The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-9930 advisory.
- A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)
Note that Nessus has not tested for this issue but has instead relied only on self-reported version information: the installed RPM package versions and, when the host reports a Ksplice uptrack level, that kernel level.
{"id": "ORACLELINUX_ELSA-2022-9930.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "Oracle Linux 8 : Unbreakable Enterprise kernel (ELSA-2022-9930)", "description": "The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-9930 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2022-10-24T00:00:00", "modified": "2022-11-28T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}, "href": "https://www.tenable.com/plugins/nessus/166436", "reporter": "This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3028", "https://linux.oracle.com/errata/ELSA-2022-9930.html"], "cvelist": ["CVE-2022-3028"], "immutableFields": [], "lastseen": "2023-03-03T22:36:54", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "amazon", "idList": ["ALAS-2022-1636", "ALAS-2022-1852", "ALAS2-2022-1852"]}, {"type": "cve", "idList": ["CVE-2022-3028"]}, {"type": "debian", "idList": ["DEBIAN:DLA-3131-1:083C4", "DEBIAN:DLA-3173-1:82909"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2022-3028"]}, {"type": "fedora", "idList": ["FEDORA:37C8F316AAE9", "FEDORA:5334A316CFA4", "FEDORA:671D6305F850", "FEDORA:A1AF5304C6C7", "FEDORA:A8BA33168D26"]}, {"type": "github", "idList": ["GHSA-34VW-M4RH-R36P"]}, {"type": "mageia", "idList": ["MGASA-2022-0324", "MGASA-2022-0380"]}, {"type": "nessus", "idList": ["AL2022_ALAS2022-2022-150.NASL", "AL2022_ALAS2022-2022-185.NASL", "AL2_ALAS-2022-1852.NASL", "AL2_ALASKERNEL-5_10-2022-020.NASL", "AL2_ALASKERNEL-5_15-2022-008.NASL", "AL2_ALASKERNEL-5_4-2022-036.NASL", "ALA_ALAS-2022-1636.NASL", "DEBIAN_DLA-3131.NASL", "DEBIAN_DLA-3173.NASL", "EULEROS_SA-2022-2686.NASL", "EULEROS_SA-2022-2732.NASL", "EULEROS_SA-2022-2767.NASL", "EULEROS_SA-2022-2796.NASL", "EULEROS_SA-2022-2823.NASL", "EULEROS_SA-2022-2906.NASL", "EULEROS_SA-2023-1147.NASL", "EULEROS_SA-2023-1193.NASL", "EULEROS_SA-2023-1223.NASL", "ORACLELINUX_ELSA-2022-9852.NASL", "ORACLELINUX_ELSA-2022-9870.NASL", "ORACLELINUX_ELSA-2022-9871.NASL", "ORACLELINUX_ELSA-2022-9926.NASL", "ORACLELINUX_ELSA-2022-9927.NASL", "ORACLELINUX_ELSA-2022-9931.NASL", "ORACLELINUX_ELSA-2022-9998.NASL", "ORACLELINUX_ELSA-2022-9999.NASL", "ORACLEVM_OVMSA-2022-0026.NASL", "SLACKWARE_SSA_2022-333-01.NASL", "SUSE_SU-2022-3263-1.NASL", "SUSE_SU-2022-3264-1.NASL", "SUSE_SU-2022-3265-1.NASL", "SUSE_SU-2022-3274-1.NASL", "SUSE_SU-2022-3282-1.NASL", "SUSE_SU-2022-3288-1.NASL", "SUSE_SU-2022-3291-1.NASL", 
"SUSE_SU-2022-3293-1.NASL", "SUSE_SU-2022-3294-1.NASL", "SUSE_SU-2022-3408-1.NASL", "SUSE_SU-2022-3422-1.NASL", "SUSE_SU-2022-3450-1.NASL", "SUSE_SU-2022-3609-1.NASL", "SUSE_SU-2022-3809-1.NASL", "SUSE_SU-2022-4617-1.NASL", "UBUNTU_USN-5650-1.NASL", "UBUNTU_USN-5693-1.NASL", "UBUNTU_USN-5727-1.NASL", "UBUNTU_USN-5727-2.NASL", "UBUNTU_USN-5728-1.NASL", "UBUNTU_USN-5728-2.NASL", "UBUNTU_USN-5728-3.NASL", "UBUNTU_USN-5729-1.NASL", "UBUNTU_USN-5729-2.NASL", "UBUNTU_USN-5774-1.NASL"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2023"]}, {"type": "oraclelinux", "idList": ["ELSA-2022-9852", "ELSA-2022-9870", "ELSA-2022-9871", "ELSA-2022-9926", "ELSA-2022-9927", "ELSA-2022-9930", "ELSA-2022-9931", "ELSA-2022-9998", "ELSA-2022-9999"]}, {"type": "osv", "idList": ["OSV:DLA-3131-1", "OSV:DLA-3173-1", "OSV:GHSA-34VW-M4RH-R36P"]}, {"type": "photon", "idList": ["PHSA-2022-0248", "PHSA-2022-0517", "PHSA-2022-3.0-0461", "PHSA-2022-4.0-0248"]}, {"type": "redhatcve", "idList": ["RH:CVE-2022-3028"]}, {"type": "slackware", "idList": ["SSA-2022-333-01"]}, {"type": "suse", "idList": ["SUSE-SU-2022:3264-1", "SUSE-SU-2022:3288-1", "SUSE-SU-2022:3293-1", "SUSE-SU-2022:3408-1", "SUSE-SU-2022:3609-1", "SUSE-SU-2022:3809-1"]}, {"type": "ubuntu", "idList": ["USN-5650-1", "USN-5693-1", "USN-5727-1", "USN-5727-2", "USN-5728-1", "USN-5728-2", "USN-5728-3", "USN-5729-1", "USN-5729-2", "USN-5774-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2022-3028"]}]}, "score": {"value": -0.5, "vector": "NONE"}, "epss": [{"cve": "CVE-2022-3028", "epss": "0.000420000", "percentile": "0.056330000", "modified": "2023-03-20"}], "vulnersScore": -0.5}, "_state": {"dependencies": 1677883088, "score": 1677883214, "epss": 1679338714}, "_internal": {"score_hash": "e40bf2bb7243ee175148a3d76de44e3a"}, "pluginID": "166436", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory 
ELSA-2022-9930.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166436);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/28\");\n\n script_cve_id(\"CVE-2022-3028\");\n\n script_name(english:\"Oracle Linux 8 : Unbreakable Enterprise kernel (ELSA-2022-9930)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2022-9930 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. 
(CVE-2022-3028)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-9930.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3028\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-modules\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-modules-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-modules\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-modules-extra\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['5.15.0-3.60.5.1.el8uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2022-9930');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '5.15';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'bpftool-5.15.0-3.60.5.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'bpftool-5.15.0'},\n {'reference':'bpftool-5.15.0-3.60.5.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'bpftool-5.15.0'},\n {'reference':'kernel-uek-5.15.0-3.60.5.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.15.0'},\n {'reference':'kernel-uek-5.15.0-3.60.5.1.el8uek', 
'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.15.0'},\n {'reference':'kernel-uek-core-5.15.0-3.60.5.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-core-5.15.0'},\n {'reference':'kernel-uek-core-5.15.0-3.60.5.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-core-5.15.0'},\n {'reference':'kernel-uek-debug-5.15.0-3.60.5.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.15.0'},\n {'reference':'kernel-uek-debug-5.15.0-3.60.5.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.15.0'},\n {'reference':'kernel-uek-debug-core-5.15.0-3.60.5.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-core-5.15.0'},\n {'reference':'kernel-uek-debug-core-5.15.0-3.60.5.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-core-5.15.0'},\n {'reference':'kernel-uek-debug-devel-5.15.0-3.60.5.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.15.0'},\n {'reference':'kernel-uek-debug-devel-5.15.0-3.60.5.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.15.0'},\n {'reference':'kernel-uek-debug-modules-5.15.0-3.60.5.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-modules-5.15.0'},\n {'reference':'kernel-uek-debug-modules-5.15.0-3.60.5.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-modules-5.15.0'},\n {'reference':'kernel-uek-debug-modules-extra-5.15.0-3.60.5.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-modules-extra-5.15.0'},\n 
{'reference':'kernel-uek-debug-modules-extra-5.15.0-3.60.5.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-modules-extra-5.15.0'},\n {'reference':'kernel-uek-devel-5.15.0-3.60.5.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.15.0'},\n {'reference':'kernel-uek-devel-5.15.0-3.60.5.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.15.0'},\n {'reference':'kernel-uek-doc-5.15.0-3.60.5.1.el8uek', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.15.0'},\n {'reference':'kernel-uek-modules-5.15.0-3.60.5.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-modules-5.15.0'},\n {'reference':'kernel-uek-modules-5.15.0-3.60.5.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-modules-5.15.0'},\n {'reference':'kernel-uek-modules-extra-5.15.0-3.60.5.1.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-modules-extra-5.15.0'},\n {'reference':'kernel-uek-modules-extra-5.15.0-3.60.5.1.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-modules-extra-5.15.0'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if 
(!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel-uek / kernel-uek-core / etc');\n}\n", "naslFamily": "Oracle Linux Local Security Checks", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:bpftool", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-core", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-core", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-debug-modules", "p-cpe:/a:oracle:linux:kernel-uek-debug-modules-extra", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-modules", "p-cpe:/a:oracle:linux:kernel-uek-modules-extra"], "solution": "Update the affected packages.", "nessusSeverity": "Medium", "cvssScoreSource": "CVE-2022-3028", "vendor_cvss2": {"score": 6, "vector": "AV:L/AC:H/Au:S/C:C/I:C/A:C"}, "vendor_cvss3": {"score": 7, "vector": 
"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "vpr": {"risk factor": "Medium", "score": "6.7"}, "exploitAvailable": false, "exploitEase": "No known exploits are available", "patchPublicationDate": "2022-10-24T00:00:00", "vulnerabilityPublicationDate": "2022-08-31T00:00:00", "exploitableWith": []}
{"debiancve": [{"lastseen": "2023-03-30T16:44:50", "description": "A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-31T16:15:00", "type": "debiancve", "title": "CVE-2022-3028", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-3028"], "modified": "2022-08-31T16:15:00", "id": "DEBIANCVE:CVE-2022-3028", "href": "https://security-tracker.debian.org/tracker/CVE-2022-3028", "cvss": {"score": 0.0, "vector": "NONE"}}], "oraclelinux": [{"lastseen": "2022-11-15T22:47:27", "description": "[5.4.17-2136.313.6]\n- Uninitialized variable image_ext in fixup_vdso_exception of extable.c (Alok Tiwari) [Orabug: 33000550] \n- NFSD: fix use-after-free on source server when doing inter-server copy (Dai Ngo) [Orabug: 34475857] \n- EDAC/mce_amd: Do not load edac_mce_amd module on guests (Smita Koralahalli) [Orabug: 34484268] \n- uek: kabi: update kABI files for new symbol (Saeed Mirzamohammadi) [Orabug: 34595589] \n- RDS/IB Fix allocation warning (Hans Westgaard Ry) [Orabug: 34684322] \n- uek-rpm: Add support for building a kdump kernel on MIPS64 (Dave Kleikamp) [Orabug: 34696261] \n- hwmon: (opbmc) AST2600 SP reset driver adjustment (Jan Zdarek) [Orabug: 34710682] \n- hwmon: (opbmc) Driver message prefixes (Jan Zdarek) [Orabug: 34710682] \n- Revert 'fs: 
check FMODE_LSEEK to control internal pipe splicing' (Saeed Mirzamohammadi) [Orabug: 34724694] \n- Revert 'sched/deadline: Fix priority inheritance with multiple scheduling classes' (Sherry Yang) [Orabug: 34700434]\n[5.4.17-2136.313.5]\n- IB/mlx5: Move to fully dynamic UAR mode once user space supports it (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Extend QP creation to get uar page index from user space (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Extend CQ creation to get uar page index from user space (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Expose UAR object and its alloc/destroy commands (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Generally use the WC auto detection test result (Yishai Hadas) [Orabug: 34430072] \n- RDMA/mlx5: Use offsetofend() instead of duplicated variant (Leon Romanovsky) [Orabug: 34430072] \n- RDMA/mlx5: Remove duplicate definitions of SW_ICM macros (Erez Shitrit) [Orabug: 34430072] \n- IB/mlx5: Introduce UAPIs to manage packet pacing (Yishai Hadas) [Orabug: 34430072] \n- RDMA/mlx5: Prevent overflow in mmap offset calculations (Leon Romanovsky) [Orabug: 34430072] \n- RDMA/core: Make the entire API tree static (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/mlx5: Set relaxed ordering when requested (Michael Guralnik) [Orabug: 34430072] \n- RDMA/core: Add the core support field to METHOD_GET_CONTEXT (Michael Guralnik) [Orabug: 34430072] \n- RDMA/uverbs: Add new relaxed ordering memory region access flag (Michael Guralnik) [Orabug: 34430072] \n- RDMA/core: Add optional access flags range (Michael Guralnik) [Orabug: 34430072] \n- RDMA/uverbs: Add ioctl command to get a device context (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Remove ucontext_lock from the uverbs_destry_ufile_hw() path (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Add UVERBS_METHOD_ASYNC_EVENT_ALLOC (Jason Gunthorpe) [Orabug: 34430072] \n- 
RDMA/core: Use READ_ONCE for ib_ufile.async_file (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Make ib_uverbs_async_event_file into a uobject (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Remove the ufile arg from rdma_alloc_begin_uobject (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Simplify type usage for ib_uverbs_async_handler() (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Do not erase the type of ib_wq.uobject (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Do not erase the type of ib_qp.uobject (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Do not erase the type of ib_cq.uobject (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Make ib_ucq_object use ib_uevent_object (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Do not allow alloc_commit to fail (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/mlx5: Simplify devx async commands (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Simplify destruction of FD uobjects (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/mlx5: Use RCU and direct refcounts to keep memory alive (Jason Gunthorpe) [Orabug: 34430072] \n- IB/mlx5: Add mmap support for VAR (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Introduce VAR object and its alloc/destroy methods (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Extend caps stage to handle VAR capabilities (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Fix device memory flows (Yishai Hadas) [Orabug: 34430072] \n- IB/core: Introduce rdma_user_mmap_entry_insert_range() API (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Support flow counters offset for bulk counters (Yevgeny Kliteynik) [Orabug: 34430072] \n- IB/mlx5: Rename profile and init methods (Michael Guralnik) [Orabug: 34430072] \n- RDMA: Connect between the mmap entry and the umap_priv structure (Michal Kalderon) [Orabug: 34430072] \n- RDMA/core: Create mmap database and cookie helper functions (Michal Kalderon) [Orabug: 34430072] \n- RDMA/core: Move core content from ib_uverbs to ib_core (Michal 
Kalderon) [Orabug: 34430072] \n- IB/mlx5: Test write combining support (Michael Guralnik) [Orabug: 34430072] \n- IB/mlx5: Align usage of QP1 create flags with rest of mlx5 defines (Michael Guralnik) [Orabug: 34430072] \n- IB/mlx5: Introduce and use mkey context setting helper routine (Parav Pandit) [Orabug: 34430072] \n- net/rds: Send congestion map updates only via path zero (Anand Khoje) [Orabug: 34578051] \n- Revert 'RDS/IB: Fix RDS IB SRQ implementation and tune it' (Hans Westgaard Ry) [Orabug: 34662431] \n- net: vlan: Avoid using BUG() in vlan_proto_idx() (Florian Fainelli) [Orabug: 34672449] \n- KVM: x86: drop superfluous mmu_check_root() from fast_pgd_switch() (Vitaly Kuznetsov) [Orabug: 34679770] \n- KVM: SVM: Update cr3_lm_rsvd_bits for AMD SEV guests (Babu Moger) [Orabug: 34679770] \n- KVM: x86: Invoke vendor's vcpu_after_set_cpuid() after all common updates (Sean Christopherson) [Orabug: 34679770] \n- KVM: x86: Move kvm_x86_ops.vcpu_after_set_cpuid() into kvm_vcpu_after_set_cpuid() (Xiaoyao Li) [Orabug: 34679770] \n- KVM: x86: Rename cpuid_update() callback to vcpu_after_set_cpuid() (Xiaoyao Li) [Orabug: 34679770] \n- RDMA/cma: Use output interface for net_dev check (Hakon Bugge) [Orabug: 34694980]\n[5.4.17-2136.313.4]\n- arm64: pensando: Suppress tree-loop-distribute-patterns optimization (Henry Willard) [Orabug: 34634974] \n- uek-rpm: Disable floppy related configs (Saeed Mirzamohammadi) [Orabug: 34644240] \n- ACPI: processor idle: Practically limit 'Dummy wait' workaround to old Intel systems (Dave Hansen) [Orabug: 34671342]\n[5.4.17-2136.313.3]\n- Revert 'net: mvpp2: debugfs: fix memory leak when using debugfs_lookup()' (Sasha Levin) \n- USB: core: Fix RST error in hub.c (Alan Stern) \n- cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() (Tetsuo Handa) \n- parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() (Yang Yingliang) \n- LTS tag: v5.4.213 (Sherry Yang) \n- MIPS: loongson32: ls1c: Fix hang during startup (Yang 
Ling) \n- x86/nospec: Fix i386 RSB stuffing (Peter Zijlstra) \n- sch_sfb: Also store skb len before calling child enqueue (Toke Hoiland-Jorgensen) \n- tcp: fix early ETIMEDOUT after spurious non-SACK RTO (Neal Cardwell) \n- nvme-tcp: fix UAF when detecting digest errors (Sagi Grimberg) \n- RDMA/mlx5: Set local port to one when accessing counters (Chris Mi) \n- ipv6: sr: fix out-of-bounds read when setting HMAC data. (David Lebrun) \n- RDMA/siw: Pass a pointer to virt_to_page() (Linus Walleij) \n- i40e: Fix kernel crash during module removal (Ivan Vecera) \n- tipc: fix shift wrapping bug in map_get() (Dan Carpenter) \n- sch_sfb: Don't assume the skb is still around after enqueueing to child (Toke Hoiland-Jorgensen) \n- afs: Use the operation issue time instead of the reply time for callbacks (David Howells) \n- rxrpc: Fix an insufficiently large sglist in rxkad_verify_packet_2() (David Howells) \n- netfilter: nf_conntrack_irc: Fix forged IP logic (David Leadbeater) \n- netfilter: br_netfilter: Drop dst references before setting. (Harsh Modi) \n- RDMA/hns: Fix supported page size (Chengchang Tang) \n- soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs (Liang He) \n- RDMA/cma: Fix arguments order in net device validation (Michael Guralnik) \n- regulator: core: Clean up on enable failure (Andrew Halaney) \n- ARM: dts: imx6qdl-kontron-samx6i: remove duplicated node (Marco Felsch) \n- smb3: missing inode locks in punch hole (David Howells) \n- scsi: lpfc: Add missing destroy_workqueue() in error path (Yang Yingliang) \n- scsi: mpt3sas: Fix use-after-free warning (Sreekanth Reddy) \n- nvmet: fix a use-after-free (Bart Van Assche) \n- debugfs: add debugfs_lookup_and_remove() (Greg Kroah-Hartman) \n- kprobes: Prohibit probes in gate area (Christian A. 
Ehrhardt) \n- ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() (Dongxiang Ke) \n- ALSA: aloop: Fix random zeros in capture data when using jiffies timer (Pattara Teerapong) \n- ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() (Tasos Sahanidis) \n- drm/amdgpu: mmVM_L2_CNTL3 register not initialized correctly (Qu Huang) \n- fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() (Yang Yingliang) \n- arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level (Sudeep Holla) \n- parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines (Helge Deller) \n- parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources() (Li Qiong) \n- drm/radeon: add a force flush to delay work when radeon (Zhenneng Li) \n- drm/amdgpu: Check num_gfx_rings for gfx v9_0 rb setup. (Candice Li) \n- drm/gem: Fix GEM handle release errors (Jeffy Chen) \n- scsi: megaraid_sas: Fix double kfree() (Guixin Liu) \n- USB: serial: ch341: fix disabled rx timer on older devices (Johan Hovold) \n- USB: serial: ch341: fix lost character on LCR updates (Johan Hovold) \n- usb: dwc3: disable USB core PHY management (Johan Hovold) \n- usb: dwc3: fix PHY disable sequence (Johan Hovold) \n- btrfs: harden identification of a stale device (Anand Jain) \n- drm/i915/glk: ECS Liva Q2 needs GLK HDMI port timing quirk (Diego Santa Cruz) \n- ALSA: seq: Fix data-race at module auto-loading (Takashi Iwai) \n- ALSA: seq: oss: Fix data-race for max_midi_devs access (Takashi Iwai) \n- net: mac802154: Fix a condition in the receive path (Miquel Raynal) \n- ip: fix triggering of 'icmp redirect' (Nicolas Dichtel) \n- wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected (Siddh Raman Pant) \n- driver core: Don't probe devices after bus_type.match() probe deferral (Isaac J. 
Manjarres) \n- usb: gadget: mass_storage: Fix cdrom data transfers on MAC-OS (Krishna Kurapati) \n- USB: core: Prevent nested device-reset calls (Alan Stern) \n- s390: fix nospec table alignments (Josh Poimboeuf) \n- s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages (Gerald Schaefer) \n- usb-storage: Add ignore-residue quirk for NXP PN7462AU (Witold Lipieta) \n- USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) (Thierry GUIBERT) \n- usb: dwc2: fix wrong order of phy_power_on and phy_init (Heiner Kallweit) \n- usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles (Pablo Sun) \n- USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode (Slark Xiao) \n- USB: serial: option: add Quectel EM060K modem (Yonglin Tan) \n- USB: serial: option: add support for OPPO R11 diag port (Yan Xinyu) \n- USB: serial: cp210x: add Decagon UCA device id (Johan Hovold) \n- xhci: Add grace period after xHC start to prevent premature runtime suspend. (Mathias Nyman) \n- thunderbolt: Use the actual buffer in tb_async_error() (Mika Westerberg) \n- gpio: pca953x: Add mutex_lock for regcache sync in PM (Haibo Chen) \n- hwmon: (gpio-fan) Fix array out of bounds access (Armin Wolf) \n- clk: bcm: rpi: Fix error handling of raspberrypi_fw_get_rate (Stefan Wahren) \n- Input: rk805-pwrkey - fix module autoloading (Peter Robinson) \n- clk: core: Fix runtime PM sequence in clk_core_unprepare() (Chen-Yu Tsai) \n- Revert 'clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops' (Stephen Boyd) \n- clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops (Chen-Yu Tsai) \n- drm/i915/reg: Fix spelling mistake 'Unsupport' -> 'Unsupported' (Colin Ian King) \n- usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup (Johan Hovold) \n- binder: fix UAF of ref->proc caused by race condition (Carlos Llamas) \n- USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id (Niek Nooijens) \n- misc: fastrpc: fix memory corruption on open (Johan Hovold) \n- misc: fastrpc: 
fix memory corruption on probe (Johan Hovold) \n- iio: adc: mcp3911: use correct formula for AD conversion (Marcus Folkesson) \n- Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag (Tetsuo Handa) \n- tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete (Sherry Sun) \n- vt: Clear selection before changing the font (Helge Deller) \n- powerpc: align syscall table for ppc32 (Masahiro Yamada) \n- staging: rtl8712: fix use after free bugs (Dan Carpenter) \n- serial: fsl_lpuart: RS485 RTS polariy is inverse (Shenwei Wang) \n- net/smc: Remove redundant refcount increase (Yacan Liu) \n- Revert 'sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb' (Jakub Kicinski) \n- tcp: annotate data-race around challenge_timestamp (Eric Dumazet) \n- sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb (Toke Hoiland-Jorgensen) \n- kcm: fix strp_init() order and cleanup (Cong Wang) \n- ethernet: rocker: fix sleep in atomic context bug in neigh_timer_handler (Duoming Zhou) \n- net: sched: tbf: don't call qdisc_put() while holding tree lock (Zhengchao Shao) \n- Revert 'xhci: turn off port power in shutdown' (Mathias Nyman) \n- wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() (Dan Carpenter) \n- ieee802154/adf7242: defer destroy_workqueue call (Lin Ma) \n- iio: adc: mcp3911: make use of the sign bit (Marcus Folkesson) \n- platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask (Andy Shevchenko) \n- drm/msm/dsi: Fix number of regulators for msm8996_dsi_cfg (Douglas Anderson) \n- drm/msm/dsi: fix the inconsistent indenting (sunliming) \n- net: dp83822: disable false carrier interrupt (Enguerrand de Ribaucourt) \n- Revert 'mm: kmemleak: take a full lowmem check in kmemleak_*_phys()' (Yee Lee) \n- fs: only do a memory barrier for the first set_buffer_uptodate() (Linus Torvalds) \n- net: mvpp2: debugfs: fix memory leak when using debugfs_lookup() (Greg Kroah-Hartman) \n- wifi: iwlegacy: 4965: corrected fix for 
potential off-by-one overflow in il4965_rs_fill_link_cmd() (Stanislaw Gruszka) \n- efi: capsule-loader: Fix use-after-free in efi_capsule_write (Hyunwoo Kim) \n- LTS tag: v5.4.212 (Sherry Yang) \n- net: neigh: don't call kfree_skb() under spin_lock_irqsave() (Yang Yingliang) \n- net/af_packet: check len when min_header_len equals to 0 (Zhengchao Shao) \n- kprobes: don't call disarm_kprobe() for disabled kprobes (Kuniyuki Iwashima) \n- lib/vdso: Mark do_hres() and do_coarse() as __always_inline (Andrei Vagin) \n- lib/vdso: Let do_coarse() return 0 to simplify the callsite (Christophe Leroy) \n- btrfs: tree-checker: check for overlapping extent items (Josef Bacik) \n- netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y (Geert Uytterhoeven) \n- drm/amd/display: Fix pixel clock programming (Ilya Bakoulin) \n- s390/hypfs: avoid error message under KVM (Juergen Gross) \n- neigh: fix possible DoS due to net iface start/stop loop (Denis V. Lunev) \n- drm/amd/display: clear optc underflow before turn off odm clock (Fudong Wang) \n- drm/amd/display: Avoid MPC infinite loop (Josip Pavic) \n- btrfs: unify lookup return value when dir entry is missing (Filipe Manana) \n- btrfs: do not pin logs too early during renames (Filipe Manana) \n- btrfs: introduce btrfs_lookup_match_dir (Marcos Paulo de Souza) \n- mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse (Jann Horn) \n- bpf: Don't redirect packets with invalid pkt_len (Zhengchao Shao) \n- ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead (Yang Jihong) \n- fbdev: fb_pm2fb: Avoid potential divide by zero error (Letu Ren) \n- HID: hidraw: fix memory leak in hidraw_release() (Karthik Alapati) \n- media: pvrusb2: fix memory leak in pvr_probe (Dongliang Mu) \n- udmabuf: Set the DMA mask for the udmabuf device (v2) (Vivek Kasireddy) \n- HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report (Lee Jones) \n- Bluetooth: L2CAP: Fix build errors in some archs 
(Luiz Augusto von Dentz) \n- kbuild: Fix include path in scripts/Makefile.modpost (Jing Leng) \n- x86/bugs: Add 'unknown' reporting for MMIO Stale Data (Pawan Gupta) \n- s390/mm: do not trigger write fault when vma does not allow VM_WRITE (Gerald Schaefer) \n- mm: Force TLB flush for PFNMAP mappings before unlink_file_vma() (Jann Horn) \n- scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq (Saurabh Sengar) \n- perf/x86/intel/uncore: Fix broken read_counter() for SNB IMC PMU (Stephane Eranian) \n- md: call __md_stop_writes in md_stop (Guoqing Jiang) \n- mm/hugetlb: fix hugetlb not supporting softdirty tracking (David Hildenbrand) \n- ACPI: processor: Remove freq Qos request for all CPUs (Riwen Lu) \n- s390: fix double free of GS and RI CBs on fork() failure (Brian Foster) \n- asm-generic: sections: refactor memory_intersects (Quanyang Wang) \n- loop: Check for overflow while configuring loop (Siddh Raman Pant) \n- x86/unwind/orc: Unwind ftrace trampolines with correct ORC entry (Chen Zhongjin) \n- btrfs: check if root is readonly while setting security xattr (Goldwyn Rodrigues) \n- btrfs: add info when mount fails due to stale replace target (Anand Jain) \n- btrfs: replace: drop assert for suspended replace (Anand Jain) \n- btrfs: fix silent failure when deleting root reference (Filipe Manana) \n- ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter (Jacob Keller) \n- net: Fix a data-race around sysctl_somaxconn. (Kuniyuki Iwashima) \n- net: Fix a data-race around netdev_budget_usecs. (Kuniyuki Iwashima) \n- net: Fix a data-race around netdev_budget. (Kuniyuki Iwashima) \n- net: Fix a data-race around sysctl_net_busy_read. (Kuniyuki Iwashima) \n- net: Fix a data-race around sysctl_net_busy_poll. (Kuniyuki Iwashima) \n- net: Fix a data-race around sysctl_tstamp_allow_data. (Kuniyuki Iwashima) \n- ratelimit: Fix data-races in ___ratelimit(). (Kuniyuki Iwashima) \n- net: Fix data-races around netdev_tstamp_prequeue. 
(Kuniyuki Iwashima) \n- net: Fix data-races around weight_p and dev_weight_[rt]x_bias. (Kuniyuki Iwashima) \n- netfilter: nft_tunnel: restrict it to netdev family (Pablo Neira Ayuso) \n- netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families (Pablo Neira Ayuso) \n- netfilter: nft_payload: do not truncate csum_offset and csum_type (Pablo Neira Ayuso) \n- netfilter: nft_payload: report ERANGE for too long offset and length (Pablo Neira Ayuso) \n- bnxt_en: fix NQ resource accounting during vf creation on 57500 chips (Vikas Gupta) \n- net: ipvtap - add __init/__exit annotations to module init/exit funcs (Maciej zenczykowski) \n- bonding: 802.3ad: fix no transmission of LACPDUs (Jonathan Toppins) \n- net: moxa: get rid of asymmetry in DMA mapping/unmapping (Sergei Antonov) \n- net/mlx5e: Properly disable vlan strip on non-UL reps (Vlad Buslov) \n- rose: check NULL rose_loopback_neigh->loopback (Bernard Pidoux) \n- SUNRPC: RPC level errors should set task->tk_rpc_status (Trond Myklebust) \n- xfrm: fix refcount leak in __xfrm_policy_check() (Xin Xiong) \n- kernel/sched: Remove dl_boosted flag comment (Hui Su) \n- sched/deadline: Fix priority inheritance with multiple scheduling classes (Juri Lelli) \n- sched/deadline: Fix stale throttling on de-/boosted tasks (Lucas Stach) \n- sched/deadline: Unthrottle PI boosted threads while enqueuing (Daniel Bristot de Oliveira) \n- pinctrl: amd: Don't save/restore interrupt status and wake status bits (Basavaraj Natikar) \n- Revert 'selftests/bpf: Fix test_align verifier log patterns' (Jean-Philippe Brucker) \n- Revert 'selftests/bpf: Fix 'dubious pointer arithmetic' test' (Jean-Philippe Brucker) \n- usb: cdns3: Fix issue for clear halt endpoint (Pawel Laszczak) \n- kernel/sys_ni: add compat entry for fadvise64_64 (Randy Dunlap) \n- parisc: Fix exception handler for fldw and fstw instructions (Helge Deller) \n- audit: fix potential double free on error path from fsnotify_add_inode_mark (Gaosheng Cui)\n[5.4.17-2136.313.2]\n- 
ice: enable ethtool hooks for E810 firmware update (John Donnelly) [Orabug: 34077831] \n- ice: add ice_handle_nvm_access() (John Donnelly) [Orabug: 34077831] \n- rds: cong: Make rds_cong_wait an array to reduce lock contention (Hakon Bugge) [Orabug: 34574093] \n- rds: cong: Make rs_cong_notify and rs_cong_mask atomic64_t (Hakon Bugge) [Orabug: 34574093] \n- mm: memcg/slab: disable cache merging for KMALLOC_NORMAL caches (Waiman Long) [Orabug: 34601144] \ncaches (Waiman Long) [Orabug: 34601144] \n- mm: memcg/slab: properly set up gfp flags for objcg pointer array (Waiman Long) [Orabug: 34601144] \n- mm, memcg: introduce mem_cgroup_kmem_disabled() (Roman Gushchin) [Orabug: 34601144] \n- mm, slab: make kmalloc_info[] contain all types of names (Pengfei Li) [Orabug: 34601144] \ncpus_read_lock() deadlock (Tejun Heo) [Orabug: 34639998] \n- cgroup: Elide write-locking threadgroup_rwsem when updating csses on an empty subtree (Tejun Heo) [Orabug: 34639998] \n- cgroup: Optimize single thread migration (Michal Koutny) [Orabug: 34639998] \n- Revert 'cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()' (Imran Khan) [Orabug: 34639998] \ncpus_read_lock() deadlock' (Imran Khan) [Orabug: 34639998] \n- x86/MCE/AMD, EDAC/mce_amd: Support non-uniform MCA bank type enumeration (Yazen Ghannam) [Orabug: 34639981] \n- x86/MCE/AMD, EDAC/mce_amd: Add new SMCA bank types (Yazen Ghannam) [Orabug: 34639981] \n- x86/MCE/AMD, EDAC/mce_amd: Add new SMCA bank types (Muralidhara M K) [Orabug: 34639981] \n- x86/mce: Increase maximum number of banks to 64 (Akshay Gupta) [Orabug: 34639981] \n- x86/MCE/AMD, EDAC/amd64: Move address translation to AMD64 EDAC (Yazen Ghannam) [Orabug: 34639981] \n- x86/MCE/AMD: Export smca_get_bank_type symbol (Mukul Joshi) [Orabug: 34639981] \n- EDAC/amd64: Add support for AMD Family 19h Models 10h-1Fh and A0h-AFh (Yazen Ghannam) [Orabug: 34639981] \n- EDAC/amd64: Set proper family type for Family 19h Models 20h-2Fh (Yazen Ghannam) [Orabug: 34639981] \n- 
EDAC: Add RDDR5 and LRDDR5 memory types (Yazen Ghannam) [Orabug: 34639981] \n- hwmon: (k10temp) Support up to 12 CCDs on AMD Family of processors (Babu Moger) [Orabug: 34639981] \n- hwmon: (k10temp) Add support for AMD Family 19h Models 10h-1Fh and A0h-AFh (Babu Moger) [Orabug: 34639981] \n- x86/amd_nb: Add AMD Family 19h Models (10h-1Fh) and (A0h-AFh) PCI IDs (Yazen Ghannam) [Orabug: 34639981] \n- hwmon: (k10temp) Remove unused definitions (Babu Moger) [Orabug: 34639981] \n- hwmon: (k10temp) Remove residues of current and voltage (suma hegde) [Orabug: 34639981] \n- hwmon: (k10temp) Add support for yellow carp (Mario Limonciello) [Orabug: 34639981] \n- hwmon: (k10temp) Rework the temperature offset calculation (Mario Limonciello) [Orabug: 34639981] \n- hwmon: (k10temp) Don't show Tdie for all Zen/Zen2/Zen3 CPU/APU (Mario Limonciello) [Orabug: 34639981] \n- hwmon: (k10temp) Add additional missing Zen2 and Zen3 APUs (Mario Limonciello) [Orabug: 34639981] \n- hwmon: (k10temp) support Zen3 APUs (David Bartley) [Orabug: 34639981] \n- x86/amd_nb: Add AMD family 19h model 50h PCI ids (David Bartley) [Orabug: 34639981] \n- hwmon: (k10temp) Zen3 Ryzen Desktop CPUs support (Gabriel Craciunescu) [Orabug: 34639981] \n- hwmon: (k10temp) Remove support for displaying voltage and current on Zen CPUs (Guenter Roeck) [Orabug: 34639981] \n- hwmon: (k10temp) Add support for Zen3 CPUs (Wei Huang) [Orabug: 34639981] \n- hwmon: (k10temp) Take out debugfs code (Guenter Roeck) [Orabug: 34639981] \n- hwmon: (k10temp) Define SVI telemetry and current factors for Zen2 CPUs (Wei Huang) [Orabug: 34639981] \n- hwmon: (k10temp) Create common functions and macros for Zen CPU families (Wei Huang) [Orabug: 34639981] \n- hwmon: (k10temp) make some symbols static (Jason Yan) [Orabug: 34639981] \n- hwmon: (k10temp) Reorganize and simplify temperature support detection (Guenter Roeck) [Orabug: 34639981] \n- Revert 'hwmon: (k10temp) Add support for Zen3 CPUs' (Dave Kleikamp) [Orabug: 34639981] \n- 
uek-rpm: add missing nft_chain_nat.ko module (Venkat Venkatsubra) [Orabug: 34639977] \n- random: Fix incorrect type for 'rc' variable (Harshit Mogalapalli) [Orabug: 34639972] \n- hwmon: (opbmc) Add support for AST2600 based Pilot (Jan Zdarek) [Orabug: 34639967] \n- KVM: SVM: Clear the CR4 register on reset (Babu Moger) [Orabug: 34639963] \n- x86,swiotlb: Adjust SWIOTLB bounce buffer size for SEV guests (Ashish Kalra) [Orabug: 34639951] \n- netfilter: ebtables: reject blobs that don't provide all entry points (Florian Westphal) [Orabug: 34610051] \n- uek-rpm: Disable CONFIG_CRYPTO_STREEBOG (Victor Erminpour) [Orabug: 34610044] \n- uek-rpm: Disable CONFIG_CRYPTO_SM3 (Victor Erminpour) [Orabug: 34610044] \n- uek-rpm: Disable CONFIG_CRYPTO_SM4 (Victor Erminpour) [Orabug: 34610044] \n- uek-rpm: Add nftables support T93 and Ortano (Henry Willard) [Orabug: 34610035] \n- af_key: Do not call xfrm_probe_algs in parallel (Herbert Xu) [Orabug: 34610032] {CVE-2022-3028}\n- cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() (Tetsuo Handa) [Orabug: 34610025] \ncpus_read_lock() deadlock (Tejun Heo) [Orabug: 34610025] \n- audit: use extern storage class for audit_filter_syscall() (Ankur Arora) [Orabug: 34586449] \n- audit: annotate branch direction for audit_in_mask() (Ankur Arora) [Orabug: 34586449] \n- audit: cache ctx->major in audit_filter_syscall() (Ankur Arora) [Orabug: 34586449]\n[5.4.17-2136.313.1]\n- video: vga16fb: Only probe for EGA and VGA 16 color graphic cards (Javier Martinez Canillas) [Orabug: 32301403] \n- KVM: arm: vgic: Only use the virtual state when userspace accesses enable bits (Marc Zyngier) [Orabug: 34542967] \n- uek-rpm: mips: enable CRYTPTO_USER config options (Dave Kleikamp) [Orabug: 34557309]", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-15T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2022-3028"], "modified": "2022-11-15T00:00:00", "id": "ELSA-2022-9998", "href": "http://linux.oracle.com/errata/ELSA-2022-9998.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-25T00:46:07", "description": "[5.15.0-3.60.5.1]\n- fs: remove no_llseek (Jason A. Donenfeld) [Orabug: 34721465] \n- vfio: do not set FMODE_LSEEK flag (Jason A. Donenfeld) [Orabug: 34721465] \n- dma-buf: remove useless FMODE_LSEEK flag (Jason A. Donenfeld) [Orabug: 34721465] \n- fs: do not compare against ->llseek (Jason A. Donenfeld) [Orabug: 34721465] \n- fs: clear or set FMODE_LSEEK based on llseek function (Jason A. Donenfeld) [Orabug: 34721465]\n[5.15.0-3.60.5]\n- hwmon: (opbmc) Add support for AST2600 based Pilot (Jan Zdarek) [Orabug: 34605427] \n- random: Fix incorrect type for 'rc' variable (Harshit Mogalapalli) [Orabug: 34596909]\n[5.15.0-3.60.4]\n- netfilter: ebtables: reject blobs that don't provide all entry points (Florian Westphal) [Orabug: 34513977] \n- uek-rpm: Disable CONFIG_CRYPTO_STREEBOG (Victor Erminpour) [Orabug: 34538054] \n- uek-rpm: Disable CONFIG_CRYPTO_SM3 (Victor Erminpour) [Orabug: 34538054] \n- uek-rpm: Disable CONFIG_CRYPTO_SM4 (Victor Erminpour) [Orabug: 34538054] \n- af_key: Do not call xfrm_probe_algs in parallel (Herbert Xu) [Orabug: 34566751] {CVE-2022-3028}\n- cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() (Tetsuo Handa) [Orabug: 34567776] \ncpus_read_lock() deadlock (Tejun Heo) [Orabug: 34567776]\n[5.15.0-3.60.3]\n- audit: annotate branch direction for audit_in_mask() (Ankur Arora) [Orabug: 34544783] \n- audit: cache ctx->major in audit_filter_syscall() (Ankur Arora) 
[Orabug: 34544783]\n[5.15.0-3.60.2]\n- LTS version: v5.15.60 (Jack Vogel) \n- x86/speculation: Add LFENCE to RSB fill sequence (Pawan Gupta) \n- x86/speculation: Add RSB VM Exit protections (Daniel Sneddon) \n- macintosh/adb: fix oob read in do_adb_query() function (Ning Qiang) \n- Bluetooth: btusb: Add Realtek RTL8852C support ID 0x13D3:0x3586 (Hilda Wu) \n- Bluetooth: btusb: Add Realtek RTL8852C support ID 0x13D3:0x3587 (Hilda Wu) \n- Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0CB8:0xC558 (Hilda Wu) \n- Bluetooth: btusb: Add Realtek RTL8852C support ID 0x04C5:0x1675 (Hilda Wu) \n- Bluetooth: btusb: Add Realtek RTL8852C support ID 0x04CA:0x4007 (Hilda Wu) \n- Bluetooth: btusb: Add support of IMC Networks PID 0x3568 (Aaron Ma) \n- dt-bindings: bluetooth: broadcom: Add BCM4349B1 DT binding (Ahmad Fatoum) \n- Bluetooth: hci_bcm: Add DT compatible for CYW55572 (Hakan Jansson) \n- Bluetooth: hci_bcm: Add BCM4349B1 variant (Ahmad Fatoum) \n- btrfs: zoned: fix critical section of relocation inode writeback (Naohiro Aota) \n- btrfs: zoned: prevent allocation from previous data relocation BG (Naohiro Aota) \n- arm64: set UXN on swapper page tables (Peter Collingbourne) \n- KVM: x86/svm: add __GFP_ACCOUNT to __sev_dbg_{en,de}crypt_user() (Mingwei Zhang) \n- selftests: KVM: Handle compiler optimizations in ucall (Raghavendra Rao Ananta) \n- tools/kvm_stat: fix display of error when multiple processes are found (Dmitry Klochkov) \n- KVM: selftests: Make hyperv_clock selftest more stable (Vitaly Kuznetsov) \n- KVM: x86: do not set st->preempted when going back to user space (Paolo Bonzini) \n- KVM: x86: do not report a vCPU as preempted outside instruction boundaries (Paolo Bonzini) [Orabug: 34571000] {CVE-2022-39189}\n- crypto: arm64/poly1305 - fix a read out-of-bound (GUO Zihua) \n- ACPI: APEI: Better fix to avoid spamming the console with old error logs (Tony Luck) \n- ACPI: video: Shortening quirk list by identifying Clevo by board_name only (Werner Sembach) \n- 
ACPI: video: Force backlight native for some TongFang devices (Werner Sembach) \n- tools/vm/slabinfo: Handle files in debugfs (Stephane Graber) \n- block: fix default IO priority handling again (Jan Kara) \n- selftests/bpf: Check dst_port only on the client socket (Jakub Sitnicki) \n- selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads (Jakub Sitnicki) \n- x86/speculation: Make all RETbleed mitigations 64-bit only (Ben Hutchings) \n- LTS version: v5.15.59 (Jack Vogel) \n- x86/bugs: Do not enable IBPB at firmware entry when IBPB is not available (Thadeu Lima de Souza Cascardo) \n- docs/kernel-parameters: Update descriptions for 'mitigations=' param with retbleed (Eiichi Tsukata) \n- EDAC/ghes: Set the DIMM label unconditionally (Toshi Kani) \n- ARM: 9216/1: Fix MAX_DMA_ADDRESS overflow (Florian Fainelli) \n- page_alloc: fix invalid watermark check on a negative value (Jaewon Kim) \n- mm/hmm: fault non-owner device private entries (Ralph Campbell) \n- ARM: crypto: comment out gcc warning that breaks clang builds (Greg Kroah-Hartman) \n- sctp: leave the err path free in sctp_stream_init to sctp_stream_free (Xin Long) \n- sfc: disable softirqs for ptp TX (Alejandro Lucero) \n- perf symbol: Correct address for bss symbols (Leo Yan) \n- virtio-net: fix the race between refill work and close (Jason Wang) \n- netfilter: nf_queue: do not allow packet truncation below transport header offset (Florian Westphal) \n- octeontx2-pf: cn10k: Fix egress ratelimit configuration (Sunil Goutham) \n- sctp: fix sleep in atomic context bug in timer handlers (Duoming Zhou) \n- i40e: Fix interface init with MSI interrupts (no MSI-X) (Michal Maloszewski) \n- ipv4: Fix data-races around sysctl_fib_notify_on_flag_change. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_reflect_tos. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_comp_sack_nr. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_comp_sack_slack_ns. 
(Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns. (Kuniyuki Iwashima) \n- net: Fix data-races around sysctl_[rw]mem(_offset)?. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sk_pacing_rate. (Kuniyuki Iwashima) \n- net: mld: fix reference count leak in mld_{query | report}_work() (Taehee Yoo) \n- net: macsec: fix potential resource leak in macsec_add_rxsa() and macsec_add_txsa() (Jianglei Nie) \n- macsec: always read MACSEC_SA_ATTR_PN as a u64 (Sabrina Dubroca) \n- macsec: limit replay window size with XPN (Sabrina Dubroca) \n- macsec: fix error message in macsec_add_rxsa and _txsa (Sabrina Dubroca) \n- macsec: fix NULL deref in macsec_add_rxsa (Sabrina Dubroca) \n- Documentation: fix sctp_wmem in ip-sysctl.rst (Xin Long) \n- tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_autocorking. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_min_tso_segs. (Kuniyuki Iwashima) \n- net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() (Liang He) \n- net: pcs: xpcs: propagate xpcs_read error to xpcs_get_state_c37_sgmii (Vladimir Oltean) \n- igmp: Fix data-races around sysctl_igmp_qrv. (Kuniyuki Iwashima) \n- net/tls: Remove the context from the list in tls_device_down (Maxim Mikityanskiy) \n- ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr (Ziyang Xuan) \n- net: ping6: Fix memleak in ipv6_renew_options(). (Kuniyuki Iwashima) \n- scsi: mpt3sas: Stop fw fault watchdog work item during system shutdown (David Jeffery) \n- tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_limit_output_bytes. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf. 
(Kuniyuki Iwashima) \n- octeontx2-pf: Fix UDP/TCP src and dst port tc filters (Subbaraya Sundeep) \n- Revert 'tcp: change pingpong threshold to 3' (Wei Wang) \n- scsi: ufs: host: Hold reference returned by of_parse_phandle() (Liang He) \n- ice: do not setup vlan for loopback VSI (Maciej Fijalkowski) \n- ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) (Maciej Fijalkowski) \n- tcp: Fix data-races around sysctl_tcp_no_ssthresh_metrics_save. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_nometrics_save. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_frto. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_adv_win_scale. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_app_win. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_dsack. (Kuniyuki Iwashima) \n- watch_queue: Fix missing locking in add_watch_to_object() (Linus Torvalds) \n- watch_queue: Fix missing rcu annotation (David Howells) \n- drm/simpledrm: Fix return type of simpledrm_simple_display_pipe_mode_valid() (Nathan Chancellor) \n- nouveau/svm: Fix to migrate all requested pages (Alistair Popple) \n- s390/archrandom: prevent CPACF trng invocations in interrupt context (Harald Freudenberger) \n- asm-generic: remove a broken and needless ifdef conditional (Lukas Bulwahn) \n- hugetlb: fix memoryleak in hugetlb_mcopy_atomic_pte (Miaohe Lin) \n- mm: fix page leak with multiple threads mapping the same page (Josef Bacik) \n- secretmem: fix unhandled fault in truncate (Mike Rapoport) \n- fs: sendfile handles O_NONBLOCK of out_fd (Andrei Vagin) \n- ntfs: fix use-after-free in ntfs_ucsncmp() (ChenXiaoSong) \n- Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put (Luiz Augusto von Dentz) \n- LTS version: v5.15.58 (Jack Vogel) \n- drm/amd/display: Fix wrong format specifier in amdgpu_dm.c (Hayden Goodfellow) \n- x86/entry_32: Fix segment exceptions (Peter Zijlstra) \n- drm/amdgpu: Off by one in dm_dmub_outbox1_low_irq() 
(Dan Carpenter) \n- x86: drop bogus 'cc' clobber from __try_cmpxchg_user_asm() (Jan Beulich) \n- KVM: x86: fix typo in __try_cmpxchg_user causing non-atomicness (Maxim Levitsky) \n- x86/extable: Prefer local labels in .set directives (Nick Desaulniers) \n- drm/amd/display: invalid parameter check in dmub_hpd_callback (Jose Exposito) \n- drm/amd/display: Don't lock connection_mutex for DMUB HPD (Nicholas Kazlauskas) \n- watch-queue: remove spurious double semicolon (Linus Torvalds) \n- net: usb: ax88179_178a needs FLAG_SEND_ZLP (Jose Alonso) \n- tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() (Jiri Slaby) \n- tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() (Jiri Slaby) \n- tty: drop tty_schedule_flip() (Jiri Slaby) \n- tty: the rest, stop using tty_schedule_flip() (Jiri Slaby) \n- tty: drivers/tty/, stop using tty_schedule_flip() (Jiri Slaby) \n- watchqueue: make sure to serialize 'wqueue->defunct' properly (Linus Torvalds) \n- drm/amd/display: Fix surface optimization regression on Carrizo (Nicholas Kazlauskas) \n- drm/amd/display: Optimize bandwidth on following fast update (Nicholas Kazlauskas) \n- drm/amd/display: Reset DMCUB before HW init (Nicholas Kazlauskas) \n- exfat: use updated exfat_chain directly during renaming (Sungjong Seo) \n- Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks (Luiz Augusto von Dentz) \n- Bluetooth: SCO: Fix sco_send_frame returning skb->len (Luiz Augusto von Dentz) \n- Bluetooth: Fix passing NULL to PTR_ERR (Luiz Augusto von Dentz) \n- Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg (Luiz Augusto von Dentz) \n- Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg (Luiz Augusto von Dentz) \n- Bluetooth: Add bt_skb_sendmmsg helper (Luiz Augusto von Dentz) \n- Bluetooth: Add bt_skb_sendmsg helper (Luiz Augusto von Dentz) \n- um: virtio_uml: Fix broken device handling in time-travel (Johannes Berg) \n- um: virtio_uml: Allow probing from devicetree 
(Vincent Whitchurch) \n- tracing: Fix return value of trace_pid_write() (Wonhyuk Yang) \n- tracing: Place trace_pid_list logic into abstract functions (Steven Rostedt (VMware)) \n- tracing: Have event format check not flag %p* on __get_dynamic_array() (Steven Rostedt (Google)) \n- exfat: fix referencing wrong parent directory information after renaming (Yuezhang Mo) \n- crypto: qat - re-enable registration of algorithms (Giovanni Cabiddu) \n- crypto: qat - add param check for DH (Giovanni Cabiddu) \n- crypto: qat - add param check for RSA (Giovanni Cabiddu) \n- crypto: qat - remove dma_free_coherent() for DH (Giovanni Cabiddu) \n- crypto: qat - remove dma_free_coherent() for RSA (Giovanni Cabiddu) \n- crypto: qat - fix memory leak in RSA (Giovanni Cabiddu) \n- crypto: qat - add backlog mechanism (Giovanni Cabiddu) \n- crypto: qat - refactor submission logic (Giovanni Cabiddu) \n- crypto: qat - use pre-allocated buffers in datapath (Giovanni Cabiddu) \n- crypto: qat - set to zero DH parameters before free (Giovanni Cabiddu) \n- iwlwifi: fw: uefi: add missing include guards (Johannes Berg) \n- mt76: fix use-after-free by removing a non-RCU wcid pointer (Felix Fietkau) \n- xhci: Set HCD flag to defer primary roothub registration (Kishon Vijay Abraham I) \n- xhci: dbc: Rename xhci_dbc_init and xhci_dbc_exit (Mathias Nyman) \n- xhci: dbc: create and remove dbc structure in dbgtty driver. 
(Mathias Nyman) \n- xhci: dbc: refactor xhci_dbc_init() (Mathias Nyman) \n- KVM: x86: Use __try_cmpxchg_user() to emulate atomic accesses (Sean Christopherson) \n- x86/extable: Extend extable functionality (Peter Zijlstra) \n- x86/entry_32: Remove .fixup usage (Peter Zijlstra) \n- bitfield.h: Fix 'type of reg too small for mask' test (Peter Zijlstra) \n- x86/extable: Provide EX_TYPE_DEFAULT_MCE_SAFE and EX_TYPE_FAULT_MCE_SAFE (Thomas Gleixner) \n- x86/extable: Rework the exception table mechanics (Thomas Gleixner) \n- x86/mce: Deduplicate exception handling (Thomas Gleixner) \n- x86/extable: Get rid of redundant macros (Thomas Gleixner) \n- x86/extable: Tidy up redundant handler functions (Thomas Gleixner) \n- x86/uaccess: Implement macros for CMPXCHG on user addresses (Peter Zijlstra) \n- dlm: fix pending remove if msg allocation fails (Alexander Aring) \n- sched/deadline: Fix BUG_ON condition for deboosted tasks (Juri Lelli) \n- bpf: Make sure mac_header was set before using it (Eric Dumazet) \n- mm/mempolicy: fix uninit-value in mpol_rebind_policy() (Wang Cheng) \n- KVM: Don't null dereference ops->destroy (Alexey Kardashevskiy) \n- spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers (Marc Kleine-Budde) \n- KVM: selftests: Fix target thread to be migrated in rseq_test (Gavin Shan) \n- gpio: gpio-xilinx: Fix integer overflow (Srinivas Neeli) \n- tcp: Fix data-races around sysctl_tcp_max_reordering. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_abort_on_overflow. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_rfc1337. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_stdurg. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_retrans_collapse. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_slow_start_after_idle. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts. 
(Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_recovery. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_early_retrans. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl knobs related to SYN option. (Kuniyuki Iwashima) \n- udp: Fix a data-race around sysctl_udp_l3mdev_accept. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_prot_sock. (Kuniyuki Iwashima) \n- ipv4: Fix data-races around sysctl_fib_multipath_hash_fields. (Kuniyuki Iwashima) \n- ipv4: Fix data-races around sysctl_fib_multipath_hash_policy. (Kuniyuki Iwashima) \n- ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh. (Kuniyuki Iwashima) \n- drm/imx/dcss: Add missing of_node_put() in fail path (Liang He) \n- net: dsa: vitesse-vsc73xx: silent spi_device_id warnings (Oleksij Rempel) \n- net: dsa: sja1105: silent spi_device_id warnings (Oleksij Rempel) \n- be2net: Fix buffer overflow in be_get_module_eeprom (Hristo Venev) \n- gpio: pca953x: use the correct register address when regcache sync during init (Haibo Chen) \n- gpio: pca953x: use the correct range when do regmap sync (Haibo Chen) \n- gpio: pca953x: only use single read/write for No AI mode (Haibo Chen) \n- net: stmmac: remove redunctant disable xPCS EEE call (Wong Vee Khee) \n- ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero (Piotr Skajewski) \n- i40e: Fix erroneous adapter reinitialization during recovery process (Dawid Lukwinski) \n- pinctrl: armada-37xx: use raw spinlocks for regmap to avoid invalid wait context (Vladimir Oltean) \n- pinctrl: armada-37xx: Convert to use dev_err_probe() (Andy Shevchenko) \n- pinctrl: armada-37xx: Make use of the devm_platform_ioremap_resource() (Andy Shevchenko) \n- pinctrl: armada-37xx: Use temporary variable for struct device (Andy Shevchenko) \n- iavf: Fix handling of dummy receive descriptors (Przemyslaw Patynowski) \n- tcp: Fix data-races around sysctl_tcp_fastopen_blackhole_timeout. 
(Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_fastopen. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_max_syn_backlog. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_tw_reuse. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_notsent_lowat. (Kuniyuki Iwashima) \n- tcp: Fix data-races around some timeout sysctl knobs. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_reordering. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_migrate_req. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_syncookies. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_syn(ack)?_retries. (Kuniyuki Iwashima) \n- tcp: Fix data-races around keepalive sysctl knobs. (Kuniyuki Iwashima) \n- igmp: Fix data-races around sysctl_igmp_max_msf. (Kuniyuki Iwashima) \n- igmp: Fix a data-race around sysctl_igmp_max_memberships. (Kuniyuki Iwashima) \n- igmp: Fix data-races around sysctl_igmp_llm_reports. (Kuniyuki Iwashima) \n- net/tls: Fix race in TLS device down flow (Tariq Toukan) \n- net: stmmac: fix dma queue left shift overflow issue (Junxiao Chang) \n- perf tests: Fix Convert perf time to TSC test for hybrid (Adrian Hunter) \n- i2c: cadence: Change large transfer count reset logic to be unconditional (Robert Hancock) \n- i2c: mlxcpld: Fix register setting for 400KHz frequency (Vadim Pasternak) \n- net: ipv4: use kfree_skb_reason() in ip_rcv_finish_core() (Menglong Dong) \n- net: ipv4: use kfree_skb_reason() in ip_rcv_core() (Menglong Dong) \n- net: netfilter: use kfree_drop_reason() for NF_DROP (Menglong Dong) \n- net: skb_drop_reason: add document for drop reasons (Menglong Dong) \n- net: socket: rename SKB_DROP_REASON_SOCKET_FILTER (Menglong Dong) \n- net: skb: use kfree_skb_reason() in __udp4_lib_rcv() (Menglong Dong) \n- net: skb: use kfree_skb_reason() in tcp_v4_rcv() (Menglong Dong) \n- net: skb: introduce kfree_skb_reason() (Menglong Dong) \n- net: dsa: microchip: ksz_common: Fix 
refcount leak bug (Liang He) \n- mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times (Sascha Hauer) \n- mtd: rawnand: gpmi: validate controller clock rate (Dario Binacchi) \n- net: stmmac: fix unbalanced ptp clock issue in suspend/resume flow (Biao Huang) \n- net: stmmac: fix pm runtime issue in stmmac_dvr_remove() (Biao Huang) \n- tcp: Fix a data-race around sysctl_tcp_probe_interval. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_probe_threshold. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_min_snd_mss. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_base_mss. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_mtu_probing. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_l3mdev_accept. (Kuniyuki Iwashima) \n- tcp: sk->sk_bound_dev_if once in inet_request_bound_dev_if() (Eric Dumazet) \n- tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. (Kuniyuki Iwashima) \n- ip: Fix a data-race around sysctl_fwmark_reflect. (Kuniyuki Iwashima) \n- ip: Fix a data-race around sysctl_ip_autobind_reuse. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_nonlocal_bind. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_fwd_update_priority. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_fwd_use_pmtu. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_no_pmtu_disc. 
(Kuniyuki Iwashima) \n- igc: Reinstate IGC_REMOVED logic and implement it properly (Lennert Buytenhek) \n- Revert 'e1000e: Fix possible HW unit hang after an s0ix exit' (Sasha Neftin) \n- e1000e: Enable GPT clock before sending message to CSME (Sasha Neftin) \n- nvme: fix block device naming collision (Israel Rukshin) \n- nvme: check for duplicate identifiers earlier (Christoph Hellwig) \n- scsi: ufs: core: Drop loglevel of WriteBoost message (Bjorn Andersson) \n- scsi: megaraid: Clear READ queue map's nr_queues (Ming Lei) \n- drm/amd/display: Ignore First MST Sideband Message Return Error (Fangzhi Zuo) \n- drm/amdgpu/display: add quirk handling for stutter mode (Alex Deucher) \n- drm/amd/display: Fork thread to offload work of hpd_rx_irq (Wayne Lin) \n- drm/amd/display: Add option to defer works of hpd_rx_irq (Wayne Lin) \n- drm/amd/display: Support for DMUB HPD interrupt handling (Jude Shih) \n- tcp: Fix data-races around sysctl_tcp_ecn. (Kuniyuki Iwashima) \n- sysctl: move some boundary constants from sysctl.c to sysctl_vals (Xiaoming Ni) \n- mm/pagealloc: sysctl: change watermark_scale_factor max limit to 30% (Suren Baghdasaryan) \n- net: tun: split run_ebpf_filter() and pskb_trim() into different 'if statement' (Dongli Zhang) \n- ipv4/tcp: do not use per netns ctl sockets (Eric Dumazet) \n- perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() (Peter Zijlstra) \n- pinctrl: ralink: Check for null return of devm_kcalloc (William Dean) \n- pinctrl: ralink: rename pinctrl-rt2880 to pinctrl-ralink (Arinc UNAL) \n- pinctrl: ralink: rename MT7628(an) functions to MT76X8 (Arinc UNAL)\n- RDMA/irdma: Fix sleep from invalid context BUG (Mustafa Ismail) \n- RDMA/irdma: Do not advertise 1GB page size for x722 (Mustafa Ismail) \n- power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe (Miaoqian Lin) \n- xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() (Hangyu Hua) \n- ip: Fix data-races around 
sysctl_ip_default_ttl. (Kuniyuki Iwashima) \n- r8152: fix a WOL issue (Hayes Wang) \n- xfs: fix perag reference leak on iteration race with growfs (Brian Foster) \n- xfs: terminate perag iteration reliably on agcount (Brian Foster) \n- xfs: rename the next_agno perag iteration variable (Brian Foster) \n- xfs: fold perag loop iteration logic into helper function (Brian Foster) \n- xfs: fix maxlevels comparisons in the btree staging code (Darrick J. Wong) \n- mt76: mt7921: Fix the error handling path of mt7921_pci_probe() (Christophe JAILLET) \n- mt76: mt7921e: fix possible probe failure after reboot (Sean Wang) \n- mt76: mt7921: use physical addr to unify register access (Sean Wang) \n- Revert 'mt76: mt7921e: fix possible probe failure after reboot' (Sean Wang) \n- Revert 'mt76: mt7921: Fix the error handling path of mt7921_pci_probe()' (Sean Wang) \n- batman-adv: Use netif_rx_any_context() any. (Sebastian Andrzej Siewior) \n- serial: mvebu-uart: correctly report configured baudrate value (Pali Rohar) \n- PCI: hv: Fix interrupt mapping for multi-MSI (Jeffrey Hugo) \n- PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() (Jeffrey Hugo) \n- PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI (Jeffrey Hugo) \n- PCI: hv: Fix multi-MSI to allow more than one MSI vector (Jeffrey Hugo) \n- Revert 'selftest/vm: verify mmap addr in mremap_test' (Oleksandr Tymoshenko) \n- Revert 'selftest/vm: verify remap destination address in mremap_test' (Oleksandr Tymoshenko) \n- bus: mhi: host: pci_generic: add Telit FN990 (Daniele Palmas) \n- bus: mhi: host: pci_generic: add Telit FN980 v1 hardware revision (Daniele Palmas) \n- drm/ttm: fix locking in vmap/vunmap TTM GEM helpers (Christian Konig) \n- mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication (Ido Schimmel) \n- riscv: add as-options for modules with assembly compontents (Ben Dooks) \n- pinctrl: stm32: fix optional IRQ support to gpios (Fabien Dessenne) \n- LTS version: v5.15.57 (Jack Vogel) \n- x86: Use 
-mindirect-branch-cs-prefix for RETPOLINE builds (Peter Zijlstra) \n- um: Add missing apply_returns() (Peter Zijlstra) \n- x86/asm/32: Fix ANNOTATE_UNRET_SAFE use on 32-bit (Jiri Slaby) \n- x86/xen: Fix initialisation in hypercall_page after rethunk (Ben Hutchings) \n- x86/static_call: Serialize __static_call_fixup() properly (Thomas Gleixner) \n- x86/speculation: Disable RRSBA behavior (Pawan Gupta) \n- x86/kexec: Disable RET on kexec (Konrad Rzeszutek Wilk) \n- x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported (Thadeu Lima de Souza Cascardo) \n- x86/entry: Move PUSH_AND_CLEAR_REGS() back into error_entry (Peter Zijlstra) \n- x86/bugs: Add Cannon lake to RETBleed affected CPU list (Pawan Gupta) \n- x86/retbleed: Add fine grained Kconfig knobs (Peter Zijlstra) \n- objtool: Re-add UNWIND_HINT_{SAVE_RESTORE} (Josh Poimboeuf) \n- objtool: Add entry UNRET validation (Peter Zijlstra) \n- x86/xen: Add UNTRAIN_RET (Peter Zijlstra) \n- intel_idle: Disable IBRS during long idle (Peter Zijlstra) \n- x86: Add magic AMD return-thunk (Peter Zijlstra) \n- x86/entry: Avoid very early RET (Peter Zijlstra) \n- x86/ftrace: Use alternative RET encoding (Peter Zijlstra) \n- objtool: skip non-text sections when adding return-thunk sites (Thadeu Lima de Souza Cascardo) \n- bpf,x86: Respect X86_FEATURE_RETPOLINE* (Peter Zijlstra) \n- bpf,x86: Simplify computing label offsets (Peter Zijlstra) \n- x86/alternative: Add debug prints to apply_retpolines() (Peter Zijlstra) \n- x86/alternative: Try inline spectre_v2=retpoline,amd (Peter Zijlstra) \n- x86/alternative: Handle Jcc __x86_indirect_thunk_\\reg (Peter Zijlstra) \n- x86/alternative: Implement .retpoline_sites support (Peter Zijlstra) \n- x86/retpoline: Create a retpoline thunk array (Peter Zijlstra) \n- x86/retpoline: Move the retpoline thunk declarations to nospec-branch.h (Peter Zijlstra) \n- x86/asm: Fixup odd GEN-for-each-reg.h usage (Peter Zijlstra) \n- x86/asm: Fix register order (Peter Zijlstra) \n- x86/retpoline: 
Remove unused replacement symbols (Peter Zijlstra) \n- objtool: Introduce CFI hash (Peter Zijlstra) \n- objtool,x86: Replace alternatives with .retpoline_sites (Peter Zijlstra) \n- objtool: Shrink struct instruction (Peter Zijlstra) \n- objtool: Explicitly avoid self modifying code in .altinstr_replacement (Peter Zijlstra) \n- objtool: Fix SLS validation for kcov tail-call replacement (Peter Zijlstra) \n- objtool: Classify symbols (Peter Zijlstra) \n- x86/entry: Don't call error_entry() for XENPV (Lai Jiangshan) \n- x86/entry: Move PUSH_AND_CLEAR_REGS out of error_entry() (Lai Jiangshan) \n- x86/entry: Switch the stack after error_entry() returns (Lai Jiangshan) \n- x86/traps: Use pt_regs directly in fixup_bad_iret() (Lai Jiangshan) \n- LTS version: v5.15.56 (Jack Vogel) \n- drm/aperture: Run fbdev removal before internal helpers (Thomas Zimmermann) \n- x86/pat: Fix x86_has_pat_wp() (Juergen Gross) \n- serial: 8250: Fix PM usage_count for console handover (Ilpo Jarvinen) \n- serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle (Ilpo Jarvinen) \n- serial: stm32: Clear prev values before setting RTS delays (Ilpo Jarvinen) \n- serial: 8250: fix return error code in serial8250_request_std_resource() (Yi Yang) \n- vt: fix memory overlapping when deleting chars in the buffer (Yangxi Xiang) \n- tty: serial: samsung_tty: set dma burst_size to 1 (Chanho Park) \n- usb: dwc3: gadget: Fix event pending check (Thinh Nguyen) \n- usb: typec: add missing uevent when partner support PD (Linyu Yuan) \n- USB: serial: ftdi_sio: add Belimo device ids (Lucien Buchmann) \n- signal handling: don't use BUG_ON() for debugging (Linus Torvalds) \n- nvme-pci: phison e16 has bogus namespace ids (Keith Busch) \n- ALSA: usb-audio: Add quirk for Fiero SC-01 (fw v1.0.0) (Egor Vorontsov) \n- ALSA: usb-audio: Add quirk for Fiero SC-01 (Egor Vorontsov) \n- ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices (John Veness) \n- Revert 'can: xilinx_can: Limit CANFD brp to 2' 
(Srinivas Neeli) \n- ARM: dts: stm32: use the correct clock source for CEC on stm32mp151 (Gabriel Fernandez) \n- soc: ixp4xx/npe: Fix unused match warning (Linus Walleij) \n- x86: Clear .brk area at early boot (Juergen Gross) \n- irqchip: or1k-pic: Undefine mask_ack for level triggered hardware (Stafford Horne) \n- ASoC: madera: Fix event generation for rate controls (Charles Keepax) \n- ASoC: madera: Fix event generation for OUT1 demux (Charles Keepax) \n- ASoC: cs47l15: Fix event generation for low power mux control (Charles Keepax) \n- ASoC: dapm: Initialise kcontrol data for mux/demux controls (Charles Keepax) \n- ASoC: rt711-sdca: fix kernel NULL pointer dereference when IO error (Shuming Fan) \n- ASoC: wm5110: Fix DRE control (Charles Keepax) \n- ASoC: Intel: bytcr_wm5102: Fix GPIO related probe-ordering problem (Hans de Goede) \n- ASoC: wcd938x: Fix event generation for some controls (Mark Brown) \n- ASoC: SOF: Intel: hda-loader: Clarify the cl_dsp_init() flow (Peter Ujfalusi) \n- ASoC: codecs: rt700/rt711/rt711-sdca: initialize workqueues in probe (Pierre-Louis Bossart) \n- ASoC: rt7*-sdw: harden jack_detect_handler (Pierre-Louis Bossart) \n- ASoC: rt711: fix calibrate mutex initialization (Pierre-Louis Bossart) \n- ASoC: Intel: sof_sdw: handle errors on card registration (Pierre-Louis Bossart) \n- ASoC: rt711-sdca-sdw: fix calibrate mutex initialization (Pierre-Louis Bossart) \n- ASoC: Realtek/Maxim SoundWire codecs: disable pm_runtime on remove (Pierre-Louis Bossart) \n- pinctrl: aspeed: Fix potential NULL dereference in aspeed_pinmux_set_mux() (Haowen Bai) \n- ASoC: ops: Fix off by one in range control validation (Mark Brown) \n- net: sfp: fix memory leak in sfp_probe() (Jianglei Nie) \n- nvme: fix regression when disconnect a recovering ctrl (Ruozhu Li) \n- nvme-tcp: always fail a request when sending it failed (Sagi Grimberg) \n- NFC: nxp-nci: don't print header length mismatch on i2c error (Michael Walle) \n- net: tipc: fix possible refcount leak in 
tipc_sk_create() (Hangyu Hua) \n- fbdev: Disable sysfb device registration when removing conflicting FBs (Javier Martinez Canillas) \n- firmware: sysfb: Add sysfb_disable() helper function (Javier Martinez Canillas) \n- firmware: sysfb: Make sysfb_create_simplefb() return a pdev pointer (Javier Martinez Canillas) \n- platform/x86: hp-wmi: Ignore Sanitization Mode event (Kai-Heng Feng) \n- cpufreq: pmac32-cpufreq: Fix refcount leak bug (Liang He) \n- scsi: hisi_sas: Limit max hw sectors for v3 HW (John Garry) \n- netfilter: br_netfilter: do not skip all hooks with 0 priority (Florian Westphal) \n- virtio_mmio: Restore guest page size on resume (Stephan Gerhold) \n- virtio_mmio: Add missing PM calls to freeze/restore (Stephan Gerhold) \n- vduse: Tie vduse mgmtdev and its device (Parav Pandit) \n- vdpa/mlx5: Initialize CVQ vringh only once (Eli Cohen) \n- powerpc/xive/spapr: correct bitmap allocation size (Nathan Lynch) \n- ksmbd: use SOCK_NONBLOCK type for kernel_accept() (Namjae Jeon) \n- btrfs: zoned: fix a leaked bioc in read_zone_info (Christoph Hellwig) \n- btrfs: rename btrfs_bio to btrfs_io_context (Qu Wenruo) \n- mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE (Muchun Song) \n- ACPI: video: Fix acpi_video_handles_brightness_key_presses() (Hans de Goede) \n- net/tls: Check for errors in tls_device_init (Tariq Toukan) \n- KVM: x86: Fully initialize 'struct kvm_lapic_irq' in kvm_pv_kick_cpu_op() (Vitaly Kuznetsov) \n- net: atlantic: remove aq_nic_deinit() when resume (Chia-Lin Kao (AceLan)) \n- net: atlantic: remove deep parameter on suspend/resume functions (Chia-Lin Kao (AceLan)) \n- sfc: fix kernel panic when creating VF (Inigo Huguet) \n- seg6: bpf: fix skb checksum in bpf_push_seg6_encap() (Andrea Mayer) \n- seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors (Andrea Mayer) \n- seg6: fix skb checksum evaluation in SRH encapsulation/insertion (Andrea Mayer) \n- ceph: switch netfs read ops to use rreq->inode instead of 
rreq->mapping->host (Jeff Layton) \n- sfc: fix use after free when disabling sriov (Inigo Huguet) \n- drm/amd/pm: Prevent divide by zero (Yefim Barashkin) \n- drm/amd/display: Only use depth 36 bpp linebuffers on DCN display engines. (Mario Kleiner) \n- ima: Fix potential memory leak in ima_init_crypto() (Jianglei Nie) \n- ima: force signature verification when CONFIG_KEXEC_SIG is configured (Coiby Xu) \n- net: stmmac: fix leaks in probe (Dan Carpenter) \n- net: ftgmac100: Hold reference returned by of_get_child_by_name() (Liang He) \n- nexthop: Fix data-races around nexthop_compat_mode. (Kuniyuki Iwashima) \n- ipv4: Fix data-races around sysctl_ip_dynaddr. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_ecn_fallback. (Kuniyuki Iwashima) \n- raw: Fix a data-race around sysctl_raw_l3mdev_accept. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ratemask. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ratelimit. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_errors_use_inbound_ifaddr. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ignore_bogus_error_responses. (Kuniyuki Iwashima) \n- icmp: Fix data-races around sysctl_icmp_echo_enable_probe. (Kuniyuki Iwashima) \n- sysctl: Fix data-races in proc_dointvec_ms_jiffies(). (Kuniyuki Iwashima) \n- sysctl: Fix data-races in proc_dou8vec_minmax(). 
(Kuniyuki Iwashima) \n- bnxt_en: Fix bnxt_refclk_read() (Pavan Chebbi) \n- bnxt_en: Fix bnxt_reinit_after_abort() code path (Michael Chan) \n- drm/i915: Require the vm mutex for i915_vma_bind() (Thomas Hellstrom) \n- drm/i915/uc: correctly track uc_fw init failure (Daniele Ceraolo Spurio) \n- drm/i915/gt: Serialize TLB invalidates with GT resets (Chris Wilson) \n- drm/i915/gt: Serialize GRDOM access between multiple engine resets (Chris Wilson) \n- drm/i915/dg2: Add Wa_22011100796 (Bruce Chang) \n- drm/i915/selftests: fix a couple IS_ERR() vs NULL tests (Dan Carpenter) \n- tracing: Fix sleeping while atomic in kdb ftdump (Douglas Anderson) \n- lockd: fix nlm_close_files (Jeff Layton) \n- lockd: set fl_owner when unlocking files (Jeff Layton) \n- xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE (Demi Marie Obenour) \n- drm/i915/gvt: IS_ERR() vs NULL bug in intel_gvt_update_reg_whitelist() (Dan Carpenter) \n- netfilter: nf_tables: replace BUG_ON by element length check (Pablo Neira Ayuso) \n- netfilter: nf_log: incorrect offset to network header (Pablo Neira Ayuso) \n- arm64: dts: broadcom: bcm4908: Fix cpu node for smp boot (William Zhang) \n- arm64: dts: broadcom: bcm4908: Fix timer node for BCM4906 SoC (William Zhang) \n- ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero (Michal Suchanek) \n- ARM: dts: at91: sama5d2: Fix typo in i2s1 node (Ryan Wanner) \n- ipv4: Fix a data-race around sysctl_fib_sync_mem. (Kuniyuki Iwashima) \n- icmp: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- cipso: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- net: Fix data-races around sysctl_mem. (Kuniyuki Iwashima) \n- inetpeer: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_max_orphans. (Kuniyuki Iwashima) \n- sysctl: Fix data races in proc_dointvec_jiffies(). (Kuniyuki Iwashima) \n- sysctl: Fix data races in proc_doulongvec_minmax(). (Kuniyuki Iwashima) \n- sysctl: Fix data races in proc_douintvec_minmax(). 
(Kuniyuki Iwashima) \n- sysctl: Fix data races in proc_dointvec_minmax(). (Kuniyuki Iwashima) \n- sysctl: Fix data races in proc_douintvec(). (Kuniyuki Iwashima) \n- sysctl: Fix data races in proc_dointvec(). (Kuniyuki Iwashima) \n- net: ethernet: ti: am65-cpsw: Fix devlink port register sequence (Siddharth Vadapalli) \n- net: stmmac: dwc-qos: Disable split header for Tegra194 (Jon Hunter) \n- ASoC: Intel: Skylake: Correct the handling of fmt_config flexible array (Peter Ujfalusi) \n- ASoC: Intel: Skylake: Correct the ssp rate discovery in skl_get_ssp_clks() (Peter Ujfalusi) \n- ASoC: tas2764: Fix amp gain register offset & default (Hector Martin) \n- ASoC: tas2764: Correct playback volume range (Hector Martin) \n- ASoC: tas2764: Fix and extend FSYNC polarity handling (Martin Poviser) \n- ASoC: tas2764: Add post reset delays (Martin Poviser) \n- ASoC: sgtl5000: Fix noise on shutdown/remove (Francesco Dolcini) \n- ima: Fix a potential integer overflow in ima_appraise_measurement (Huaxin Lu) \n- drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector() (Hangyu Hua) \n- net/mlx5e: Ring the TX doorbell on DMA errors (Maxim Mikityanskiy) \n- net/mlx5e: Fix capability check for updating vnic env counters (Gal Pressman) \n- net/mlx5e: Fix enabling sriov while tc nic rules are offloaded (Paul Blakey) \n- net/mlx5e: kTLS, Fix build time constant test in RX (Tariq Toukan) \n- net/mlx5e: kTLS, Fix build time constant test in TX (Tariq Toukan) \n- ARM: 9210/1: Mark the FDT_FIXED sections as shareable (Zhen Lei) \n- ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle (Ard Biesheuvel) \n- spi: amd: Limit max transfer and message size (Cristian Ciocaltea) \n- ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count (Kris Bahnsen) \n- reset: Fix devm bulk optional exclusive control getter (Serge Semin) \n- xfs: drop async cache flushes from CIL commits. (Dave Chinner) \n- xfs: don't include bnobt blocks when reserving free block pool (Darrick J. 
Wong) \n- Revert 'evm: Fix memleak in init_desc' (Xiu Jianfeng) \n- sh: convert nommu io{re,un}map() to static inline functions (Geert Uytterhoeven) \n- nilfs2: fix incorrect masking of permission flags for symlinks (Ryusuke Konishi) \n- fs/remap: constrain dedupe of EOF blocks (Dave Chinner) \n- drm/panfrost: Fix shrinker list corruption by madvise IOCTL (Dmitry Osipenko) \n- drm/panfrost: Put mapping instead of shmem obj on panfrost_mmu_map_fault_addr() error (Dmitry Osipenko) \n- btrfs: return -EAGAIN for NOWAIT dio reads/writes on compressed and inline extents (Filipe Manana) \n- cgroup: Use separate src/dst nodes when preloading css_sets for migration (Tejun Heo) \n- wifi: mac80211: fix queue selection for mesh/OCB interfaces (Felix Fietkau) \n- ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction (Ard Biesheuvel) \n- ARM: 9213/1: Print message about disabled Spectre workarounds only once (Dmitry Osipenko) \n- ip: fix dflt addr selection for connected nexthop (Nicolas Dichtel) \n- net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer (Steven Rostedt (Google)) \n- tracing/histograms: Fix memory leak problem (Zheng Yejian) \n- mm: split huge PUD on wp_huge_pud fallback (Gowans, James) \n- mm: userfaultfd: fix UFFDIO_CONTINUE on fallocated shmem pages (Axel Rasmussen) \n- xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue (Juergen Gross) \n- ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop (Meng Tang) \n- ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221 (Meng Tang) \n- ALSA: hda/realtek: fix mute/micmute LEDs for HP machines (Jeremy Szu) \n- ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671 (Meng Tang) \n- ALSA: hda/realtek: Fix headset mic for Acer SF313-51 (Meng Tang) \n- ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model (Meng Tang) \n- ALSA: hda - Add fixup for Dell Latitidue E5430 (Meng Tang) \n- LTS version: 
v5.15.55 (Jack Vogel) \n- Revert 'mtd: rawnand: gpmi: Fix setting busy timeout setting' (Greg Kroah-Hartman) \n- LTS version: v5.15.54 (Jack Vogel) \n- selftests/net: fix section name when using xdp_dummy.o (Hangbin Liu) \n- dmaengine: idxd: force wq context cleanup on device disable path (Dave Jiang) \n- dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate (Miaoqian Lin) \n- dmaengine: qcom: bam_dma: fix runtime PM underflow (Caleb Connolly) \n- dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate (Miaoqian Lin) \n- dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly (Michael Walle) \n- dmaengine: lgm: Fix an error handling path in intel_ldma_probe() (Christophe JAILLET) \n- dmaengine: pl330: Fix lockdep warning about non-static key (Dmitry Osipenko) \n- ida: don't use BUG_ON() for debugging (Linus Torvalds) \n- dt-bindings: dma: allwinner,sun50i-a64-dma: Fix min/max typo (Samuel Holland) \n- Revert 'serial: 8250_mtk: Make sure to select the right FEATURE_SEL' (AngeloGioacchino Del Regno) \n- Revert 'mm/memory-failure.c: fix race with changing page compound again' (Naoya Horiguchi) \n- misc: rtsx_usb: set return value in rsp_buf alloc err path (Shuah Khan) \n- misc: rtsx_usb: use separate command and response buffers (Shuah Khan) \n- misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer (Shuah Khan) \n- dmaengine: imx-sdma: Allow imx8m for imx7 FW revs (Peter Robinson) \n- i2c: cadence: Unregister the clk notifier in error path (Satish Nagireddy) \n- r8169: fix accessing unset transport header (Heiner Kallweit) \n- selftests: forwarding: fix error message in learning_test (Vladimir Oltean) \n- selftests: forwarding: fix learning_test when h1 supports IFF_UNICAST_FLT (Vladimir Oltean) \n- selftests: forwarding: fix flood_unicast_test when h2 supports IFF_UNICAST_FLT (Vladimir Oltean) \n- ibmvnic: Properly dispose of all skbs during a failover. 
