n the public_key_verify_signature function in\n crypto/asymmetric_keys/public_key.c (bsc#979074).\n - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in\n the Linux kernel did not properly maintain a hub-interface data\n structure, which allowed physically proximate attackers to cause a\n denial of service (invalid memory access and system crash) or possibly\n have unspecified other impact by unplugging a USB hub device\n (bsc#979064).\n - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not\n validate certain offset fields, which allowed local users to gain\n privileges or cause a denial of service (heap memory corruption) via an\n IPT_SO_SET_REPLACE setsockopt call (bsc#971793). This non-security issue\n was fixed:\n - bsc#973570: The fix for CVE-2013-7446 introduced a bug that could have\n possibly lead to a softlockup.\n\n", "modified": "2016-08-09T17:09:05", "published": "2016-08-09T17:09:05", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00008.html", "id": "SUSE-SU-2016:1994-1", "type": "suse", "title": "Security update for Linux Kernel Live Patch 1 for SLE 12 SP1 (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:37:55", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583"], "description": "Jann Horn discovered that eCryptfs improperly attempted to use the mmap() \nhandler of a lower filesystem that did not implement one, causing a \nrecursive page fault to occur. A local unprivileged attacker could use to \ncause a denial of service (system crash) or possibly execute arbitrary code \nwith administrative privileges.", "edition": 5, "modified": "2016-06-10T00:00:00", "published": "2016-06-10T00:00:00", "id": "USN-3008-1", "href": "https://ubuntu.com/security/notices/USN-3008-1", "title": "Linux kernel (Qualcomm Snapdragon) vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:34:18", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583"], "description": "Jann Horn discovered that eCryptfs improperly attempted to use the mmap() \nhandler of a lower filesystem that did not implement one, causing a \nrecursive page fault to occur. A local unprivileged attacker could use to \ncause a denial of service (system crash) or possibly execute arbitrary code \nwith administrative privileges.", "edition": 5, "modified": "2016-06-10T00:00:00", "published": "2016-06-10T00:00:00", "id": "USN-2999-1", "href": "https://ubuntu.com/security/notices/USN-2999-1", "title": "Linux kernel vulnerability", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:40:23", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3961", "CVE-2016-4581", "CVE-2015-8839", "CVE-2016-4486", "CVE-2016-2187", "CVE-2016-1583", "CVE-2016-4558", "CVE-2016-4485", "CVE-2016-2117", "CVE-2016-4565"], "description": "Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux \nkernel incorrectly enables scatter/gather I/O. A remote attacker could use \nthis to obtain potentially sensitive information from kernel memory. \n(CVE-2016-2117)\n\nJann Horn discovered that eCryptfs improperly attempted to use the mmap() \nhandler of a lower filesystem that did not implement one, causing a \nrecursive page fault to occur. A local unprivileged attacker could use to \ncause a denial of service (system crash) or possibly execute arbitrary code \nwith administrative privileges. (CVE-2016-1583)\n\nMultiple race conditions where discovered in the Linux kernel's ext4 file \nsystem. A local user could exploit this flaw to cause a denial of service \n(disk corruption) by writing to a page that is associated with a different \nusers file after unsynchronized hole punching and page-fault handling. \n(CVE-2015-8839)\n\nRalf Spenneberg discovered that the Linux kernel's GTCO digitizer USB \ndevice driver did not properly validate endpoint descriptors. An attacker \nwith physical access could use this to cause a denial of service (system \ncrash). (CVE-2016-2187)\n\nVitaly Kuznetsov discovered that the Linux kernel did not properly suppress \nhugetlbfs support in X86 paravirtualized guests. An attacker in the guest \nOS could cause a denial of service (guest system crash). (CVE-2016-3961)\n\nKangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 \nSupport implementations in the Linux kernel. A local attacker could use \nthis to obtain potentially sensitive information from kernel memory. \n(CVE-2016-4485)\n\nKangjie Lu discovered an information leak in the routing netlink socket \ninterface (rtnetlink) implementation in the Linux kernel. A local attacker \ncould use this to obtain potentially sensitive information from kernel \nmemory. (CVE-2016-4486)\n\nJann Horn discovered that the extended Berkeley Packet Filter (eBPF) \nimplementation in the Linux kernel could overflow reference counters on \nsystems with more than 32GB of physical ram and with RLIMIT_MEMLOCK set to \ninfinite. A local unprivileged attacker could use to create a use-after- \nfree situation, causing a denial of service (system crash) or possibly gain \nadministrative privileges. (CVE-2016-4558)\n\nJann