(Rick Lindsley) \n- ARM: dts: stm32: add missing usbh clock and fix clk order on stm32mp15 (Fabrice Gasnier) \n- ARM: dts: stm32: use usbphyc ck_usbo_48m as USBH OHCI clock on stm32mp151 (Amelie Delaunay) \n- i40e: Fix VF's MAC Address change on VM (Norbert Zulinski) \n- i40e: Fix dropped jumbo frames statistics (Lukasz Cieplicki) \n- i2c: piix4: Fix a memory leak in the EFCH MMIO support (Jean Delvare) \n- xsk: Clear page contiguity bit when unmapping pool (Ivan Malov) \n- ARM: at91: fix soc detection for SAM9X60 SiPs (Mihai Sain) \n- ARM: dts: at91: sama5d2_icp: fix eeprom compatibles (Eugen Hristev) \n- ARM: dts: at91: sam9x60ek: fix eeprom compatible and size (Eugen Hristev) \n- ARM: at91: pm: use proper compatibles for sama7g5's rtc and rtt (Claudiu Beznea) \n- ARM: at91: pm: use proper compatibles for sam9x60's rtc and rtt (Claudiu Beznea) \n- ARM: at91: pm: use proper compatible for sama5d2's rtc (Claudiu Beznea) \n- arm64: dts: qcom: msm8992-*: Fix vdd_lvs1_2-supply typo (Stephan Gerhold) \n- pinctrl: sunxi: sunxi_pconf_set: use correct offset (Andrei Lalaev) \n- arm64: dts: imx8mp-phyboard-pollux-rdk: correct i2c2 & mmc settings (Peng Fan) \n- arm64: dts: imx8mp-phyboard-pollux-rdk: correct eqos pad settings (Peng Fan) \n- arm64: dts: imx8mp-phyboard-pollux-rdk: correct uart pad settings (Peng Fan) \n- arm64: dts: imx8mp-evk: correct I2C3 pad settings (Peng Fan) \n- arm64: dts: imx8mp-evk: correct I2C1 pad settings (Peng Fan) \n- arm64: dts: imx8mp-evk: correct eqos pad settings (Peng Fan) \n- arm64: dts: imx8mp-evk: correct vbus pad settings (Peng Fan) \n- arm64: dts: imx8mp-evk: correct gpio-led pad settings (Peng Fan) \n- arm64: dts: imx8mp-evk: correct the uart2 pinctl value (Sherry Sun) \n- arm64: dts: imx8mp-evk: correct mmc pad settings (Peng Fan) \n- ARM: mxs_defconfig: Enable the framebuffer (Fabio Estevam) \n- arm64: dts: qcom: sdm845: use dispcc AHB clock for mdss node (Dmitry Baryshkov) \n- arm64: dts: qcom: msm8994: Fix CPU6/7 reg values 
(Konrad Dybcio) \n- ASoC: codecs: rt700/rt711/rt711-sdca: resume bus/codec in .set_jack_detect (Pierre-Louis Bossart) \n- ASoC: rt711-sdca: Add endianness flag in snd_soc_component_driver (Charles Keepax) \n- ASoC: rt711: Add endianness flag in snd_soc_component_driver (Charles Keepax) \n- pinctrl: sunxi: a83t: Fix NAND function name for some pins (Samuel Holland) \n- ARM: meson: Fix refcount leak in meson_smp_prepare_cpus (Miaoqian Lin) \n- tty: n_gsm: fix encoding of command/response bit (daniel.starke@siemens.com) \n- btrfs: fix use of uninitialized variable at rm device ioctl (Tom Rix) \n- virtio-blk: modify the value type of num in virtio_queue_rq() (Ye Guojin) \n- btrfs: fix error pointer dereference in btrfs_ioctl_rm_dev_v2() (Dan Carpenter) \n- Revert 'serial: sc16is7xx: Clear RS485 bits in the shutdown' (Hui Wang) \n- can: kvaser_usb: kvaser_usb_leaf: fix bittiming limits (Jimmy Assarsson) \n- can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression (Jimmy Assarsson) \n- can: kvaser_usb: replace run-time checks with struct kvaser_usb_driver_info (Jimmy Assarsson) \n- net: dsa: qca8k: reset cpu port on MTU change (Christian Marangi) \n- powerpc/powernv: delay rng platform device creation until later in boot (Jason A. Donenfeld) \n- video: of_display_timing.h: include errno.h (Hsin-Yi Wang) \n- memregion: Fix memregion_free() fallback definition (Dan Williams) \n- PM: runtime: Redefine pm_runtime_release_supplier() (Rafael J. 
Wysocki) \n- fbcon: Prevent that screen size is smaller than font size (Helge Deller) \n- fbcon: Disallow setting font bigger than screen size (Helge Deller) \n- fbmem: Check virtual screen sizes in fb_set_var() (Helge Deller) \n- fbdev: fbmem: Fix logo center image dx issue (Guiling Deng) \n- iommu/vt-d: Fix PCI bus rescan device hot add (Yian Chen) \n- module: fix [e_shstrndx].sh_size=0 OOB access (Alexey Dobriyan) \n- module: change to print useful messages from elf_validity_check() (Shuah Khan) \n- dt-bindings: soc: qcom: smd-rpm: Fix missing MSM8936 compatible (Bryan O'Donoghue) \n- dt-bindings: soc: qcom: smd-rpm: Add compatible for MSM8953 SoC (Vladimir Lypak) \n- rxrpc: Fix locking issue (David Howells) \n- irqchip/gic-v3: Refactor ISB + EOIR at ack time (Mark Rutland) \n- irqchip/gic-v3: Ensure pseudo-NMIs have an ISB between ack and handling (Mark Rutland) \n- io_uring: avoid io-wq -EAGAIN looping for !IOPOLL (Pavel Begunkov) \n- Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event (Sean Wang) \n- Bluetooth: protect le accept and resolv lists with hdev->lock (Niels Dossche) \n- drm/mediatek: Add vblank register/unregister callback functions (Rex-BC Chen) \n- drm/mediatek: Add cmdq_handle in mtk_crtc (Chun-Kuang Hu) \n- drm/mediatek: Detect CMDQ execution timeout (Chun-Kuang Hu) \n- drm/mediatek: Remove the pointer of struct cmdq_client (Chun-Kuang Hu) \n- drm/mediatek: Use mailbox rx_callback instead of cmdq_task_cb (Chun-Kuang Hu) \n- drm/i915: Fix a race between vma / object destruction and unbinding (Thomas Hellstrom) \n- drm/amdgpu: vi: disable ASPM on Intel Alder Lake based systems (Richard Gong) \n- drm/amd: Refactor amdgpu_aspm to be evaluated per device (Mario Limonciello) \n- tty: n_gsm: fix invalid gsmtty_write_room() result (Daniel Starke) \n- serial: 8250_mtk: Make sure to select the right FEATURE_SEL (AngeloGioacchino Del Regno) \n- tty: n_gsm: fix sometimes uninitialized warning in gsm_dlci_modem_output() (Daniel Starke) \n- tty: 
n_gsm: fix invalid use of MSC in advanced option (Daniel Starke) \n- mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb() (Naoya Horiguchi) \n- mm/memory-failure.c: fix race with changing page compound again (Miaohe Lin) \n- mm/hwpoison: avoid the impact of hwpoison_filter() return value on mce handler (luofei) \n- mm/hwpoison: mf_mutex for soft offline and unpoison (Naoya Horiguchi) \n- KVM: Initialize debugfs_dentry when a VM is created to avoid NULL deref (Sean Christopherson) \n- btrfs: zoned: use dedicated lock for data relocation (Naohiro Aota) \n- btrfs: zoned: encapsulate inode locking for zoned relocation (Johannes Thumshirn) \n- tty: n_gsm: fix missing update of modem controls after DLCI open (Daniel Starke) \n- ALSA: usb-audio: add mapping for MSI MAG X570S Torpedo MAX. (Maurizio Avogadro) \n- ALSA: usb-audio: add mapping for MSI MPG X570S Carbon Max Wifi. (Johannes Schickel) \n- tty: n_gsm: fix frame reception handling (Daniel Starke) \n- tty: n_gsm: Save dlci address open status when config requester (Zhenguo Zhao) \n- tty: n_gsm: Modify CR,PF bit when config requester (Zhenguo Zhao) \n- KVM: Don't create VM debugfs files outside of the VM directory (Oliver Upton) \n- drm/amd/vcn: fix an error msg on vcn 3.0 (tiancyin) \n- ASoC: rt5682: fix an incorrect NULL check on list iterator (Xiaomeng Tong) \n- ASoC: rt5682: move clk related code to rt5682_i2c_probe (Jack Yu) \n- uapi/linux/stddef.h: Add include guards (Tadeusz Struk) \n- stddef: Introduce DECLARE_FLEX_ARRAY() helper (Kees Cook) \n- bus: mhi: Fix pm_state conversion to string (Paul Davey) \n- bus: mhi: core: Use correctly sized arguments for bit field (Kees Cook) \n- serial: sc16is7xx: Clear RS485 bits in the shutdown (Hui Wang) \n- powerpc/tm: Fix more userspace r13 corruption (Nicholas Piggin) \n- powerpc: flexible GPR range save/restore macros (Nicholas Piggin) \n- powerpc/32: Don't use lmw/stmw for saving/restoring non volatile regs (Christophe Leroy) \n- scsi: 
qla2xxx: Fix loss of NVMe namespaces after driver reload test (Arun Easi) \n- KVM: s390x: fix SCK locking (Claudio Imbrenda) \n- btrfs: don't access possibly stale fs_info data in device_list_add (Dongliang Mu) \n- KVM: use __vcalloc for very large allocations (Paolo Bonzini) \n- mm: vmalloc: introduce array allocation functions (Paolo Bonzini) \n- Compiler Attributes: add __alloc_size() for better bounds checking (Kees Cook) \n- mtd: spi-nor: Skip erase logic when SPI_NOR_NO_ERASE is set (Tudor Ambarus) \n- batman-adv: Use netif_rx(). (Sebastian Andrzej Siewior) \n- iio: accel: mma8452: use the correct logic to get mma8452_data (Haibo Chen) \n- riscv/mm: Add XIP_FIXUP for riscv_pfn_base (Palmer Dabbelt) \n- NFSD: COMMIT operations must not return NFS?ERR_INVAL (Chuck Lever) \n- NFSD: De-duplicate net_generic(nf->nf_net, nfsd_net_id) (Chuck Lever) \n- drm/amd/display: Fix by adding FPU protection for dcn30_internal_validate_bw (CHANDAN VURDIGERE NATARAJ) \n- drm/amd/display: Set min dcfclk if pipe count is 0 (Michael Strauss) \n- drbd: fix an invalid memory access caused by incorrect use of list iterator (Xiaomeng Tong) \n- drbd: Fix double free problem in drbd_create_device (Wu Bo) \n- drbd: add error handling support for add_disk() (Luis Chamberlain) \n- btrfs: remove device item and update super block in the same transaction (Qu Wenruo) \n- btrfs: use btrfs_get_dev_args_from_path in dev removal ioctls (Josef Bacik) \n- btrfs: add a btrfs_get_dev_args_from_path helper (Josef Bacik) \n- btrfs: handle device lookup with btrfs_dev_lookup_args (Josef Bacik) \n- vdpa/mlx5: Avoid processing works if workqueue was destroyed (Eli Cohen) \n- gfs2: Fix gfs2_file_buffered_write endless loop workaround (Andreas Gruenbacher) \n- scsi: qla2xxx: Fix crash during module load unload test (Arun Easi) \n- scsi: qla2xxx: edif: Replace list_for_each_safe with list_for_each_entry_safe (Quinn Tran) \n- scsi: qla2xxx: Fix laggy FC remote port session recovery (Quinn Tran) \n- scsi: 
qla2xxx: Move heartbeat handling from DPC thread to workqueue (Manish Rangankar) \n- KVM: x86/mmu: Use common TDP MMU zap helper for MMU notifier unmap hook (Sean Christopherson) \n- KVM: x86/mmu: Use yield-safe TDP MMU root iter in MMU notifier unmapping (Sean Christopherson) \n- clk: renesas: r9a07g044: Update multiplier and divider values for PLL2/3 (Lad Prabhakar) \n- cxl/port: Hold port reference until decoder release (Dan Williams) \n- mt76: mt7921: do not always disable fw runtime-pm (Lorenzo Bianconi) \n- mt76: mt76_connac: fix MCU_CE_CMD_SET_ROC definition error (Sean Wang) \n- media: davinci: vpif: fix use-after-free on driver unbind (Johan Hovold) \n- media: omap3isp: Use struct_group() for memcpy() region (Kees Cook) \n- stddef: Introduce struct_group() helper macro (Kees Cook) \n- block: fix rq-qos breakage from skipping rq_qos_done_bio() (Tejun Heo) \n- block: only mark bio as tracked if it really is tracked (Jens Axboe) \n- block: use bdev_get_queue() in bio.c (Pavel Begunkov) \n- io_uring: ensure that fsnotify is always called (Jens Axboe) \n- virtio-blk: avoid preallocating big SGL for data (Max Gurtovoy) \n- ibmvnic: Allow queueing resets during probe (Sukadev Bhattiprolu) \n- ibmvnic: clear fop when retrying probe (Sukadev Bhattiprolu) \n- ibmvnic: init init_done_rc earlier (Sukadev Bhattiprolu) \n- s390/setup: preserve memory at OLDMEM_BASE and OLDMEM_SIZE (Alexander Egorenkov) \n- s390/setup: use physical pointers for memblock_reserve() (Alexander Gordeev) \n- s390/boot: allocate amode31 section in decompressor (Alexander Gordeev) \n- netfilter: nft_payload: don't allow th access for fragments (Florian Westphal) \n- netfilter: nft_payload: support for inner header matching / mangling (Pablo Neira Ayuso) \n- netfilter: nf_tables: convert pktinfo->tprot_set to flags field (Pablo Neira Ayuso) \n- ASoC: rt5682: Fix deadlock on resume (Peter Ujfalusi) \n- ASoC: rt5682: Re-detect the combo jack after resuming (Derek Fang) \n- ASoC: rt5682: Avoid the 
unexpected IRQ event during going to suspend (Derek Fang) \n- net/mlx5e: TC, Reject rules with forward and drop actions (Roi Dayan) \n- net/mlx5e: TC, Reject rules with drop and modify hdr action (Roi Dayan) \n- net/mlx5e: Split actions_match_supported() into a sub function (Roi Dayan) \n- net/mlx5e: Check action fwd/drop flag exists also for nic flows (Roi Dayan) \n- RISC-V: defconfigs: Set CONFIG_FB=y, for FB console (Palmer Dabbelt) \n- riscv: defconfig: enable DRM_NOUVEAU (Heinrich Schuchardt) \n- bpf, arm64: Use emit_addr_mov_i64() for BPF_PSEUDO_FUNC (Hou Tao) \n- bpf: Stop caching subprog index in the bpf_pseudo_func insn (Martin KaFai Lau) \n- mt76: mt7921: fix a possible race enabling/disabling runtime-pm (Lorenzo Bianconi) \n- mt76: mt7921: introduce mt7921_mcu_set_beacon_filter utility routine (Lorenzo Bianconi) \n- mt76: mt7921: get rid of mt7921_mac_set_beacon_filter (Lorenzo Bianconi) \n- platform/x86: wmi: Fix driver->notify() vs ->probe() race (Hans de Goede) \n- platform/x86: wmi: Replace read_takes_no_args with a flags field (Hans de Goede) \n- platform/x86: wmi: introduce helper to convert driver to WMI driver (Barnabas Pocze) \n- qed: Improve the stack space of filter_config() (Shai Malin) \n- ath11k: add hw_param for wakeup_mhi (Seevalamuthu Mariappan) \n- memory: renesas-rpc-if: Avoid unaligned bus access for HyperFlash (Andrew Gabbasov) \n- media: ir_toy: prevent device from hanging during transmit (Sean Young) \n- PCI: pciehp: Ignore Link Down/Up caused by error-induced Hot Reset (Lukas Wunner) \n- PCI/portdrv: Rename pm_iter() to pcie_port_device_iter() (Lukas Wunner) \n- drm/i915: Replace the unconditional clflush with drm_clflush_virt_range() (Ville Syrjala) \n- drm/i915/gt: Register the migrate contexts with their engines (Thomas Hellstrom) \n- drm/i915: Disable bonding on gen12+ platforms (Matthew Brost) \n- btrfs: fix deadlock between chunk allocation and chunk btree modifications (Filipe Manana) \n- dma-buf/poll: Get a file reference 
for outstanding fence callbacks (Michel Danzer) \n- Input: goodix - try not to touch the reset-pin on x86/ACPI devices (Hans de Goede) \n- Input: goodix - refactor reset handling (Hans de Goede) \n- Input: goodix - add a goodix.h header file (Hans de Goede) \n- Input: goodix - change goodix_i2c_write() len parameter type to int (Hans de Goede) \n- Input: cpcap-pwrbutton - handle errors from platform_get_irq() (Tang Bin) \n- btrfs: fix warning when freeing leaf after subvolume creation failure (Filipe Manana) \n- btrfs: fix invalid delayed ref after subvolume creation failure (Filipe Manana) \n- btrfs: add additional parameters to btrfs_init_tree_ref/btrfs_init_data_ref (Nikolay Borisov) \n- btrfs: rename btrfs_alloc_chunk to btrfs_create_chunk (Nikolay Borisov) \n- netfilter: nft_set_pipapo: release elements in clone from abort path (Pablo Neira Ayuso) \n- net: rose: fix UAF bug caused by rose_t0timer_expiry (Duoming Zhou) \n- usbnet: fix memory leak in error case (Oliver Neukum) \n- bpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals (Daniel Borkmann) \n- bpf: Fix incorrect verifier simulation around jmp32's jeq/jne (Daniel Borkmann) \n- can: mcp251xfd: mcp251xfd_regmap_crc_read(): update workaround broken CRC on TBC register (Thomas Kopp) \n- can: mcp251xfd: mcp251xfd_regmap_crc_read(): improve workaround handling for mcp2517fd (Thomas Kopp) \n- can: m_can: m_can_{read_fifo,echo_tx_event}(): shift timestamp to full 32 bits (Marc Kleine-Budde) \n- can: m_can: m_can_chip_config(): actually enable internal timestamping (Marc Kleine-Budde) \n- can: gs_usb: gs_usb_open/close(): fix memory leak (Rhett Aultman) \n- can: grcan: grcan_probe(): remove extra of_node_get() (Liang He) \n- can: bcm: use call_rcu() instead of costly synchronize_rcu() (Oliver Hartkopp) \n- ALSA: cs46xx: Fix missing snd_card_free() call at probe error (Takashi Iwai) \n- ALSA: hda/realtek: Add quirk for Clevo L140PU (Tim Crawford) \n- ALSA: usb-audio: Workarounds for Behringer 
UMC 204/404 HD (Takashi Iwai) \n- Revert 'selftests/bpf: Add test for bpf_timer overwriting crash' (Po-Hsu Lin) \n- mm/filemap: fix UAF in find_lock_entries (Liu Shixin) \n- mm/slub: add missing TID updates on slab deactivation (Jann Horn) \n- LTS version: v5.15.53 (Jack Vogel) \n- hwmon: (ibmaem) don't call platform_device_del() if platform_device_add() fails (Yang Yingliang) \n- hwmon: (occ) Prevent power cap command overwriting poll response (Eddie James) \n- hwmon: (occ) Remove sequence numbering and checksum calculation (Eddie James) \n- drm/fourcc: fix integer type usage in uapi header (Carlos Llamas) \n- platform/x86: panasonic-laptop: filter out duplicate volume up/down/mute keypresses (Hans de Goede) \n- platform/x86: panasonic-laptop: don't report duplicate brightness key-presses (Hans de Goede) \n- platform/x86: panasonic-laptop: revert 'Resolve hotkey double trigger bug' (Hans de Goede) \n- platform/x86: panasonic-laptop: sort includes alphabetically (Hans de Goede) \n- platform/x86: panasonic-laptop: de-obfuscate button codes (Stefan Seyfried) \n- drivers: cpufreq: Add missing of_node_put() in qoriq-cpufreq.c (Liang He) \n- drm/msm/gem: Fix error return on fence id alloc fail (Rob Clark) \n- drm/i915/gem: add missing else (katrinzhou) \n- net: fix IFF_TX_SKB_NO_LINEAR definition (Dan Carpenter) \n- fsi: occ: Force sequence numbering per OCC (Eddie James) \n- clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup() (Greg Kroah-Hartman) \n- net: usb: qmi_wwan: add Telit 0x1070 composition (Daniele Palmas) \n- xen/arm: Fix race in RB-tree based P2M accounting (Oleksandr Tyshchenko) \n- xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses() (Jan Beulich) \n- xen/blkfront: force data bouncing when backend is untrusted (Roger Pau Monne) \n- xen/netfront: force data bouncing when backend is untrusted (Roger Pau Monne) \n- xen/netfront: fix leaking data in shared pages (Roger Pau Monne) \n- xen/blkfront: fix 
leaking data in shared pages (Roger Pau Monne) \n- selftests/rseq: Change type of rseq_offset to ptrdiff_t (Mathieu Desnoyers) \n- selftests/rseq: x86-32: use %gs segment selector for accessing rseq thread area (Mathieu Desnoyers) \n- selftests/rseq: x86-64: use %fs segment selector for accessing rseq thread area (Mathieu Desnoyers) \n- selftests/rseq: Fix: work-around asm goto compiler bugs (Mathieu Desnoyers) \n- selftests/rseq: Remove arm/mips asm goto compiler work-around (Mathieu Desnoyers) \n- selftests/rseq: Fix warnings about #if checks of undefined tokens (Mathieu Desnoyers) \n- selftests/rseq: Fix ppc32 offsets by using long rather than off_t (Mathieu Desnoyers) \n- selftests/rseq: Fix ppc32 missing instruction selection 'u' and 'x' for load/store (Mathieu Desnoyers) \n- selftests/rseq: Fix ppc32: wrong rseq_cs 32-bit field pointer on big endian (Mathieu Desnoyers) \n- selftests/rseq: Uplift rseq selftests for compatibility with glibc-2.35 (Mathieu Desnoyers) \n- selftests/rseq: Introduce thread pointer getters (Mathieu Desnoyers) \n- selftests/rseq: Introduce rseq_get_abi() helper (Mathieu Desnoyers) \n- selftests/rseq: Remove volatile from __rseq_abi (Mathieu Desnoyers) \n- selftests/rseq: Remove useless assignment to cpu variable (Mathieu Desnoyers) \n- selftests/rseq: introduce own copy of rseq uapi header (Mathieu Desnoyers) \n- selftests/rseq: remove ARRAY_SIZE define from individual tests (Shuah Khan) \n- selftests/bpf: Add test_verifier support to fixup kfunc call insns (Kumar Kartikeya Dwivedi) \n- tcp: add a missing nf_reset_ct() in 3WHS handling (Eric Dumazet) \n- MAINTAINERS: add Leah as xfs maintainer for 5.15.y (Leah Rumancik) \n- net: tun: avoid disabling NAPI twice (Jakub Kicinski) \n- mlxsw: spectrum_router: Fix rollback in tunnel next hop init (Petr Machata) \n- ipv6: fix lockdep splat in in6_dump_addrs() (Eric Dumazet) \n- ipv6/sit: fix ipip6_tunnel_get_prl return value (katrinzhou) \n- tunnels: do not assume mac header is set in 
skb_tunnel_check_pmtu() (Eric Dumazet) \n- ACPI: video: Change how we determine if brightness key-presses are handled (Hans de Goede) \n- io_uring: ensure that send/sendmsg and recv/recvmsg check sqe->ioprio (Jens Axboe) \n- epic100: fix use after free on rmmod (Tong Zhang) \n- tipc: move bc link creation back to tipc_node_create (Xin Long) \n- NFC: nxp-nci: Don't issue a zero length i2c_master_read() (Michael Walle) \n- nfc: nfcmrvl: Fix irq_of_parse_and_map() return value (Krzysztof Kozlowski) \n- powerpc/memhotplug: Add add_pages override for PPC (Aneesh Kumar K.V) \n- net: bonding: fix use-after-free after 802.3ad slave unbind (Yevhen Orlov) \n- net: phy: ax88772a: fix lost pause advertisement configuration (Oleksij Rempel) \n- net: bonding: fix possible NULL deref in rlb code (Eric Dumazet) \n- net: asix: fix 'can't send until first packet is send' issue (Oleksij Rempel) \n- net/sched: act_api: Notify user space if any actions were flushed before error (Victor Nogueira) \n- net/dsa/hirschmann: Add missing of_node_get() in hellcreek_led_setup() (Liang He) \n- netfilter: nft_dynset: restore set element counter when failing to update (Pablo Neira Ayuso) \n- s390: remove unneeded 'select BUILD_BIN2C' (Masahiro Yamada) \n- vdpa/mlx5: Update Control VQ callback information (Eli Cohen) \n- PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events (Miaoqian Lin) \n- caif_virtio: fix race between virtio_device_ready() and ndo_open() (Jason Wang) \n- vfs: fix copy_file_range() regression in cross-fs copies (Amir Goldstein) \n- NFSD: restore EINVAL error translation in nfsd_commit() (Alexey Khoroshilov) \n- net: ipv6: unexport __init-annotated seg6_hmac_net_init() (YueHaibing) \n- selftests: mptcp: more stable diag tests (Paolo Abeni) \n- usbnet: fix memory allocation in helpers (Oliver Neukum) \n- net: usb: asix: do not force pause frames support (Oleksij Rempel) \n- linux/dim: Fix divide by 0 in RDMA DIM (Tao Liu) \n- RDMA/cm: Fix memory leak in 
ib_cm_insert_listen (Miaoqian Lin) \n- RDMA/qedr: Fix reporting QP timeout attribute (Kamal Heib) \n- net: dp83822: disable rx error interrupt (Enguerrand de Ribaucourt) \n- net: dp83822: disable false carrier interrupt (Enguerrand de Ribaucourt) \n- net: tun: stop NAPI when detaching queues (Jakub Kicinski) \n- net: tun: unlink NAPI from device on destruction (Jakub Kicinski) \n- net: dsa: bcm_sf2: force pause link settings (Doug Berger) \n- selftests/net: pass ipv6_args to udpgso_bench's IPv6 TCP test (Dimitris Michailidis) \n- virtio-net: fix race between ndo_open() and virtio_device_ready() (Jason Wang) \n- net: usb: ax88179_178a: Fix packet receiving (Jose Alonso) \n- net: rose: fix UAF bugs caused by timer handler (Duoming Zhou) \n- SUNRPC: Fix READ_PLUS crasher (Chuck Lever) \n- s390/archrandom: simplify back to earlier design and initialize earlier (Jason A. Donenfeld) \n- dm raid: fix KASAN warning in raid5_add_disks (Mikulas Patocka) \n- dm raid: fix accesses beyond end of raid member array (Heinz Mauelshagen) \n- powerpc/bpf: Fix use of user_pt_regs in uapi (Naveen N. Rao) \n- powerpc/book3e: Fix PUD allocation size in map_kernel_page() (Christophe Leroy) \n- powerpc/prom_init: Fix kernel config grep (Liam Howlett) \n- nvdimm: Fix badblocks clear off-by-one error (Chris Ye) \n- nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA IM2P33F8ABR1 (Lamarque Vieira Souza) \n- nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA XPG SX6000LNP (AKA SPECTRIX S40G) (Pablo Greco) \n- net: phy: Don't trigger state machine while in suspend (Lukas Wunner) \n- ipv6: take care of disable_policy when restoring routes (Nicolas Dichtel) \n- ksmbd: use vfs_llseek instead of dereferencing NULL (Jason A. 
Donenfeld) \n- ksmbd: check invalid FileOffset and BeyondFinalZero in FSCTL_ZERO_DATA (Namjae Jeon) \n- ksmbd: set the range of bytes to zero without extending file size in FSCTL_ZERO_DATA (Namjae Jeon) \n- drm/amdgpu: To flush tlb for MMHUB of RAVEN series (Ruili Ji) \n- Revert 'drm/amdgpu/display: set vblank_disable_immediate for DC' (Alex Deucher) \n- cpufreq:cppc_cpufreq: prevent crash on reading freqdomain_cpus (chris hyser) [Orabug: 34327463] \n- vmcoreinfo: add kallsyms_num_syms symbol (Stephen Brennan) [Orabug: 34475877] \n- vmcoreinfo: include kallsyms symbols (Stephen Brennan) [Orabug: 34475877] \n- kallsyms: move declarations to internal header (Stephen Brennan) [Orabug: 34475877] \n- Revert 'KVM: x86: Print error code in exception injection tracepoint iff valid' (Sherry Yang) [Orabug: 34539458] \n- uek-rpm: Enable IMA_APPRAISE_SB_BOOTPARAM (Eric Snowberg) [Orabug: 34549007] \n- integrity: Allow ima_appraise bootparam to be set when SB is enabled (Eric Snowberg) [Orabug: 34549007] \n- net/mlx5: E-Switch, change VFs default admin state to auto in switchdev (Maor Dickman) [Orabug: 34533007] \n- Revert 'net/mlx5: E-Switch, change VFs default admin state to auto in switchdev' (Devesh Sharma) [Orabug: 34532946] \n- uek-rpm: Install kernel-rpm-macros as build dependency (Somasundaram Krishnasamy) [Orabug: 34529696]\n[5.15.0-3.52.1]\n- rds: ib: Fix lfstack to acquire visibility to list head (Hakon Bugge) [Orabug: 34522536] \n- locking/atomic: Make test_and_*_bit() ordered on failure (Hector Martin) [Orabug: 34520178] \n- intel_idle: make SPR C1 and C1E be independent (Artem Bityutskiy) [Orabug: 34510397] \n- intel_idle: Add AlderLake support (Zhang Rui) [Orabug: 34510397] \n- intel_idle: Fix SPR C6 optimization (Artem Bityutskiy) [Orabug: 34510397] \n- intel_idle: Fix the 'preferred_cstates' module parameter (Artem Bityutskiy) [Orabug: 34510397] \n- cpuidle: intel_idle: Drop redundant backslash at line end (Rafael J. 
Wysocki) [Orabug: 34510397] \n- mlx4: Subscribe to PXM notifier (Konrad Rzeszutek Wilk) [Orabug: 27206634] [Orabug: 34509446] \n- xen/pci: Add PXM node notifier for PXM (NUMA) changes. (Konrad Rzeszutek Wilk) [Orabug: 27206634] [Orabug: 34509446] \n- xen/pcifront: Walk the PCI bus after XenStore notification (Konrad Rzeszutek Wilk) [Orabug: 27206634] [Orabug: 34509446] \n- xen-pcifront/hvm: Slurp up 'pxm' entry and set NUMA node on PCIe device. (V5) (Konrad Rzeszutek Wilk) [Orabug: 34509446] \n- scsi: core: Fix warning in scsi_alloc_sgtables() (Jason Yan) [Orabug: 33857787]", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-24T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2022-3028"], "modified": "2022-10-24T00:00:00", "id": "ELSA-2022-9930", "href": "http://linux.oracle.com/errata/ELSA-2022-9930.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-24T20:46:03", "description": "[5.15.0-3.60.5.1.el8]\n- fs: remove no_llseek (Jason A. Donenfeld) [Orabug: 34721465] \n- vfio: do not set FMODE_LSEEK flag (Jason A. Donenfeld) [Orabug: 34721465] \n- dma-buf: remove useless FMODE_LSEEK flag (Jason A. Donenfeld) [Orabug: 34721465] \n- fs: do not compare against ->llseek (Jason A. Donenfeld) [Orabug: 34721465] \n- fs: clear or set FMODE_LSEEK based on llseek function (Jason A. 
Donenfeld) [Orabug: 34721465]\n[5.15.0-3.60.5]\n- hwmon: (opbmc) Add support for AST2600 based Pilot (Jan Zdarek) [Orabug: 34605427] \n- random: Fix incorrect type for 'rc' variable (Harshit Mogalapalli) [Orabug: 34596909]\n[5.15.0-3.60.4]\n- netfilter: ebtables: reject blobs that don't provide all entry points (Florian Westphal) [Orabug: 34513977] \n- uek-rpm: Disable CONFIG_CRYPTO_STREEBOG (Victor Erminpour) [Orabug: 34538054] \n- uek-rpm: Disable CONFIG_CRYPTO_SM3 (Victor Erminpour) [Orabug: 34538054] \n- uek-rpm: Disable CONFIG_CRYPTO_SM4 (Victor Erminpour) [Orabug: 34538054] \n- af_key: Do not call xfrm_probe_algs in parallel (Herbert Xu) [Orabug: 34566751] {CVE-2022-3028}\n- cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() (Tetsuo Handa) [Orabug: 34567776] \n- cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock (Tejun Heo) [Orabug: 34567776]\n[5.15.0-3.60.3]\n- audit: annotate branch direction for audit_in_mask() (Ankur Arora) [Orabug: 34544783] \n- audit: cache ctx->major in audit_filter_syscall() (Ankur Arora) [Orabug: 34544783]\n[5.15.0-3.60.2]\n- LTS version: v5.15.60 (Jack Vogel) \n- x86/speculation: Add LFENCE to RSB fill sequence (Pawan Gupta) \n- x86/speculation: Add RSB VM Exit protections (Daniel Sneddon) \n- macintosh/adb: fix oob read in do_adb_query() function (Ning Qiang) \n- Bluetooth: btusb: Add Realtek RTL8852C support ID 0x13D3:0x3586 (Hilda Wu) \n- Bluetooth: btusb: Add Realtek RTL8852C support ID 0x13D3:0x3587 (Hilda Wu) \n- Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0CB8:0xC558 (Hilda Wu) \n- Bluetooth: btusb: Add Realtek RTL8852C support ID 0x04C5:0x1675 (Hilda Wu) \n- Bluetooth: btusb: Add Realtek RTL8852C support ID 0x04CA:0x4007 (Hilda Wu) \n- Bluetooth: btusb: Add support of IMC Networks PID 0x3568 (Aaron Ma) \n- dt-bindings: bluetooth: broadcom: Add BCM4349B1 DT binding (Ahmad Fatoum) \n- Bluetooth: hci_bcm: Add DT compatible for CYW55572 (Hakan Jansson) \n- Bluetooth: hci_bcm: Add BCM4349B1 variant (Ahmad Fatoum) \n- btrfs: zoned: fix 
critical section of relocation inode writeback (Naohiro Aota) \n- btrfs: zoned: prevent allocation from previous data relocation BG (Naohiro Aota) \n- arm64: set UXN on swapper page tables (Peter Collingbourne) \n- KVM: x86/svm: add __GFP_ACCOUNT to __sev_dbg_{en,de}crypt_user() (Mingwei Zhang) \n- selftests: KVM: Handle compiler optimizations in ucall (Raghavendra Rao Ananta) \n- tools/kvm_stat: fix display of error when multiple processes are found (Dmitry Klochkov) \n- KVM: selftests: Make hyperv_clock selftest more stable (Vitaly Kuznetsov) \n- KVM: x86: do not set st->preempted when going back to user space (Paolo Bonzini) \n- KVM: x86: do not report a vCPU as preempted outside instruction boundaries (Paolo Bonzini) [Orabug: 34571000] {CVE-2022-39189}\n- crypto: arm64/poly1305 - fix a read out-of-bound (GUO Zihua) \n- ACPI: APEI: Better fix to avoid spamming the console with old error logs (Tony Luck) \n- ACPI: video: Shortening quirk list by identifying Clevo by board_name only (Werner Sembach) \n- ACPI: video: Force backlight native for some TongFang devices (Werner Sembach) \n- tools/vm/slabinfo: Handle files in debugfs (Stephane Graber) \n- block: fix default IO priority handling again (Jan Kara) \n- selftests/bpf: Check dst_port only on the client socket (Jakub Sitnicki) \n- selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads (Jakub Sitnicki) \n- x86/speculation: Make all RETbleed mitigations 64-bit only (Ben Hutchings) \n- LTS version: v5.15.59 (Jack Vogel) \n- x86/bugs: Do not enable IBPB at firmware entry when IBPB is not available (Thadeu Lima de Souza Cascardo) \n- docs/kernel-parameters: Update descriptions for 'mitigations=' param with retbleed (Eiichi Tsukata) \n- EDAC/ghes: Set the DIMM label unconditionally (Toshi Kani) \n- ARM: 9216/1: Fix MAX_DMA_ADDRESS overflow (Florian Fainelli) \n- page_alloc: fix invalid watermark check on a negative value (Jaewon Kim) \n- mm/hmm: fault non-owner device private entries (Ralph Campbell) 
\n- ARM: crypto: comment out gcc warning that breaks clang builds (Greg Kroah-Hartman) \n- sctp: leave the err path free in sctp_stream_init to sctp_stream_free (Xin Long) \n- sfc: disable softirqs for ptp TX (Alejandro Lucero) \n- perf symbol: Correct address for bss symbols (Leo Yan) \n- virtio-net: fix the race between refill work and close (Jason Wang) \n- netfilter: nf_queue: do not allow packet truncation below transport header offset (Florian Westphal) \n- octeontx2-pf: cn10k: Fix egress ratelimit configuration (Sunil Goutham) \n- sctp: fix sleep in atomic context bug in timer handlers (Duoming Zhou) \n- i40e: Fix interface init with MSI interrupts (no MSI-X) (Michal Maloszewski) \n- ipv4: Fix data-races around sysctl_fib_notify_on_flag_change. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_reflect_tos. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_comp_sack_nr. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_comp_sack_slack_ns. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns. (Kuniyuki Iwashima) \n- net: Fix data-races around sysctl_[rw]mem(_offset)?. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sk_pacing_rate. (Kuniyuki Iwashima) \n- net: mld: fix reference count leak in mld_{query | report}_work() (Taehee Yoo) \n- net: macsec: fix potential resource leak in macsec_add_rxsa() and macsec_add_txsa() (Jianglei Nie) \n- macsec: always read MACSEC_SA_ATTR_PN as a u64 (Sabrina Dubroca) \n- macsec: limit replay window size with XPN (Sabrina Dubroca) \n- macsec: fix error message in macsec_add_rxsa and _txsa (Sabrina Dubroca) \n- macsec: fix NULL deref in macsec_add_rxsa (Sabrina Dubroca) \n- Documentation: fix sctp_wmem in ip-sysctl.rst (Xin Long) \n- tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_autocorking. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen. 
(Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_min_tso_segs. (Kuniyuki Iwashima) \n- net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() (Liang He) \n- net: pcs: xpcs: propagate xpcs_read error to xpcs_get_state_c37_sgmii (Vladimir Oltean) \n- igmp: Fix data-races around sysctl_igmp_qrv. (Kuniyuki Iwashima) \n- net/tls: Remove the context from the list in tls_device_down (Maxim Mikityanskiy) \n- ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr (Ziyang Xuan) \n- net: ping6: Fix memleak in ipv6_renew_options(). (Kuniyuki Iwashima) \n- scsi: mpt3sas: Stop fw fault watchdog work item during system shutdown (David Jeffery) \n- tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_limit_output_bytes. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf. (Kuniyuki Iwashima) \n- octeontx2-pf: Fix UDP/TCP src and dst port tc filters (Subbaraya Sundeep) \n- Revert 'tcp: change pingpong threshold to 3' (Wei Wang) \n- scsi: ufs: host: Hold reference returned by of_parse_phandle() (Liang He) \n- ice: do not setup vlan for loopback VSI (Maciej Fijalkowski) \n- ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) (Maciej Fijalkowski) \n- tcp: Fix data-races around sysctl_tcp_no_ssthresh_metrics_save. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_nometrics_save. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_frto. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_adv_win_scale. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_app_win. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_dsack. 
(Kuniyuki Iwashima) \n- watch_queue: Fix missing locking in add_watch_to_object() (Linus Torvalds) \n- watch_queue: Fix missing rcu annotation (David Howells) \n- drm/simpledrm: Fix return type of simpledrm_simple_display_pipe_mode_valid() (Nathan Chancellor) \n- nouveau/svm: Fix to migrate all requested pages (Alistair Popple) \n- s390/archrandom: prevent CPACF trng invocations in interrupt context (Harald Freudenberger) \n- asm-generic: remove a broken and needless ifdef conditional (Lukas Bulwahn) \n- hugetlb: fix memoryleak in hugetlb_mcopy_atomic_pte (Miaohe Lin) \n- mm: fix page leak with multiple threads mapping the same page (Josef Bacik) \n- secretmem: fix unhandled fault in truncate (Mike Rapoport) \n- fs: sendfile handles O_NONBLOCK of out_fd (Andrei Vagin) \n- ntfs: fix use-after-free in ntfs_ucsncmp() (ChenXiaoSong) \n- Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put (Luiz Augusto von Dentz) \n- LTS version: v5.15.58 (Jack Vogel) \n- drm/amd/display: Fix wrong format specifier in amdgpu_dm.c (Hayden Goodfellow) \n- x86/entry_32: Fix segment exceptions (Peter Zijlstra) \n- drm/amdgpu: Off by one in dm_dmub_outbox1_low_irq() (Dan Carpenter) \n- x86: drop bogus 'cc' clobber from __try_cmpxchg_user_asm() (Jan Beulich) \n- KVM: x86: fix typo in __try_cmpxchg_user causing non-atomicness (Maxim Levitsky) \n- x86/extable: Prefer local labels in .set directives (Nick Desaulniers) \n- drm/amd/display: invalid parameter check in dmub_hpd_callback (Jose Exposito) \n- drm/amd/display: Don't lock connection_mutex for DMUB HPD (Nicholas Kazlauskas) \n- watch-queue: remove spurious double semicolon (Linus Torvalds) \n- net: usb: ax88179_178a needs FLAG_SEND_ZLP (Jose Alonso) \n- tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() (Jiri Slaby) \n- tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() (Jiri Slaby) \n- tty: drop tty_schedule_flip() (Jiri Slaby) \n- tty: the rest, stop using tty_schedule_flip() (Jiri Slaby) \n- 
tty: drivers/tty/, stop using tty_schedule_flip() (Jiri Slaby) \n- watchqueue: make sure to serialize 'wqueue->defunct' properly (Linus Torvalds) \n- drm/amd/display: Fix surface optimization regression on Carrizo (Nicholas Kazlauskas) \n- drm/amd/display: Optimize bandwidth on following fast update (Nicholas Kazlauskas) \n- drm/amd/display: Reset DMCUB before HW init (Nicholas Kazlauskas) \n- exfat: use updated exfat_chain directly during renaming (Sungjong Seo) \n- Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks (Luiz Augusto von Dentz) \n- Bluetooth: SCO: Fix sco_send_frame returning skb->len (Luiz Augusto von Dentz) \n- Bluetooth: Fix passing NULL to PTR_ERR (Luiz Augusto von Dentz) \n- Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg (Luiz Augusto von Dentz) \n- Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg (Luiz Augusto von Dentz) \n- Bluetooth: Add bt_skb_sendmmsg helper (Luiz Augusto von Dentz) \n- Bluetooth: Add bt_skb_sendmsg helper (Luiz Augusto von Dentz) \n- um: virtio_uml: Fix broken device handling in time-travel (Johannes Berg) \n- um: virtio_uml: Allow probing from devicetree (Vincent Whitchurch) \n- tracing: Fix return value of trace_pid_write() (Wonhyuk Yang) \n- tracing: Place trace_pid_list logic into abstract functions (Steven Rostedt (VMware)) \n- tracing: Have event format check not flag %p* on __get_dynamic_array() (Steven Rostedt (Google)) \n- exfat: fix referencing wrong parent directory information after renaming (Yuezhang Mo) \n- crypto: qat - re-enable registration of algorithms (Giovanni Cabiddu) \n- crypto: qat - add param check for DH (Giovanni Cabiddu) \n- crypto: qat - add param check for RSA (Giovanni Cabiddu) \n- crypto: qat - remove dma_free_coherent() for DH (Giovanni Cabiddu) \n- crypto: qat - remove dma_free_coherent() for RSA (Giovanni Cabiddu) \n- crypto: qat - fix memory leak in RSA (Giovanni Cabiddu) \n- crypto: qat - add backlog mechanism (Giovanni Cabiddu) \n- 
crypto: qat - refactor submission logic (Giovanni Cabiddu) \n- crypto: qat - use pre-allocated buffers in datapath (Giovanni Cabiddu) \n- crypto: qat - set to zero DH parameters before free (Giovanni Cabiddu) \n- iwlwifi: fw: uefi: add missing include guards (Johannes Berg) \n- mt76: fix use-after-free by removing a non-RCU wcid pointer (Felix Fietkau) \n- xhci: Set HCD flag to defer primary roothub registration (Kishon Vijay Abraham I) \n- xhci: dbc: Rename xhci_dbc_init and xhci_dbc_exit (Mathias Nyman) \n- xhci: dbc: create and remove dbc structure in dbgtty driver. (Mathias Nyman) \n- xhci: dbc: refactor xhci_dbc_init() (Mathias Nyman) \n- KVM: x86: Use __try_cmpxchg_user() to emulate atomic accesses (Sean Christopherson) \n- x86/extable: Extend extable functionality (Peter Zijlstra) \n- x86/entry_32: Remove .fixup usage (Peter Zijlstra) \n- bitfield.h: Fix 'type of reg too small for mask' test (Peter Zijlstra) \n- x86/extable: Provide EX_TYPE_DEFAULT_MCE_SAFE and EX_TYPE_FAULT_MCE_SAFE (Thomas Gleixner) \n- x86/extable: Rework the exception table mechanics (Thomas Gleixner) \n- x86/mce: Deduplicate exception handling (Thomas Gleixner) \n- x86/extable: Get rid of redundant macros (Thomas Gleixner) \n- x86/extable: Tidy up redundant handler functions (Thomas Gleixner) \n- x86/uaccess: Implement macros for CMPXCHG on user addresses (Peter Zijlstra) \n- dlm: fix pending remove if msg allocation fails (Alexander Aring) \n- sched/deadline: Fix BUG_ON condition for deboosted tasks (Juri Lelli) \n- bpf: Make sure mac_header was set before using it (Eric Dumazet) \n- mm/mempolicy: fix uninit-value in mpol_rebind_policy() (Wang Cheng) \n- KVM: Don't null dereference ops->destroy (Alexey Kardashevskiy) \n- spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers (Marc Kleine-Budde) \n- KVM: selftests: Fix target thread to be migrated in rseq_test (Gavin Shan) \n- gpio: gpio-xilinx: Fix integer overflow (Srinivas Neeli) \n- tcp: Fix data-races 
around sysctl_tcp_max_reordering. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_abort_on_overflow. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_rfc1337. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_stdurg. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_retrans_collapse. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_slow_start_after_idle. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_recovery. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_early_retrans. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl knobs related to SYN option. (Kuniyuki Iwashima) \n- udp: Fix a data-race around sysctl_udp_l3mdev_accept. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_prot_sock. (Kuniyuki Iwashima) \n- ipv4: Fix data-races around sysctl_fib_multipath_hash_fields. (Kuniyuki Iwashima) \n- ipv4: Fix data-races around sysctl_fib_multipath_hash_policy. (Kuniyuki Iwashima) \n- ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh. 
(Kuniyuki Iwashima) \n- drm/imx/dcss: Add missing of_node_put() in fail path (Liang He) \n- net: dsa: vitesse-vsc73xx: silent spi_device_id warnings (Oleksij Rempel) \n- net: dsa: sja1105: silent spi_device_id warnings (Oleksij Rempel) \n- be2net: Fix buffer overflow in be_get_module_eeprom (Hristo Venev) \n- gpio: pca953x: use the correct register address when regcache sync during init (Haibo Chen) \n- gpio: pca953x: use the correct range when do regmap sync (Haibo Chen) \n- gpio: pca953x: only use single read/write for No AI mode (Haibo Chen) \n- net: stmmac: remove redunctant disable xPCS EEE call (Wong Vee Khee) \n- ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero (Piotr Skajewski) \n- i40e: Fix erroneous adapter reinitialization during recovery process (Dawid Lukwinski) \n- pinctrl: armada-37xx: use raw spinlocks for regmap to avoid invalid wait context (Vladimir Oltean) \n- pinctrl: armada-37xx: Convert to use dev_err_probe() (Andy Shevchenko) \n- pinctrl: armada-37xx: Make use of the devm_platform_ioremap_resource() (Andy Shevchenko) \n- pinctrl: armada-37xx: Use temporary variable for struct device (Andy Shevchenko) \n- iavf: Fix handling of dummy receive descriptors (Przemyslaw Patynowski) \n- tcp: Fix data-races around sysctl_tcp_fastopen_blackhole_timeout. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_fastopen. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_max_syn_backlog. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_tw_reuse. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_notsent_lowat. (Kuniyuki Iwashima) \n- tcp: Fix data-races around some timeout sysctl knobs. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_reordering. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_migrate_req. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_syncookies. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_syn(ack)?_retries. 
(Kuniyuki Iwashima) \n- tcp: Fix data-races around keepalive sysctl knobs. (Kuniyuki Iwashima) \n- igmp: Fix data-races around sysctl_igmp_max_msf. (Kuniyuki Iwashima) \n- igmp: Fix a data-race around sysctl_igmp_max_memberships. (Kuniyuki Iwashima) \n- igmp: Fix data-races around sysctl_igmp_llm_reports. (Kuniyuki Iwashima) \n- net/tls: Fix race in TLS device down flow (Tariq Toukan) \n- net: stmmac: fix dma queue left shift overflow issue (Junxiao Chang) \n- perf tests: Fix Convert perf time to TSC test for hybrid (Adrian Hunter) \n- i2c: cadence: Change large transfer count reset logic to be unconditional (Robert Hancock) \n- i2c: mlxcpld: Fix register setting for 400KHz frequency (Vadim Pasternak) \n- net: ipv4: use kfree_skb_reason() in ip_rcv_finish_core() (Menglong Dong) \n- net: ipv4: use kfree_skb_reason() in ip_rcv_core() (Menglong Dong) \n- net: netfilter: use kfree_drop_reason() for NF_DROP (Menglong Dong) \n- net: skb_drop_reason: add document for drop reasons (Menglong Dong) \n- net: socket: rename SKB_DROP_REASON_SOCKET_FILTER (Menglong Dong) \n- net: skb: use kfree_skb_reason() in __udp4_lib_rcv() (Menglong Dong) \n- net: skb: use kfree_skb_reason() in tcp_v4_rcv() (Menglong Dong) \n- net: skb: introduce kfree_skb_reason() (Menglong Dong) \n- net: dsa: microchip: ksz_common: Fix refcount leak bug (Liang He) \n- mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times (Sascha Hauer) \n- mtd: rawnand: gpmi: validate controller clock rate (Dario Binacchi) \n- net: stmmac: fix unbalanced ptp clock issue in suspend/resume flow (Biao Huang) \n- net: stmmac: fix pm runtime issue in stmmac_dvr_remove() (Biao Huang) \n- tcp: Fix a data-race around sysctl_tcp_probe_interval. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_probe_threshold. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_min_snd_mss. 
(Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_base_mss. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_mtu_probing. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_l3mdev_accept. (Kuniyuki Iwashima) \n- tcp: sk->sk_bound_dev_if once in inet_request_bound_dev_if() (Eric Dumazet) \n- tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. (Kuniyuki Iwashima) \n- ip: Fix a data-race around sysctl_fwmark_reflect. (Kuniyuki Iwashima) \n- ip: Fix a data-race around sysctl_ip_autobind_reuse. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_nonlocal_bind. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_fwd_update_priority. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_fwd_use_pmtu. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_no_pmtu_disc. (Kuniyuki Iwashima) \n- igc: Reinstate IGC_REMOVED logic and implement it properly (Lennert Buytenhek) \n- Revert 'e1000e: Fix possible HW unit hang after an s0ix exit' (Sasha Neftin) \n- e1000e: Enable GPT clock before sending message to CSME (Sasha Neftin) \n- nvme: fix block device naming collision (Israel Rukshin) \n- nvme: check for duplicate identifiers earlier (Christoph Hellwig) \n- scsi: ufs: core: Drop loglevel of WriteBoost message (Bjorn Andersson) \n- scsi: megaraid: Clear READ queue map's nr_queues (Ming Lei) \n- drm/amd/display: Ignore First MST Sideband Message Return Error (Fangzhi Zuo) \n- drm/amdgpu/display: add quirk handling for stutter mode (Alex Deucher) \n- drm/amd/display: Fork thread to offload work of hpd_rx_irq (Wayne Lin) \n- drm/amd/display: Add option to defer works of hpd_rx_irq (Wayne Lin) \n- drm/amd/display: Support for DMUB HPD interrupt handling (Jude Shih) \n- tcp: Fix data-races around sysctl_tcp_ecn. 
(Kuniyuki Iwashima) \n- sysctl: move some boundary constants from sysctl.c to sysctl_vals (Xiaoming Ni) \n- mm/pagealloc: sysctl: change watermark_scale_factor max limit to 30% (Suren Baghdasaryan) \n- net: tun: split run_ebpf_filter() and pskb_trim() into different 'if statement' (Dongli Zhang) \n- ipv4/tcp: do not use per netns ctl sockets (Eric Dumazet) \n- perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() (Peter Zijlstra) \n- pinctrl: ralink: Check for null return of devm_kcalloc (William Dean) \n- pinctrl: ralink: rename pinctrl-rt2880 to pinctrl-ralink (Arinc UNAL) \n- pinctrl: ralink: rename MT7628(an) functions to MT76X8 (Arinc UNAL)\n- RDMA/irdma: Fix sleep from invalid context BUG (Mustafa Ismail) \n- RDMA/irdma: Do not advertise 1GB page size for x722 (Mustafa Ismail) \n- power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe (Miaoqian Lin) \n- xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() (Hangyu Hua) \n- ip: Fix data-races around sysctl_ip_default_ttl. (Kuniyuki Iwashima) \n- r8152: fix a WOL issue (Hayes Wang) \n- xfs: fix perag reference leak on iteration race with growfs (Brian Foster) \n- xfs: terminate perag iteration reliably on agcount (Brian Foster) \n- xfs: rename the next_agno perag iteration variable (Brian Foster) \n- xfs: fold perag loop iteration logic into helper function (Brian Foster) \n- xfs: fix maxlevels comparisons in the btree staging code (Darrick J. Wong) \n- mt76: mt7921: Fix the error handling path of mt7921_pci_probe() (Christophe JAILLET) \n- mt76: mt7921e: fix possible probe failure after reboot (Sean Wang) \n- mt76: mt7921: use physical addr to unify register access (Sean Wang) \n- Revert 'mt76: mt7921e: fix possible probe failure after reboot' (Sean Wang) \n- Revert 'mt76: mt7921: Fix the error handling path of mt7921_pci_probe()' (Sean Wang) \n- batman-adv: Use netif_rx_any_context() any. 
(Sebastian Andrzej Siewior) \n- serial: mvebu-uart: correctly report configured baudrate value (Pali Rohar) \n- PCI: hv: Fix interrupt mapping for multi-MSI (Jeffrey Hugo) \n- PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() (Jeffrey Hugo) \n- PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI (Jeffrey Hugo) \n- PCI: hv: Fix multi-MSI to allow more than one MSI vector (Jeffrey Hugo) \n- Revert 'selftest/vm: verify mmap addr in mremap_test' (Oleksandr Tymoshenko) \n- Revert 'selftest/vm: verify remap destination address in mremap_test' (Oleksandr Tymoshenko) \n- bus: mhi: host: pci_generic: add Telit FN990 (Daniele Palmas) \n- bus: mhi: host: pci_generic: add Telit FN980 v1 hardware revision (Daniele Palmas) \n- drm/ttm: fix locking in vmap/vunmap TTM GEM helpers (Christian Konig) \n- mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication (Ido Schimmel) \n- riscv: add as-options for modules with assembly compontents (Ben Dooks) \n- pinctrl: stm32: fix optional IRQ support to gpios (Fabien Dessenne) \n- LTS version: v5.15.57 (Jack Vogel) \n- x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds (Peter Zijlstra) \n- um: Add missing apply_returns() (Peter Zijlstra) \n- x86/asm/32: Fix ANNOTATE_UNRET_SAFE use on 32-bit (Jiri Slaby) \n- x86/xen: Fix initialisation in hypercall_page after rethunk (Ben Hutchings) \n- x86/static_call: Serialize __static_call_fixup() properly (Thomas Gleixner) \n- x86/speculation: Disable RRSBA behavior (Pawan Gupta) \n- x86/kexec: Disable RET on kexec (Konrad Rzeszutek Wilk) \n- x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported (Thadeu Lima de Souza Cascardo) \n- x86/entry: Move PUSH_AND_CLEAR_REGS() back into error_entry (Peter Zijlstra) \n- x86/bugs: Add Cannon lake to RETBleed affected CPU list (Pawan Gupta) \n- x86/retbleed: Add fine grained Kconfig knobs (Peter Zijlstra) \n- objtool: Re-add UNWIND_HINT_{SAVE_RESTORE} (Josh Poimboeuf) \n- objtool: Add entry UNRET validation (Peter Zijlstra) \n- x86/xen: 
Add UNTRAIN_RET (Peter Zijlstra) \n- intel_idle: Disable IBRS during long idle (Peter Zijlstra) \n- x86: Add magic AMD return-thunk (Peter Zijlstra) \n- x86/entry: Avoid very early RET (Peter Zijlstra) \n- x86/ftrace: Use alternative RET encoding (Peter Zijlstra) \n- objtool: skip non-text sections when adding return-thunk sites (Thadeu Lima de Souza Cascardo) \n- bpf,x86: Respect X86_FEATURE_RETPOLINE* (Peter Zijlstra) \n- bpf,x86: Simplify computing label offsets (Peter Zijlstra) \n- x86/alternative: Add debug prints to apply_retpolines() (Peter Zijlstra) \n- x86/alternative: Try inline spectre_v2=retpoline,amd (Peter Zijlstra) \n- x86/alternative: Handle Jcc __x86_indirect_thunk_\\reg (Peter Zijlstra) \n- x86/alternative: Implement .retpoline_sites support (Peter Zijlstra) \n- x86/retpoline: Create a retpoline thunk array (Peter Zijlstra) \n- x86/retpoline: Move the retpoline thunk declarations to nospec-branch.h (Peter Zijlstra) \n- x86/asm: Fixup odd GEN-for-each-reg.h usage (Peter Zijlstra) \n- x86/asm: Fix register order (Peter Zijlstra) \n- x86/retpoline: Remove unused replacement symbols (Peter Zijlstra) \n- objtool: Introduce CFI hash (Peter Zijlstra) \n- objtool,x86: Replace alternatives with .retpoline_sites (Peter Zijlstra) \n- objtool: Shrink struct instruction (Peter Zijlstra) \n- objtool: Explicitly avoid self modifying code in .altinstr_replacement (Peter Zijlstra) \n- objtool: Fix SLS validation for kcov tail-call replacement (Peter Zijlstra) \n- objtool: Classify symbols (Peter Zijlstra) \n- x86/entry: Don't call error_entry() for XENPV (Lai Jiangshan) \n- x86/entry: Move PUSH_AND_CLEAR_REGS out of error_entry() (Lai Jiangshan) \n- x86/entry: Switch the stack after error_entry() returns (Lai Jiangshan) \n- x86/traps: Use pt_regs directly in fixup_bad_iret() (Lai Jiangshan) \n- LTS version: v5.15.56 (Jack Vogel) \n- drm/aperture: Run fbdev removal before internal helpers (Thomas Zimmermann) \n- x86/pat: Fix x86_has_pat_wp() (Juergen Gross) \n- 
serial: 8250: Fix PM usage_count for console handover (Ilpo Jarvinen) \n- serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle (Ilpo Jarvinen) \n- serial: stm32: Clear prev values before setting RTS delays (Ilpo Jarvinen) \n- serial: 8250: fix return error code in serial8250_request_std_resource() (Yi Yang) \n- vt: fix memory overlapping when deleting chars in the buffer (Yangxi Xiang) \n- tty: serial: samsung_tty: set dma burst_size to 1 (Chanho Park) \n- usb: dwc3: gadget: Fix event pending check (Thinh Nguyen) \n- usb: typec: add missing uevent when partner support PD (Linyu Yuan) \n- USB: serial: ftdi_sio: add Belimo device ids (Lucien Buchmann) \n- signal handling: don't use BUG_ON() for debugging (Linus Torvalds) \n- nvme-pci: phison e16 has bogus namespace ids (Keith Busch) \n- ALSA: usb-audio: Add quirk for Fiero SC-01 (fw v1.0.0) (Egor Vorontsov) \n- ALSA: usb-audio: Add quirk for Fiero SC-01 (Egor Vorontsov) \n- ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices (John Veness) \n- Revert 'can: xilinx_can: Limit CANFD brp to 2' (Srinivas Neeli) \n- ARM: dts: stm32: use the correct clock source for CEC on stm32mp151 (Gabriel Fernandez) \n- soc: ixp4xx/npe: Fix unused match warning (Linus Walleij) \n- x86: Clear .brk area at early boot (Juergen Gross) \n- irqchip: or1k-pic: Undefine mask_ack for level triggered hardware (Stafford Horne) \n- ASoC: madera: Fix event generation for rate controls (Charles Keepax) \n- ASoC: madera: Fix event generation for OUT1 demux (Charles Keepax) \n- ASoC: cs47l15: Fix event generation for low power mux control (Charles Keepax) \n- ASoC: dapm: Initialise kcontrol data for mux/demux controls (Charles Keepax) \n- ASoC: rt711-sdca: fix kernel NULL pointer dereference when IO error (Shuming Fan) \n- ASoC: wm5110: Fix DRE control (Charles Keepax) \n- ASoC: Intel: bytcr_wm5102: Fix GPIO related probe-ordering problem (Hans de Goede) \n- ASoC: wcd938x: Fix event generation for some controls (Mark Brown) \n- 
ASoC: SOF: Intel: hda-loader: Clarify the cl_dsp_init() flow (Peter Ujfalusi) \n- ASoC: codecs: rt700/rt711/rt711-sdca: initialize workqueues in probe (Pierre-Louis Bossart) \n- ASoC: rt7*-sdw: harden jack_detect_handler (Pierre-Louis Bossart) \n- ASoC: rt711: fix calibrate mutex initialization (Pierre-Louis Bossart) \n- ASoC: Intel: sof_sdw: handle errors on card registration (Pierre-Louis Bossart) \n- ASoC: rt711-sdca-sdw: fix calibrate mutex initialization (Pierre-Louis Bossart) \n- ASoC: Realtek/Maxim SoundWire codecs: disable pm_runtime on remove (Pierre-Louis Bossart) \n- pinctrl: aspeed: Fix potential NULL dereference in aspeed_pinmux_set_mux() (Haowen Bai) \n- ASoC: ops: Fix off by one in range control validation (Mark Brown) \n- net: sfp: fix memory leak in sfp_probe() (Jianglei Nie) \n- nvme: fix regression when disconnect a recovering ctrl (Ruozhu Li) \n- nvme-tcp: always fail a request when sending it failed (Sagi Grimberg) \n- NFC: nxp-nci: don't print header length mismatch on i2c error (Michael Walle) \n- net: tipc: fix possible refcount leak in tipc_sk_create() (Hangyu Hua) \n- fbdev: Disable sysfb device registration when removing conflicting FBs (Javier Martinez Canillas) \n- firmware: sysfb: Add sysfb_disable() helper function (Javier Martinez Canillas) \n- firmware: sysfb: Make sysfb_create_simplefb() return a pdev pointer (Javier Martinez Canillas) \n- platform/x86: hp-wmi: Ignore Sanitization Mode event (Kai-Heng Feng) \n- cpufreq: pmac32-cpufreq: Fix refcount leak bug (Liang He) \n- scsi: hisi_sas: Limit max hw sectors for v3 HW (John Garry) \n- netfilter: br_netfilter: do not skip all hooks with 0 priority (Florian Westphal) \n- virtio_mmio: Restore guest page size on resume (Stephan Gerhold) \n- virtio_mmio: Add missing PM calls to freeze/restore (Stephan Gerhold) \n- vduse: Tie vduse mgmtdev and its device (Parav Pandit) \n- vdpa/mlx5: Initialize CVQ vringh only once (Eli Cohen) \n- powerpc/xive/spapr: correct bitmap allocation size 
(Nathan Lynch) \n- ksmbd: use SOCK_NONBLOCK type for kernel_accept() (Namjae Jeon) \n- btrfs: zoned: fix a leaked bioc in read_zone_info (Christoph Hellwig) \n- btrfs: rename btrfs_bio to btrfs_io_context (Qu Wenruo) \n- mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE (Muchun Song) \n- ACPI: video: Fix acpi_video_handles_brightness_key_presses() (Hans de Goede) \n- net/tls: Check for errors in tls_device_init (Tariq Toukan) \n- KVM: x86: Fully initialize 'struct kvm_lapic_irq' in kvm_pv_kick_cpu_op() (Vitaly Kuznetsov) \n- net: atlantic: remove aq_nic_deinit() when resume (Chia-Lin Kao (AceLan)) \n- net: atlantic: remove deep parameter on suspend/resume functions (Chia-Lin Kao (AceLan)) \n- sfc: fix kernel panic when creating VF (Inigo Huguet) \n- seg6: bpf: fix skb checksum in bpf_push_seg6_encap() (Andrea Mayer) \n- seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors (Andrea Mayer) \n- seg6: fix skb checksum evaluation in SRH encapsulation/insertion (Andrea Mayer) \n- ceph: switch netfs read ops to use rreq->inode instead of rreq->mapping->host (Jeff Layton) \n- sfc: fix use after free when disabling sriov (Inigo Huguet) \n- drm/amd/pm: Prevent divide by zero (Yefim Barashkin) \n- drm/amd/display: Only use depth 36 bpp linebuffers on DCN display engines. (Mario Kleiner) \n- ima: Fix potential memory leak in ima_init_crypto() (Jianglei Nie) \n- ima: force signature verification when CONFIG_KEXEC_SIG is configured (Coiby Xu) \n- net: stmmac: fix leaks in probe (Dan Carpenter) \n- net: ftgmac100: Hold reference returned by of_get_child_by_name() (Liang He) \n- nexthop: Fix data-races around nexthop_compat_mode. (Kuniyuki Iwashima) \n- ipv4: Fix data-races around sysctl_ip_dynaddr. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_ecn_fallback. (Kuniyuki Iwashima) \n- raw: Fix a data-race around sysctl_raw_l3mdev_accept. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ratemask. 
(Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ratelimit. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_errors_use_inbound_ifaddr. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ignore_bogus_error_responses. (Kuniyuki Iwashima) \n- icmp: Fix data-races around sysctl_icmp_echo_enable_probe. (Kuniyuki Iwashima) \n- sysctl: Fix data-races in proc_dointvec_ms_jiffies(). (Kuniyuki Iwashima) \n- sysctl: Fix data-races in proc_dou8vec_minmax(). (Kuniyuki Iwashima) \n- bnxt_en: Fix bnxt_refclk_read() (Pavan Chebbi) \n- bnxt_en: Fix bnxt_reinit_after_abort() code path (Michael Chan) \n- drm/i915: Require the vm mutex for i915_vma_bind() (Thomas Hellstrom) \n- drm/i915/uc: correctly track uc_fw init failure (Daniele Ceraolo Spurio) \n- drm/i915/gt: Serialize TLB invalidates with GT resets (Chris Wilson) \n- drm/i915/gt: Serialize GRDOM access between multiple engine resets (Chris Wilson) \n- drm/i915/dg2: Add Wa_22011100796 (Bruce Chang) \n- drm/i915/selftests: fix a couple IS_ERR() vs NULL tests (Dan Carpenter) \n- tracing: Fix sleeping while atomic in kdb ftdump (Douglas Anderson) \n- lockd: fix nlm_close_files (Jeff Layton) \n- lockd: set fl_owner when unlocking files (Jeff Layton) \n- xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE (Demi Marie Obenour) \n- drm/i915/gvt: IS_ERR() vs NULL bug in intel_gvt_update_reg_whitelist() (Dan Carpenter) \n- netfilter: nf_tables: replace BUG_ON by element length check (Pablo Neira Ayuso) \n- netfilter: nf_log: incorrect offset to network header (Pablo Neira Ayuso) \n- arm64: dts: broadcom: bcm4908: Fix cpu node for smp boot (William Zhang) \n- arm64: dts: broadcom: bcm4908: Fix timer node for BCM4906 SoC (William Zhang) \n- ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero (Michal Suchanek) \n- ARM: dts: at91: sama5d2: Fix typo in i2s1 node (Ryan Wanner) \n- ipv4: Fix a data-race around sysctl_fib_sync_mem. 
(Kuniyuki Iwashima) \n- icmp: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- cipso: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- net: Fix data-races around sysctl_mem. (Kuniyuki Iwashima) \n- inetpeer: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_max_orphans. (Kuniyuki Iwashima) \n- sysctl: Fix data races in proc_dointvec_jiffies(). (Kuniyuki Iwashima) \n- sysctl: Fix data races in proc_doulongvec_minmax(). (Kuniyuki Iwashima) \n- sysctl: Fix data races in proc_douintvec_minmax(). (Kuniyuki Iwashima) \n- sysctl: Fix data races in proc_dointvec_minmax(). (Kuniyuki Iwashima) \n- sysctl: Fix data races in proc_douintvec(). (Kuniyuki Iwashima) \n- sysctl: Fix data races in proc_dointvec(). (Kuniyuki Iwashima) \n- net: ethernet: ti: am65-cpsw: Fix devlink port register sequence (Siddharth Vadapalli) \n- net: stmmac: dwc-qos: Disable split header for Tegra194 (Jon Hunter) \n- ASoC: Intel: Skylake: Correct the handling of fmt_config flexible array (Peter Ujfalusi) \n- ASoC: Intel: Skylake: Correct the ssp rate discovery in skl_get_ssp_clks() (Peter Ujfalusi) \n- ASoC: tas2764: Fix amp gain register offset & default (Hector Martin) \n- ASoC: tas2764: Correct playback volume range (Hector Martin) \n- ASoC: tas2764: Fix and extend FSYNC polarity handling (Martin Poviser) \n- ASoC: tas2764: Add post reset delays (Martin Poviser) \n- ASoC: sgtl5000: Fix noise on shutdown/remove (Francesco Dolcini) \n- ima: Fix a potential integer overflow in ima_appraise_measurement (Huaxin Lu) \n- drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector() (Hangyu Hua) \n- net/mlx5e: Ring the TX doorbell on DMA errors (Maxim Mikityanskiy) \n- net/mlx5e: Fix capability check for updating vnic env counters (Gal Pressman) \n- net/mlx5e: Fix enabling sriov while tc nic rules are offloaded (Paul Blakey) \n- net/mlx5e: kTLS, Fix build time constant test in RX (Tariq Toukan) \n- net/mlx5e: kTLS, Fix build time constant test 
in TX (Tariq Toukan) \n- ARM: 9210/1: Mark the FDT_FIXED sections as shareable (Zhen Lei) \n- ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle (Ard Biesheuvel) \n- spi: amd: Limit max transfer and message size (Cristian Ciocaltea) \n- ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count (Kris Bahnsen) \n- reset: Fix devm bulk optional exclusive control getter (Serge Semin) \n- xfs: drop async cache flushes from CIL commits. (Dave Chinner) \n- xfs: don't include bnobt blocks when reserving free block pool (Darrick J. Wong) \n- Revert 'evm: Fix memleak in init_desc' (Xiu Jianfeng) \n- sh: convert nommu io{re,un}map() to static inline functions (Geert Uytterhoeven) \n- nilfs2: fix incorrect masking of permission flags for symlinks (Ryusuke Konishi) \n- fs/remap: constrain dedupe of EOF blocks (Dave Chinner) \n- drm/panfrost: Fix shrinker list corruption by madvise IOCTL (Dmitry Osipenko) \n- drm/panfrost: Put mapping instead of shmem obj on panfrost_mmu_map_fault_addr() error (Dmitry Osipenko) \n- btrfs: return -EAGAIN for NOWAIT dio reads/writes on compressed and inline extents (Filipe Manana) \n- cgroup: Use separate src/dst nodes when preloading css_sets for migration (Tejun Heo) \n- wifi: mac80211: fix queue selection for mesh/OCB interfaces (Felix Fietkau) \n- ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction (Ard Biesheuvel) \n- ARM: 9213/1: Print message about disabled Spectre workarounds only once (Dmitry Osipenko) \n- ip: fix dflt addr selection for connected nexthop (Nicolas Dichtel) \n- net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer (Steven Rostedt (Google)) \n- tracing/histograms: Fix memory leak problem (Zheng Yejian) \n- mm: split huge PUD on wp_huge_pud fallback (Gowans, James) \n- mm: userfaultfd: fix UFFDIO_CONTINUE on fallocated shmem pages (Axel Rasmussen) \n- xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue (Juergen Gross) \n- ALSA: hda/realtek 
- Enable the headset-mic on a Xiaomi's laptop (Meng Tang) \n- ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221 (Meng Tang) \n- ALSA: hda/realtek: fix mute/micmute LEDs for HP machines (Jeremy Szu) \n- ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671 (Meng Tang) \n- ALSA: hda/realtek: Fix headset mic for Acer SF313-51 (Meng Tang) \n- ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model (Meng Tang) \n- ALSA: hda - Add fixup for Dell Latitidue E5430 (Meng Tang) \n- LTS version: v5.15.55 (Jack Vogel) \n- Revert 'mtd: rawnand: gpmi: Fix setting busy timeout setting' (Greg Kroah-Hartman) \n- LTS version: v5.15.54 (Jack Vogel) \n- selftests/net: fix section name when using xdp_dummy.o (Hangbin Liu) \n- dmaengine: idxd: force wq context cleanup on device disable path (Dave Jiang) \n- dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate (Miaoqian Lin) \n- dmaengine: qcom: bam_dma: fix runtime PM underflow (Caleb Connolly) \n- dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate (Miaoqian Lin) \n- dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly (Michael Walle) \n- dmaengine: lgm: Fix an error handling path in intel_ldma_probe() (Christophe JAILLET) \n- dmaengine: pl330: Fix lockdep warning about non-static key (Dmitry Osipenko) \n- ida: don't use BUG_ON() for debugging (Linus Torvalds) \n- dt-bindings: dma: allwinner,sun50i-a64-dma: Fix min/max typo (Samuel Holland) \n- Revert 'serial: 8250_mtk: Make sure to select the right FEATURE_SEL' (AngeloGioacchino Del Regno) \n- Revert 'mm/memory-failure.c: fix race with changing page compound again' (Naoya Horiguchi) \n- misc: rtsx_usb: set return value in rsp_buf alloc err path (Shuah Khan) \n- misc: rtsx_usb: use separate command and response buffers (Shuah Khan) \n- misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer (Shuah Khan) \n- dmaengine: imx-sdma: Allow imx8m for imx7 FW revs (Peter Robinson) \n- 
i2c: cadence: Unregister the clk notifier in error path (Satish Nagireddy) \n- r8169: fix accessing unset transport header (Heiner Kallweit) \n- selftests: forwarding: fix error message in learning_test (Vladimir Oltean) \n- selftests: forwarding: fix learning_test when h1 supports IFF_UNICAST_FLT (Vladimir Oltean) \n- selftests: forwarding: fix flood_unicast_test when h2 supports IFF_UNICAST_FLT (Vladimir Oltean) \n- ibmvnic: Properly dispose of all skbs during a failover. (Rick Lindsley) \n- ARM: dts: stm32: add missing usbh clock and fix clk order on stm32mp15 (Fabrice Gasnier) \n- ARM: dts: stm32: use usbphyc ck_usbo_48m as USBH OHCI clock on stm32mp151 (Amelie Delaunay) \n- i40e: Fix VF's MAC Address change on VM (Norbert Zulinski) \n- i40e: Fix dropped jumbo frames statistics (Lukasz Cieplicki) \n- i2c: piix4: Fix a memory leak in the EFCH MMIO support (Jean Delvare) \n- xsk: Clear page contiguity bit when unmapping pool (Ivan Malov) \n- ARM: at91: fix soc detection for SAM9X60 SiPs (Mihai Sain) \n- ARM: dts: at91: sama5d2_icp: fix eeprom compatibles (Eugen Hristev) \n- ARM: dts: at91: sam9x60ek: fix eeprom compatible and size (Eugen Hristev) \n- ARM: at91: pm: use proper compatibles for sama7g5's rtc and rtt (Claudiu Beznea) \n- ARM: at91: pm: use proper compatibles for sam9x60's rtc and rtt (Claudiu Beznea) \n- ARM: at91: pm: use proper compatible for sama5d2's rtc (Claudiu Beznea) \n- arm64: dts: qcom: msm8992-*: Fix vdd_lvs1_2-supply typo (Stephan Gerhold) \n- pinctrl: sunxi: sunxi_pconf_set: use correct offset (Andrei Lalaev) \n- arm64: dts: imx8mp-phyboard-pollux-rdk: correct i2c2 & mmc settings (Peng Fan) \n- arm64: dts: imx8mp-phyboard-pollux-rdk: correct eqos pad settings (Peng Fan) \n- arm64: dts: imx8mp-phyboard-pollux-rdk: correct uart pad settings (Peng Fan) \n- arm64: dts: imx8mp-evk: correct I2C3 pad settings (Peng Fan) \n- arm64: dts: imx8mp-evk: correct I2C1 pad settings (Peng Fan) \n- arm64: dts: imx8mp-evk: correct eqos pad settings (Peng 
Fan) \n- arm64: dts: imx8mp-evk: correct vbus pad settings (Peng Fan) \n- arm64: dts: imx8mp-evk: correct gpio-led pad settings (Peng Fan) \n- arm64: dts: imx8mp-evk: correct the uart2 pinctl value (Sherry Sun) \n- arm64: dts: imx8mp-evk: correct mmc pad settings (Peng Fan) \n- ARM: mxs_defconfig: Enable the framebuffer (Fabio Estevam) \n- arm64: dts: qcom: sdm845: use dispcc AHB clock for mdss node (Dmitry Baryshkov) \n- arm64: dts: qcom: msm8994: Fix CPU6/7 reg values (Konrad Dybcio) \n- ASoC: codecs: rt700/rt711/rt711-sdca: resume bus/codec in .set_jack_detect (Pierre-Louis Bossart) \n- ASoC: rt711-sdca: Add endianness flag in snd_soc_component_driver (Charles Keepax) \n- ASoC: rt711: Add endianness flag in snd_soc_component_driver (Charles Keepax) \n- pinctrl: sunxi: a83t: Fix NAND function name for some pins (Samuel Holland) \n- ARM: meson: Fix refcount leak in meson_smp_prepare_cpus (Miaoqian Lin) \n- tty: n_gsm: fix encoding of command/response bit (daniel.starke@siemens.com) \n- btrfs: fix use of uninitialized variable at rm device ioctl (Tom Rix) \n- virtio-blk: modify the value type of num in virtio_queue_rq() (Ye Guojin) \n- btrfs: fix error pointer dereference in btrfs_ioctl_rm_dev_v2() (Dan Carpenter) \n- Revert 'serial: sc16is7xx: Clear RS485 bits in the shutdown' (Hui Wang) \n- can: kvaser_usb: kvaser_usb_leaf: fix bittiming limits (Jimmy Assarsson) \n- can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression (Jimmy Assarsson) \n- can: kvaser_usb: replace run-time checks with struct kvaser_usb_driver_info (Jimmy Assarsson) \n- net: dsa: qca8k: reset cpu port on MTU change (Christian Marangi) \n- powerpc/powernv: delay rng platform device creation until later in boot (Jason A. Donenfeld) \n- video: of_display_timing.h: include errno.h (Hsin-Yi Wang) \n- memregion: Fix memregion_free() fallback definition (Dan Williams) \n- PM: runtime: Redefine pm_runtime_release_supplier() (Rafael J. 