Horn discovered that the InfiniBand interfaces within the Linux kernel \ncould be coerced into overwriting kernel memory. A local unprivileged \nattacker could use this to possibly gain administrative privileges on \nsystems where InifiniBand related kernel modules are loaded. \n(CVE-2016-4565)\n\nIt was discovered that in some situations the Linux kernel did not handle \npropagated mounts correctly. A local unprivileged attacker could use this \nto cause a denial of service (system crash). (CVE-2016-4581)", "edition": 5, "modified": "2016-06-10T00:00:00", "published": "2016-06-10T00:00:00", "id": "USN-3006-1", "href": "https://ubuntu.com/security/notices/USN-3006-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:44:16", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3961", "CVE-2016-4581", "CVE-2015-8839", "CVE-2016-4486", "CVE-2016-2187", "CVE-2016-1583", "CVE-2016-4558", "CVE-2016-4485", "CVE-2016-2117", "CVE-2016-4565"], "description": "Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux \nkernel incorrectly enables scatter/gather I/O. A remote attacker could use \nthis to obtain potentially sensitive information from kernel memory. \n(CVE-2016-2117)\n\nJann Horn discovered that eCryptfs improperly attempted to use the mmap() \nhandler of a lower filesystem that did not implement one, causing a \nrecursive page fault to occur. A local unprivileged attacker could use to \ncause a denial of service (system crash) or possibly execute arbitrary code \nwith administrative privileges. (CVE-2016-1583)\n\nMultiple race conditions where discovered in the Linux kernel's ext4 file \nsystem. A local user could exploit this flaw to cause a denial of service \n(disk corruption) by writing to a page that is associated with a different \nusers file after unsynchronized hole punching and page-fault handling. \n(CVE-2015-8839)\n\nRalf Spenneberg discovered that the Linux kernel's GTCO digitizer USB \ndevice driver did not properly validate endpoint descriptors. An attacker \nwith physical access could use this to cause a denial of service (system \ncrash). (CVE-2016-2187)\n\nVitaly Kuznetsov discovered that the Linux kernel did not properly suppress \nhugetlbfs support in X86 paravirtualized guests. An attacker in the guest \nOS could cause a denial of service (guest system crash). (CVE-2016-3961)\n\nKangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 \nSupport implementations in the Linux kernel. A local attacker could use \nthis to obtain potentially sensitive information from kernel memory. \n(CVE-2016-4485)\n\nKangjie Lu discovered an information leak in the routing netlink socket \ninterface (rtnetlink) implementation in the Linux kernel. A local attacker \ncould use this to obtain potentially sensitive information from kernel \nmemory. (CVE-2016-4486)\n\nJann Horn discovered that the extended Berkeley Packet Filter (eBPF) \nimplementation in the Linux kernel could overflow reference counters on \nsystems with more than 32GB of physical ram and with RLIMIT_MEMLOCK set to \ninfinite. A local unprivileged attacker could use to create a use-after- \nfree situation, causing a denial of service (system crash) or possibly gain \nadministrative privileges. (CVE-2016-4558)\n\nJann Horn discovered that the InfiniBand interfaces within the Linux kernel \ncould be coerced into overwriting kernel memory. A local unprivileged \nattacker could use this to possibly gain administrative privileges on \nsystems where InifiniBand related kernel modules are loaded. \n(CVE-2016-4565)\n\nIt was discovered that in some situations the Linux kernel did not handle \npropagated mounts correctly. A local unprivileged attacker could use this \nto cause a denial of service (system crash). (CVE-2016-4581)", "edition": 5, "modified": "2016-06-10T00:00:00", "published": "2016-06-10T00:00:00", "id": "USN-3007-1", "href": "https://ubuntu.com/security/notices/USN-3007-1", "title": "Linux kernel (Raspberry Pi 2) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:42:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-3961", "CVE-2016-4581", "CVE-2015-8839", "CVE-2016-4486", "CVE-2016-2187", "CVE-2016-1583", "CVE-2016-4558", "CVE-2016-4485", "CVE-2016-2117", "CVE-2016-4565"], "description": "Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux \nkernel incorrectly enables scatter/gather I/O. A remote attacker could use \nthis to obtain potentially sensitive information from kernel memory. \n(CVE-2016-2117)\n\nJann Horn discovered that eCryptfs improperly attempted to use the mmap() \nhandler of a lower filesystem that did not implement one, causing a \nrecursive page fault to occur. A local unprivileged attacker could use to \ncause a denial of service (system crash) or possibly execute arbitrary code \nwith administrative privileges. (CVE-2016-1583)\n\nMultiple race conditions where discovered in the Linux kernel's ext4 file \nsystem. A local user could exploit this flaw to cause a denial of service \n(disk corruption) by