Wysocki) \n- fbcon: Prevent that screen size is smaller than font size (Helge Deller) \n- fbcon: Disallow setting font bigger than screen size (Helge Deller) \n- fbmem: Check virtual screen sizes in fb_set_var() (Helge Deller) \n- fbdev: fbmem: Fix logo center image dx issue (Guiling Deng) \n- iommu/vt-d: Fix PCI bus rescan device hot add (Yian Chen) \n- module: fix [e_shstrndx].sh_size=0 OOB access (Alexey Dobriyan) \n- module: change to print useful messages from elf_validity_check() (Shuah Khan) \n- dt-bindings: soc: qcom: smd-rpm: Fix missing MSM8936 compatible (Bryan O'Donoghue) \n- dt-bindings: soc: qcom: smd-rpm: Add compatible for MSM8953 SoC (Vladimir Lypak) \n- rxrpc: Fix locking issue (David Howells) \n- irqchip/gic-v3: Refactor ISB + EOIR at ack time (Mark Rutland) \n- irqchip/gic-v3: Ensure pseudo-NMIs have an ISB between ack and handling (Mark Rutland) \n- io_uring: avoid io-wq -EAGAIN looping for !IOPOLL (Pavel Begunkov) \n- Bluetooth: btmtksdio: fix use-after-free at btmtksdio_recv_event (Sean Wang) \n- Bluetooth: protect le accept and resolv lists with hdev->lock (Niels Dossche) \n- drm/mediatek: Add vblank register/unregister callback functions (Rex-BC Chen) \n- drm/mediatek: Add cmdq_handle in mtk_crtc (Chun-Kuang Hu) \n- drm/mediatek: Detect CMDQ execution timeout (Chun-Kuang Hu) \n- drm/mediatek: Remove the pointer of struct cmdq_client (Chun-Kuang Hu) \n- drm/mediatek: Use mailbox rx_callback instead of cmdq_task_cb (Chun-Kuang Hu) \n- drm/i915: Fix a race between vma / object destruction and unbinding (Thomas Hellstrom) \n- drm/amdgpu: vi: disable ASPM on Intel Alder Lake based systems (Richard Gong) \n- drm/amd: Refactor amdgpu_aspm to be evaluated per device (Mario Limonciello) \n- tty: n_gsm: fix invalid gsmtty_write_room() result (Daniel Starke) \n- serial: 8250_mtk: Make sure to select the right FEATURE_SEL (AngeloGioacchino Del Regno) \n- tty: n_gsm: fix sometimes uninitialized warning in gsm_dlci_modem_output() (Daniel Starke) \n- tty: 
n_gsm: fix invalid use of MSC in advanced option (Daniel Starke) \n- mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb() (Naoya Horiguchi) \n- mm/memory-failure.c: fix race with changing page compound again (Miaohe Lin) \n- mm/hwpoison: avoid the impact of hwpoison_filter() return value on mce handler (luofei) \n- mm/hwpoison: mf_mutex for soft offline and unpoison (Naoya Horiguchi) \n- KVM: Initialize debugfs_dentry when a VM is created to avoid NULL deref (Sean Christopherson) \n- btrfs: zoned: use dedicated lock for data relocation (Naohiro Aota) \n- btrfs: zoned: encapsulate inode locking for zoned relocation (Johannes Thumshirn) \n- tty: n_gsm: fix missing update of modem controls after DLCI open (Daniel Starke) \n- ALSA: usb-audio: add mapping for MSI MAG X570S Torpedo MAX. (Maurizio Avogadro) \n- ALSA: usb-audio: add mapping for MSI MPG X570S Carbon Max Wifi. (Johannes Schickel) \n- tty: n_gsm: fix frame reception handling (Daniel Starke) \n- tty: n_gsm: Save dlci address open status when config requester (Zhenguo Zhao) \n- tty: n_gsm: Modify CR,PF bit when config requester (Zhenguo Zhao) \n- KVM: Don't create VM debugfs files outside of the VM directory (Oliver Upton) \n- drm/amd/vcn: fix an error msg on vcn 3.0 (tiancyin) \n- ASoC: rt5682: fix an incorrect NULL check on list iterator (Xiaomeng Tong) \n- ASoC: rt5682: move clk related code to rt5682_i2c_probe (Jack Yu) \n- uapi/linux/stddef.h: Add include guards (Tadeusz Struk) \n- stddef: Introduce DECLARE_FLEX_ARRAY() helper (Kees Cook) \n- bus: mhi: Fix pm_state conversion to string (Paul Davey) \n- bus: mhi: core: Use correctly sized arguments for bit field (Kees Cook) \n- serial: sc16is7xx: Clear RS485 bits in the shutdown (Hui Wang) \n- powerpc/tm: Fix more userspace r13 corruption (Nicholas Piggin) \n- powerpc: flexible GPR range save/restore macros (Nicholas Piggin) \n- powerpc/32: Don't use lmw/stmw for saving/restoring non volatile regs (Christophe Leroy) \n- scsi: 
qla2xxx: Fix loss of NVMe namespaces after driver reload test (Arun Easi) \n- KVM: s390x: fix SCK locking (Claudio Imbrenda) \n- btrfs: don't access possibly stale fs_info data in device_list_add (Dongliang Mu) \n- KVM: use __vcalloc for very large allocations (Paolo Bonzini) \n- mm: vmalloc: introduce array allocation functions (Paolo Bonzini) \n- Compiler Attributes: add __alloc_size() for better bounds checking (Kees Cook) \n- mtd: spi-nor: Skip erase logic when SPI_NOR_NO_ERASE is set (Tudor Ambarus) \n- batman-adv: Use netif_rx(). (Sebastian Andrzej Siewior) \n- iio: accel: mma8452: use the correct logic to get mma8452_data (Haibo Chen) \n- riscv/mm: Add XIP_FIXUP for riscv_pfn_base (Palmer Dabbelt) \n- NFSD: COMMIT operations must not return NFS?ERR_INVAL (Chuck Lever) \n- NFSD: De-duplicate net_generic(nf->nf_net, nfsd_net_id) (Chuck Lever) \n- drm/amd/display: Fix by adding FPU protection for dcn30_internal_validate_bw (CHANDAN VURDIGERE NATARAJ) \n- drm/amd/display: Set min dcfclk if pipe count is 0 (Michael Strauss) \n- drbd: fix an invalid memory access caused by incorrect use of list iterator (Xiaomeng Tong) \n- drbd: Fix double free problem in drbd_create_device (Wu Bo) \n- drbd: add error handling support for add_disk() (Luis Chamberlain) \n- btrfs: remove device item and update super block in the same transaction (Qu Wenruo) \n- btrfs: use btrfs_get_dev_args_from_path in dev removal ioctls (Josef Bacik) \n- btrfs: add a btrfs_get_dev_args_from_path helper (Josef Bacik) \n- btrfs: handle device lookup with btrfs_dev_lookup_args (Josef Bacik) \n- vdpa/mlx5: Avoid processing works if workqueue was destroyed (Eli Cohen) \n- gfs2: Fix gfs2_file_buffered_write endless loop workaround (Andreas Gruenbacher) \n- scsi: qla2xxx: Fix crash during module load unload test (Arun Easi) \n- scsi: qla2xxx: edif: Replace list_for_each_safe with list_for_each_entry_safe (Quinn Tran) \n- scsi: qla2xxx: Fix laggy FC remote port session recovery (Quinn Tran) \n- scsi: 
qla2xxx: Move heartbeat handling from DPC thread to workqueue (Manish Rangankar) \n- KVM: x86/mmu: Use common TDP MMU zap helper for MMU notifier unmap hook (Sean Christopherson) \n- KVM: x86/mmu: Use yield-safe TDP MMU root iter in MMU notifier unmapping (Sean Christopherson) \n- clk: renesas: r9a07g044: Update multiplier and divider values for PLL2/3 (Lad Prabhakar) \n- cxl/port: Hold port reference until decoder release (Dan Williams) \n- mt76: mt7921: do not always disable fw runtime-pm (Lorenzo Bianconi) \n- mt76: mt76_connac: fix MCU_CE_CMD_SET_ROC definition error (Sean Wang) \n- media: davinci: vpif: fix use-after-free on driver unbind (Johan Hovold) \n- media: omap3isp: Use struct_group() for memcpy() region (Kees Cook) \n- stddef: Introduce struct_group() helper macro (Kees Cook) \n- block: fix rq-qos breakage from skipping rq_qos_done_bio() (Tejun Heo) \n- block: only mark bio as tracked if it really is tracked (Jens Axboe) \n- block: use bdev_get_queue() in bio.c (Pavel Begunkov) \n- io_uring: ensure that fsnotify is always called (Jens Axboe) \n- virtio-blk: avoid preallocating big SGL for data (Max Gurtovoy) \n- ibmvnic: Allow queueing resets during probe (Sukadev Bhattiprolu) \n- ibmvnic: clear fop when retrying probe (Sukadev Bhattiprolu) \n- ibmvnic: init init_done_rc earlier (Sukadev Bhattiprolu) \n- s390/setup: preserve memory at OLDMEM_BASE and OLDMEM_SIZE (Alexander Egorenkov) \n- s390/setup: use physical pointers for memblock_reserve() (Alexander Gordeev) \n- s390/boot: allocate amode31 section in decompressor (Alexander Gordeev) \n- netfilter: nft_payload: don't allow th access for fragments (Florian Westphal) \n- netfilter: nft_payload: support for inner header matching / mangling (Pablo Neira Ayuso) \n- netfilter: nf_tables: convert pktinfo->tprot_set to flags field (Pablo Neira Ayuso) \n- ASoC: rt5682: Fix deadlock on resume (Peter Ujfalusi) \n- ASoC: rt5682: Re-detect the combo jack after resuming (Derek Fang) \n- ASoC: rt5682: Avoid the 
unexpected IRQ event during going to suspend (Derek Fang) \n- net/mlx5e: TC, Reject rules with forward and drop actions (Roi Dayan) \n- net/mlx5e: TC, Reject rules with drop and modify hdr action (Roi Dayan) \n- net/mlx5e: Split actions_match_supported() into a sub function (Roi Dayan) \n- net/mlx5e: Check action fwd/drop flag exists also for nic flows (Roi Dayan) \n- RISC-V: defconfigs: Set CONFIG_FB=y, for FB console (Palmer Dabbelt) \n- riscv: defconfig: enable DRM_NOUVEAU (Heinrich Schuchardt) \n- bpf, arm64: Use emit_addr_mov_i64() for BPF_PSEUDO_FUNC (Hou Tao) \n- bpf: Stop caching subprog index in the bpf_pseudo_func insn (Martin KaFai Lau) \n- mt76: mt7921: fix a possible race enabling/disabling runtime-pm (Lorenzo Bianconi) \n- mt76: mt7921: introduce mt7921_mcu_set_beacon_filter utility routine (Lorenzo Bianconi) \n- mt76: mt7921: get rid of mt7921_mac_set_beacon_filter (Lorenzo Bianconi) \n- platform/x86: wmi: Fix driver->notify() vs ->probe() race (Hans de Goede) \n- platform/x86: wmi: Replace read_takes_no_args with a flags field (Hans de Goede) \n- platform/x86: wmi: introduce helper to convert driver to WMI driver (Barnabas Pocze) \n- qed: Improve the stack space of filter_config() (Shai Malin) \n- ath11k: add hw_param for wakeup_mhi (Seevalamuthu Mariappan) \n- memory: renesas-rpc-if: Avoid unaligned bus access for HyperFlash (Andrew Gabbasov) \n- media: ir_toy: prevent device from hanging during transmit (Sean Young) \n- PCI: pciehp: Ignore Link Down/Up caused by error-induced Hot Reset (Lukas Wunner) \n- PCI/portdrv: Rename pm_iter() to pcie_port_device_iter() (Lukas Wunner) \n- drm/i915: Replace the unconditional clflush with drm_clflush_virt_range() (Ville Syrjala) \n- drm/i915/gt: Register the migrate contexts with their engines (Thomas Hellstrom) \n- drm/i915: Disable bonding on gen12+ platforms (Matthew Brost) \n- btrfs: fix deadlock between chunk allocation and chunk btree modifications (Filipe Manana) \n- dma-buf/poll: Get a file reference 
for outstanding fence callbacks (Michel Danzer) \n- Input: goodix - try not to touch the reset-pin on x86/ACPI devices (Hans de Goede) \n- Input: goodix - refactor reset handling (Hans de Goede) \n- Input: goodix - add a goodix.h header file (Hans de Goede) \n- Input: goodix - change goodix_i2c_write() len parameter type to int (Hans de Goede) \n- Input: cpcap-pwrbutton - handle errors from platform_get_irq() (Tang Bin) \n- btrfs: fix warning when freeing leaf after subvolume creation failure (Filipe Manana) \n- btrfs: fix invalid delayed ref after subvolume creation failure (Filipe Manana) \n- btrfs: add additional parameters to btrfs_init_tree_ref/btrfs_init_data_ref (Nikolay Borisov) \n- btrfs: rename btrfs_alloc_chunk to btrfs_create_chunk (Nikolay Borisov) \n- netfilter: nft_set_pipapo: release elements in clone from abort path (Pablo Neira Ayuso) \n- net: rose: fix UAF bug caused by rose_t0timer_expiry (Duoming Zhou) \n- usbnet: fix memory leak in error case (Oliver Neukum) \n- bpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals (Daniel Borkmann) \n- bpf: Fix incorrect verifier simulation around jmp32's jeq/jne (Daniel Borkmann) \n- can: mcp251xfd: mcp251xfd_regmap_crc_read(): update workaround broken CRC on TBC register (Thomas Kopp) \n- can: mcp251xfd: mcp251xfd_regmap_crc_read(): improve workaround handling for mcp2517fd (Thomas Kopp) \n- can: m_can: m_can_{read_fifo,echo_tx_event}(): shift timestamp to full 32 bits (Marc Kleine-Budde) \n- can: m_can: m_can_chip_config(): actually enable internal timestamping (Marc Kleine-Budde) \n- can: gs_usb: gs_usb_open/close(): fix memory leak (Rhett Aultman) \n- can: grcan: grcan_probe(): remove extra of_node_get() (Liang He) \n- can: bcm: use call_rcu() instead of costly synchronize_rcu() (Oliver Hartkopp) \n- ALSA: cs46xx: Fix missing snd_card_free() call at probe error (Takashi Iwai) \n- ALSA: hda/realtek: Add quirk for Clevo L140PU (Tim Crawford) \n- ALSA: usb-audio: Workarounds for Behringer 
UMC 204/404 HD (Takashi Iwai) \n- Revert 'selftests/bpf: Add test for bpf_timer overwriting crash' (Po-Hsu Lin) \n- mm/filemap: fix UAF in find_lock_entries (Liu Shixin) \n- mm/slub: add missing TID updates on slab deactivation (Jann Horn) \n- LTS version: v5.15.53 (Jack Vogel) \n- hwmon: (ibmaem) don't call platform_device_del() if platform_device_add() fails (Yang Yingliang) \n- hwmon: (occ) Prevent power cap command overwriting poll response (Eddie James) \n- hwmon: (occ) Remove sequence numbering and checksum calculation (Eddie James) \n- drm/fourcc: fix integer type usage in uapi header (Carlos Llamas) \n- platform/x86: panasonic-laptop: filter out duplicate volume up/down/mute keypresses (Hans de Goede) \n- platform/x86: panasonic-laptop: don't report duplicate brightness key-presses (Hans de Goede) \n- platform/x86: panasonic-laptop: revert 'Resolve hotkey double trigger bug' (Hans de Goede) \n- platform/x86: panasonic-laptop: sort includes alphabetically (Hans de Goede) \n- platform/x86: panasonic-laptop: de-obfuscate button codes (Stefan Seyfried) \n- drivers: cpufreq: Add missing of_node_put() in qoriq-cpufreq.c (Liang He) \n- drm/msm/gem: Fix error return on fence id alloc fail (Rob Clark) \n- drm/i915/gem: add missing else (katrinzhou) \n- net: fix IFF_TX_SKB_NO_LINEAR definition (Dan Carpenter) \n- fsi: occ: Force sequence numbering per OCC (Eddie James) \n- clocksource/drivers/ixp4xx: remove EXPORT_SYMBOL_GPL from ixp4xx_timer_setup() (Greg Kroah-Hartman) \n- net: usb: qmi_wwan: add Telit 0x1070 composition (Daniele Palmas) \n- xen/arm: Fix race in RB-tree based P2M accounting (Oleksandr Tyshchenko) \n- xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses() (Jan Beulich) \n- xen/blkfront: force data bouncing when backend is untrusted (Roger Pau Monne) \n- xen/netfront: force data bouncing when backend is untrusted (Roger Pau Monne) \n- xen/netfront: fix leaking data in shared pages (Roger Pau Monne) \n- xen/blkfront: fix 
leaking data in shared pages (Roger Pau Monne) \n- selftests/rseq: Change type of rseq_offset to ptrdiff_t (Mathieu Desnoyers) \n- selftests/rseq: x86-32: use %gs segment selector for accessing rseq thread area (Mathieu Desnoyers) \n- selftests/rseq: x86-64: use %fs segment selector for accessing rseq thread area (Mathieu Desnoyers) \n- selftests/rseq: Fix: work-around asm goto compiler bugs (Mathieu Desnoyers) \n- selftests/rseq: Remove arm/mips asm goto compiler work-around (Mathieu Desnoyers) \n- selftests/rseq: Fix warnings about #if checks of undefined tokens (Mathieu Desnoyers) \n- selftests/rseq: Fix ppc32 offsets by using long rather than off_t (Mathieu Desnoyers) \n- selftests/rseq: Fix ppc32 missing instruction selection 'u' and 'x' for load/store (Mathieu Desnoyers) \n- selftests/rseq: Fix ppc32: wrong rseq_cs 32-bit field pointer on big endian (Mathieu Desnoyers) \n- selftests/rseq: Uplift rseq selftests for compatibility with glibc-2.35 (Mathieu Desnoyers) \n- selftests/rseq: Introduce thread pointer getters (Mathieu Desnoyers) \n- selftests/rseq: Introduce rseq_get_abi() helper (Mathieu Desnoyers) \n- selftests/rseq: Remove volatile from __rseq_abi (Mathieu Desnoyers) \n- selftests/rseq: Remove useless assignment to cpu variable (Mathieu Desnoyers) \n- selftests/rseq: introduce own copy of rseq uapi header (Mathieu Desnoyers) \n- selftests/rseq: remove ARRAY_SIZE define from individual tests (Shuah Khan) \n- selftests/bpf: Add test_verifier support to fixup kfunc call insns (Kumar Kartikeya Dwivedi) \n- tcp: add a missing nf_reset_ct() in 3WHS handling (Eric Dumazet) \n- MAINTAINERS: add Leah as xfs maintainer for 5.15.y (Leah Rumancik) \n- net: tun: avoid disabling NAPI twice (Jakub Kicinski) \n- mlxsw: spectrum_router: Fix rollback in tunnel next hop init (Petr Machata) \n- ipv6: fix lockdep splat in in6_dump_addrs() (Eric Dumazet) \n- ipv6/sit: fix ipip6_tunnel_get_prl return value (katrinzhou) \n- tunnels: do not assume mac header is set in 
skb_tunnel_check_pmtu() (Eric Dumazet) \n- ACPI: video: Change how we determine if brightness key-presses are handled (Hans de Goede) \n- io_uring: ensure that send/sendmsg and recv/recvmsg check sqe->ioprio (Jens Axboe) \n- epic100: fix use after free on rmmod (Tong Zhang) \n- tipc: move bc link creation back to tipc_node_create (Xin Long) \n- NFC: nxp-nci: Don't issue a zero length i2c_master_read() (Michael Walle) \n- nfc: nfcmrvl: Fix irq_of_parse_and_map() return value (Krzysztof Kozlowski) \n- powerpc/memhotplug: Add add_pages override for PPC (Aneesh Kumar K.V) \n- net: bonding: fix use-after-free after 802.3ad slave unbind (Yevhen Orlov) \n- net: phy: ax88772a: fix lost pause advertisement configuration (Oleksij Rempel) \n- net: bonding: fix possible NULL deref in rlb code (Eric Dumazet) \n- net: asix: fix 'can't send until first packet is send' issue (Oleksij Rempel) \n- net/sched: act_api: Notify user space if any actions were flushed before error (Victor Nogueira) \n- net/dsa/hirschmann: Add missing of_node_get() in hellcreek_led_setup() (Liang He) \n- netfilter: nft_dynset: restore set element counter when failing to update (Pablo Neira Ayuso) \n- s390: remove unneeded 'select BUILD_BIN2C' (Masahiro Yamada) \n- vdpa/mlx5: Update Control VQ callback information (Eli Cohen) \n- PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events (Miaoqian Lin) \n- caif_virtio: fix race between virtio_device_ready() and ndo_open() (Jason Wang) \n- vfs: fix copy_file_range() regression in cross-fs copies (Amir Goldstein) \n- NFSD: restore EINVAL error translation in nfsd_commit() (Alexey Khoroshilov) \n- net: ipv6: unexport __init-annotated seg6_hmac_net_init() (YueHaibing) \n- selftests: mptcp: more stable diag tests (Paolo Abeni) \n- usbnet: fix memory allocation in helpers (Oliver Neukum) \n- net: usb: asix: do not force pause frames support (Oleksij Rempel) \n- linux/dim: Fix divide by 0 in RDMA DIM (Tao Liu) \n- RDMA/cm: Fix memory leak in 
ib_cm_insert_listen (Miaoqian Lin) \n- RDMA/qedr: Fix reporting QP timeout attribute (Kamal Heib) \n- net: dp83822: disable rx error interrupt (Enguerrand de Ribaucourt) \n- net: dp83822: disable false carrier interrupt (Enguerrand de Ribaucourt) \n- net: tun: stop NAPI when detaching queues (Jakub Kicinski) \n- net: tun: unlink NAPI from device on destruction (Jakub Kicinski) \n- net: dsa: bcm_sf2: force pause link settings (Doug Berger) \n- selftests/net: pass ipv6_args to udpgso_bench's IPv6 TCP test (Dimitris Michailidis) \n- virtio-net: fix race between ndo_open() and virtio_device_ready() (Jason Wang) \n- net: usb: ax88179_178a: Fix packet receiving (Jose Alonso) \n- net: rose: fix UAF bugs caused by timer handler (Duoming Zhou) \n- SUNRPC: Fix READ_PLUS crasher (Chuck Lever) \n- s390/archrandom: simplify back to earlier design and initialize earlier (Jason A. Donenfeld) \n- dm raid: fix KASAN warning in raid5_add_disks (Mikulas Patocka) \n- dm raid: fix accesses beyond end of raid member array (Heinz Mauelshagen) \n- powerpc/bpf: Fix use of user_pt_regs in uapi (Naveen N. Rao) \n- powerpc/book3e: Fix PUD allocation size in map_kernel_page() (Christophe Leroy) \n- powerpc/prom_init: Fix kernel config grep (Liam Howlett) \n- nvdimm: Fix badblocks clear off-by-one error (Chris Ye) \n- nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA IM2P33F8ABR1 (Lamarque Vieira Souza) \n- nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA XPG SX6000LNP (AKA SPECTRIX S40G) (Pablo Greco) \n- net: phy: Don't trigger state machine while in suspend (Lukas Wunner) \n- ipv6: take care of disable_policy when restoring routes (Nicolas Dichtel) \n- ksmbd: use vfs_llseek instead of dereferencing NULL (Jason A. 
Donenfeld) \n- ksmbd: check invalid FileOffset and BeyondFinalZero in FSCTL_ZERO_DATA (Namjae Jeon) \n- ksmbd: set the range of bytes to zero without extending file size in FSCTL_ZERO_DATA (Namjae Jeon) \n- drm/amdgpu: To flush tlb for MMHUB of RAVEN series (Ruili Ji) \n- Revert 'drm/amdgpu/display: set vblank_disable_immediate for DC' (Alex Deucher) \n- cpufreq:cppc_cpufreq: prevent crash on reading freqdomain_cpus (chris hyser) [Orabug: 34327463] \n- vmcoreinfo: add kallsyms_num_syms symbol (Stephen Brennan) [Orabug: 34475877] \n- vmcoreinfo: include kallsyms symbols (Stephen Brennan) [Orabug: 34475877] \n- kallsyms: move declarations to internal header (Stephen Brennan) [Orabug: 34475877] \n- Revert 'KVM: x86: Print error code in exception injection tracepoint iff valid' (Sherry Yang) [Orabug: 34539458] \n- uek-rpm: Enable IMA_APPRAISE_SB_BOOTPARAM (Eric Snowberg) [Orabug: 34549007] \n- integrity: Allow ima_appraise bootparam to be set when SB is enabled (Eric Snowberg) [Orabug: 34549007] \n- net/mlx5: E-Switch, change VFs default admin state to auto in switchdev (Maor Dickman) [Orabug: 34533007] \n- Revert 'net/mlx5: E-Switch, change VFs default admin state to auto in switchdev' (Devesh Sharma) [Orabug: 34532946] \n- uek-rpm: Install kernel-rpm-macros as build dependency (Somasundaram Krishnasamy) [Orabug: 34529696]\n[5.15.0-3.52.1]\n- rds: ib: Fix lfstack to acquire visibility to list head (Hakon Bugge) [Orabug: 34522536] \n- locking/atomic: Make test_and_*_bit() ordered on failure (Hector Martin) [Orabug: 34520178] \n- intel_idle: make SPR C1 and C1E be independent (Artem Bityutskiy) [Orabug: 34510397] \n- intel_idle: Add AlderLake support (Zhang Rui) [Orabug: 34510397] \n- intel_idle: Fix SPR C6 optimization (Artem Bityutskiy) [Orabug: 34510397] \n- intel_idle: Fix the 'preferred_cstates' module parameter (Artem Bityutskiy) [Orabug: 34510397] \n- cpuidle: intel_idle: Drop redundant backslash at line end (Rafael J. 
Wysocki) [Orabug: 34510397] \n- mlx4: Subscribe to PXM notifier (Konrad Rzeszutek Wilk) [Orabug: 27206634] [Orabug: 34509446] \n- xen/pci: Add PXM node notifier for PXM (NUMA) changes. (Konrad Rzeszutek Wilk) [Orabug: 27206634] [Orabug: 34509446] \n- xen/pcifront: Walk the PCI bus after XenStore notification (Konrad Rzeszutek Wilk) [Orabug: 27206634] [Orabug: 34509446] \n- xen-pcifront/hvm: Slurp up 'pxm' entry and set NUMA node on PCIe device. (V5) (Konrad Rzeszutek Wilk) [Orabug: 34509446] \n- scsi: core: Fix warning in scsi_alloc_sgtables() (Jason Yan) [Orabug: 33857787]", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-24T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel-container security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2022-3028"], "modified": "2022-10-24T00:00:00", "id": "ELSA-2022-9931", "href": "http://linux.oracle.com/errata/ELSA-2022-9931.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-15T22:47:26", "description": "[5.4.17-2136.313.6]\n- Uninitialized variable image_ext in fixup_vdso_exception of extable.c (Alok Tiwari) [Orabug: 33000550] \n- NFSD: fix use-after-free on source server when doing inter-server copy (Dai Ngo) [Orabug: 34475857] \n- EDAC/mce_amd: Do not load edac_mce_amd module on guests (Smita Koralahalli) [Orabug: 34484268] \n- uek: kabi: update kABI files for new symbol (Saeed Mirzamohammadi) [Orabug: 34595589] \n- RDS/IB Fix allocation warning (Hans Westgaard Ry) [Orabug: 34684322] \n- uek-rpm: Add support for building a kdump kernel on MIPS64 (Dave Kleikamp) [Orabug: 
34696261] \n- hwmon: (opbmc) AST2600 SP reset driver adjustment (Jan Zdarek) [Orabug: 34710682] \n- hwmon: (opbmc) Driver message prefixes (Jan Zdarek) [Orabug: 34710682] \n- Revert 'fs: check FMODE_LSEEK to control internal pipe splicing' (Saeed Mirzamohammadi) [Orabug: 34724694] \n- Revert 'sched/deadline: Fix priority inheritance with multiple scheduling classes' (Sherry Yang) [Orabug: 34700434]\n[5.4.17-2136.313.5]\n- IB/mlx5: Move to fully dynamic UAR mode once user space supports it (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Extend QP creation to get uar page index from user space (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Extend CQ creation to get uar page index from user space (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Expose UAR object and its alloc/destroy commands (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Generally use the WC auto detection test result (Yishai Hadas) [Orabug: 34430072] \n- RDMA/mlx5: Use offsetofend() instead of duplicated variant (Leon Romanovsky) [Orabug: 34430072] \n- RDMA/mlx5: Remove duplicate definitions of SW_ICM macros (Erez Shitrit) [Orabug: 34430072] \n- IB/mlx5: Introduce UAPIs to manage packet pacing (Yishai Hadas) [Orabug: 34430072] \n- RDMA/mlx5: Prevent overflow in mmap offset calculations (Leon Romanovsky) [Orabug: 34430072] \n- RDMA/core: Make the entire API tree static (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Ensure that rdma_user_mmap_entry_remove() is a fence (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/mlx5: Set relaxed ordering when requested (Michael Guralnik) [Orabug: 34430072] \n- RDMA/core: Add the core support field to METHOD_GET_CONTEXT (Michael Guralnik) [Orabug: 34430072] \n- RDMA/uverbs: Add new relaxed ordering memory region access flag (Michael Guralnik) [Orabug: 34430072] \n- RDMA/core: Add optional access flags range (Michael Guralnik) [Orabug: 34430072] \n- RDMA/uverbs: Add ioctl command to get a device context (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Remove 
ucontext_lock from the uverbs_destry_ufile_hw() path (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Add UVERBS_METHOD_ASYNC_EVENT_ALLOC (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Use READ_ONCE for ib_ufile.async_file (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Make ib_uverbs_async_event_file into a uobject (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Remove the ufile arg from rdma_alloc_begin_uobject (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Simplify type usage for ib_uverbs_async_handler() (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Do not erase the type of ib_wq.uobject (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Do not erase the type of ib_qp.uobject (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Do not erase the type of ib_cq.uobject (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Make ib_ucq_object use ib_uevent_object (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Do not allow alloc_commit to fail (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/mlx5: Simplify devx async commands (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/core: Simplify destruction of FD uobjects (Jason Gunthorpe) [Orabug: 34430072] \n- RDMA/mlx5: Use RCU and direct refcounts to keep memory alive (Jason Gunthorpe) [Orabug: 34430072] \n- IB/mlx5: Add mmap support for VAR (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Introduce VAR object and its alloc/destroy methods (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Extend caps stage to handle VAR capabilities (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Fix device memory flows (Yishai Hadas) [Orabug: 34430072] \n- IB/core: Introduce rdma_user_mmap_entry_insert_range() API (Yishai Hadas) [Orabug: 34430072] \n- IB/mlx5: Support flow counters offset for bulk counters (Yevgeny Kliteynik) [Orabug: 34430072] \n- IB/mlx5: Rename profile and init methods (Michael Guralnik) [Orabug: 34430072] \n- RDMA: Connect between the mmap entry and the umap_priv structure (Michal Kalderon) 
[Orabug: 34430072] \n- RDMA/core: Create mmap database and cookie helper functions (Michal Kalderon) [Orabug: 34430072] \n- RDMA/core: Move core content from ib_uverbs to ib_core (Michal Kalderon) [Orabug: 34430072] \n- IB/mlx5: Test write combining support (Michael Guralnik) [Orabug: 34430072] \n- IB/mlx5: Align usage of QP1 create flags with rest of mlx5 defines (Michael Guralnik) [Orabug: 34430072] \n- IB/mlx5: Introduce and use mkey context setting helper routine (Parav Pandit) [Orabug: 34430072] \n- net/rds: Send congestion map updates only via path zero (Anand Khoje) [Orabug: 34578051] \n- Revert 'RDS/IB: Fix RDS IB SRQ implementation and tune it' (Hans Westgaard Ry) [Orabug: 34662431] \n- net: vlan: Avoid using BUG() in vlan_proto_idx() (Florian Fainelli) [Orabug: 34672449] \n- KVM: x86: drop superfluous mmu_check_root() from fast_pgd_switch() (Vitaly Kuznetsov) [Orabug: 34679770] \n- KVM: SVM: Update cr3_lm_rsvd_bits for AMD SEV guests (Babu Moger) [Orabug: 34679770] \n- KVM: x86: Invoke vendor's vcpu_after_set_cpuid() after all common updates (Sean Christopherson) [Orabug: 34679770] \n- KVM: x86: Move kvm_x86_ops.vcpu_after_set_cpuid() into kvm_vcpu_after_set_cpuid() (Xiaoyao Li) [Orabug: 34679770] \n- KVM: x86: Rename cpuid_update() callback to vcpu_after_set_cpuid() (Xiaoyao Li) [Orabug: 34679770] \n- RDMA/cma: Use output interface for net_dev check (Hakon Bugge) [Orabug: 34694980]\n[5.4.17-2136.313.4]\n- arm64: pensando: Suppress tree-loop-distribute-patterns optimization (Henry Willard) [Orabug: 34634974] \n- uek-rpm: Disable floppy related configs (Saeed Mirzamohammadi) [Orabug: 34644240] \n- ACPI: processor idle: Practically limit 'Dummy wait' workaround to old Intel systems (Dave Hansen) [Orabug: 34671342]\n[5.4.17-2136.313.3]\n- Revert 'net: mvpp2: debugfs: fix memory leak when using debugfs_lookup()' (Sasha Levin) \n- USB: core: Fix RST error in hub.c (Alan Stern) \n- cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() (Tetsuo Handa) 
\n- parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() (Yang Yingliang) \n- LTS tag: v5.4.213 (Sherry Yang) \n- MIPS: loongson32: ls1c: Fix hang during startup (Yang Ling) \n- x86/nospec: Fix i386 RSB stuffing (Peter Zijlstra) \n- sch_sfb: Also store skb len before calling child enqueue (Toke Hoiland-Jorgensen) \n- tcp: fix early ETIMEDOUT after spurious non-SACK RTO (Neal Cardwell) \n- nvme-tcp: fix UAF when detecting digest errors (Sagi Grimberg) \n- RDMA/mlx5: Set local port to one when accessing counters (Chris Mi) \n- ipv6: sr: fix out-of-bounds read when setting HMAC data. (David Lebrun) \n- RDMA/siw: Pass a pointer to virt_to_page() (Linus Walleij) \n- i40e: Fix kernel crash during module removal (Ivan Vecera) \n- tipc: fix shift wrapping bug in map_get() (Dan Carpenter) \n- sch_sfb: Don't assume the skb is still around after enqueueing to child (Toke Hoiland-Jorgensen) \n- afs: Use the operation issue time instead of the reply time for callbacks (David Howells) \n- rxrpc: Fix an insufficiently large sglist in rxkad_verify_packet_2() (David Howells) \n- netfilter: nf_conntrack_irc: Fix forged IP logic (David Leadbeater) \n- netfilter: br_netfilter: Drop dst references before setting. (Harsh Modi) \n- RDMA/hns: Fix supported page size (Chengchang Tang) \n- soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs (Liang He) \n- RDMA/cma: Fix arguments order in net device validation (Michael Guralnik) \n- regulator: core: Clean up on enable failure (Andrew Halaney) \n- ARM: dts: imx6qdl-kontron-samx6i: remove duplicated node (Marco Felsch) \n- smb3: missing inode locks in punch hole (David Howells) \n- scsi: lpfc: Add missing destroy_workqueue() in error path (Yang Yingliang) \n- scsi: mpt3sas: Fix use-after-free warning (Sreekanth Reddy) \n- nvmet: fix a use-after-free (Bart Van Assche) \n- debugfs: add debugfs_lookup_and_remove() (Greg Kroah-Hartman) \n- kprobes: Prohibit probes in gate area (Christian A. 
Ehrhardt) \n- ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() (Dongxiang Ke) \n- ALSA: aloop: Fix random zeros in capture data when using jiffies timer (Pattara Teerapong) \n- ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() (Tasos Sahanidis) \n- drm/amdgpu: mmVM_L2_CNTL3 register not initialized correctly (Qu Huang) \n- fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() (Yang Yingliang) \n- arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level (Sudeep Holla) \n- parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines (Helge Deller) \n- parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources() (Li Qiong) \n- drm/radeon: add a force flush to delay work when radeon (Zhenneng Li) \n- drm/amdgpu: Check num_gfx_rings for gfx v9_0 rb setup. (Candice Li) \n- drm/gem: Fix GEM handle release errors (Jeffy Chen) \n- scsi: megaraid_sas: Fix double kfree() (Guixin Liu) \n- USB: serial: ch341: fix disabled rx timer on older devices (Johan Hovold) \n- USB: serial: ch341: fix lost character on LCR updates (Johan Hovold) \n- usb: dwc3: disable USB core PHY management (Johan Hovold) \n- usb: dwc3: fix PHY disable sequence (Johan Hovold) \n- btrfs: harden identification of a stale device (Anand Jain) \n- drm/i915/glk: ECS Liva Q2 needs GLK HDMI port timing quirk (Diego Santa Cruz) \n- ALSA: seq: Fix data-race at module auto-loading (Takashi Iwai) \n- ALSA: seq: oss: Fix data-race for max_midi_devs access (Takashi Iwai) \n- net: mac802154: Fix a condition in the receive path (Miquel Raynal) \n- ip: fix triggering of 'icmp redirect' (Nicolas Dichtel) \n- wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected (Siddh Raman Pant) \n- driver core: Don't probe devices after bus_type.match() probe deferral (Isaac J. 
Manjarres) \n- usb: gadget: mass_storage: Fix cdrom data transfers on MAC-OS (Krishna Kurapati) \n- USB: core: Prevent nested device-reset calls (Alan Stern) \n- s390: fix nospec table alignments (Josh Poimboeuf) \n- s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages (Gerald Schaefer) \n- usb-storage: Add ignore-residue quirk for NXP PN7462AU (Witold Lipieta) \n- USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) (Thierry GUIBERT) \n- usb: dwc2: fix wrong order of phy_power_on and phy_init (Heiner Kallweit) \n- usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles (Pablo Sun) \n- USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode (Slark Xiao) \n- USB: serial: option: add Quectel EM060K modem (Yonglin Tan) \n- USB: serial: option: add support for OPPO R11 diag port (Yan Xinyu) \n- USB: serial: cp210x: add Decagon UCA device id (Johan Hovold) \n- xhci: Add grace period after xHC start to prevent premature runtime suspend. (Mathias Nyman) \n- thunderbolt: Use the actual buffer in tb_async_error() (Mika Westerberg) \n- gpio: pca953x: Add mutex_lock for regcache sync in PM (Haibo Chen) \n- hwmon: (gpio-fan) Fix array out of bounds access (Armin Wolf) \n- clk: bcm: rpi: Fix error handling of raspberrypi_fw_get_rate (Stefan Wahren) \n- Input: rk805-pwrkey - fix module autoloading (Peter Robinson) \n- clk: core: Fix runtime PM sequence in clk_core_unprepare() (Chen-Yu Tsai) \n- Revert 'clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops' (Stephen Boyd) \n- clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops (Chen-Yu Tsai) \n- drm/i915/reg: Fix spelling mistake 'Unsupport' -> 'Unsupported' (Colin Ian King) \n- usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup (Johan Hovold) \n- binder: fix UAF of ref->proc caused by race condition (Carlos Llamas) \n- USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id (Niek Nooijens) \n- misc: fastrpc: fix memory corruption on open (Johan Hovold) \n- misc: fastrpc: 
fix memory corruption on probe (Johan Hovold) \n- iio: adc: mcp3911: use correct formula for AD conversion (Marcus Folkesson) \n- Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag (Tetsuo Handa) \n- tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete (Sherry Sun) \n- vt: Clear selection before changing the font (Helge Deller) \n- powerpc: align syscall table for ppc32 (Masahiro Yamada) \n- staging: rtl8712: fix use after free bugs (Dan Carpenter) \n- serial: fsl_lpuart: RS485 RTS polariy is inverse (Shenwei Wang) \n- net/smc: Remove redundant refcount increase (Yacan Liu) \n- Revert 'sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb' (Jakub Kicinski) \n- tcp: annotate data-race around challenge_timestamp (Eric Dumazet) \n- sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb (Toke Hoiland-Jorgensen) \n- kcm: fix strp_init() order and cleanup (Cong Wang) \n- ethernet: rocker: fix sleep in atomic context bug in neigh_timer_handler (Duoming Zhou) \n- net: sched: tbf: don't call qdisc_put() while holding tree lock (Zhengchao Shao) \n- Revert 'xhci: turn off port power in shutdown' (Mathias Nyman) \n- wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() (Dan Carpenter) \n- ieee802154/adf7242: defer destroy_workqueue call (Lin Ma) \n- iio: adc: mcp3911: make use of the sign bit (Marcus Folkesson) \n- platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask (Andy Shevchenko) \n- drm/msm/dsi: Fix number of regulators for msm8996_dsi_cfg (Douglas Anderson) \n- drm/msm/dsi: fix the inconsistent indenting (sunliming) \n- net: dp83822: disable false carrier interrupt (Enguerrand de Ribaucourt) \n- Revert 'mm: kmemleak: take a full lowmem check in kmemleak_*_phys()' (Yee Lee) \n- fs: only do a memory barrier for the first set_buffer_uptodate() (Linus Torvalds) \n- net: mvpp2: debugfs: fix memory leak when using debugfs_lookup() (Greg Kroah-Hartman) \n- wifi: iwlegacy: 4965: corrected fix for 
potential off-by-one overflow in il4965_rs_fill_link_cmd() (Stanislaw Gruszka) \n- efi: capsule-loader: Fix use-after-free in efi_capsule_write (Hyunwoo Kim) \n- LTS tag: v5.4.212 (Sherry Yang) \n- net: neigh: don't call kfree_skb() under spin_lock_irqsave() (Yang Yingliang) \n- net/af_packet: check len when min_header_len equals to 0 (Zhengchao Shao) \n- kprobes: don't call disarm_kprobe() for disabled kprobes (Kuniyuki Iwashima) \n- lib/vdso: Mark do_hres() and do_coarse() as __always_inline (Andrei Vagin) \n- lib/vdso: Let do_coarse() return 0 to simplify the callsite (Christophe Leroy) \n- btrfs: tree-checker: check for overlapping extent items (Josef Bacik) \n- netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y (Geert Uytterhoeven) \n- drm/amd/display: Fix pixel clock programming (Ilya Bakoulin) \n- s390/hypfs: avoid error message under KVM (Juergen Gross) \n- neigh: fix possible DoS due to net iface start/stop loop (Denis V. Lunev) \n- drm/amd/display: clear optc underflow before turn off odm clock (Fudong Wang) \n- drm/amd/display: Avoid MPC infinite loop (Josip Pavic) \n- btrfs: unify lookup return value when dir entry is missing (Filipe Manana) \n- btrfs: do not pin logs too early during renames (Filipe Manana) \n- btrfs: introduce btrfs_lookup_match_dir (Marcos Paulo de Souza) \n- mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse (Jann Horn) \n- bpf: Don't redirect packets with invalid pkt_len (Zhengchao Shao) \n- ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead (Yang Jihong) \n- fbdev: fb_pm2fb: Avoid potential divide by zero error (Letu Ren) \n- HID: hidraw: fix memory leak in hidraw_release() (Karthik Alapati) \n- media: pvrusb2: fix memory leak in pvr_probe (Dongliang Mu) \n- udmabuf: Set the DMA mask for the udmabuf device (v2) (Vivek Kasireddy) \n- HID: steam: Prevent NULL pointer dereference in steam_{recv,send}_report (Lee Jones) \n- Bluetooth: L2CAP: Fix build errors in some archs 
(Luiz Augusto von Dentz) \n- kbuild: Fix include path in scripts/Makefile.modpost (Jing Leng) \n- x86/bugs: Add 'unknown' reporting for MMIO Stale Data (Pawan Gupta) \n- s390/mm: do not trigger write fault when vma does not allow VM_WRITE (Gerald Schaefer) \n- mm: Force TLB flush for PFNMAP mappings before unlink_file_vma() (Jann Horn) \n- scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq (Saurabh Sengar) \n- perf/x86/intel/uncore: Fix broken read_counter() for SNB IMC PMU (Stephane Eranian) \n- md: call __md_stop_writes in md_stop (Guoqing Jiang) \n- mm/hugetlb: fix hugetlb not supporting softdirty tracking (David Hildenbrand) \n- ACPI: processor: Remove freq Qos request for all CPUs (Riwen Lu) \n- s390: fix double free of GS and RI CBs on fork() failure (Brian Foster) \n- asm-generic: sections: refactor memory_intersects (Quanyang Wang) \n- loop: Check for overflow while configuring loop (Siddh Raman Pant) \n- x86/unwind/orc: Unwind ftrace trampolines with correct ORC entry (Chen Zhongjin) \n- btrfs: check if root is readonly while setting security xattr (Goldwyn Rodrigues) \n- btrfs: add info when mount fails due to stale replace target (Anand Jain) \n- btrfs: replace: drop assert for suspended replace (Anand Jain) \n- btrfs: fix silent failure when deleting root reference (Filipe Manana) \n- ixgbe: stop resetting SYSTIME in ixgbe_ptp_start_cyclecounter (Jacob Keller) \n- net: Fix a data-race around sysctl_somaxconn. (Kuniyuki Iwashima) \n- net: Fix a data-race around netdev_budget_usecs. (Kuniyuki Iwashima) \n- net: Fix a data-race around netdev_budget. (Kuniyuki Iwashima) \n- net: Fix a data-race around sysctl_net_busy_read. (Kuniyuki Iwashima) \n- net: Fix a data-race around sysctl_net_busy_poll. (Kuniyuki Iwashima) \n- net: Fix a data-race around sysctl_tstamp_allow_data. (Kuniyuki Iwashima) \n- ratelimit: Fix data-races in ___ratelimit(). (Kuniyuki Iwashima) \n- net: Fix data-races around netdev_tstamp_prequeue. 
(Kuniyuki Iwashima) \n- net: Fix data-races around weight_p and dev_weight_[rt]x_bias. (Kuniyuki Iwashima) \n- netfilter: nft_tunnel: restrict it to netdev family (Pablo Neira Ayuso) \n- netfilter: nft_osf: restrict osf to ipv4, ipv6 and inet families (Pablo Neira Ayuso) \n- netfilter: nft_payload: do not truncate csum_offset and csum_type (Pablo Neira Ayuso) \n- netfilter: nft_payload: report ERANGE for too long offset and length (Pablo Neira Ayuso) \n- bnxt_en: fix NQ resource accounting during vf creation on 57500 chips (Vikas Gupta) \n- net: ipvtap - add __init/__exit annotations to module init/exit funcs (Maciej zenczykowski) \n- bonding: 802.3ad: fix no transmission of LACPDUs (Jonathan Toppins) \n- net: moxa: get rid of asymmetry in DMA mapping/unmapping (Sergei Antonov) \n- net/mlx5e: Properly disable vlan strip on non-UL reps (Vlad Buslov) \n- rose: check NULL rose_loopback_neigh->loopback (Bernard Pidoux) \n- SUNRPC: RPC level errors should set task->tk_rpc_status (Trond Myklebust) \n- xfrm: fix refcount leak in __xfrm_policy_check() (Xin Xiong) \n- kernel/sched: Remove dl_boosted flag comment (Hui Su) \n- sched/deadline: Fix priority inheritance with multiple scheduling classes (Juri Lelli) \n- sched/deadline: Fix stale throttling on de-/boosted tasks (Lucas Stach) \n- sched/deadline: Unthrottle PI boosted threads while enqueuing (Daniel Bristot de Oliveira) \n- pinctrl: amd: Don't save/restore interrupt status and wake status bits (Basavaraj Natikar) \n- Revert 'selftests/bpf: Fix test_align verifier log patterns' (Jean-Philippe Brucker) \n- Revert 'selftests/bpf: Fix 'dubious pointer arithmetic' test' (Jean-Philippe Brucker) \n- usb: cdns3: Fix issue for clear halt endpoint (Pawel Laszczak) \n- kernel/sys_ni: add compat entry for fadvise64_64 (Randy Dunlap) \n- parisc: Fix exception handler for fldw and fstw instructions (Helge Deller) \n- audit: fix potential double free on error path from fsnotify_add_inode_mark (Gaosheng Cui)\n[5.4.17-2136.313.2]\n- 
ice: enable ethtool hooks for E810 firmware update (John Donnelly) [Orabug: 34077831] \n- ice: add ice_handle_nvm_access() (John Donnelly) [Orabug: 34077831] \n- rds: cong: Make rds_cong_wait an array to reduce lock contention (Hakon Bugge) [Orabug: 34574093] \n- rds: cong: Make rs_cong_notify and rs_cong_mask atomic64_t (Hakon Bugge) [Orabug: 34574093] \n- mm: memcg/slab: disable cache merging for KMALLOC_NORMAL caches (Waiman Long) [Orabug: 34601144] \n- mm: memcg/slab: create a new set of kmalloc-cg-<n> caches (Waiman Long) [Orabug: 34601144] \n- mm: memcg/slab: properly set up gfp flags for objcg pointer array (Waiman Long) [Orabug: 34601144] \n- mm, memcg: introduce mem_cgroup_kmem_disabled() (Roman Gushchin) [Orabug: 34601144] \n- mm, slab: make kmalloc_info[] contain all types of names (Pengfei Li) [Orabug: 34601144] \n- cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock (Tejun Heo) [Orabug: 34639998] \n- cgroup: Elide write-locking threadgroup_rwsem when updating csses on an empty subtree (Tejun Heo) [Orabug: 34639998] \n- cgroup: Optimize single thread migration (Michal Koutny) [Orabug: 34639998] \n- Revert 'cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()' (Imran Khan) [Orabug: 34639998] \n- Revert 'cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock' (Imran Khan) [Orabug: 34639998] \n- x86/MCE/AMD, EDAC/mce_amd: Support non-uniform MCA bank type enumeration (Yazen Ghannam) [Orabug: 34639981] \n- x86/MCE/AMD, EDAC/mce_amd: Add new SMCA bank types (Yazen Ghannam) [Orabug: 34639981] \n- x86/MCE/AMD, EDAC/mce_amd: Add new SMCA bank types (Muralidhara M K) [Orabug: 34639981] \n- x86/mce: Increase maximum number of banks to 64 (Akshay Gupta) [Orabug: 34639981] \n- x86/MCE/AMD, EDAC/amd64: Move address translation to AMD64 EDAC (Yazen Ghannam) [Orabug: 34639981] \n- x86/MCE/AMD: Export smca_get_bank_type symbol (Mukul Joshi) [Orabug: 34639981] \n- EDAC/amd64: Add support for AMD Family 19h Models 10h-1Fh and A0h-AFh (Yazen Ghannam) [Orabug: 34639981] \n- EDAC/amd64: Set proper family type for Family 19h Models 20h-2Fh (Yazen Ghannam) [Orabug: 34639981] \n- 
EDAC: Add RDDR5 and LRDDR5 memory types (Yazen Ghannam) [Orabug: 34639981] \n- hwmon: (k10temp) Support up to 12 CCDs on AMD Family of processors (Babu Moger) [Orabug: 34639981] \n- hwmon: (k10temp) Add support for AMD Family 19h Models 10h-1Fh and A0h-AFh (Babu Moger) [Orabug: 34639981] \n- x86/amd_nb: Add AMD Family 19h Models (10h-1Fh) and (A0h-AFh) PCI IDs (Yazen Ghannam) [Orabug: 34639981] \n- hwmon: (k10temp) Remove unused definitions (Babu Moger) [Orabug: 34639981] \n- hwmon: (k10temp) Remove residues of current and voltage (suma hegde) [Orabug: 34639981] \n- hwmon: (k10temp) Add support for yellow carp (Mario Limonciello) [Orabug: 34639981] \n- hwmon: (k10temp) Rework the temperature offset calculation (Mario Limonciello) [Orabug: 34639981] \n- hwmon: (k10temp) Don't show Tdie for all Zen/Zen2/Zen3 CPU/APU (Mario Limonciello) [Orabug: 34639981] \n- hwmon: (k10temp) Add additional missing Zen2 and Zen3 APUs (Mario Limonciello) [Orabug: 34639981] \n- hwmon: (k10temp) support Zen3 APUs (David Bartley) [Orabug: 34639981] \n- x86/amd_nb: Add AMD family 19h model 50h PCI ids (David Bartley) [Orabug: 34639981] \n- hwmon: (k10temp) Zen3 Ryzen Desktop CPUs support (Gabriel Craciunescu) [Orabug: 34639981] \n- hwmon: (k10temp) Remove support for displaying voltage and current on Zen CPUs (Guenter Roeck) [Orabug: 34639981] \n- hwmon: (k10temp) Add support for Zen3 CPUs (Wei Huang) [Orabug: 34639981] \n- hwmon: (k10temp) Take out debugfs code (Guenter Roeck) [Orabug: 34639981] \n- hwmon: (k10temp) Define SVI telemetry and current factors for Zen2 CPUs (Wei Huang) [Orabug: 34639981] \n- hwmon: (k10temp) Create common functions and macros for Zen CPU families (Wei Huang) [Orabug: 34639981] \n- hwmon: (k10temp) make some symbols static (Jason Yan) [Orabug: 34639981] \n- hwmon: (k10temp) Reorganize and simplify temperature support detection (Guenter Roeck) [Orabug: 34639981] \n- Revert 'hwmon: (k10temp) Add support for Zen3 CPUs' (Dave Kleikamp) [Orabug: 34639981] \n- 
uek-rpm: add missing nft_chain_nat.ko module (Venkat Venkatsubra) [Orabug: 34639977] \n- random: Fix incorrect type for 'rc' variable (Harshit Mogalapalli) [Orabug: 34639972] \n- hwmon: (opbmc) Add support for AST2600 based Pilot (Jan Zdarek) [Orabug: 34639967] \n- KVM: SVM: Clear the CR4 register on reset (Babu Moger) [Orabug: 34639963] \n- x86,swiotlb: Adjust SWIOTLB bounce buffer size for SEV guests (Ashish Kalra) [Orabug: 34639951] \n- netfilter: ebtables: reject blobs that don't provide all entry points (Florian Westphal) [Orabug: 34610051] \n- uek-rpm: Disable CONFIG_CRYPTO_STREEBOG (Victor Erminpour) [Orabug: 34610044] \n- uek-rpm: Disable CONFIG_CRYPTO_SM3 (Victor Erminpour) [Orabug: 34610044] \n- uek-rpm: Disable CONFIG_CRYPTO_SM4 (Victor Erminpour) [Orabug: 34610044] \n- uek-rpm: Add nftables support T93 and Ortano (Henry Willard) [Orabug: 34610035] \n- af_key: Do not call xfrm_probe_algs in parallel (Herbert Xu) [Orabug: 34610032] {CVE-2022-3028}\n- cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() (Tetsuo Handa) [Orabug: 34610025] \n- cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock (Tejun Heo) [Orabug: 34610025] \n- audit: use extern storage class for audit_filter_syscall() (Ankur Arora) [Orabug: 34586449] \n- audit: annotate branch direction for audit_in_mask() (Ankur Arora) [Orabug: 34586449] \n- audit: cache ctx->major in audit_filter_syscall() (Ankur Arora) [Orabug: 34586449]\n[5.4.17-2136.313.1]\n- video: vga16fb: Only probe for EGA and VGA 16 color graphic cards (Javier Martinez Canillas) [Orabug: 32301403] \n- KVM: arm: vgic: Only use the virtual state when userspace accesses enable bits (Marc Zyngier) [Orabug: 34542967] \n- uek-rpm: mips: enable CRYTPTO_USER config options (Dave Kleikamp) [Orabug: 34557309]", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-15T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel-container security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2022-3028"], "modified": "2022-11-15T00:00:00", "id": "ELSA-2022-9999", "href": "http://linux.oracle.com/errata/ELSA-2022-9999.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-21T06:45:48", "description": "[5.4.17-2136.312.3.4]\n- Revert 'fs: check FMODE_LSEEK to control internal pipe splicing' (Saeed Mirzamohammadi) [Orabug: 34666845]\n[5.4.17-2136.312.3.3]\n- cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock (Tejun Heo) [Orabug: 34607590] \n- cgroup: Elide write-locking threadgroup_rwsem when updating csses on an empty subtree (Tejun Heo) [Orabug: 34607590] \n- cgroup: Optimize single thread migration (Michal Koutny) [Orabug: 34607590] \n- Revert 'cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()' (Imran Khan) [Orabug: 34607590] \n- Revert 'cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock' (Imran Khan) [Orabug: 34607590] \n- x86/MCE/AMD, EDAC/mce_amd: Support non-uniform MCA bank type enumeration (Yazen Ghannam) [Orabug: 34120320] \n- x86/MCE/AMD, EDAC/mce_amd: Add new SMCA bank types (Yazen Ghannam) [Orabug: 34120320] \n- x86/MCE/AMD, EDAC/mce_amd: Add new SMCA bank types (Muralidhara M K) [Orabug: 34120320] \n- x86/mce: Increase maximum number of banks to 64 (Akshay Gupta) [Orabug: 34120320] \n- x86/MCE/AMD, EDAC/amd64: Move address translation to AMD64 EDAC (Yazen Ghannam) [Orabug: 34120320] \n- x86/MCE/AMD: Export smca_get_bank_type symbol (Mukul Joshi) [Orabug: 34120320] \n- EDAC/amd64: Add support for AMD Family 19h Models 10h-1Fh and A0h-AFh (Yazen Ghannam) [Orabug: 34120320] \n- EDAC/amd64: Set proper family type for Family 19h Models 20h-2Fh (Yazen Ghannam) [Orabug: 34120320] \n- EDAC: Add RDDR5 and LRDDR5 memory types 
(Yazen Ghannam) [Orabug: 34120320] \n- hwmon: (k10temp) Support up to 12 CCDs on AMD Family of processors (Babu Moger) [Orabug: 34120320] \n- hwmon: (k10temp) Add support for AMD Family 19h Models 10h-1Fh and A0h-AFh (Babu Moger) [Orabug: 34120320] \n- x86/amd_nb: Add AMD Family 19h Models (10h-1Fh) and (A0h-AFh) PCI IDs (Yazen Ghannam) [Orabug: 34120320] \n- hwmon: (k10temp) Remove unused definitions (Babu Moger) [Orabug: 34120320] \n- hwmon: (k10temp) Remove residues of current and voltage (suma hegde) [Orabug: 34120320] \n- hwmon: (k10temp) Add support for yellow carp (Mario Limonciello) [Orabug: 34120320] \n- hwmon: (k10temp) Rework the temperature offset calculation (Mario Limonciello) [Orabug: 34120320] \n- hwmon: (k10temp) Don't show Tdie for all Zen/Zen2/Zen3 CPU/APU (Mario Limonciello) [Orabug: 34120320] \n- hwmon: (k10temp) Add additional missing Zen2 and Zen3 APUs (Mario Limonciello) [Orabug: 34120320] \n- hwmon: (k10temp) support Zen3 APUs (David Bartley) [Orabug: 34120320] \n- x86/amd_nb: Add AMD family 19h model 50h PCI ids (David Bartley) [Orabug: 34120320] \n- hwmon: (k10temp) Zen3 Ryzen Desktop CPUs support (Gabriel Craciunescu) [Orabug: 34120320] \n- hwmon: (k10temp) Remove support for displaying voltage and current on Zen CPUs (Guenter Roeck) [Orabug: 34120320] \n- hwmon: (k10temp) Add support for Zen3 CPUs (Wei Huang) [Orabug: 34120320] \n- hwmon: (k10temp) Take out debugfs code (Guenter Roeck) [Orabug: 34120320] \n- hwmon: (k10temp) Define SVI telemetry and current factors for Zen2 CPUs (Wei Huang) [Orabug: 34120320] \n- hwmon: (k10temp) Create common functions and macros for Zen CPU families (Wei Huang) [Orabug: 34120320] \n- hwmon: (k10temp) make some symbols static (Jason Yan) [Orabug: 34120320] \n- hwmon: (k10temp) Reorganize and simplify temperature support detection (Guenter Roeck) [Orabug: 34120320] \n- Revert 'hwmon: (k10temp) Add support for Zen3 CPUs' (Dave Kleikamp) [Orabug: 34120320] \n- uek-rpm: add missing nft_chain_nat.ko module 
(Venkat Venkatsubra) [Orabug: 34553255] \n- random: Fix incorrect type for 'rc' variable (Harshit Mogalapalli) [Orabug: 34601349] \n- hwmon: (opbmc) Add support for AST2600 based Pilot (Jan Zdarek) [Orabug: 34605428] \n- KVM: SVM: Clear the CR4 register on reset (Babu Moger) [Orabug: 34610277] \n- x86,swiotlb: Adjust SWIOTLB bounce buffer size for SEV guests (Ashish Kalra) [Orabug: 34626337]\n[5.4.17-2136.312.3.2]\n- netfilter: ebtables: reject blobs that don't provide all entry points (Florian Westphal) [Orabug: 34513978] \n- uek-rpm: Disable CONFIG_CRYPTO_STREEBOG (Victor Erminpour) [Orabug: 34557344] \n- uek-rpm: Disable CONFIG_CRYPTO_SM3 (Victor Erminpour) [Orabug: 34557344] \n- uek-rpm: Disable CONFIG_CRYPTO_SM4 (Victor Erminpour) [Orabug: 34557344] \n- uek-rpm: Add nftables support T93 and Ortano (Henry Willard) [Orabug: 34561703] \n- af_key: Do not call xfrm_probe_algs in parallel (Herbert Xu) [Orabug: 34566752] {CVE-2022-3028}\n- cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() (Tetsuo Handa) [Orabug: 34567777] \n- cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock (Tejun Heo) [Orabug: 34567777]\n[5.4.17-2136.312.3.1]\n- audit: use extern storage class for audit_filter_syscall() (Ankur Arora) [Orabug: 33697500] \n- audit: annotate branch direction for audit_in_mask() (Ankur Arora) [Orabug: 33697500] \n- audit: cache ctx->major in audit_filter_syscall() (Ankur Arora) [Orabug: 33697500] \n- video: vga16fb: Only probe for EGA and VGA 16 color graphic cards (Javier Martinez Canillas) [Orabug: 34580817] \n- KVM: arm: vgic: Only use the virtual state when userspace accesses enable bits (Marc Zyngier) [Orabug: 34580807] \n- uek-rpm: mips: enable CRYTPTO_USER config options (Dave Kleikamp) [Orabug: 34580802]\n[5.4.17-2136.312.3]\n- LTS tag: v5.4.211 (Sherry Yang) \n- btrfs: raid56: don't trust any cached sector in __raid56_parity_recover() (Qu Wenruo) \n- btrfs: only write the sectors in the vertical stripe which has data stripes (Qu Wenruo) \n- can: j1939: 
j1939_session_destroy(): fix memory leak of skbs (Fedor Pchelkin) \n- can: j1939: j1939_sk_queue_activate_next_locked(): replace WARN_ON_ONCE with netdev_warn_once() (Fedor Pchelkin) \n- tracing/probes: Have kprobes and uprobes use $COMM too (Steven Rostedt (Google)) \n- MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0 (Nathan Chancellor) \n- video: fbdev: i740fb: Check the argument of i740_calc_vclk() (Zheyu Ma) \n- powerpc/64: Init jump labels before parse_early_param() (Zhouyi Zhou) \n- smb3: check xattr value length earlier (Steve French) \n- f2fs: fix to avoid use f2fs_bug_on() in f2fs_new_node_page() (Chao Yu) \n- ALSA: timer: Use deferred fasync helper (Takashi Iwai) \n- ALSA: core: Add async signal helpers (Takashi Iwai) \n- powerpc/32: Don't always pass -mcpu=powerpc to the compiler (Christophe Leroy) \n- watchdog: export lockup_detector_reconfigure (Laurent Dufour) \n- RISC-V: Add fast call path of crash_kexec() (Xianting Tian) \n- riscv: mmap with PROT_WRITE but no PROT_READ is invalid (Celeste Liu) \n- mips: cavium-octeon: Fix missing of_node_put() in octeon2_usb_clocks_start (Liang He) \n- vfio: Clear the caps->buf to NULL after free (Schspa Shi) \n- tty: serial: Fix refcount leak bug in ucc_uart.c (Liang He) \n- lib/list_debug.c: Detect uninitialized lists (Guenter Roeck) \n- ext4: avoid resizing to a partial cluster size (Kiselev, Oleg) \n- ext4: avoid remove directory when directory is corrupted (Ye Bin) \n- drivers:md:fix a potential use-after-free bug (Wentao_Liang) \n- nvmet-tcp: fix lockdep complaint on nvmet_tcp_wq flush during queue teardown (Sagi Grimberg) \n- dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync() failed (Uwe Kleine-Konig) \n- selftests/kprobe: Do not test for GRP/ without event failures (Steven Rostedt (Google)) \n- um: add 'noreboot' command line option for PANIC_TIMEOUT=-1 setups (Jason A. 
Donenfeld) \n- PCI/ACPI: Guard ARM64-specific mcfg_quirks (Huacai Chen) \n- cxl: Fix a memory leak in an error handling path (Christophe JAILLET) \n- gadgetfs: ep_io - wait until IRQ finishes (Jozef Martiniak) \n- scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input (James Smart) \n- clk: qcom: ipq8074: dont disable gcc_sleep_clk_src (Robert Marko) \n- vboxguest: Do not use devm for irq (Pascal Terjan) \n- usb: renesas: Fix refcount leak bug (Liang He) \n- usb: host: ohci-ppc-of: Fix refcount leak bug (Liang He) \n- drm/meson: Fix overflow implicit truncation warnings (Sai Prakash Ranjan) \n- irqchip/tegra: Fix overflow implicit truncation warnings (Sai Prakash Ranjan) \n- usb: gadget: uvc: call uvc uvcg_warn on completed status instead of uvcg_info (Michael Grzeschik) \n- usb: cdns3 fix use-after-free at workaround 2 (Frank Li) \n- PCI: Add ACS quirk for Broadcom BCM5750x NICs (Pavan Chebbi) \n- drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors() (Liang He) \n- locking/atomic: Make test_and_*_bit() ordered on failure (Hector Martin) \n- gcc-plugins: Undefine LATENT_ENTROPY_PLUGIN when plugin disabled for a file (Andrew Donnellan) \n- igb: Add lock to avoid data race (Lin Ma) \n- fec: Fix timer capture timing in fec_ptp_enable_pps() (Csokas Bence) \n- i40e: Fix to stop tx_timeout recovery if GLOBR fails (Alan Brady) \n- ice: Ignore EEXIST when setting promisc mode (Grzegorz Siwik) \n- net: dsa: microchip: ksz9477: fix fdb_dump last invalid entry (Arun Ramadoss) \n- net: moxa: pass pdev instead of ndev to DMA functions (Sergei Antonov) \n- net: dsa: mv88e6060: prevent crash on an unused port (Sergei Antonov) \n- powerpc/pci: Fix get_phb_number() locking (Michael Ellerman) \n- netfilter: nf_tables: really skip inactive sets when allocating name (Pablo Neira Ayuso) \n- clk: rockchip: add sclk_mac_lbtest to rk3188_critical_clocks (Alex Bee) \n- iavf: Fix adminq error handling (Przemyslaw Patynowski) \n- nios2: add 
force_successful_syscall_return() (Al Viro) \n- nios2: restarts apply only to the first sigframe we build... (Al Viro) \n- nios2: fix syscall restart checks (Al Viro) \n- nios2: traced syscall does need to check the syscall number (Al Viro) \n- nios2: don't leave NULLs in sys_call_table[] (Al Viro) \n- nios2: page fault et.al. are *not* restartable syscalls... (Al Viro) \n- tee: add overflow check in register_shm_helper() (Jens Wiklander) \n- dpaa2-eth: trace the allocated address instead of page struct (Chen Lin) \n- atm: idt77252: fix use-after-free bugs caused by tst_timer (Duoming Zhou) \n- xen/xenbus: fix return type in xenbus_file_read() (Dan Carpenter) \n- nfp: ethtool: fix the display error of ethtool -m DEVNAME (Yu Xiao) \n- NTB: ntb_tool: uninitialized heap data in tool_fn_write() (Dan Carpenter) \n- tools build: Switch to new openssl API for test-libcrypto (Roberto Sassu) \n- tools/vm/slabinfo: use alphabetic order when two values are equal (Yuanzheng Song) \n- dt-bindings: arm: qcom: fix MSM8916 MTP compatibles (Krzysztof Kozlowski) \n- vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout() (Peilin Ye) \n- vsock: Fix memory leak in vsock_connect() (Peilin Ye) \n- plip: avoid rcu debug splat (Florian Westphal) \n- geneve: do not use RT_TOS for IPv6 flowlabel (Matthias May) \n- ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool (Sakari Ailus) \n- pinctrl: sunxi: Add I/O bias setting for H6 R-PIO (Samuel Holland) \n- pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed (Nikita Travkin) \n- pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map (Miaoqian Lin) \n- net: bgmac: Fix a BUG triggered by wrong bytes_compl (Sandor Bodo-Merle) \n- devlink: Fix use-after-free after a failed reload (Ido Schimmel) \n- SUNRPC: Reinitialise the backchannel request buffers before reuse (Trond Myklebust) \n- sunrpc: fix expiry of auth creds (Dan Aloni) \n- can: mcp251x: Fix race condition on receive interrupt 
(Sebastian Wurl) \n- NFSv4/pnfs: Fix a use-after-free bug in open (Trond Myklebust) \n- NFSv4.1: RECLAIM_COMPLETE must handle EACCES (Zhang Xianwei) \n- NFSv4: Fix races in the legacy idmapper upcall (Trond Myklebust) \n- NFSv4.1: Handle NFS4ERR_DELAY replies to OP_SEQUENCE correctly (Trond Myklebust) \n- NFSv4.1: Don't decrease the value of seq_nr_highest_sent (Trond Myklebust) \n- Documentation: ACPI: EINJ: Fix obsolete example (Qifu Zhang) \n- apparmor: Fix memleak in aa_simple_write_to_buffer() (Xiu Jianfeng) \n- apparmor: fix reference count leak in aa_pivotroot() (Xin Xiong) \n- apparmor: fix overlapping attachment computation (John Johansen) \n- apparmor: fix aa_label_asxprint return check (Tom Rix) \n- apparmor: Fix failed mount permission check error message (John Johansen) \n- apparmor: fix absroot causing audited secids to begin with = (John Johansen) \n- apparmor: fix quiet_denied for file rules (John Johansen) \n- can: ems_usb: fix clang's -Wunaligned-access warning (Marc Kleine-Budde) \n- tracing: Have filter accept 'common_cpu' to be consistent (Steven Rostedt (Google)) \n- btrfs: fix lost error handling when looking up extended ref on log replay (Filipe Manana) \n- mmc: pxamci: Fix an error handling path in pxamci_probe() (Christophe JAILLET) \n- mmc: pxamci: Fix another error handling path in pxamci_probe() (Christophe JAILLET) \n- ata: libata-eh: Add missing command name (Damien Le Moal) \n- ALSA: info: Fix llseek return value when using callback (Amadeusz Slawinski) \n- net_sched: cls_route: disallow handle of 0 (Jamal Hadi Salim) \n- net/9p: Initialize the iounit field during fid creation (Tyler Hicks) \n- Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression (Luiz Augusto von Dentz) \n- Revert 'net: usb: ax88179_178a needs FLAG_SEND_ZLP' (Jose Alonso) \n- scsi: sg: Allow waiting for commands to complete on removed device (Tony Battersby) \n- tcp: fix over estimation in sk_forced_mem_schedule() (Eric Dumazet) \n- btrfs: reject log replay if 
there is unsupported RO compat flag (Qu Wenruo) \n- iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) (Alexander Lobakin) \n- firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails (Sudeep Holla) \n- timekeeping: contribute wall clock to rng on time change (Jason A. Donenfeld) \n- ACPI: CPPC: Do not prevent CPPC from working in the future (Rafael J. Wysocki) \n- dm writecache: set a default MAX_WRITEBACK_JOBS (Mikulas Patocka) \n- dm thin: fix use-after-free crash in dm_sm_register_threshold_callback (Luo Meng) \n- dm raid: fix address sanitizer warning in raid_status (Mikulas Patocka) \n- dm raid: fix address sanitizer warning in raid_resume (Mikulas Patocka) \n- intel_th: pci: Add Meteor Lake-P support (Alexander Shishkin) \n- intel_th: pci: Add Raptor Lake-S PCH support (Alexander Shishkin) \n- intel_th: pci: Add Raptor Lake-S CPU support (Alexander Shishkin) \n- ext4: correct the misjudgment in ext4_iget_extra_inode (Baokun Li) \n- ext4: correct max_inline_xattr_value_size computing (Baokun Li) \n- ext4: fix extent status tree race in writeback error recovery path (Eric Whitney) \n- ext4: update s_overhead_clusters in the superblock during an on-line resize (Theodore Ts'o) \n- ext4: fix use-after-free in ext4_xattr_set_entry (Baokun Li) \n- ext4: make sure ext4_append() always allocates new block (Lukas Czerner) \n- ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h (Baokun Li) \n- btrfs: reset block group chunk force if we have to wait (Josef Bacik) \n- tpm: eventlog: Fix section mismatch for DEBUG_SECTION_MISMATCH (Huacai Chen) \n- kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification (Michal Suchanek) \n- spmi: trace: fix stack-out-of-bound access in SPMI tracing functions (David Collins) \n- x86/olpc: fix 'logical not is only applied to the left hand side' (Alexander Lobakin) \n- scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error injection (Quinn Tran) \n- scsi: qla2xxx: 
Turn off multi-queue for 8G adapters (Quinn Tran) \n- scsi: qla2xxx: Fix discovery issues in FC-AL topology (Arun Easi) \n- scsi: zfcp: Fix missing auto port scan and thus missing target ports (Steffen Maier) \n- video: fbdev: s3fb: Check the size of screen before memset_io() (Zheyu Ma) \n- video: fbdev: arkfb: Check the size of screen before memset_io() (Zheyu Ma) \n- video: fbdev: vt8623fb: Check the size of screen before memset_io() (Zheyu Ma) \n- tools/thermal: Fix possible path truncations (Florian Fainelli) \n- video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock() (Zheyu Ma) \n- x86/numa: Use cpumask_available instead of hardcoded NULL check (Siddh Raman Pant) \n- scripts/faddr2line: Fix vmlinux detection on arm64 (Josh Poimboeuf) \n- genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined HAVE_LIBCRYPTO (Arnaldo Carvalho de Melo) \n- powerpc/pci: Fix PHB numbering when using opal-phbid (Michael Ellerman) \n- kprobes: Forbid probing on trampoline and BPF code areas (Chen Zhongjin) \n- perf symbol: Fail to read phdr workaround (Ian Rogers) \n- powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address (Miaoqian Lin) \n- powerpc/xive: Fix refcount leak in xive_get_max_prio (Miaoqian Lin) \n- powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader (Miaoqian Lin) \n- powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and alias (Pali Rohar) \n- powerpc/32: Do not allow selection of e5500 or e6500 CPUs on PPC32 (Christophe Leroy) \n- video: fbdev: sis: fix typos in SiS_GetModeID() (Rustam Subkhankulov) \n- video: fbdev: amba-clcd: Fix refcount leak bugs (Liang He) \n- watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() (William Dean) \n- ASoC: audio-graph-card: Add of_node_put() in fail path (Liang He) \n- fuse: Remove the control interface for virtio-fs (Xie Yongji) \n- ASoC: qcom: q6dsp: Fix an off-by-one in q6adm_alloc_copp() (Christophe JAILLET) \n- s390/zcore: fix race 
when reading from hardware system area (Alexander Gordeev) \n- iommu/arm-smmu: qcom_iommu: Add of_node_put() when breaking out of loop (Liang He) \n- mfd: max77620: Fix refcount leak in max77620_initialise_fps (Miaoqian Lin) \n- mfd: t7l66xb: Drop platform disable callback (Uwe Kleine-Konig) \n- kfifo: fix kfifo_to_user() return type (Dan Carpenter) \n- rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge (Miaoqian Lin) \n- iommu/exynos: Handle failed IOMMU device registration properly (Sam Protsenko) \n- tty: n_gsm: fix missing corner cases in gsmld_poll() (Daniel Starke) \n- tty: n_gsm: fix DM command (Daniel Starke) \n- tty: n_gsm: fix wrong T1 retry count handling (Daniel Starke) \n- vfio/ccw: Do not change FSM state in subchannel event (Eric Farman) \n- remoteproc: qcom: wcnss: Fix handling of IRQs (Sireesh Kodali) \n- tty: n_gsm: fix race condition in gsmld_write() (Daniel Starke) \n- tty: n_gsm: fix packet re-transmission without open control channel (Daniel Starke) \n- tty: n_gsm: fix non flow control frames during mux flow off (Daniel Starke) \n- profiling: fix shift too large makes kernel panic (Chen Zhongjin) \n- ASoC: codecs: wcd9335: move gains from SX_TLV to S8_TLV (Srinivas Kandagatla) \n- ASoC: codecs: msm8916-wcd-digital: move gains from SX_TLV to S8_TLV (Srinivas Kandagatla) \n- serial: 8250_dw: Store LSR into lsr_saved_flags in dw8250_tx_wait_empty() (Ilpo Jarvinen) \n- ASoC: mediatek: mt8173-rt5650: Fix refcount leak in mt8173_rt5650_dev_probe (Miaoqian Lin) \n- ASoC: codecs: da7210: add check for i2c_add_driver (Jiasheng Jiang) \n- ASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe (Miaoqian Lin) \n- ASoC: mediatek: mt8173: Fix refcount leak in mt8173_rt5650_rt5676_dev_probe (Miaoqian Lin) \n- opp: Fix error check in dev_pm_opp_attach_genpd() (Tang Bin) \n- jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted (Zhihao Cheng) \n- ext4: recover csum seed of tmp_inode after migrating to extents (Li 
Lingfeng) \n- jbd2: fix outstanding credits assert in jbd2_journal_commit_transaction() (Zhang Yi) \n- null_blk: fix ida error handling in null_add_dev() (Dan Carpenter) \n- RDMA/rxe: Fix error unwind in rxe_create_qp() (Zhu Yanjun) \n- mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region (Miaohe Lin) \n- platform/olpc: Fix uninitialized data in debugfs write (Dan Carpenter) \n- USB: serial: fix tty-port initialized comments (Johan Hovold) \n- PCI: tegra194: Fix link up retry sequence (Vidya Sagar) \n- PCI: tegra194: Fix Root Port interrupt handling (Vidya Sagar) \n- HID: alps: Declare U1_UNICORN_LEGACY support (Artem Borisov) \n- mmc: cavium-thunderx: Add of_node_put() when breaking out of loop (Liang He) \n- mmc: cavium-octeon: Add of_node_put() when breaking out of loop (Liang He) \n- gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data() (Liang He) \n- RDMA/hfi1: fix potential memory leak in setup_base_ctxt() (Jianglei Nie) \n- RDMA/siw: Fix duplicated reported IW_CM_EVENT_CONNECT_REPLY event (Cheng Xu) \n- RDMA/hns: Fix incorrect clearing of interrupt status register (Haoyue Xu) \n- usb: gadget: udc: amd5536 depends on HAS_DMA (Randy Dunlap) \n- scsi: smartpqi: Fix DMA direction for RAID requests (Mahesh Rajashekhara) \n- mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R (Eugen Hristev) \n- memstick/ms_block: Fix a memory leak (Christophe JAILLET) \n- memstick/ms_block: Fix some incorrect memory allocation (Christophe JAILLET) \n- mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch (Miaoqian Lin) \n- staging: rtl8192u: Fix sleep in atomic context bug in dm_fsync_timer_callback (Duoming Zhou) \n- intel_th: msu: Fix vmalloced buffers (Alexander Shishkin) \n- intel_th: msu-sink: Potential dereference of null pointer (Jiasheng Jiang) \n- intel_th: Fix a resource leak in an error handling path (Christophe JAILLET) \n- soundwire: bus_type: fix remove and shutdown support (Pierre-Louis Bossart) \n- clk: qcom: 
camcc-sdm845: Fix topology around titan_top power domain (Vladimir Zapolskiy) \n- clk: qcom: ipq8074: set BRANCH_HALT_DELAY flag for UBI clocks (Robert Marko) \n- clk: qcom: ipq8074: fix NSS port frequency tables (Robert Marko) \n- usb: host: xhci: use snprintf() in xhci_decode_trb() (Sergey Shtylyov) \n- clk: qcom: clk-krait: unlock spin after mux completion (Ansuel Smith) \n- driver core: fix potential deadlock in __driver_attach (Zhang Wensheng) \n- misc: rtsx: Fix an error handling path in rtsx_pci_probe() (Christophe JAILLET) \n- clk: mediatek: reset: Fix written reset bit offset (Rex-BC Chen) \n- usb: xhci: tegra: Fix error check (Tang Bin) \n- usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe (Miaoqian Lin) \n- usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe (Miaoqian Lin) \n- fpga: altera-pr-ip: fix unsigned comparison with less than zero (Marco Pagani) \n- mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error path (Uwe Kleine-Konig) \n- mtd: partitions: Fix refcount leak in parse_redboot_of (Miaoqian Lin) \n- mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release (Duoming Zhou) \n- HID: cp2112: prevent a buffer overflow in cp2112_xfer() (Harshit Mogalapalli) \n- mtd: rawnand: meson: Fix a potential double free issue (Christophe JAILLET) \n- mtd: maps: Fix refcount leak in ap_flash_init (Miaoqian Lin) \n- mtd: maps: Fix refcount leak in of_flash_probe_versatile (Miaoqian Lin) \n- clk: renesas: r9a06g032: Fix UART clkgrp bitsel (Ralph Siemsen) \n- dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock (Hangyu Hua) \n- net: rose: fix netdev reference changes (Eric Dumazet) \n- netdevsim: Avoid allocation warnings triggered from user space (Jakub Kicinski) \n- iavf: Fix max_rate limiting (Przemyslaw Patynowski) \n- crypto: inside-secure - Add missing MODULE_DEVICE_TABLE for of (Pali Rohar) \n- net/mlx5e: Fix the value of MLX5E_MAX_RQ_NUM_MTTS (Maxim Mikityanskiy) \n- wifi: libertas: Fix possible refcount leak 
in if_usb_probe() (Hangyu Hua) \n- wifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue (Jose Ignacio Tornos Martinez) \n- wifi: wil6210: debugfs: fix uninitialized variable use in wil_write_file_wmi() (Ammar Faizi) \n- i2c: mux-gpmux: Add of_node_put() when breaking out of loop (Liang He) \n- i2c: cadence: Support PEC for SMBus block read (Lars-Peter Clausen) \n- Bluetooth: hci_intel: Add check for platform_driver_register (Jiasheng Jiang) \n- can: pch_can: pch_can_error(): initialize errc before using it (Vincent Mailhol) \n- can: error: specify the values of data[5..7] of CAN error frames (Vincent Mailhol) \n- can: usb_8dev: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: kvaser_usb_leaf: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: kvaser_usb_hydra: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: sun4i_can: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: hi311x: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: sja1000: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: rcar_can: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: pch_can: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- selftests/bpf: fix a test for snprintf() overflow (Dan Carpenter) \n- wifi: p54: add missing parentheses in p54_flush() (Rustam Subkhankulov) \n- wifi: p54: Fix an error handling path in p54spi_probe() (Christophe JAILLET) \n- wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi() (Dan Carpenter) \n- fs: check FMODE_LSEEK to control internal pipe splicing (Jason A. 
Donenfeld) \n- selftests: timers: clocksource-switch: fix passing errors from child (Wolfram Sang) \n- selftests: timers: valid-adjtimex: build fix for newer toolchains (Wolfram Sang) \n- libbpf: Fix the name of a reused map (Anquan Wu) \n- tcp: make retransmitted SKB fit into the send window (Yonglong Li) \n- drm/exynos/exynos7_drm_decon: free resources when clk_set_parent() failed. (Jian Zhang) \n- mediatek: mt76: mac80211: Fix missing of_node_put() in mt76_led_init() (Liang He) \n- media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment (AngeloGioacchino Del Regno) \n- crypto: hisilicon - Kunpeng916 crypto driver don't sleep when in softirq (Zhengchao Shao) \n- drm/msm/mdp5: Fix global state lock backoff (Rob Clark) \n- drm: bridge: sii8620: fix possible off-by-one (Hangyu Hua) \n- drm/mediatek: dpi: Only enable dpi after the bridge is enabled (Guillaume Ranquet) \n- drm/mediatek: dpi: Remove output format of YUV (Bo-Chen Chen) \n- drm/rockchip: Fix an error handling path rockchip_dp_probe() (Christophe JAILLET) \n- drm/rockchip: vop: Don't crash for invalid duplicate_state() (Brian Norris) \n- crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE (Qian Cai) \n- drm/vc4: dsi: Correct DSI divider calculations (Dave Stevenson) \n- drm/vc4: plane: Fix margin calculations for the right/bottom edges (Dave Stevenson) \n- drm/vc4: plane: Remove subpixel positioning check (Dom Cobley) \n- media: hdpvr: fix error value returns in hdpvr_read (Niels Dossche) \n- drm/mcde: Fix refcount leak in mcde_dsi_bind (Miaoqian Lin) \n- drm: bridge: adv7511: Add check for mipi_dsi_driver_register (Jiasheng Jiang) \n- wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd() (Alexey Kodanev) \n- ath9k: fix use-after-free in ath9k_hif_usb_rx_cb (Pavel Skripkin) \n- media: tw686x: Register the irq at the end of probe (Zheyu Ma) \n- i2c: Fix a potential use after free (Xu Wang) \n- drm: adv7511: override i2c address of cec before accessing it (Antonio 
Borneo) \n- drm/mediatek: Add pull-down MIPI operation in mtk_dsi_poweroff function (Xinlei Lee) \n- drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers() (Alexey Kodanev) \n- drm/mipi-dbi: align max_chunk to 2 in spi_transfer (Yunhao Tian) \n- wifi: rtlwifi: fix error codes in rtl_debugfs_set_write_h2c() (Dan Carpenter) \n- ath10k: do not enforce interrupt trigger type (Krzysztof Kozlowski) \n- dm: return early from dm_pr_call() if DM device is suspended (Mike Snitzer) \n- thermal/tools/tmon: Include pthread and time headers in tmon.h (Markus Mayer) \n- nohz/full, sched/rt: Fix missed tick-reenabling bug in dequeue_task_rt() (Nicolas Saenz Julienne) \n- regulator: of: Fix refcount leak bug in of_get_regulation_constraints() (Liang He) \n- blk-mq: don't create hctx debugfs dir until q->debugfs_dir is created (Ming Lei) \n- erofs: avoid consecutive detection for Highmem memory (Gao Xiang) \n- arm64: dts: mt7622: fix BPI-R64 WPS button (Nick Hainke) \n- bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe() (Yang Yingliang) \n- ARM: dts: qcom: pm8841: add required thermal-sensor-cells (Krzysztof Kozlowski) \n- soc: qcom: aoss: Fix refcount leak in qmp_cooling_devices_register (Miaoqian Lin) \n- cpufreq: zynq: Fix refcount leak in zynq_get_revision (Miaoqian Lin) \n- ARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init (Miaoqian Lin) \n- ARM: OMAP2+: Fix refcount leak in omapdss_init_of (Miaoqian Lin) \n- ARM: dts: qcom: mdm9615: add missing PMIC GPIO reg (Krzysztof Kozlowski) \n- soc: fsl: guts: machine variable might be unset (Michael Walle) \n- ARM: dts: ast2600-evb: fix board compatible (Krzysztof Kozlowski) \n- ARM: dts: ast2500-evb: fix board compatible (Krzysztof Kozlowski) \n- x86/pmem: Fix platform-device leak in error path (Johan Hovold) \n- ARM: bcm: Fix refcount leak in bcm_kona_smc_init (Miaoqian Lin) \n- meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init (Miaoqian Lin) \n- ARM: findbit: fix 
overflowing offset (Russell King (Oracle)) \n- spi: spi-rspi: Fix PIO fallback on RZ platforms (Biju Das) \n- selinux: Add boundary check in put_entry() (Xiu Jianfeng) \n- PM: hibernate: defer device probing when resuming from hibernation (Tetsuo Handa) \n- ARM: shmobile: rcar-gen2: Increase refcount for new reference (Liang He) \n- arm64: dts: allwinner: a64: orangepi-win: Fix LED node name (Samuel Holland) \n- arm64: dts: qcom: ipq8074: fix NAND node name (Robert Marko) \n- ACPI: LPSS: Fix missing check in register_device_clock() (huhai) \n- ACPI: PM: save NVS memory for Lenovo G40-45 (Manyi Li) \n- ACPI: EC: Remove duplicate ThinkPad X1 Carbon 6th entry from DMI quirks (Hans de Goede) \n- ARM: OMAP2+: display: Fix refcount leak bug (Liang He) \n- spi: synquacer: Add missing clk_disable_unprepare() (Guo Mengqi) \n- ARM: dts: imx6ul: fix qspi node compatible (Alexander Stein) \n- ARM: dts: imx6ul: fix lcdif node compatible (Alexander Stein) \n- ARM: dts: imx6ul: fix csi node compatible (Alexander Stein) \n- ARM: dts: imx6ul: change operating-points to uint32-matrix (Alexander Stein) \n- ARM: dts: imx6ul: add missing properties for sram (Alexander Stein) \n- wait: Fix __wait_event_hrtimeout for RT/DL tasks (Juri Lelli) \n- genirq: Don't return error on missing optional irq_request_resources() (Antonio Borneo) \n- ext2: Add more validity checks for inode counts (Jan Kara) \n- arm64: fix oops in concurrently setting insn_emulation sysctls (haibinzhang () \n- arm64: Do not forget syscall when starting a new thread. 