writing to a page that is associated with a different \nusers file after unsynchronized hole punching and page-fault handling. \n(CVE-2015-8839)\n\nRalf Spenneberg discovered that the Linux kernel's GTCO digitizer USB \ndevice driver did not properly validate endpoint descriptors. An attacker \nwith physical access could use this to cause a denial of service (system \ncrash). (CVE-2016-2187)\n\nVitaly Kuznetsov discovered that the Linux kernel did not properly suppress \nhugetlbfs support in X86 paravirtualized guests. An attacker in the guest \nOS could cause a denial of service (guest system crash). (CVE-2016-3961)\n\nKangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2 \nSupport implementations in the Linux kernel. A local attacker could use \nthis to obtain potentially sensitive information from kernel memory. \n(CVE-2016-4485)\n\nKangjie Lu discovered an information leak in the routing netlink socket \ninterface (rtnetlink) implementation in the Linux kernel. A local attacker \ncould use this to obtain potentially sensitive information from kernel \nmemory. (CVE-2016-4486)\n\nJann Horn discovered that the extended Berkeley Packet Filter (eBPF) \nimplementation in the Linux kernel could overflow reference counters on \nsystems with more than 32GB of physical ram and with RLIMIT_MEMLOCK set to \ninfinite. A local unprivileged attacker could use to create a use-after- \nfree situation, causing a denial of service (system crash) or possibly gain \nadministrative privileges. (CVE-2016-4558)\n\nJann Horn discovered that the InfiniBand interfaces within the Linux kernel \ncould be coerced into overwriting kernel memory. A local unprivileged \nattacker could use this to possibly gain administrative privileges on \nsystems where InifiniBand related kernel modules are loaded. \n(CVE-2016-4565)\n\nIt was discovered that in some situations the Linux kernel did not handle \npropagated mounts correctly. A local unprivileged attacker could use this \nto cause a denial of service (system crash). (CVE-2016-4581)", "edition": 5, "modified": "2016-06-10T00:00:00", "published": "2016-06-10T00:00:00", "id": "USN-3005-1", "href": "https://ubuntu.com/security/notices/USN-3005-1", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-06-21T17:03:06", "description": "Linux - ecryptfs and /proc/$pid/environ Privilege Escalation. CVE-2016-1583. Local exploit for linux platform", "published": "2016-06-21T00:00:00", "type": "exploitdb", "title": "Linux - ecryptfs and /proc/$pid/environ Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-1583"], "modified": "2016-06-21T00:00:00", "id": "EDB-ID:39992", "href": "https://www.exploit-db.com/exploits/39992/", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=836\r\n\r\nStacking filesystems, including ecryptfs, protect themselves against\r\ndeep nesting, which would lead to kernel stack overflow, by tracking\r\nthe recursion depth of filesystems. E.g. in ecryptfs, this is\r\nimplemented in ecryptfs_mount() as follows:\r\n\r\n\ts->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;\r\n\r\n\trc = -EINVAL;\r\n\tif (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {\r\n\t\tpr_err(\"eCryptfs: maximum fs stacking depth exceeded\\n\");\r\n\t\tgoto out_free;\r\n\t}\r\n\r\n\r\nThe files /proc/$pid/{mem,environ,cmdline}, when read, access the\r\nuserspace memory of the target process, involving, if necessary,\r\nnormal pagefault handling. If it was possible to mmap() them, an\r\nattacker could create a chain of e.g. /proc/$pid/environ mappings\r\nwhere process 1 has /proc/2/environ mapped into its environment area,\r\nprocess 2 has /proc/3/environ mapped into its environment area and so\r\non. A read from /proc/1/environ would invoke the pagefault handler for\r\nprocess 1, which would invoke the pagefault handler for process 2 and\r\nso on. This would, again, lead to kernel stack overflow.\r\n\r\n\r\nOne interesting fact about ecryptfs is that, because of the encryption\r\ninvolved, it doesn't just forward mmap to the lower file's mmap\r\noperation. Instead, it has its own page cache, maintained using the\r\nnormal filemap helpers, and performs its cryptographic operations when\r\ndirty pages need to be written out or when pages need to be faulted\r\nin. Therefore, not just its read and write handlers, but also its mmap\r\nhandler only uses the lower filesystem's read and write methods.\r\nThis means that using ecryptfs, you can mmap [decrypted views of]\r\nfiles that normally wouldn't be mappable.\r\n\r\nCombining these things, it is possible to trigger recursion with\r\narbitrary depth where:\r\n\r\na reading userspace memory access in process A (from userland or from\r\n copy_from_user())\r\ncauses a pagefault in an ecryptfs mapping in process A, which\r\ncauses a read from /proc/{B}/environ, which\r\ncauses a pagefault in an ecryptfs mapping in process B, which\r\ncauses a read from /proc/{C}/environ, which\r\ncauses a pagefault in an ecryptfs mapping in process C, and so on.\r\n\r\nOn systems with the /sbin/mount.ecryptfs_private helper installed\r\n(e.g. Ubuntu if the \"encrypt my home directory\" checkbox is ticked\r\nduring installation), this bug can be triggered by an unprivileged\r\nuser. The mount helper considers /proc/$pid, where $pid is the PID of\r\na process owned by the user, to be a valid mount source because the\r\ndirectory is \"owned\" by the user.\r\n\r\nI have attached both a generic crash PoC and a build-specific exploit\r\nthat can be used to gain root privileges from a normal user account on\r\nUbuntu 16.04 with kernel package linux-image-4.4.0-22-generic, version\r\n4.4.0-22.40, uname \"Linux user-VirtualBox 4.4.0-22-generic #40-Ubuntu\r\nSMP Thu May 12 22:03:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux\".\r\n\r\ndmesg output of the crasher:\r\n\r\n```\r\n[ 80.036069] BUG: unable to handle kernel paging request at fffffffe4b9145c0\r\n[ 80.040028] IP: [<ffffffff810c9a33>] cpuacct_charge+0x23/0x40\r\n[ 80.040028] PGD 1e0d067 PUD 0 \r\n[ 80.040028] Thread overran stack, or stack corrupted\r\n[ 80.040028] Oops: 0000 [#1] SMP \r\n[ 80.040028] Modules linked in: vboxsf drbg ansi_cprng xts gf128mul dm_crypt snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi vboxvideo snd_seq ttm snd_seq_device drm_kms_helper snd_timer joydev drm snd fb_sys_fops soundcore syscopyarea sysfillrect sysimgblt vboxguest input_leds i2c_piix4 8250_fintek mac_hid serio_raw parport_pc ppdev lp parport autofs4 hid_generic usbhid hid psmouse ahci libahci e1000 pata_acpi fjes video\r\n[ 80.040028] CPU: 0 PID: 2135 Comm: crasher Not tainted 4.4.0-22-generic #40-Ubuntu\r\n[ 80.040028] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006\r\n[ 80.040028] task: ffff880035443200 ti: ffff8800d933c000 task.ti: ffff8800d933c000\r\n[ 80.040028] RIP: 0010:[<ffffffff810c9a33>] [<ffffffff810c9a33>] cpuacct_charge+0x23/0x40\r\n[ 80.040028] RSP: 0000:ffff88021fc03d70 EFLAGS: 00010046\r\n[ 80.040028] RAX: 000000000000dc68 RBX: ffff880035443260 RCX: ffffffffd933c068\r\n[ 80.040028] RDX: ffffffff81e50560 RSI: 000000000013877a RDI: ffff880035443200\r\n[ 80.040028] RBP: ffff88021fc03d70 R08: 0000000000000000 R09: 0000000000010000\r\n[ 80.040028] R10: 0000000000002d4e R11: 00000000000010ae R12: ffff8802137aa200\r\n[ 80.040028] R13: 000000000013877a R14: ffff880035443200 R15: ffff88021fc0ee68\r\n[ 80.040028] FS: 00007fbd9fadd700(0000) GS:ffff88021fc00000(0000) knlGS:0000000000000000\r\n[ 80.040028] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 80.040028] CR2: fffffffe4b9145c0 CR3: 0000000035415000 CR4: 00000000000006f0\r\n[ 80.040028] Stack:\r\n[ 80.040028] ffff88021fc03db0 ffffffff810b4b83 0000000000016d00 ffff88021fc16d00\r\n[ 80.040028] ffff880035443260 ffff8802137aa200 0000000000000000 ffff88021fc0ee68\r\n[ 80.040028] ffff88021fc03e30 ffffffff810bb414 ffff88021fc03dd0 ffff880035443200\r\n[ 80.040028] Call Trace:\r\n[ 80.040028] <IRQ> \r\n[ 80.040028] [<ffffffff810b4b83>] update_curr+0xe3/0x160\r\n[ 80.040028] [<ffffffff810bb414>] task_tick_fair+0x44/0x8e0\r\n[ 80.040028] [<ffffffff810b1267>] ? sched_clock_local+0x17/0x80\r\n[ 80.040028] [<ffffffff810b146f>] ? sched_clock_cpu+0x7f/0xa0\r\n[ 80.040028] [<ffffffff810ad35c>] scheduler_tick+0x5c/0xd0\r\n[ 80.040028] [<ffffffff810fe560>] ? tick_sched_handle.isra.14+0x60/0x60\r\n[ 80.040028] [<ffffffff810ee961>] update_process_times+0x51/0x60\r\n[ 80.040028] [<ffffffff810fe525>] tick_sched_handle.isra.14+0x25/0x60\r\n[ 80.040028] [<ffffffff810fe59d>] tick_sched_timer+0x3d/0x70\r\n[ 80.040028] [<ffffffff810ef282>] __hrtimer_run_queues+0x102/0x290\r\n[ 80.040028] [<ffffffff810efa48>] hrtimer_interrupt+0xa8/0x1a0\r\n[ 80.040028] [<ffffffff81052fa8>] local_apic_timer_interrupt+0x38/0x60\r\n[ 80.040028] [<ffffffff81827d9d>] smp_apic_timer_interrupt+0x3d/0x50\r\n[ 80.040028] [<ffffffff81826062>] apic_timer_interrupt+0x82/0x90\r\n[ 80.040028] <EOI> \r\n[ 80.040028] Code: 0f 1f 84 00 00 00 00 00 66 66 66 66 90 48 8b 47 08 48 8b 97 78 07 00 00 55 48 63 48 10 48 8b 52 60 48 89 e5 48 8b 82 b8 00 00 00 <48> 03 04 cd 80 42 f3 81 48 01 30 48 8b 52 48 48 85 d2 75 e5 5d \r\n[ 80.040028] RIP [<ffffffff810c9a33>] cpuacct_charge+0x23/0x40\r\n[ 80.040028] RSP <ffff88021fc03d70>\r\n[ 80.040028] CR2: fffffffe4b9145c0\r\n[ 80.040028] fbcon_switch: detected unhandled fb_set_par error, error code -16\r\n[ 80.040028] fbcon_switch: detected unhandled fb_set_par error, error code -16\r\n[ 80.040028] ---[ end trace 616e3de50958c35b ]---\r\n[ 80.040028] Kernel panic - not syncing: Fatal exception in interrupt\r\n[ 80.040028] Shutting down cpus with NMI\r\n[ 80.040028] Kernel Offset: disabled\r\n[ 80.040028] ---[ end Kernel panic - not syncing: Fatal exception in interrupt\r\n```\r\n\r\nexample run of the exploit, in a VM with 4 cores, with Ubuntu 16.04 installed:\r\n\r\n```\r\nuser@user-VirtualBox:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ls\r\ncompile.sh exploit.c hello.c suidhelper.c\r\nuser@user-VirtualBox:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ./compile.sh \r\nuser@user-VirtualBox:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ls\r\ncompile.sh exploit exploit.c hello hello.c suidhelper suidhelper.c\r\nuser@user-VirtualBox:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ./exploit\r\nall spammers ready\r\nrecurser parent ready\r\nspam over\r\nfault chain set up, faulting now\r\nwriting stackframes\r\nstackframes written\r\nkilling 2494\r\npost-corruption code is alive!