(Francis Laniel) \n- x86: Handle idle=nomwait cmdline properly for x86_idle (Wyes Karny) \n- epoll: autoremove wakers even more aggressively (Benjamin Segall) \n- netfilter: nf_tables: fix null deref due to zeroed list head (Florian Westphal) \n- arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC (Kunihiko Hayashi) \n- ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC (Kunihiko Hayashi) \n- USB: HCD: Fix URB giveback issue in tasklet function (Weitao Wang) \n- coresight: Clear the connection field properly (Suzuki K Poulose) \n- MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK (Huacai Chen) \n- powerpc/powernv: Avoid crashing if rng is NULL (Michael Ellerman) \n- powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E (Christophe Leroy) \n- powerpc/fsl-pci: Fix Class Code of PCIe Root Port (Pali Rohar) \n- PCI: Add defines for normal and subtractive PCI bridges (Pali Rohar) \n- ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() (Alexander Lobakin) \n- md-raid10: fix KASAN warning (Mikulas Patocka) \n- serial: mvebu-uart: uart2 error bits clearing (Narendra Hadke) \n- fuse: limit nsec (Miklos Szeredi) \n- iio: light: isl29028: Fix the warning in isl29028_remove() (Zheyu Ma) \n- drm/amdgpu: Check BO's requested pinning domains against its preferred_domains (Leo Li) \n- drm/nouveau: fix another off-by-one in nvbios_addr (Timur Tabi) \n- drm/gem: Properly annotate WW context on drm_gem_lock_reservations() error (Dmitry Osipenko) \n- parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat mode (Helge Deller) \n- parisc: Fix device names in /proc/iomem (Helge Deller) \n- ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh() (Jiachen Zhang) \n- usbnet: Fix linkwatch use-after-free on disconnect (Lukas Wunner) \n- fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters (Helge Deller) \n- thermal: sysfs: Fix cooling_device_stats_setup() error code path (Rafael J. 
Wysocki) \n- fs: Add missing umask strip in vfs_tmpfile (Yang Xu) \n- vfs: Check the truncate maximum size in inode_newsize_ok() (David Howells) \n- tty: vt: initialize unicode screen buffer (Tetsuo Handa) \n- ALSA: hda/realtek: Add quirk for another Asus K42JZ model (Meng Tang) \n- ALSA: hda/cirrus - support for iMac 12,1 model (Allen Ballway) \n- ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model (Meng Tang) \n- mm/mremap: hold the rmap lock in write mode when moving page table entries. (Aneesh Kumar K.V) \n- KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP (Sean Christopherson) \n- KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks (Sean Christopherson) \n- KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value (Sean Christopherson) \n- KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending case (Sean Christopherson) \n- KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case (Sean Christopherson) \n- HID: wacom: Don't register pad_input for touch switch (Ping Cheng) \n- HID: wacom: Only report rotation for art pen (Ping Cheng) \n- add barriers to buffer_uptodate and set_buffer_uptodate (Mikulas Patocka) \n- wifi: mac80211_hwsim: use 32-bit skb cookie (Johannes Berg) \n- wifi: mac80211_hwsim: add back erroneously removed cast (Johannes Berg) \n- wifi: mac80211_hwsim: fix race condition in pending packet (Jeongik Cha) \n- igc: Remove _I_PHY_ID checking (Sasha Neftin) \n- ALSA: bcd2000: Fix a UAF bug on the error path of probing (Zheyu Ma) \n- scsi: Revert 'scsi: qla2xxx: Fix disk failure to rediscover' (Nilesh Javali) \n- x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments (Nick Desaulniers) \n- Makefile: link with -z noexecstack --no-warn-rwx-segments (Nick Desaulniers) \n- LTS tag: v5.4.210 (Sherry Yang) \n- macintosh/adb: fix oob read in do_adb_query() function (Ning Qiang) \n- media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls 
(Chen-Yu Tsai) \n- selftests: KVM: Handle compiler optimizations in ucall (Raghavendra Rao Ananta) \n- KVM: Don't null dereference ops->destroy (Alexey Kardashevskiy) \n- selftests/bpf: Fix 'dubious pointer arithmetic' test (Jean-Philippe Brucker) \n- selftests/bpf: Fix test_align verifier log patterns (Stanislav Fomichev) \n- bpf: Test_verifier, #70 error message updates for 32-bit right shift (John Fastabend) \n- selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads (Jakub Sitnicki) \n- bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds() (John Fastabend) \n- ACPI: APEI: Better fix to avoid spamming the console with old error logs (Tony Luck) \n- ACPI: video: Shortening quirk list by identifying Clevo by board_name only (Werner Sembach) \n- ACPI: video: Force backlight native for some TongFang devices (Werner Sembach) \n- thermal: Fix NULL pointer dereferences in of_thermal_ functions (Subbaraman Narayanamurthy) \n- LTS tag: v5.4.209 (Sherry Yang) \n- scsi: core: Fix race between handling STS_RESOURCE and completion (Ming Lei) \n- mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle. (Wei Mingzhi) \n- ARM: crypto: comment out gcc warning that breaks clang builds (Greg Kroah-Hartman) \n- sctp: leave the err path free in sctp_stream_init to sctp_stream_free (Xin Long) \n- sfc: disable softirqs for ptp TX (Alejandro Lucero) \n- perf symbol: Correct address for bss symbols (Leo Yan) \n- virtio-net: fix the race between refill work and close (Jason Wang) \n- netfilter: nf_queue: do not allow packet truncation below transport header offset (Florian Westphal) \n- sctp: fix sleep in atomic context bug in timer handlers (Duoming Zhou) \n- i40e: Fix interface init with MSI interrupts (no MSI-X) (Michal Maloszewski) \n- tcp: Fix a data-race around sysctl_tcp_comp_sack_nr. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns. 
(Kuniyuki Iwashima) \n- Documentation: fix sctp_wmem in ip-sysctl.rst (Xin Long) \n- tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_autocorking. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_min_tso_segs. (Kuniyuki Iwashima) \n- net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() (Liang He) \n- igmp: Fix data-races around sysctl_igmp_qrv. (Kuniyuki Iwashima) \n- ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr (Ziyang Xuan) \n- net: ping6: Fix memleak in ipv6_renew_options(). (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_limit_output_bytes. (Kuniyuki Iwashima) \n- scsi: ufs: host: Hold reference returned by of_parse_phandle() (Liang He) \n- ice: do not setup vlan for loopback VSI (Maciej Fijalkowski) \n- ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) (Maciej Fijalkowski) \n- tcp: Fix a data-race around sysctl_tcp_nometrics_save. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_frto. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_adv_win_scale. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_app_win. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_dsack. 
(Kuniyuki Iwashima) \n- ntfs: fix use-after-free in ntfs_ucsncmp() (ChenXiaoSong) \n- Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put (Luiz Augusto von Dentz) \n- LTS tag: v5.4.208 (Sherry Yang) \n- x86: drop bogus 'cc' clobber from __try_cmpxchg_user_asm() (Jan Beulich) \n- net: usb: ax88179_178a needs FLAG_SEND_ZLP (Jose Alonso) \n- tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() (Jiri Slaby) \n- tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() (Jiri Slaby) \n- tty: drop tty_schedule_flip() (Jiri Slaby) \n- tty: the rest, stop using tty_schedule_flip() (Jiri Slaby) \n- tty: drivers/tty/, stop using tty_schedule_flip() (Jiri Slaby) \n- Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks (Luiz Augusto von Dentz) \n- Bluetooth: SCO: Fix sco_send_frame returning skb->len (Luiz Augusto von Dentz) \n- Bluetooth: Fix passing NULL to PTR_ERR (Luiz Augusto von Dentz) \n- Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg (Luiz Augusto von Dentz) \n- Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg (Luiz Augusto von Dentz) \n- Bluetooth: Add bt_skb_sendmmsg helper (Luiz Augusto von Dentz) \n- Bluetooth: Add bt_skb_sendmsg helper (Luiz Augusto von Dentz) \n- ALSA: memalloc: Align buffer allocations in page size (Takashi Iwai) \n- bitfield.h: Fix 'type of reg too small for mask' test (Peter Zijlstra) \n- x86/mce: Deduplicate exception handling (Thomas Gleixner) \n- x86/uaccess: Implement macros for CMPXCHG on user addresses (Peter Zijlstra) \n- x86: get rid of small constant size cases in raw_copy_{to,from}_user() (Al Viro) \n- locking/refcount: Consolidate implementations of refcount_t (Will Deacon) \n- locking/refcount: Consolidate REFCOUNT_{MAX,SATURATED} definitions (Will Deacon) \n- locking/refcount: Move saturation warnings out of line (Will Deacon) \n- locking/refcount: Improve performance of generic REFCOUNT_FULL code (Will Deacon) \nheader (Will Deacon) \n- 
locking/refcount: Remove unused refcount_*_checked() variants (Will Deacon) \n- locking/refcount: Ensure integer operands are treated as signed (Will Deacon) \n- locking/refcount: Define constants for saturation and max refcount values (Will Deacon) \n- ima: remove the IMA_TEMPLATE Kconfig option (GUO Zihua) \n- dlm: fix pending remove if msg allocation fails (Alexander Aring) \n- bpf: Make sure mac_header was set before using it (Eric Dumazet) \n- mm/mempolicy: fix uninit-value in mpol_rebind_policy() (Wang Cheng) \n- spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers (Marc Kleine-Budde) \n- tcp: Fix data-races around sysctl_tcp_max_reordering. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_rfc1337. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_stdurg. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_retrans_collapse. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_slow_start_after_idle. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_recovery. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_early_retrans. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl knobs related to SYN option. (Kuniyuki Iwashima) \n- udp: Fix a data-race around sysctl_udp_l3mdev_accept. (Kuniyuki Iwashima) \n- ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh. (Kuniyuki Iwashima) \n- be2net: Fix buffer overflow in be_get_module_eeprom (Hristo Venev) \n- gpio: pca953x: only use single read/write for No AI mode (Haibo Chen) \n- ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero (Piotr Skajewski) \n- i40e: Fix erroneous adapter reinitialization during recovery process (Dawid Lukwinski) \n- iavf: Fix handling of dummy receive descriptors (Przemyslaw Patynowski) \n- tcp: Fix data-races around sysctl_tcp_fastopen. 
(Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_max_syn_backlog. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_tw_reuse. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_notsent_lowat. (Kuniyuki Iwashima) \n- tcp: Fix data-races around some timeout sysctl knobs. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_reordering. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_syncookies. (Kuniyuki Iwashima) \n- igmp: Fix a data-race around sysctl_igmp_max_memberships. (Kuniyuki Iwashima) \n- igmp: Fix data-races around sysctl_igmp_llm_reports. (Kuniyuki Iwashima) \n- net/tls: Fix race in TLS device down flow (Tariq Toukan) \n- net: stmmac: fix dma queue left shift overflow issue (Junxiao Chang) \n- i2c: cadence: Change large transfer count reset logic to be unconditional (Robert Hancock) \n- tcp: Fix a data-race around sysctl_tcp_probe_interval. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_probe_threshold. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_min_snd_mss. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_base_mss. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_mtu_probing. (Kuniyuki Iwashima) \n- tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. (Kuniyuki Iwashima) \n- ip: Fix a data-race around sysctl_fwmark_reflect. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_nonlocal_bind. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_fwd_use_pmtu. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_no_pmtu_disc. 
(Kuniyuki Iwashima) \n- igc: Reinstate IGC_REMOVED logic and implement it properly (Lennert Buytenhek) \n- perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() (Peter Zijlstra) \n- pinctrl: ralink: Check for null return of devm_kcalloc (William Dean) \n- power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe (Miaoqian Lin) \n- xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() (Hangyu Hua) \n- serial: mvebu-uart: correctly report configured baudrate value (Pali Rohar) \n- PCI: hv: Fix interrupt mapping for multi-MSI (Jeffrey Hugo) \n- PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() (Jeffrey Hugo) \n- PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI (Jeffrey Hugo) \n- PCI: hv: Fix multi-MSI to allow more than one MSI vector (Jeffrey Hugo) \n- mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication (Ido Schimmel) \n- riscv: add as-options for modules with assembly compontents (Ben Dooks) \n- pinctrl: stm32: fix optional IRQ support to gpios (Fabien Dessenne) \n- LTS tag: v5.4.207 (Sherry Yang) \n- can: m_can: m_can_tx_handler(): fix use after free of skb (Marc Kleine-Budde) \n- serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle (Ilpo Jarvinen) \n- serial: stm32: Clear prev values before setting RTS delays (Ilpo Jarvinen) \n- serial: 8250: fix return error code in serial8250_request_std_resource() (Yi Yang) \n- tty: serial: samsung_tty: set dma burst_size to 1 (Chanho Park) \n- usb: dwc3: gadget: Fix event pending check (Thinh Nguyen) \n- usb: typec: add missing uevent when partner support PD (Linyu Yuan) \n- USB: serial: ftdi_sio: add Belimo device ids (Lucien Buchmann) \n- signal handling: don't use BUG_ON() for debugging (Linus Torvalds) \n- ARM: dts: stm32: use the correct clock source for CEC on stm32mp151 (Gabriel Fernandez) \n- soc: ixp4xx/npe: Fix unused match warning (Linus Walleij) \n- x86: Clear .brk area at early boot (Juergen Gross) \n- irqchip: or1k-pic: 
Undefine mask_ack for level triggered hardware (Stafford Horne) \n- ASoC: madera: Fix event generation for rate controls (Charles Keepax) \n- ASoC: madera: Fix event generation for OUT1 demux (Charles Keepax) \n- ASoC: cs47l15: Fix event generation for low power mux control (Charles Keepax) \n- ASoC: wm5110: Fix DRE control (Charles Keepax) \n- ASoC: ops: Fix off by one in range control validation (Mark Brown) \n- net: sfp: fix memory leak in sfp_probe() (Jianglei Nie) \n- nvme: fix regression when disconnect a recovering ctrl (Ruozhu Li) \n- NFC: nxp-nci: don't print header length mismatch on i2c error (Michael Walle) \n- net: tipc: fix possible refcount leak in tipc_sk_create() (Hangyu Hua) \n- platform/x86: hp-wmi: Ignore Sanitization Mode event (Kai-Heng Feng) \n- cpufreq: pmac32-cpufreq: Fix refcount leak bug (Liang He) \n- netfilter: br_netfilter: do not skip all hooks with 0 priority (Florian Westphal) \n- virtio_mmio: Restore guest page size on resume (Stephan Gerhold) \n- virtio_mmio: Add missing PM calls to freeze/restore (Stephan Gerhold) \n- mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE (Muchun Song) \n- sfc: fix kernel panic when creating VF (Inigo Huguet) \n- seg6: bpf: fix skb checksum in bpf_push_seg6_encap() (Andrea Mayer) \n- seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors (Andrea Mayer) \n- seg6: fix skb checksum evaluation in SRH encapsulation/insertion (Andrea Mayer) \n- sfc: fix use after free when disabling sriov (Inigo Huguet) \n- net: ftgmac100: Hold reference returned by of_get_child_by_name() (Liang He) \n- ipv4: Fix data-races around sysctl_ip_dynaddr. (Kuniyuki Iwashima) \n- raw: Fix a data-race around sysctl_raw_l3mdev_accept. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ratemask. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ratelimit. 
(Kuniyuki Iwashima) \n- drm/i915/gt: Serialize TLB invalidates with GT resets (Chris Wilson) \n- ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero (Michal Suchanek) \n- ARM: dts: at91: sama5d2: Fix typo in i2s1 node (Ryan Wanner) \n- ipv4: Fix a data-race around sysctl_fib_sync_mem. (Kuniyuki Iwashima) \n- icmp: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- cipso: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- net: Fix data-races around sysctl_mem. (Kuniyuki Iwashima) \n- inetpeer: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- net: stmmac: dwc-qos: Disable split header for Tegra194 (Jon Hunter) \n- ASoC: sgtl5000: Fix noise on shutdown/remove (Francesco Dolcini) \n- ima: Fix a potential integer overflow in ima_appraise_measurement (Huaxin Lu) \n- drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector() (Hangyu Hua) \n- ARM: 9210/1: Mark the FDT_FIXED sections as shareable (Zhen Lei) \n- ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle (Ard Biesheuvel) \n- ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count (Kris Bahnsen) \n- ext4: fix race condition between ext4_write and ext4_convert_inline_data (Baokun Li) \n- Revert 'evm: Fix memleak in init_desc' (Xiu Jianfeng) \n- nilfs2: fix incorrect masking of permission flags for symlinks (Ryusuke Konishi) \n- drm/panfrost: Fix shrinker list corruption by madvise IOCTL (Dmitry Osipenko) \n- cgroup: Use separate src/dst nodes when preloading css_sets for migration (Tejun Heo) \n- wifi: mac80211: fix queue selection for mesh/OCB interfaces (Felix Fietkau) \n- ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction (Ard Biesheuvel) \n- ARM: 9213/1: Print message about disabled Spectre workarounds only once (Dmitry Osipenko) \n- ip: fix dflt addr selection for connected nexthop (Nicolas Dichtel) \n- net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer (Steven Rostedt (Google)) \n- tracing/histograms: Fix memory 
leak problem (Zheng Yejian) \n- xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue (Juergen Gross) \n- ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop (Meng Tang) \n- ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221 (Meng Tang) \n- ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671 (Meng Tang) \n- ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model (Meng Tang) \n- ALSA: hda - Add fixup for Dell Latitidue E5430 (Meng Tang)", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-21T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21499", "CVE-2022-3028"], "modified": "2022-10-21T00:00:00", "id": "ELSA-2022-9926", "href": "http://linux.oracle.com/errata/ELSA-2022-9926.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-21T06:45:48", "description": "[5.4.17-2136.312.3.4]\n- Revert 'fs: check FMODE_LSEEK to control internal pipe splicing' (Saeed Mirzamohammadi) [Orabug: 
34666845]\n[5.4.17-2136.312.3.3]\ncpus_read_lock() deadlock (Tejun Heo) [Orabug: 34607590] \n- cgroup: Elide write-locking threadgroup_rwsem when updating csses on an empty subtree (Tejun Heo) [Orabug: 34607590] \n- cgroup: Optimize single thread migration (Michal Koutny) [Orabug: 34607590] \n- Revert 'cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()' (Imran Khan) [Orabug: 34607590] \ncpus_read_lock() deadlock' (Imran Khan) [Orabug: 34607590] \n- x86/MCE/AMD, EDAC/mce_amd: Support non-uniform MCA bank type enumeration (Yazen Ghannam) [Orabug: 34120320] \n- x86/MCE/AMD, EDAC/mce_amd: Add new SMCA bank types (Yazen Ghannam) [Orabug: 34120320] \n- x86/MCE/AMD, EDAC/mce_amd: Add new SMCA bank types (Muralidhara M K) [Orabug: 34120320] \n- x86/mce: Increase maximum number of banks to 64 (Akshay Gupta) [Orabug: 34120320] \n- x86/MCE/AMD, EDAC/amd64: Move address translation to AMD64 EDAC (Yazen Ghannam) [Orabug: 34120320] \n- x86/MCE/AMD: Export smca_get_bank_type symbol (Mukul Joshi) [Orabug: 34120320] \n- EDAC/amd64: Add support for AMD Family 19h Models 10h-1Fh and A0h-AFh (Yazen Ghannam) [Orabug: 34120320] \n- EDAC/amd64: Set proper family type for Family 19h Models 20h-2Fh (Yazen Ghannam) [Orabug: 34120320] \n- EDAC: Add RDDR5 and LRDDR5 memory types (Yazen Ghannam) [Orabug: 34120320] \n- hwmon: (k10temp) Support up to 12 CCDs on AMD Family of processors (Babu Moger) [Orabug: 34120320] \n- hwmon: (k10temp) Add support for AMD Family 19h Models 10h-1Fh and A0h-AFh (Babu Moger) [Orabug: 34120320] \n- x86/amd_nb: Add AMD Family 19h Models (10h-1Fh) and (A0h-AFh) PCI IDs (Yazen Ghannam) [Orabug: 34120320] \n- hwmon: (k10temp) Remove unused definitions (Babu Moger) [Orabug: 34120320] \n- hwmon: (k10temp) Remove residues of current and voltage (suma hegde) [Orabug: 34120320] \n- hwmon: (k10temp) Add support for yellow carp (Mario Limonciello) [Orabug: 34120320] \n- hwmon: (k10temp) Rework the temperature offset calculation (Mario Limonciello) [Orabug: 
34120320] \n- hwmon: (k10temp) Don't show Tdie for all Zen/Zen2/Zen3 CPU/APU (Mario Limonciello) [Orabug: 34120320] \n- hwmon: (k10temp) Add additional missing Zen2 and Zen3 APUs (Mario Limonciello) [Orabug: 34120320] \n- hwmon: (k10temp) support Zen3 APUs (David Bartley) [Orabug: 34120320] \n- x86/amd_nb: Add AMD family 19h model 50h PCI ids (David Bartley) [Orabug: 34120320] \n- hwmon: (k10temp) Zen3 Ryzen Desktop CPUs support (Gabriel Craciunescu) [Orabug: 34120320] \n- hwmon: (k10temp) Remove support for displaying voltage and current on Zen CPUs (Guenter Roeck) [Orabug: 34120320] \n- hwmon: (k10temp) Add support for Zen3 CPUs (Wei Huang) [Orabug: 34120320] \n- hwmon: (k10temp) Take out debugfs code (Guenter Roeck) [Orabug: 34120320] \n- hwmon: (k10temp) Define SVI telemetry and current factors for Zen2 CPUs (Wei Huang) [Orabug: 34120320] \n- hwmon: (k10temp) Create common functions and macros for Zen CPU families (Wei Huang) [Orabug: 34120320] \n- hwmon: (k10temp) make some symbols static (Jason Yan) [Orabug: 34120320] \n- hwmon: (k10temp) Reorganize and simplify temperature support detection (Guenter Roeck) [Orabug: 34120320] \n- Revert 'hwmon: (k10temp) Add support for Zen3 CPUs' (Dave Kleikamp) [Orabug: 34120320] \n- uek-rpm: add missing nft_chain_nat.ko module (Venkat Venkatsubra) [Orabug: 34553255] \n- random: Fix incorrect type for 'rc' variable (Harshit Mogalapalli) [Orabug: 34601349] \n- hwmon: (opbmc) Add support for AST2600 based Pilot (Jan Zdarek) [Orabug: 34605428] \n- KVM: SVM: Clear the CR4 register on reset (Babu Moger) [Orabug: 34610277] \n- x86,swiotlb: Adjust SWIOTLB bounce buffer size for SEV guests (Ashish Kalra) [Orabug: 34626337]\n[5.4.17-2136.312.3.2]\n- netfilter: ebtables: reject blobs that don't provide all entry points (Florian Westphal) [Orabug: 34513978] \n- uek-rpm: Disable CONFIG_CRYPTO_STREEBOG (Victor Erminpour) [Orabug: 34557344] \n- uek-rpm: Disable CONFIG_CRYPTO_SM3 (Victor Erminpour) [Orabug: 34557344] \n- uek-rpm: Disable 
CONFIG_CRYPTO_SM4 (Victor Erminpour) [Orabug: 34557344] \n- uek-rpm: Add nftables support T93 and Ortano (Henry Willard) [Orabug: 34561703] \n- af_key: Do not call xfrm_probe_algs in parallel (Herbert Xu) [Orabug: 34566752] {CVE-2022-3028}\n- cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() (Tetsuo Handa) [Orabug: 34567777] \n- cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock (Tejun Heo) [Orabug: 34567777]\n[5.4.17-2136.312.3.1]\n- audit: use extern storage class for audit_filter_syscall() (Ankur Arora) [Orabug: 33697500] \n- audit: annotate branch direction for audit_in_mask() (Ankur Arora) [Orabug: 33697500] \n- audit: cache ctx->major in audit_filter_syscall() (Ankur Arora) [Orabug: 33697500] \n- video: vga16fb: Only probe for EGA and VGA 16 color graphic cards (Javier Martinez Canillas) [Orabug: 34580817] \n- KVM: arm: vgic: Only use the virtual state when userspace accesses enable bits (Marc Zyngier) [Orabug: 34580807] \n- uek-rpm: mips: enable CRYTPTO_USER config options (Dave Kleikamp) [Orabug: 34580802]\n[5.4.17-2136.312.3]\n- LTS tag: v5.4.211 (Sherry Yang) \n- btrfs: raid56: don't trust any cached sector in __raid56_parity_recover() (Qu Wenruo) \n- btrfs: only write the sectors in the vertical stripe which has data stripes (Qu Wenruo) \n- can: j1939: j1939_session_destroy(): fix memory leak of skbs (Fedor Pchelkin) \n- can: j1939: j1939_sk_queue_activate_next_locked(): replace WARN_ON_ONCE with netdev_warn_once() (Fedor Pchelkin) \n- tracing/probes: Have kprobes and uprobes use $COMM too (Steven Rostedt (Google)) \n- MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0 (Nathan Chancellor) \n- video: fbdev: i740fb: Check the argument of i740_calc_vclk() (Zheyu Ma) \n- powerpc/64: Init jump labels before parse_early_param() (Zhouyi Zhou) \n- smb3: check xattr value length earlier (Steve French) \n- f2fs: fix to avoid use f2fs_bug_on() in f2fs_new_node_page() (Chao Yu) \n- ALSA: timer: Use deferred fasync helper (Takashi Iwai) \n- ALSA: core: Add async signal helpers 
(Takashi Iwai) \n- powerpc/32: Don't always pass -mcpu=powerpc to the compiler (Christophe Leroy) \n- watchdog: export lockup_detector_reconfigure (Laurent Dufour) \n- RISC-V: Add fast call path of crash_kexec() (Xianting Tian) \n- riscv: mmap with PROT_WRITE but no PROT_READ is invalid (Celeste Liu) \n- mips: cavium-octeon: Fix missing of_node_put() in octeon2_usb_clocks_start (Liang He) \n- vfio: Clear the caps->buf to NULL after free (Schspa Shi) \n- tty: serial: Fix refcount leak bug in ucc_uart.c (Liang He) \n- lib/list_debug.c: Detect uninitialized lists (Guenter Roeck) \n- ext4: avoid resizing to a partial cluster size (Kiselev, Oleg) \n- ext4: avoid remove directory when directory is corrupted (Ye Bin) \n- drivers:md:fix a potential use-after-free bug (Wentao_Liang) \n- nvmet-tcp: fix lockdep complaint on nvmet_tcp_wq flush during queue teardown (Sagi Grimberg) \n- dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync() failed (Uwe Kleine-Konig) \n- selftests/kprobe: Do not test for GRP/ without event failures (Steven Rostedt (Google)) \n- um: add 'noreboot' command line option for PANIC_TIMEOUT=-1 setups (Jason A. 
Donenfeld) \n- PCI/ACPI: Guard ARM64-specific mcfg_quirks (Huacai Chen) \n- cxl: Fix a memory leak in an error handling path (Christophe JAILLET) \n- gadgetfs: ep_io - wait until IRQ finishes (Jozef Martiniak) \n- scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input (James Smart) \n- clk: qcom: ipq8074: dont disable gcc_sleep_clk_src (Robert Marko) \n- vboxguest: Do not use devm for irq (Pascal Terjan) \n- usb: renesas: Fix refcount leak bug (Liang He) \n- usb: host: ohci-ppc-of: Fix refcount leak bug (Liang He) \n- drm/meson: Fix overflow implicit truncation warnings (Sai Prakash Ranjan) \n- irqchip/tegra: Fix overflow implicit truncation warnings (Sai Prakash Ranjan) \n- usb: gadget: uvc: call uvc uvcg_warn on completed status instead of uvcg_info (Michael Grzeschik) \n- usb: cdns3 fix use-after-free at workaround 2 (Frank Li) \n- PCI: Add ACS quirk for Broadcom BCM5750x NICs (Pavan Chebbi) \n- drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors() (Liang He) \n- locking/atomic: Make test_and_*_bit() ordered on failure (Hector Martin) \n- gcc-plugins: Undefine LATENT_ENTROPY_PLUGIN when plugin disabled for a file (Andrew Donnellan) \n- igb: Add lock to avoid data race (Lin Ma) \n- fec: Fix timer capture timing in fec_ptp_enable_pps() (Csokas Bence) \n- i40e: Fix to stop tx_timeout recovery if GLOBR fails (Alan Brady) \n- ice: Ignore EEXIST when setting promisc mode (Grzegorz Siwik) \n- net: dsa: microchip: ksz9477: fix fdb_dump last invalid entry (Arun Ramadoss) \n- net: moxa: pass pdev instead of ndev to DMA functions (Sergei Antonov) \n- net: dsa: mv88e6060: prevent crash on an unused port (Sergei Antonov) \n- powerpc/pci: Fix get_phb_number() locking (Michael Ellerman) \n- netfilter: nf_tables: really skip inactive sets when allocating name (Pablo Neira Ayuso) \n- clk: rockchip: add sclk_mac_lbtest to rk3188_critical_clocks (Alex Bee) \n- iavf: Fix adminq error handling (Przemyslaw Patynowski) \n- nios2: add 
force_successful_syscall_return() (Al Viro) \n- nios2: restarts apply only to the first sigframe we build... (Al Viro) \n- nios2: fix syscall restart checks (Al Viro) \n- nios2: traced syscall does need to check the syscall number (Al Viro) \n- nios2: don't leave NULLs in sys_call_table[] (Al Viro) \n- nios2: page fault et.al. are *not* restartable syscalls... (Al Viro) \n- tee: add overflow check in register_shm_helper() (Jens Wiklander) \n- dpaa2-eth: trace the allocated address instead of page struct (Chen Lin) \n- atm: idt77252: fix use-after-free bugs caused by tst_timer (Duoming Zhou) \n- xen/xenbus: fix return type in xenbus_file_read() (Dan Carpenter) \n- nfp: ethtool: fix the display error of ethtool -m DEVNAME (Yu Xiao) \n- NTB: ntb_tool: uninitialized heap data in tool_fn_write() (Dan Carpenter) \n- tools build: Switch to new openssl API for test-libcrypto (Roberto Sassu) \n- tools/vm/slabinfo: use alphabetic order when two values are equal (Yuanzheng Song) \n- dt-bindings: arm: qcom: fix MSM8916 MTP compatibles (Krzysztof Kozlowski) \n- vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout() (Peilin Ye) \n- vsock: Fix memory leak in vsock_connect() (Peilin Ye) \n- plip: avoid rcu debug splat (Florian Westphal) \n- geneve: do not use RT_TOS for IPv6 flowlabel (Matthias May) \n- ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool (Sakari Ailus) \n- pinctrl: sunxi: Add I/O bias setting for H6 R-PIO (Samuel Holland) \n- pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed (Nikita Travkin) \n- pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map (Miaoqian Lin) \n- net: bgmac: Fix a BUG triggered by wrong bytes_compl (Sandor Bodo-Merle) \n- devlink: Fix use-after-free after a failed reload (Ido Schimmel) \n- SUNRPC: Reinitialise the backchannel request buffers before reuse (Trond Myklebust) \n- sunrpc: fix expiry of auth creds (Dan Aloni) \n- can: mcp251x: Fix race condition on receive interrupt 
(Sebastian Wurl) \n- NFSv4/pnfs: Fix a use-after-free bug in open (Trond Myklebust) \n- NFSv4.1: RECLAIM_COMPLETE must handle EACCES (Zhang Xianwei) \n- NFSv4: Fix races in the legacy idmapper upcall (Trond Myklebust) \n- NFSv4.1: Handle NFS4ERR_DELAY replies to OP_SEQUENCE correctly (Trond Myklebust) \n- NFSv4.1: Don't decrease the value of seq_nr_highest_sent (Trond Myklebust) \n- Documentation: ACPI: EINJ: Fix obsolete example (Qifu Zhang) \n- apparmor: Fix memleak in aa_simple_write_to_buffer() (Xiu Jianfeng) \n- apparmor: fix reference count leak in aa_pivotroot() (Xin Xiong) \n- apparmor: fix overlapping attachment computation (John Johansen) \n- apparmor: fix aa_label_asxprint return check (Tom Rix) \n- apparmor: Fix failed mount permission check error message (John Johansen) \n- apparmor: fix absroot causing audited secids to begin with = (John Johansen) \n- apparmor: fix quiet_denied for file rules (John Johansen) \n- can: ems_usb: fix clang's -Wunaligned-access warning (Marc Kleine-Budde) \n- tracing: Have filter accept 'common_cpu' to be consistent (Steven Rostedt (Google)) \n- btrfs: fix lost error handling when looking up extended ref on log replay (Filipe Manana) \n- mmc: pxamci: Fix an error handling path in pxamci_probe() (Christophe JAILLET) \n- mmc: pxamci: Fix another error handling path in pxamci_probe() (Christophe JAILLET) \n- ata: libata-eh: Add missing command name (Damien Le Moal) \n- ALSA: info: Fix llseek return value when using callback (Amadeusz Slawinski) \n- net_sched: cls_route: disallow handle of 0 (Jamal Hadi Salim) \n- net/9p: Initialize the iounit field during fid creation (Tyler Hicks) \n- Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression (Luiz Augusto von Dentz) \n- Revert 'net: usb: ax88179_178a needs FLAG_SEND_ZLP' (Jose Alonso) \n- scsi: sg: Allow waiting for commands to complete on removed device (Tony Battersby) \n- tcp: fix over estimation in sk_forced_mem_schedule() (Eric Dumazet) \n- btrfs: reject log replay if 
there is unsupported RO compat flag (Qu Wenruo) \n- iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) (Alexander Lobakin) \n- firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails (Sudeep Holla) \n- timekeeping: contribute wall clock to rng on time change (Jason A. Donenfeld) \n- ACPI: CPPC: Do not prevent CPPC from working in the future (Rafael J. Wysocki) \n- dm writecache: set a default MAX_WRITEBACK_JOBS (Mikulas Patocka) \n- dm thin: fix use-after-free crash in dm_sm_register_threshold_callback (Luo Meng) \n- dm raid: fix address sanitizer warning in raid_status (Mikulas Patocka) \n- dm raid: fix address sanitizer warning in raid_resume (Mikulas Patocka) \n- intel_th: pci: Add Meteor Lake-P support (Alexander Shishkin) \n- intel_th: pci: Add Raptor Lake-S PCH support (Alexander Shishkin) \n- intel_th: pci: Add Raptor Lake-S CPU support (Alexander Shishkin) \n- ext4: correct the misjudgment in ext4_iget_extra_inode (Baokun Li) \n- ext4: correct max_inline_xattr_value_size computing (Baokun Li) \n- ext4: fix extent status tree race in writeback error recovery path (Eric Whitney) \n- ext4: update s_overhead_clusters in the superblock during an on-line resize (Theodore Ts'o) \n- ext4: fix use-after-free in ext4_xattr_set_entry (Baokun Li) \n- ext4: make sure ext4_append() always allocates new block (Lukas Czerner) \n- ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h (Baokun Li) \n- btrfs: reset block group chunk force if we have to wait (Josef Bacik) \n- tpm: eventlog: Fix section mismatch for DEBUG_SECTION_MISMATCH (Huacai Chen) \n- kexec, KEYS, s390: Make use of built-in and secondary keyring for signature verification (Michal Suchanek) \n- spmi: trace: fix stack-out-of-bound access in SPMI tracing functions (David Collins) \n- x86/olpc: fix 'logical not is only applied to the left hand side' (Alexander Lobakin) \n- scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error injection (Quinn Tran) \n- scsi: qla2xxx: 
Turn off multi-queue for 8G adapters (Quinn Tran) \n- scsi: qla2xxx: Fix discovery issues in FC-AL topology (Arun Easi) \n- scsi: zfcp: Fix missing auto port scan and thus missing target ports (Steffen Maier) \n- video: fbdev: s3fb: Check the size of screen before memset_io() (Zheyu Ma) \n- video: fbdev: arkfb: Check the size of screen before memset_io() (Zheyu Ma) \n- video: fbdev: vt8623fb: Check the size of screen before memset_io() (Zheyu Ma) \n- tools/thermal: Fix possible path truncations (Florian Fainelli) \n- video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock() (Zheyu Ma) \n- x86/numa: Use cpumask_available instead of hardcoded NULL check (Siddh Raman Pant) \n- scripts/faddr2line: Fix vmlinux detection on arm64 (Josh Poimboeuf) \n- genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined HAVE_LIBCRYPTO (Arnaldo Carvalho de Melo) \n- powerpc/pci: Fix PHB numbering when using opal-phbid (Michael Ellerman) \n- kprobes: Forbid probing on trampoline and BPF code areas (Chen Zhongjin) \n- perf symbol: Fail to read phdr workaround (Ian Rogers) \n- powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address (Miaoqian Lin) \n- powerpc/xive: Fix refcount leak in xive_get_max_prio (Miaoqian Lin) \n- powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader (Miaoqian Lin) \n- powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and alias (Pali Rohar) \n- powerpc/32: Do not allow selection of e5500 or e6500 CPUs on PPC32 (Christophe Leroy) \n- video: fbdev: sis: fix typos in SiS_GetModeID() (Rustam Subkhankulov) \n- video: fbdev: amba-clcd: Fix refcount leak bugs (Liang He) \n- watchdog: armada_37xx_wdt: check the return value of devm_ioremap() in armada_37xx_wdt_probe() (William Dean) \n- ASoC: audio-graph-card: Add of_node_put() in fail path (Liang He) \n- fuse: Remove the control interface for virtio-fs (Xie Yongji) \n- ASoC: qcom: q6dsp: Fix an off-by-one in q6adm_alloc_copp() (Christophe JAILLET) \n- s390/zcore: fix race 
when reading from hardware system area (Alexander Gordeev) \n- iommu/arm-smmu: qcom_iommu: Add of_node_put() when breaking out of loop (Liang He) \n- mfd: max77620: Fix refcount leak in max77620_initialise_fps (Miaoqian Lin) \n- mfd: t7l66xb: Drop platform disable callback (Uwe Kleine-Konig) \n- kfifo: fix kfifo_to_user() return type (Dan Carpenter) \n- rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge (Miaoqian Lin) \n- iommu/exynos: Handle failed IOMMU device registration properly (Sam Protsenko) \n- tty: n_gsm: fix missing corner cases in gsmld_poll() (Daniel Starke) \n- tty: n_gsm: fix DM command (Daniel Starke) \n- tty: n_gsm: fix wrong T1 retry count handling (Daniel Starke) \n- vfio/ccw: Do not change FSM state in subchannel event (Eric Farman) \n- remoteproc: qcom: wcnss: Fix handling of IRQs (Sireesh Kodali) \n- tty: n_gsm: fix race condition in gsmld_write() (Daniel Starke) \n- tty: n_gsm: fix packet re-transmission without open control channel (Daniel Starke) \n- tty: n_gsm: fix non flow control frames during mux flow off (Daniel Starke) \n- profiling: fix shift too large makes kernel panic (Chen Zhongjin) \n- ASoC: codecs: wcd9335: move gains from SX_TLV to S8_TLV (Srinivas Kandagatla) \n- ASoC: codecs: msm8916-wcd-digital: move gains from SX_TLV to S8_TLV (Srinivas Kandagatla) \n- serial: 8250_dw: Store LSR into lsr_saved_flags in dw8250_tx_wait_empty() (Ilpo Jarvinen) \n- ASoC: mediatek: mt8173-rt5650: Fix refcount leak in mt8173_rt5650_dev_probe (Miaoqian Lin) \n- ASoC: codecs: da7210: add check for i2c_add_driver (Jiasheng Jiang) \n- ASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe (Miaoqian Lin) \n- ASoC: mediatek: mt8173: Fix refcount leak in mt8173_rt5650_rt5676_dev_probe (Miaoqian Lin) \n- opp: Fix error check in dev_pm_opp_attach_genpd() (Tang Bin) \n- jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted (Zhihao Cheng) \n- ext4: recover csum seed of tmp_inode after migrating to extents (Li 
Lingfeng) \n- jbd2: fix outstanding credits assert in jbd2_journal_commit_transaction() (Zhang Yi) \n- null_blk: fix ida error handling in null_add_dev() (Dan Carpenter) \n- RDMA/rxe: Fix error unwind in rxe_create_qp() (Zhu Yanjun) \n- mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region (Miaohe Lin) \n- platform/olpc: Fix uninitialized data in debugfs write (Dan Carpenter) \n- USB: serial: fix tty-port initialized comments (Johan Hovold) \n- PCI: tegra194: Fix link up retry sequence (Vidya Sagar) \n- PCI: tegra194: Fix Root Port interrupt handling (Vidya Sagar) \n- HID: alps: Declare U1_UNICORN_LEGACY support (Artem Borisov) \n- mmc: cavium-thunderx: Add of_node_put() when breaking out of loop (Liang He) \n- mmc: cavium-octeon: Add of_node_put() when breaking out of loop (Liang He) \n- gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data() (Liang He) \n- RDMA/hfi1: fix potential memory leak in setup_base_ctxt() (Jianglei Nie) \n- RDMA/siw: Fix duplicated reported IW_CM_EVENT_CONNECT_REPLY event (Cheng Xu) \n- RDMA/hns: Fix incorrect clearing of interrupt status register (Haoyue Xu) \n- usb: gadget: udc: amd5536 depends on HAS_DMA (Randy Dunlap) \n- scsi: smartpqi: Fix DMA direction for RAID requests (Mahesh Rajashekhara) \n- mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R (Eugen Hristev) \n- memstick/ms_block: Fix a memory leak (Christophe JAILLET) \n- memstick/ms_block: Fix some incorrect memory allocation (Christophe JAILLET) \n- mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch (Miaoqian Lin) \n- staging: rtl8192u: Fix sleep in atomic context bug in dm_fsync_timer_callback (Duoming Zhou) \n- intel_th: msu: Fix vmalloced buffers (Alexander Shishkin) \n- intel_th: msu-sink: Potential dereference of null pointer (Jiasheng Jiang) \n- intel_th: Fix a resource leak in an error handling path (Christophe JAILLET) \n- soundwire: bus_type: fix remove and shutdown support (Pierre-Louis Bossart) \n- clk: qcom: 
camcc-sdm845: Fix topology around titan_top power domain (Vladimir Zapolskiy) \n- clk: qcom: ipq8074: set BRANCH_HALT_DELAY flag for UBI clocks (Robert Marko) \n- clk: qcom: ipq8074: fix NSS port frequency tables (Robert Marko) \n- usb: host: xhci: use snprintf() in xhci_decode_trb() (Sergey Shtylyov) \n- clk: qcom: clk-krait: unlock spin after mux completion (Ansuel Smith) \n- driver core: fix potential deadlock in __driver_attach (Zhang Wensheng) \n- misc: rtsx: Fix an error handling path in rtsx_pci_probe() (Christophe JAILLET) \n- clk: mediatek: reset: Fix written reset bit offset (Rex-BC Chen) \n- usb: xhci: tegra: Fix error check (Tang Bin) \n- usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe (Miaoqian Lin) \n- usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe (Miaoqian Lin) \n- fpga: altera-pr-ip: fix unsigned comparison with less than zero (Marco Pagani) \n- mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error path (Uwe Kleine-Konig) \n- mtd: partitions: Fix refcount leak in parse_redboot_of (Miaoqian Lin) \n- mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release (Duoming Zhou) \n- HID: cp2112: prevent a buffer overflow in cp2112_xfer() (Harshit Mogalapalli) \n- mtd: rawnand: meson: Fix a potential double free issue (Christophe JAILLET) \n- mtd: maps: Fix refcount leak in ap_flash_init (Miaoqian Lin) \n- mtd: maps: Fix refcount leak in of_flash_probe_versatile (Miaoqian Lin) \n- clk: renesas: r9a06g032: Fix UART clkgrp bitsel (Ralph Siemsen) \n- dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock (Hangyu Hua) \n- net: rose: fix netdev reference changes (Eric Dumazet) \n- netdevsim: Avoid allocation warnings triggered from user space (Jakub Kicinski) \n- iavf: Fix max_rate limiting (Przemyslaw Patynowski) \n- crypto: inside-secure - Add missing MODULE_DEVICE_TABLE for of (Pali Rohar) \n- net/mlx5e: Fix the value of MLX5E_MAX_RQ_NUM_MTTS (Maxim Mikityanskiy) \n- wifi: libertas: Fix possible refcount leak 
in if_usb_probe() (Hangyu Hua) \n- wifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue (Jose Ignacio Tornos Martinez) \n- wifi: wil6210: debugfs: fix uninitialized variable use in wil_write_file_wmi() (Ammar Faizi) \n- i2c: mux-gpmux: Add of_node_put() when breaking out of loop (Liang He) \n- i2c: cadence: Support PEC for SMBus block read (Lars-Peter Clausen) \n- Bluetooth: hci_intel: Add check for platform_driver_register (Jiasheng Jiang) \n- can: pch_can: pch_can_error(): initialize errc before using it (Vincent Mailhol) \n- can: error: specify the values of data[5..7] of CAN error frames (Vincent Mailhol) \n- can: usb_8dev: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: kvaser_usb_leaf: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: kvaser_usb_hydra: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: sun4i_can: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: hi311x: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: sja1000: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: rcar_can: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- can: pch_can: do not report txerr and rxerr during bus-off (Vincent Mailhol) \n- selftests/bpf: fix a test for snprintf() overflow (Dan Carpenter) \n- wifi: p54: add missing parentheses in p54_flush() (Rustam Subkhankulov) \n- wifi: p54: Fix an error handling path in p54spi_probe() (Christophe JAILLET) \n- wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi() (Dan Carpenter) \n- fs: check FMODE_LSEEK to control internal pipe splicing (Jason A. 