\r\nchildren should be dead\r\ncoredump handler set. recurser exiting.\r\ngoing to crash now\r\nsuid file detected, launching rootshell...\r\nwe have root privs now...\r\nroot@user-VirtualBox:/proc# id\r\nuid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)\r\n```\r\n\r\n(If the exploit crashes even with the right kernel version, try\r\nrestarting the machine. Also, ensure that no program like top/htop/...\r\nis running that might try to read process command lines. Note that\r\nthe PoC and the exploit don't really clean up after themselves and\r\nleave mountpoints behind that prevent them from re-running without\r\na reboot or manual unmounting.)\r\n\r\nNote that Ubuntu compiled their kernel with\r\nCONFIG_SCHED_STACK_END_CHECK turned on, making it harder than it used\r\nto be in the past to not crash the kernel while exploiting this bug,\r\nand an overwrite of addr_limit would be useless because at the\r\ntime the thread_info is overwritten, there are multiple instances of\r\nkernel_read() on the stack. Still, the bug is exploitable by carefully\r\naligning the stack so that the vital components of thread_info are\r\npreserved, stopping with an out-of-bounds stack pointer and\r\noverwriting the thread stack using a normal write to an adjacent\r\nallocation of the buddy allocator.\r\n\r\nRegarding the fix, I think the following would be reasonable:\r\n\r\n - Explicitly forbid stacking anything on top of procfs by setting its\r\n s_stack_depth to a sufficiently large value. In my opinion, there\r\n is too much magic going on inside procfs to allow stacking things\r\n on top of it, and there isn't any good reason to do it. (For\r\n example, ecryptfs invokes open handlers from a kernel thread\r\n instead of normal user process context, so the access checks inside\r\n VFS open handlers are probably ineffective - and procfs relies\r\n heavily on those.)\r\n\r\n - Forbid opening files with f_op->mmap==NULL through ecryptfs. If the\r\n lower filesystem doesn't expect to be called in pagefault-handling\r\n context, it probably shouldn't be called in that context.\r\n\r\n - Create a dedicated kernel stack cache outside of the direct mapping\r\n of physical memory that has a guard page (or a multi-page gap) at\r\n the bottom of each stack, and move the struct thread_info to a\r\n different place (if nothing else works, the top of the stack, above\r\n the pt_regs).\r\n While e.g. race conditions are more common than stack overflows in\r\n the Linux kernel, the whole vulnerability class of stack overflows\r\n is easy to mitigate, and the kernel is sufficiently complicated for\r\n unbounded recursion to emerge in unexpected places - or perhaps\r\n even for someone to discover a way to create a stack with a bounded\r\n length that is still too high. Therefore, I believe that guard\r\n pages are a useful mitigation.\r\n Nearly everywhere, stack overflows are caught using guard pages\r\n nowadays; this includes Linux userland, but also {### TODO ###}\r\n and, on 64-bit systems, grsecurity (using GRKERNSEC_KSTACKOVERFLOW).\r\n\r\nOh, and by the way: The `BUG_ON(task_stack_end_corrupted(prev))`\r\nin schedule_debug() ought to be a direct panic instead of an oops. At\r\nthe moment, when you hit it, you get a recursion between the scheduler\r\ninvocation in do_exit() and the BUG_ON in the scheduler, and the\r\nkernel recurses down the stack until it hits something sufficiently\r\nimportant to cause a panic.\r\n\r\nI'm going to send (compile-tested) patches for my first two fix\r\nsuggestions and the recursive oops bug. I haven't written a patch for\r\nthe guard pages mitigation - I'm not familiar enough with the x86\r\nsubsystem for that.\r\n\r\n\r\nNotes regarding the exploit:\r\n\r\nIt makes an invalid assumption that causes it to require at least around 6GB of RAM.\r\n\r\nIt has a trivially avoidable race that causes it to fail on single-core systems after overwriting the coredump handler; if this happens, it's still possible to manually trigger a coredump and execute the suid helper to get a root shell.\r\n\r\nThe page spraying is pretty primitive and racy; while it works reliably for me, there might be influencing factors that cause it to fail on other people's machines.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39992.zip\r\n\r\n", "cvss": {"score": 7.3, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:HIGH/I:HIGH/A:HIGH/"}, "sourceHref": "https://www.exploit-db.com/download/39992/"}], "zdt": [{"lastseen": "2018-03-19T05:21:05", "edition": 2, "description": "Exploit for linux platform in category local exploits", "published": "2016-06-21T00:00:00", "type": "zdt", "title": "Linux - ecryptfs and /proc/$pid/environ Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-1583"], "modified": "2016-06-21T00:00:00", "id": "1337DAY-ID-25603", "href": "https://0day.today/exploit/description/25603", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=836\r\n \r\nStacking filesystems, including ecryptfs, protect themselves against\r\ndeep nesting, which would lead to kernel stack overflow, by tracking\r\nthe recursion depth of filesystems. E.g. in ecryptfs, this is\r\nimplemented in ecryptfs_mount() as follows:\r\n \r\n s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;\r\n \r\n rc = -EINVAL;\r\n if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {\r\n pr_err(\"eCryptfs: maximum fs stacking depth exceeded\\n\");\r\n goto out_free;\r\n }\r\n \r\n \r\nThe files /proc/$pid/{mem,environ,cmdline}, when read, access the\r\nuserspace memory of the target process, involving, if necessary,\r\nnormal pagefault handling. If it was possible to mmap() them, an\r\nattacker could create a chain of e.g. /proc/$pid/environ mappings\r\nwhere process 1 has /proc/2/environ mapped into its environment area,\r\nprocess 2 has /proc/3/environ mapped into its environment area and so\r\non. A read from /proc/1/environ would invoke the pagefault handler for\r\nprocess 1, which would invoke the pagefault handler for process 2 and\r\nso on. This would, again, lead to kernel stack overflow.\r\n \r\n \r\nOne interesting fact about ecryptfs is that, because of the encryption\r\ninvolved, it doesn't just forward mmap to the lower file's mmap\r\noperation. Instead, it has its own page cache, maintained using the\r\nnormal filemap helpers, and performs its cryptographic operations when\r\ndirty pages need to be written out or when pages need to be faulted\r\nin. Therefore, not just its read and write handlers, but also its mmap\r\nhandler only uses the lower filesystem's read and write methods.\r\nThis means that using ecryptfs, you can mmap [decrypted views of]\r\nfiles that normally wouldn't be mappable.\r\n \r\nCombining these things, it is possible to trigger recursion with\r\narbitrary depth where:\r\n \r\na reading userspace memory access in process A (from userland or from\r\n copy_from_user())\r\ncauses a pagefault in an ecryptfs mapping in process A, which\r\ncauses a read from /proc/{B}/environ, which\r\ncauses a pagefault in an ecryptfs mapping in process B, which\r\ncauses a read from /proc/{C}/environ, which\r\ncauses a pagefault in an ecryptfs mapping in process C, and so on.\r\n \r\nOn systems with the /sbin/mount.ecryptfs_private helper installed\r\n(e.g. Ubuntu if the \"encrypt my home directory\" checkbox is ticked\r\nduring installation), this bug can be triggered by an unprivileged\r\nuser. The mount helper considers /proc/$pid, where $pid is the PID of\r\na process owned by the user, to be a valid mount source because the\r\ndirectory is \"owned\" by the user.\r\n \r\nI have attached both a generic crash PoC and a build-specific exploit\r\nthat can be used to gain root privileges from a normal user account on\r\nUbuntu 16.04 with kernel package linux-image-4.4.0-22-generic, version\r\n4.4.0-22.40, uname \"Linux user-VirtualBox 4.4.0-22-generic #40-Ubuntu\r\nSMP Thu May 12 22:03:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux\".\r\n \r\ndmesg output of the crasher:\r\n \r\n```\r\n[ 80.036069] BUG: unable to handle kernel paging request at fffffffe4b9145c0\r\n[ 80.040028] IP: [<ffffffff810c9a33>] cpuacct_charge+0x23/0x40\r\n[ 80.040028] PGD 1e0d067 PUD 0 \r\n[ 80.040028] Thread overran stack, or stack corrupted\r\n[ 80.040028] Oops: 0000 [#1] SMP \r\n[ 80.040028] Modules linked in: vboxsf drbg ansi_cprng xts gf128mul dm_crypt snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi vboxvideo snd_seq ttm snd_seq_device drm_kms_helper snd_timer joydev drm snd fb_sys_fops soundcore syscopyarea sysfillrect sysimgblt vboxguest input_leds i2c_piix4 8250_fintek mac_hid serio_raw parport_pc ppdev lp parport autofs4 hid_generic usbhid hid psmouse ahci libahci e1000 pata_acpi fjes video\r\n[ 80.040028] CPU: 0 PID: 2135 Comm: crasher Not tainted 4.4.0-22-generic #40-Ubuntu\r\n[ 80.040028] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006\r\n[ 80.040028] task: ffff880035443200 ti: ffff8800d933c000 task.ti: ffff8800d933c000\r\n[ 80.040028] RIP: 0010:[<ffffffff810c9a33>] [<ffffffff810c9a33>] cpuacct_charge+0x23/0x40\r\n[ 80.040028] RSP: 0000:ffff88021fc03d70 EFLAGS: 00010046\r\n[ 80.040028] RAX: 000000000000dc68 RBX: ffff880035443260 RCX: ffffffffd933c068\r\n[ 80.040028] RDX: ffffffff81e50560 RSI: 000000000013877a RDI: ffff880035443200\r\n[ 80.040028] RBP: ffff88021fc03d70 R08: 0000000000000000 R09: 0000000000010000\r\n[ 80.040028] R10: 0000000000002d4e R11: 00000000000010ae R12: ffff8802137aa200\r\n[ 80.040028] R13: 000000000013877a R14: ffff880035443200 R15: ffff88021fc0ee68\r\n[ 80.040028] FS: 00007fbd9fadd700(0000) GS:ffff88021fc00000(0000) knlGS:0000000000000000\r\n[ 80.040028] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 80.040028] CR2: fffffffe4b9145c0 CR3: 0000000035415000 CR4: 00000000000006f0\r\n[ 80.040028] Stack:\r\n[ 80.040028] ffff88021fc03db0 ffffffff810b4b83 0000000000016d00 ffff88021fc16d00\r\n[ 80.040028] ffff880035443260 ffff8802137aa200 0000000000000000 ffff88021fc0ee68\r\n[ 80.040028] ffff88021fc03e30 ffffffff810bb414 ffff88021fc03dd0 ffff880035443200\r\n[ 80.040028] Call Trace:\r\n[ 80.040028] <IRQ> \r\n[ 80.040028] [<ffffffff810b4b83>] update_curr+0xe3/0x160\r\n[ 80.040028] [<ffffffff810bb414>] task_tick_fair+0x44/0x8e0\r\n[ 80.040028] [<ffffffff810b1267>] ? sched_clock_local+0x17/0x80\r\n[ 80.040028] [<ffffffff810b146f>] ? sched_clock_cpu+0x7f/0xa0\r\n[ 80.040028] [<ffffffff810ad35c>] scheduler_tick+0x5c/0xd0\r\n[ 80.040028] [<ffffffff810fe560>] ? tick_sched_handle.isra.14+0x60/0x60\r\n[ 80.040028] [<ffffffff810ee961>] update_process_times+0x51/0x60\r\n[ 80.040028] [<ffffffff810fe525>] tick_sched_handle.isra.14+0x25/0x60\r\n[ 80.040028] [<ffffffff810fe59d>] tick_sched_timer+0x3d/0x70\r\n[ 80.040028] [<ffffffff810ef282>] __hrtimer_run_queues+0x102/0x290\r\n[ 80.040028] [<ffffffff810efa48>] hrtimer_interrupt+0xa8/0x1a0\r\n[ 80.040028] [<ffffffff81052fa8>] local_apic_timer_interrupt+0x38/0x60\r\n[ 80.040028] [<ffffffff81827d9d>] smp_apic_timer_interrupt+0x3d/0x50\r\n[ 80.040028] [<ffffffff81826062>] apic_timer_interrupt+0x82/0x90\r\n[ 80.040028] <EOI> \r\n[ 80.040028] Code: 0f 1f 84 00 00 00 00 00 66 66 66 66 90 48 8b 47 08 48 8b 97 78 07 00 00 55 48 63 48 10 48 8b 52 60 48 89 e5 48 8b 82 b8 00 00 00 <48> 03 04 cd 80 42 f3 81 48 01 30 48 8b 52 48 48 85 d2 75 e5 5d \r\n[ 80.040028] RIP [<ffffffff810c9a33>] cpuacct_charge+0x23/0x40\r\n[ 80.040028] RSP <ffff88021fc03d70>\r\n[ 80.040028] CR2: fffffffe4b9145c0\r\n[ 80.040028] fbcon_switch: detected unhandled fb_set_par error, error code -16\r\n[ 80.040028] fbcon_switch: detected unhandled fb_set_par error, error code -16\r\n[ 80.040028] ---[ end trace 616e3de50958c35b ]---\r\n[ 80.040028] Kernel panic - not syncing: Fatal exception in interrupt\r\n[ 80.040028] Shutting down cpus with NMI\r\n[ 80.040028] Kernel Offset: disabled\r\n[ 80.040028] ---[ end Kernel panic - not syncing: Fatal exception in interrupt\r\n```\r\n \r\nexample run of the exploit, in a VM with 4 cores, with Ubuntu 16.04 installed:\r\n \r\n```\r\n[email\u00a0protected]:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ls\r\ncompile.sh exploit.c hello.c suidhelper.c\r\n[email\u00a0protected]:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ./compile.sh \r\n[email\u00a0protected]:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ls\r\ncompile.sh exploit exploit.c hello hello.c suidhelper suidhelper.c\r\n[email\u00a0protected]:/media/sf_vm_shared/crypt_endless_recursion/exploit$ ./exploit\r\nall spammers ready\r\nrecurser parent ready\r\nspam over\r\nfault chain set up, faulting now\r\nwriting stackframes\r\nstackframes written\r\nkilling 2494\r\npost-corruption code is alive!\r\nchildren should be dead\r\ncoredump handler set. recurser exiting.\r\ngoing to crash now\r\nsuid file detected, launching rootshell...\r\nwe have root privs now...\r\n[email\u00a0protected]:/proc# id\r\nuid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),999(vboxsf),1000(user)\r\n```\r\n \r\n(If the exploit crashes even with the right kernel version, try\r\nrestarting the machine. Also, ensure that no program like top/htop/...\r\nis running that might try to read process command lines. Note that\r\nthe PoC and the exploit don't really clean up after themselves and\r\nleave mountpoints behind that prevent them from re-running without\r\na reboot or manual unmounting.)\r\n \r\nNote that Ubuntu compiled their kernel with\r\nCONFIG_SCHED_STACK_END_CHECK turned on, making it harder than it used\r\nto be in the past to not crash the kernel while exploiting this bug,\r\nand an overwrite of addr_limit would be useless because at the\r\ntime the thread_info is overwritten, there are multiple instances of\r\nkernel_read() on the stack. Still, the bug is exploitable by carefully\r\naligning the stack so that the vital components of thread_info are\r\npreserved, stopping with an out-of-bounds stack pointer and\r\noverwriting the thread stack using a normal write to an adjacent\r\nallocation of the buddy allocator.\r\n \r\nRegarding the fix, I think the following would be reasonable:\r\n \r\n - Explicitly forbid stacking anything on top of procfs by setting its\r\n s_stack_depth to a sufficiently large value. In my opinion, there\r\n is too much magic going on inside procfs to allow stacking things\r\n on top of it, and there isn't any good reason to do it. (For\r\n example, ecryptfs invokes open handlers from a kernel thread\r\n instead of normal user process context, so the access checks inside\r\n VFS open handlers are probably ineffective - and procfs relies\r\n heavily on those.)\r\n \r\n - Forbid opening files with f_op->mmap==NULL through ecryptfs. If the\r\n lower filesystem doesn't expect to be called in pagefault-handling\r\n context, it probably shouldn't be called in that context.\r\n \r\n - Create a dedicated kernel stack cache outside of the direct mapping\r\n of physical memory that has a guard page (or a multi-page gap) at\r\n the bottom of each stack, and move the struct thread_info to a\r\n different place (if nothing else works, the top of the stack, above\r\n the pt_regs).\r\n While e.g. race conditions are more common than stack overflows in\r\n the Linux kernel, the whole vulnerability class of stack overflows\r\n is easy to mitigate, and the kernel is sufficiently complicated for\r\n unbounded recursion to emerge in unexpected places - or perhaps\r\n even for someone to discover a way to create a stack with a bounded\r\n length that is still too high. Therefore, I believe that guard\r\n pages are a useful mitigation.\r\n Nearly everywhere, stack overflows are caught using guard pages\r\n nowadays; this includes Linux userland, but also {### TODO ###}\r\n and, on 64-bit systems, grsecurity (using GRKERNSEC_KSTACKOVERFLOW).\r\n \r\nOh, and by the way: The `BUG_ON(task_stack_end_corrupted(prev))`\r\nin schedule_debug() ought to be a direct panic instead of an oops. At\r\nthe moment, when you hit it, you get a recursion between the scheduler\r\ninvocation in do_exit() and the BUG_ON in the scheduler, and the\r\nkernel recurses down the stack until it hits something sufficiently\r\nimportant to cause a panic.\r\n \r\nI'm going to send (compile-tested) patches for my first two fix\r\nsuggestions and the recursive oops bug. I haven't written a patch for\r\nthe guard pages mitigation - I'm not familiar enough with the x86\r\nsubsystem for that.\r\n \r\n \r\nNotes regarding the exploit:\r\n \r\nIt makes an invalid assumption that causes it to require at least around 6GB of RAM.\r\n \r\nIt has a trivially avoidable race that causes it to fail on single-core systems after overwriting the coredump handler; if this happens, it's still possible to manually trigger a coredump and execute the suid helper to get a root shell.\r\n \r\nThe page spraying is pretty primitive and racy; while it works reliably for me, there might be influencing factors that cause it to fail on other people's machines.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39992.zip\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25603"}], "virtuozzo": [{"lastseen": "2019-11-05T11:28:16", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7910", "CVE-2016-7911", "CVE-2016-1583", "CVE-2016-6828"], "description": "This update provides a new Virtuozzo 6.0 kernel 2.6.32-042stab120.11 based on the Red Hat Enterprise Linux 6.8 kernel 2.6.32-642.6.1.el6. The new kernel provides security and stability fixes.\n**Vulnerability id:** CVE-2016-1583\nStack overflow via ecryptfs and /proc/$pid/environ. It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system.\n\n**Vulnerability id:** CVE-2016-6828\nUse after free in tcp_xmit_retransmit_queue. A use after free vulnerability was found in tcp_xmit_retransmit_queue and other tcp_* functions. This condition could allow an attacker to send an incorrect selective acknowledgment to existing connections, possibly resetting a connection.\n\n**Vulnerability id:** CVE-2016-7910\nblock: fix use-after-free in seq file. Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed.\n\n**Vulnerability id:** CVE-2016-7911\nblock: fix use-after-free in sys_ioprio_get(). Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call.\n\n", "edition": 1, "modified": "2016-11-21T00:00:00", "published": "2016-11-21T00:00:00", "id": "VZA-2016-104", "href": "https://docs.virtuozzo.com/vza/VZA-2016-104.json", "title": "Critical kernel security update: vulnerability fixes CVE-2016-7910, CVE-2016-7911 (and other), new kernel 2.6.32-042stab120.11", "type": "virtuozzo", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583", "CVE-2016-4470", "CVE-2016-4997", "CVE-2016-4998"], "description": "The kernel meta package ", "modified": "2016-07-19T07:20:52", "published": "2016-07-19T07:20:52", "id": "FEDORA:EE2EE6087A58", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: kernel-4.4.14-200.fc22", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1583", "CVE-2016-4470", "CVE-2016-4997", "CVE-2016-4998", "CVE-2016-5728"], "description": "The kernel meta package ", "modified": "2016-06-30T21:30:47", "published": "2016-06-30T21:30:47", "id": "FEDORA:F325C6013F0A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: kernel-4.6.3-300.fc24", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1237", "CVE-2016-1583", "CVE-2016-4470", "CVE-2016-4998", "CVE-2016-5728", "CVE-2016-5829"], "description": "The kernel meta package ", "modified": "2016-07-02T19:33:02", "published": "2016-07-02T19:33:02", "id": "FEDORA:4F34C605E513", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: kernel-4.5.7-202.fc23", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}