Donenfeld) \n- selftests: timers: clocksource-switch: fix passing errors from child (Wolfram Sang) \n- selftests: timers: valid-adjtimex: build fix for newer toolchains (Wolfram Sang) \n- libbpf: Fix the name of a reused map (Anquan Wu) \n- tcp: make retransmitted SKB fit into the send window (Yonglong Li) \n- drm/exynos/exynos7_drm_decon: free resources when clk_set_parent() failed. (Jian Zhang) \n- mediatek: mt76: mac80211: Fix missing of_node_put() in mt76_led_init() (Liang He) \n- media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment (AngeloGioacchino Del Regno) \n- crypto: hisilicon - Kunpeng916 crypto driver don't sleep when in softirq (Zhengchao Shao) \n- drm/msm/mdp5: Fix global state lock backoff (Rob Clark) \n- drm: bridge: sii8620: fix possible off-by-one (Hangyu Hua) \n- drm/mediatek: dpi: Only enable dpi after the bridge is enabled (Guillaume Ranquet) \n- drm/mediatek: dpi: Remove output format of YUV (Bo-Chen Chen) \n- drm/rockchip: Fix an error handling path rockchip_dp_probe() (Christophe JAILLET) \n- drm/rockchip: vop: Don't crash for invalid duplicate_state() (Brian Norris) \n- crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE (Qian Cai) \n- drm/vc4: dsi: Correct DSI divider calculations (Dave Stevenson) \n- drm/vc4: plane: Fix margin calculations for the right/bottom edges (Dave Stevenson) \n- drm/vc4: plane: Remove subpixel positioning check (Dom Cobley) \n- media: hdpvr: fix error value returns in hdpvr_read (Niels Dossche) \n- drm/mcde: Fix refcount leak in mcde_dsi_bind (Miaoqian Lin) \n- drm: bridge: adv7511: Add check for mipi_dsi_driver_register (Jiasheng Jiang) \n- wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd() (Alexey Kodanev) \n- ath9k: fix use-after-free in ath9k_hif_usb_rx_cb (Pavel Skripkin) \n- media: tw686x: Register the irq at the end of probe (Zheyu Ma) \n- i2c: Fix a potential use after free (Xu Wang) \n- drm: adv7511: override i2c address of cec before accessing it (Antonio 
Borneo) \n- drm/mediatek: Add pull-down MIPI operation in mtk_dsi_poweroff function (Xinlei Lee) \n- drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers() (Alexey Kodanev) \n- drm/mipi-dbi: align max_chunk to 2 in spi_transfer (Yunhao Tian) \n- wifi: rtlwifi: fix error codes in rtl_debugfs_set_write_h2c() (Dan Carpenter) \n- ath10k: do not enforce interrupt trigger type (Krzysztof Kozlowski) \n- dm: return early from dm_pr_call() if DM device is suspended (Mike Snitzer) \n- thermal/tools/tmon: Include pthread and time headers in tmon.h (Markus Mayer) \n- nohz/full, sched/rt: Fix missed tick-reenabling bug in dequeue_task_rt() (Nicolas Saenz Julienne) \n- regulator: of: Fix refcount leak bug in of_get_regulation_constraints() (Liang He) \n- blk-mq: don't create hctx debugfs dir until q->debugfs_dir is created (Ming Lei) \n- erofs: avoid consecutive detection for Highmem memory (Gao Xiang) \n- arm64: dts: mt7622: fix BPI-R64 WPS button (Nick Hainke) \n- bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe() (Yang Yingliang) \n- ARM: dts: qcom: pm8841: add required thermal-sensor-cells (Krzysztof Kozlowski) \n- soc: qcom: aoss: Fix refcount leak in qmp_cooling_devices_register (Miaoqian Lin) \n- cpufreq: zynq: Fix refcount leak in zynq_get_revision (Miaoqian Lin) \n- ARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init (Miaoqian Lin) \n- ARM: OMAP2+: Fix refcount leak in omapdss_init_of (Miaoqian Lin) \n- ARM: dts: qcom: mdm9615: add missing PMIC GPIO reg (Krzysztof Kozlowski) \n- soc: fsl: guts: machine variable might be unset (Michael Walle) \n- ARM: dts: ast2600-evb: fix board compatible (Krzysztof Kozlowski) \n- ARM: dts: ast2500-evb: fix board compatible (Krzysztof Kozlowski) \n- x86/pmem: Fix platform-device leak in error path (Johan Hovold) \n- ARM: bcm: Fix refcount leak in bcm_kona_smc_init (Miaoqian Lin) \n- meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init (Miaoqian Lin) \n- ARM: findbit: fix 
overflowing offset (Russell King (Oracle)) \n- spi: spi-rspi: Fix PIO fallback on RZ platforms (Biju Das) \n- selinux: Add boundary check in put_entry() (Xiu Jianfeng) \n- PM: hibernate: defer device probing when resuming from hibernation (Tetsuo Handa) \n- ARM: shmobile: rcar-gen2: Increase refcount for new reference (Liang He) \n- arm64: dts: allwinner: a64: orangepi-win: Fix LED node name (Samuel Holland) \n- arm64: dts: qcom: ipq8074: fix NAND node name (Robert Marko) \n- ACPI: LPSS: Fix missing check in register_device_clock() (huhai) \n- ACPI: PM: save NVS memory for Lenovo G40-45 (Manyi Li) \n- ACPI: EC: Remove duplicate ThinkPad X1 Carbon 6th entry from DMI quirks (Hans de Goede) \n- ARM: OMAP2+: display: Fix refcount leak bug (Liang He) \n- spi: synquacer: Add missing clk_disable_unprepare() (Guo Mengqi) \n- ARM: dts: imx6ul: fix qspi node compatible (Alexander Stein) \n- ARM: dts: imx6ul: fix lcdif node compatible (Alexander Stein) \n- ARM: dts: imx6ul: fix csi node compatible (Alexander Stein) \n- ARM: dts: imx6ul: change operating-points to uint32-matrix (Alexander Stein) \n- ARM: dts: imx6ul: add missing properties for sram (Alexander Stein) \n- wait: Fix __wait_event_hrtimeout for RT/DL tasks (Juri Lelli) \n- genirq: Don't return error on missing optional irq_request_resources() (Antonio Borneo) \n- ext2: Add more validity checks for inode counts (Jan Kara) \n- arm64: fix oops in concurrently setting insn_emulation sysctls (haibinzhang () \n- arm64: Do not forget syscall when starting a new thread. 
(Francis Laniel) \n- x86: Handle idle=nomwait cmdline properly for x86_idle (Wyes Karny) \n- epoll: autoremove wakers even more aggressively (Benjamin Segall) \n- netfilter: nf_tables: fix null deref due to zeroed list head (Florian Westphal) \n- arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC (Kunihiko Hayashi) \n- ARM: dts: uniphier: Fix USB interrupts for PXs2 SoC (Kunihiko Hayashi) \n- USB: HCD: Fix URB giveback issue in tasklet function (Weitao Wang) \n- coresight: Clear the connection field properly (Suzuki K Poulose) \n- MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK (Huacai Chen) \n- powerpc/powernv: Avoid crashing if rng is NULL (Michael Ellerman) \n- powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E (Christophe Leroy) \n- powerpc/fsl-pci: Fix Class Code of PCIe Root Port (Pali Rohar) \n- PCI: Add defines for normal and subtractive PCI bridges (Pali Rohar) \n- ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() (Alexander Lobakin) \n- md-raid10: fix KASAN warning (Mikulas Patocka) \n- serial: mvebu-uart: uart2 error bits clearing (Narendra Hadke) \n- fuse: limit nsec (Miklos Szeredi) \n- iio: light: isl29028: Fix the warning in isl29028_remove() (Zheyu Ma) \n- drm/amdgpu: Check BO's requested pinning domains against its preferred_domains (Leo Li) \n- drm/nouveau: fix another off-by-one in nvbios_addr (Timur Tabi) \n- drm/gem: Properly annotate WW context on drm_gem_lock_reservations() error (Dmitry Osipenko) \n- parisc: io_pgetevents_time64() needs compat syscall in 32-bit compat mode (Helge Deller) \n- parisc: Fix device names in /proc/iomem (Helge Deller) \n- ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh() (Jiachen Zhang) \n- usbnet: Fix linkwatch use-after-free on disconnect (Lukas Wunner) \n- fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters (Helge Deller) \n- thermal: sysfs: Fix cooling_device_stats_setup() error code path (Rafael J. 
Wysocki) \n- fs: Add missing umask strip in vfs_tmpfile (Yang Xu) \n- vfs: Check the truncate maximum size in inode_newsize_ok() (David Howells) \n- tty: vt: initialize unicode screen buffer (Tetsuo Handa) \n- ALSA: hda/realtek: Add quirk for another Asus K42JZ model (Meng Tang) \n- ALSA: hda/cirrus - support for iMac 12,1 model (Allen Ballway) \n- ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model (Meng Tang) \n- mm/mremap: hold the rmap lock in write mode when moving page table entries. (Aneesh Kumar K.V) \n- KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP (Sean Christopherson) \n- KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks (Sean Christopherson) \n- KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value (Sean Christopherson) \n- KVM: nVMX: Snapshot pre-VM-Enter DEBUGCTL for !nested_run_pending case (Sean Christopherson) \n- KVM: nVMX: Snapshot pre-VM-Enter BNDCFGS for !nested_run_pending case (Sean Christopherson) \n- HID: wacom: Don't register pad_input for touch switch (Ping Cheng) \n- HID: wacom: Only report rotation for art pen (Ping Cheng) \n- add barriers to buffer_uptodate and set_buffer_uptodate (Mikulas Patocka) \n- wifi: mac80211_hwsim: use 32-bit skb cookie (Johannes Berg) \n- wifi: mac80211_hwsim: add back erroneously removed cast (Johannes Berg) \n- wifi: mac80211_hwsim: fix race condition in pending packet (Jeongik Cha) \n- igc: Remove _I_PHY_ID checking (Sasha Neftin) \n- ALSA: bcd2000: Fix a UAF bug on the error path of probing (Zheyu Ma) \n- scsi: Revert 'scsi: qla2xxx: Fix disk failure to rediscover' (Nilesh Javali) \n- x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments (Nick Desaulniers) \n- Makefile: link with -z noexecstack --no-warn-rwx-segments (Nick Desaulniers) \n- LTS tag: v5.4.210 (Sherry Yang) \n- macintosh/adb: fix oob read in do_adb_query() function (Ning Qiang) \n- media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls 
(Chen-Yu Tsai) \n- selftests: KVM: Handle compiler optimizations in ucall (Raghavendra Rao Ananta) \n- KVM: Don't null dereference ops->destroy (Alexey Kardashevskiy) \n- selftests/bpf: Fix 'dubious pointer arithmetic' test (Jean-Philippe Brucker) \n- selftests/bpf: Fix test_align verifier log patterns (Stanislav Fomichev) \n- bpf: Test_verifier, #70 error message updates for 32-bit right shift (John Fastabend) \n- selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads (Jakub Sitnicki) \n- bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds() (John Fastabend) \n- ACPI: APEI: Better fix to avoid spamming the console with old error logs (Tony Luck) \n- ACPI: video: Shortening quirk list by identifying Clevo by board_name only (Werner Sembach) \n- ACPI: video: Force backlight native for some TongFang devices (Werner Sembach) \n- thermal: Fix NULL pointer dereferences in of_thermal_ functions (Subbaraman Narayanamurthy) \n- LTS tag: v5.4.209 (Sherry Yang) \n- scsi: core: Fix race between handling STS_RESOURCE and completion (Ming Lei) \n- mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle. (Wei Mingzhi) \n- ARM: crypto: comment out gcc warning that breaks clang builds (Greg Kroah-Hartman) \n- sctp: leave the err path free in sctp_stream_init to sctp_stream_free (Xin Long) \n- sfc: disable softirqs for ptp TX (Alejandro Lucero) \n- perf symbol: Correct address for bss symbols (Leo Yan) \n- virtio-net: fix the race between refill work and close (Jason Wang) \n- netfilter: nf_queue: do not allow packet truncation below transport header offset (Florian Westphal) \n- sctp: fix sleep in atomic context bug in timer handlers (Duoming Zhou) \n- i40e: Fix interface init with MSI interrupts (no MSI-X) (Michal Maloszewski) \n- tcp: Fix a data-race around sysctl_tcp_comp_sack_nr. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns. 
(Kuniyuki Iwashima) \n- Documentation: fix sctp_wmem in ip-sysctl.rst (Xin Long) \n- tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_autocorking. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_min_tso_segs. (Kuniyuki Iwashima) \n- net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() (Liang He) \n- igmp: Fix data-races around sysctl_igmp_qrv. (Kuniyuki Iwashima) \n- ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr (Ziyang Xuan) \n- net: ping6: Fix memleak in ipv6_renew_options(). (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_limit_output_bytes. (Kuniyuki Iwashima) \n- scsi: ufs: host: Hold reference returned by of_parse_phandle() (Liang He) \n- ice: do not setup vlan for loopback VSI (Maciej Fijalkowski) \n- ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) (Maciej Fijalkowski) \n- tcp: Fix a data-race around sysctl_tcp_nometrics_save. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_frto. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_adv_win_scale. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_app_win. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_dsack. 
(Kuniyuki Iwashima) \n- ntfs: fix use-after-free in ntfs_ucsncmp() (ChenXiaoSong) \n- Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put (Luiz Augusto von Dentz) \n- LTS tag: v5.4.208 (Sherry Yang) \n- x86: drop bogus 'cc' clobber from __try_cmpxchg_user_asm() (Jan Beulich) \n- net: usb: ax88179_178a needs FLAG_SEND_ZLP (Jose Alonso) \n- tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() (Jiri Slaby) \n- tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() (Jiri Slaby) \n- tty: drop tty_schedule_flip() (Jiri Slaby) \n- tty: the rest, stop using tty_schedule_flip() (Jiri Slaby) \n- tty: drivers/tty/, stop using tty_schedule_flip() (Jiri Slaby) \n- Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks (Luiz Augusto von Dentz) \n- Bluetooth: SCO: Fix sco_send_frame returning skb->len (Luiz Augusto von Dentz) \n- Bluetooth: Fix passing NULL to PTR_ERR (Luiz Augusto von Dentz) \n- Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg (Luiz Augusto von Dentz) \n- Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg (Luiz Augusto von Dentz) \n- Bluetooth: Add bt_skb_sendmmsg helper (Luiz Augusto von Dentz) \n- Bluetooth: Add bt_skb_sendmsg helper (Luiz Augusto von Dentz) \n- ALSA: memalloc: Align buffer allocations in page size (Takashi Iwai) \n- bitfield.h: Fix 'type of reg too small for mask' test (Peter Zijlstra) \n- x86/mce: Deduplicate exception handling (Thomas Gleixner) \n- x86/uaccess: Implement macros for CMPXCHG on user addresses (Peter Zijlstra) \n- x86: get rid of small constant size cases in raw_copy_{to,from}_user() (Al Viro) \n- locking/refcount: Consolidate implementations of refcount_t (Will Deacon) \n- locking/refcount: Consolidate REFCOUNT_{MAX,SATURATED} definitions (Will Deacon) \n- locking/refcount: Move saturation warnings out of line (Will Deacon) \n- locking/refcount: Improve performance of generic REFCOUNT_FULL code (Will Deacon) \n- locking/refcount: Move the bulk of the REFCOUNT_FULL implementation into the <linux/refcount.h> header (Will Deacon) \n- 
locking/refcount: Remove unused refcount_*_checked() variants (Will Deacon) \n- locking/refcount: Ensure integer operands are treated as signed (Will Deacon) \n- locking/refcount: Define constants for saturation and max refcount values (Will Deacon) \n- ima: remove the IMA_TEMPLATE Kconfig option (GUO Zihua) \n- dlm: fix pending remove if msg allocation fails (Alexander Aring) \n- bpf: Make sure mac_header was set before using it (Eric Dumazet) \n- mm/mempolicy: fix uninit-value in mpol_rebind_policy() (Wang Cheng) \n- spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers (Marc Kleine-Budde) \n- tcp: Fix data-races around sysctl_tcp_max_reordering. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_rfc1337. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_stdurg. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_retrans_collapse. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_slow_start_after_idle. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_recovery. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_early_retrans. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl knobs related to SYN option. (Kuniyuki Iwashima) \n- udp: Fix a data-race around sysctl_udp_l3mdev_accept. (Kuniyuki Iwashima) \n- ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh. (Kuniyuki Iwashima) \n- be2net: Fix buffer overflow in be_get_module_eeprom (Hristo Venev) \n- gpio: pca953x: only use single read/write for No AI mode (Haibo Chen) \n- ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero (Piotr Skajewski) \n- i40e: Fix erroneous adapter reinitialization during recovery process (Dawid Lukwinski) \n- iavf: Fix handling of dummy receive descriptors (Przemyslaw Patynowski) \n- tcp: Fix data-races around sysctl_tcp_fastopen. 
(Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_max_syn_backlog. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_tw_reuse. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_notsent_lowat. (Kuniyuki Iwashima) \n- tcp: Fix data-races around some timeout sysctl knobs. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_reordering. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_syncookies. (Kuniyuki Iwashima) \n- igmp: Fix a data-race around sysctl_igmp_max_memberships. (Kuniyuki Iwashima) \n- igmp: Fix data-races around sysctl_igmp_llm_reports. (Kuniyuki Iwashima) \n- net/tls: Fix race in TLS device down flow (Tariq Toukan) \n- net: stmmac: fix dma queue left shift overflow issue (Junxiao Chang) \n- i2c: cadence: Change large transfer count reset logic to be unconditional (Robert Hancock) \n- tcp: Fix a data-race around sysctl_tcp_probe_interval. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_probe_threshold. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_min_snd_mss. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_base_mss. (Kuniyuki Iwashima) \n- tcp: Fix data-races around sysctl_tcp_mtu_probing. (Kuniyuki Iwashima) \n- tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. (Kuniyuki Iwashima) \n- ip: Fix a data-race around sysctl_fwmark_reflect. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_nonlocal_bind. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_fwd_use_pmtu. (Kuniyuki Iwashima) \n- ip: Fix data-races around sysctl_ip_no_pmtu_disc. 
(Kuniyuki Iwashima) \n- igc: Reinstate IGC_REMOVED logic and implement it properly (Lennert Buytenhek) \n- perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() (Peter Zijlstra) \n- pinctrl: ralink: Check for null return of devm_kcalloc (William Dean) \n- power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe (Miaoqian Lin) \n- xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() (Hangyu Hua) \n- serial: mvebu-uart: correctly report configured baudrate value (Pali Rohar) \n- PCI: hv: Fix interrupt mapping for multi-MSI (Jeffrey Hugo) \n- PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() (Jeffrey Hugo) \n- PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI (Jeffrey Hugo) \n- PCI: hv: Fix multi-MSI to allow more than one MSI vector (Jeffrey Hugo) \n- mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication (Ido Schimmel) \n- riscv: add as-options for modules with assembly compontents (Ben Dooks) \n- pinctrl: stm32: fix optional IRQ support to gpios (Fabien Dessenne) \n- LTS tag: v5.4.207 (Sherry Yang) \n- can: m_can: m_can_tx_handler(): fix use after free of skb (Marc Kleine-Budde) \n- serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle (Ilpo Jarvinen) \n- serial: stm32: Clear prev values before setting RTS delays (Ilpo Jarvinen) \n- serial: 8250: fix return error code in serial8250_request_std_resource() (Yi Yang) \n- tty: serial: samsung_tty: set dma burst_size to 1 (Chanho Park) \n- usb: dwc3: gadget: Fix event pending check (Thinh Nguyen) \n- usb: typec: add missing uevent when partner support PD (Linyu Yuan) \n- USB: serial: ftdi_sio: add Belimo device ids (Lucien Buchmann) \n- signal handling: don't use BUG_ON() for debugging (Linus Torvalds) \n- ARM: dts: stm32: use the correct clock source for CEC on stm32mp151 (Gabriel Fernandez) \n- soc: ixp4xx/npe: Fix unused match warning (Linus Walleij) \n- x86: Clear .brk area at early boot (Juergen Gross) \n- irqchip: or1k-pic: 
Undefine mask_ack for level triggered hardware (Stafford Horne) \n- ASoC: madera: Fix event generation for rate controls (Charles Keepax) \n- ASoC: madera: Fix event generation for OUT1 demux (Charles Keepax) \n- ASoC: cs47l15: Fix event generation for low power mux control (Charles Keepax) \n- ASoC: wm5110: Fix DRE control (Charles Keepax) \n- ASoC: ops: Fix off by one in range control validation (Mark Brown) \n- net: sfp: fix memory leak in sfp_probe() (Jianglei Nie) \n- nvme: fix regression when disconnect a recovering ctrl (Ruozhu Li) \n- NFC: nxp-nci: don't print header length mismatch on i2c error (Michael Walle) \n- net: tipc: fix possible refcount leak in tipc_sk_create() (Hangyu Hua) \n- platform/x86: hp-wmi: Ignore Sanitization Mode event (Kai-Heng Feng) \n- cpufreq: pmac32-cpufreq: Fix refcount leak bug (Liang He) \n- netfilter: br_netfilter: do not skip all hooks with 0 priority (Florian Westphal) \n- virtio_mmio: Restore guest page size on resume (Stephan Gerhold) \n- virtio_mmio: Add missing PM calls to freeze/restore (Stephan Gerhold) \n- mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE (Muchun Song) \n- sfc: fix kernel panic when creating VF (Inigo Huguet) \n- seg6: bpf: fix skb checksum in bpf_push_seg6_encap() (Andrea Mayer) \n- seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors (Andrea Mayer) \n- seg6: fix skb checksum evaluation in SRH encapsulation/insertion (Andrea Mayer) \n- sfc: fix use after free when disabling sriov (Inigo Huguet) \n- net: ftgmac100: Hold reference returned by of_get_child_by_name() (Liang He) \n- ipv4: Fix data-races around sysctl_ip_dynaddr. (Kuniyuki Iwashima) \n- raw: Fix a data-race around sysctl_raw_l3mdev_accept. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ratemask. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ratelimit. 
(Kuniyuki Iwashima) \n- drm/i915/gt: Serialize TLB invalidates with GT resets (Chris Wilson) \n- ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero (Michal Suchanek) \n- ARM: dts: at91: sama5d2: Fix typo in i2s1 node (Ryan Wanner) \n- ipv4: Fix a data-race around sysctl_fib_sync_mem. (Kuniyuki Iwashima) \n- icmp: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- cipso: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- net: Fix data-races around sysctl_mem. (Kuniyuki Iwashima) \n- inetpeer: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- net: stmmac: dwc-qos: Disable split header for Tegra194 (Jon Hunter) \n- ASoC: sgtl5000: Fix noise on shutdown/remove (Francesco Dolcini) \n- ima: Fix a potential integer overflow in ima_appraise_measurement (Huaxin Lu) \n- drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector() (Hangyu Hua) \n- ARM: 9210/1: Mark the FDT_FIXED sections as shareable (Zhen Lei) \n- ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle (Ard Biesheuvel) \n- ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count (Kris Bahnsen) \n- ext4: fix race condition between ext4_write and ext4_convert_inline_data (Baokun Li) \n- Revert 'evm: Fix memleak in init_desc' (Xiu Jianfeng) \n- nilfs2: fix incorrect masking of permission flags for symlinks (Ryusuke Konishi) \n- drm/panfrost: Fix shrinker list corruption by madvise IOCTL (Dmitry Osipenko) \n- cgroup: Use separate src/dst nodes when preloading css_sets for migration (Tejun Heo) \n- wifi: mac80211: fix queue selection for mesh/OCB interfaces (Felix Fietkau) \n- ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction (Ard Biesheuvel) \n- ARM: 9213/1: Print message about disabled Spectre workarounds only once (Dmitry Osipenko) \n- ip: fix dflt addr selection for connected nexthop (Nicolas Dichtel) \n- net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer (Steven Rostedt (Google)) \n- tracing/histograms: Fix memory 
leak problem (Zheng Yejian) \n- xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue (Juergen Gross) \n- ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop (Meng Tang) \n- ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221 (Meng Tang) \n- ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671 (Meng Tang) \n- ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model (Meng Tang) \n- ALSA: hda - Add fixup for Dell Latitidue E5430 (Meng Tang)", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-21T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel-container security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21499", "CVE-2022-3028"], "modified": "2022-10-21T00:00:00", "id": "ELSA-2022-9927", "href": "http://linux.oracle.com/errata/ELSA-2022-9927.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-10T18:18:05", "description": "[4.14.35-2047.518.4]\n- xfs: avoid race between writeback and data/cow fork changes (Wengang Wang) [Orabug: 
34508036]\n[4.14.35-2047.518.3]\n- KVM: SVM: Clear the CR4 register on reset (Babu Moger) [Orabug: 34617675]\n[4.14.35-2047.518.2]\n- af_key: Do not call xfrm_probe_algs in parallel (Herbert Xu) [Orabug: 34566753] {CVE-2022-3028}\n- l2tp: fix tunnel lookup use-after-free race (James Chapman) [Orabug: 32504113]\n[4.14.35-2047.518.1]\n- xfs: fix out of bound access (Junxiao Bi) [Orabug: 33089469] [Orabug: 34535011] \n- KVM: x86: use raw clock values consistently (Paolo Bonzini) [Orabug: 34362737] \n- KVM: x86: reorganize pvclock_gtod_data members (Paolo Bonzini) [Orabug: 34362737] \n- KVM: x86: switch KVMCLOCK base to monotonic raw clock (Marcelo Tosatti) [Orabug: 34362737] \n- netfilter: ebtables: reject blobs that don't provide all entry points (Florian Westphal) [Orabug: 32176166] \n- sysfs: turn WARN() into pr_warn() (Greg Kroah-Hartman) [Orabug: 32176118]\n[4.14.35-2047.518.0]\n- lockdown: also lock down previous kgdb use (Daniel Thompson) [Orabug: 34543517] {CVE-2022-21499}\n- Revert 'debug: Lock down kgdb' (Alok Tiwari) [Orabug: 34543517] \n- vmcoreinfo: add kallsyms_num_syms symbol (Stephen Brennan) [Orabug: 34475880] \n- vmcoreinfo: include kallsyms symbols (Stephen Brennan) [Orabug: 34475880] \n- kallsyms: move declarations to internal header (Stephen Brennan) [Orabug: 34475880] \n- mpt3sas: avoid SOFT_RESET on shutdown (John Donnelly) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Update driver version to 39.100.00.00 (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Use firmware recommended queue depth (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Transition IOC to Ready state during shutdown (Sreekanth Reddy) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix fall-through warnings for Clang (Gustavo A. R. 
Silva) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Handle firmware faults during first half of IOC init (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix deadlock while cancelling the running firmware event (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Documentation cleanup (Randy Dunlap) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix timeouts observed while reenabling IRQ (Sreekanth Reddy) [Orabug: 34408138] \n- scsi: mpt3sas: Fix two kernel-doc headers (Bart Van Assche) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix out-of-bounds warnings in _ctl_addnl_diag_query (Gustavo A. R. Silva) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix endianness for ActiveCablePowerRequirement (Sreekanth Reddy) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Only one vSES is present even when IOC has multi vSES (Sreekanth Reddy) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix a typo (Bhaskar Chowdhury) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix a few kernel-doc issues (Lee Jones) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Force reply post buffer allocations to be within same 4 GB region (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Force reply buffer allocations to be within same 4 GB region (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Force sense buffer allocations to be within same 4 GB region (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Force chain buffer allocations to be within same 4 GB region (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Force PCIe scatterlist allocations to be within same 4 GB region (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Replace unnecessary dynamic allocation with a static one (Gustavo A. R. 
Silva) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Do not use GFP_KERNEL in atomic context (Christophe JAILLET) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix some kernel-doc misnaming issues (Lee Jones) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix a couple of misdocumented functions/params (Lee Jones) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix a bunch of potential naming doc-rot (Lee Jones) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Move a little data from the stack onto the heap (Lee Jones) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix misspelling of _base_put_smid_default_atomic() (Lee Jones) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Additional diagnostic buffer query interface (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix ReplyPostFree pool allocation (Sreekanth Reddy) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Simplify bool comparison (YANG LI) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Fix spelling mistake in Kconfig 'compatiblity' -> 'compatibility' (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Signedness bug in _base_get_diag_triggers() (Dan Carpenter) [Orabug: 33666018] [Orabug: 34408138] \n- scsi: mpt3sas: Block PCI config access from userspace during reset (Sreekanth Reddy) [Orabug: 34408138] \n- Linux 4.14.290 (Greg Kroah-Hartman) \n- PCI: hv: Fix interrupt mapping for multi-MSI (Jeffrey Hugo) \n- PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() (Jeffrey Hugo) \n- PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI (Jeffrey Hugo) \n- PCI: hv: Fix multi-MSI to allow more than one MSI vector (Jeffrey Hugo) \n- net: usb: ax88179_178a needs FLAG_SEND_ZLP (Jose Alonso) \n- tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() (Jiri Slaby) \n- tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() (Jiri Slaby) \n- tty: drop 
tty_schedule_flip() (Jiri Slaby) \n- tty: the rest, stop using tty_schedule_flip() (Jiri Slaby) \n- tty: drivers/tty/, stop using tty_schedule_flip() (Jiri Slaby) \n- Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks (Luiz Augusto von Dentz) \n- Bluetooth: SCO: Fix sco_send_frame returning skb->len (Luiz Augusto von Dentz) \n- Bluetooth: Fix passing NULL to PTR_ERR (Luiz Augusto von Dentz) \n- Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg (Luiz Augusto von Dentz) \n- Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg (Luiz Augusto von Dentz) \n- Bluetooth: Add bt_skb_sendmmsg helper (Luiz Augusto von Dentz) \n- Bluetooth: Add bt_skb_sendmsg helper (Luiz Augusto von Dentz) \n- ALSA: memalloc: Align buffer allocations in page size (Takashi Iwai) \n- tilcdc: tilcdc_external: fix an incorrect NULL check on list iterator (Xiaomeng Tong) \n- drm/tilcdc: Remove obsolete crtc_mode_valid() hack (Jyri Sarha) \n- bpf: Make sure mac_header was set before using it (Eric Dumazet) \n- mm/mempolicy: fix uninit-value in mpol_rebind_policy() (Wang Cheng) \n- Revert 'Revert 'char/random: silence a lockdep splat with printk()'' (Jason A. Donenfeld) \n- be2net: Fix buffer overflow in be_get_module_eeprom (Hristo Venev) \n- tcp: Fix a data-race around sysctl_tcp_notsent_lowat. (Kuniyuki Iwashima) \n- igmp: Fix a data-race around sysctl_igmp_max_memberships. (Kuniyuki Iwashima) \n- igmp: Fix data-races around sysctl_igmp_llm_reports. (Kuniyuki Iwashima) \n- net: stmmac: fix dma queue left shift overflow issue (Junxiao Chang) \n- i2c: cadence: Change large transfer count reset logic to be unconditional (Robert Hancock) \n- tcp: Fix a data-race around sysctl_tcp_probe_interval. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_probe_threshold. (Kuniyuki Iwashima) \n- tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. (Kuniyuki Iwashima) \n- ip: Fix a data-race around sysctl_fwmark_reflect. 
(Kuniyuki Iwashima) \n- perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() (Peter Zijlstra) \n- power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe (Miaoqian Lin) \n- xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() (Hangyu Hua) \n- xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE (Demi Marie Obenour) \n- Linux 4.14.289 (Greg Kroah-Hartman) \n- can: m_can: m_can_tx_handler(): fix use after free of skb (Marc Kleine-Budde) \n- mm: invalidate hwpoison page cache page in fault path (Rik van Riel) \n- serial: 8250: fix return error code in serial8250_request_std_resource() (Yi Yang) \n- tty: serial: samsung_tty: set dma burst_size to 1 (Chanho Park) \n- usb: dwc3: gadget: Fix event pending check (Thinh Nguyen) \n- USB: serial: ftdi_sio: add Belimo device ids (Lucien Buchmann) \n- signal handling: don't use BUG_ON() for debugging (Linus Torvalds) \n- x86: Clear .brk area at early boot (Juergen Gross) \n- irqchip: or1k-pic: Undefine mask_ack for level triggered hardware (Stafford Horne) \n- ASoC: wm5110: Fix DRE control (Charles Keepax) \n- ASoC: ops: Fix off by one in range control validation (Mark Brown) \n- net: sfp: fix memory leak in sfp_probe() (Jianglei Nie) \n- NFC: nxp-nci: don't print header length mismatch on i2c error (Michael Walle) \n- net: tipc: fix possible refcount leak in tipc_sk_create() (Hangyu Hua) \n- platform/x86: hp-wmi: Ignore Sanitization Mode event (Kai-Heng Feng) \n- cpufreq: pmac32-cpufreq: Fix refcount leak bug (Liang He) \n- netfilter: br_netfilter: do not skip all hooks with 0 priority (Florian Westphal) \n- virtio_mmio: Restore guest page size on resume (Stephan Gerhold) \n- virtio_mmio: Add missing PM calls to freeze/restore (Stephan Gerhold) \n- sfc: fix kernel panic when creating VF (Inigo Huguet) \n- seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors (Andrea Mayer) \n- seg6: fix skb checksum evaluation in SRH encapsulation/insertion 
(Andrea Mayer) \n- sfc: fix use after free when disabling sriov (Inigo Huguet) \n- ipv4: Fix data-races around sysctl_ip_dynaddr. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ratemask. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ratelimit. (Kuniyuki Iwashima) \n- ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero (Michal Suchanek) \n- icmp: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- cipso: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- net: Fix data-races around sysctl_mem. (Kuniyuki Iwashima) \n- inetpeer: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle (Ard Biesheuvel) \n- xhci: make xhci_handshake timeout for xhci_reset() adjustable (Mathias Nyman) \n- xhci: bail out early if driver can't accress host in resume (Mathias Nyman) \n- net: dsa: bcm_sf2: force pause link settings (Doug Berger) \n- nilfs2: fix incorrect masking of permission flags for symlinks (Ryusuke Konishi) \n- cgroup: Use separate src/dst nodes when preloading css_sets for migration (Tejun Heo) \n- ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction (Ard Biesheuvel) \n- ARM: 9213/1: Print message about disabled Spectre workarounds only once (Dmitry Osipenko) \n- net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer (Steven Rostedt (Google)) \n- xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue (Juergen Gross) \n- ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model (Meng Tang) \n- ALSA: hda - Add fixup for Dell Latitidue E5430 (Meng Tang)", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": 
"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-10T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21499", "CVE-2022-3028"], "modified": "2022-10-10T00:00:00", "id": "ELSA-2022-9870", "href": "http://linux.oracle.com/errata/ELSA-2022-9870.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-10T19:43:42", "description": "[4.14.35-2047.518.4.el7]\n- xfs: avoid race between writeback and data/cow fork changes (Wengang Wang)\n [Orabug: 34508036]\n[4.14.35-2047.518.3.el7]\n- KVM: SVM: Clear the CR4 register on reset (Babu Moger) [Orabug: 34617675]\n[4.14.35-2047.518.2.el7]\n- af_key: Do not call xfrm_probe_algs in parallel (Herbert Xu) [Orabug: 34566753] {CVE-2022-3028}\n- l2tp: fix tunnel lookup use-after-free race (James Chapman) [Orabug: 32504113]\n[4.14.35-2047.518.1.el7]\n- xfs: fix out of bound access (Junxiao Bi) [Orabug: 33089469] [Orabug: 34535011]\n- KVM: x86: use raw clock values consistently (Paolo Bonzini) [Orabug: 34362737]\n- KVM: x86: reorganize pvclock_gtod_data members (Paolo Bonzini) [Orabug: 34362737]\n- KVM: x86: switch KVMCLOCK base to monotonic raw clock (Marcelo Tosatti) [Orabug: 34362737]\n- netfilter: ebtables: reject blobs that don't provide all entry points (Florian Westphal) [Orabug: 32176166]\n- sysfs: turn WARN() into pr_warn() (Greg 
Kroah-Hartman) [Orabug: 32176118]\n[4.14.35-2047.518.0.el7]\n- lockdown: also lock down previous kgdb use (Daniel Thompson) [Orabug: 34543517] {CVE-2022-21499}\n- Revert 'debug: Lock down kgdb' (Alok Tiwari) [Orabug: 34543517] {CVE-2022-21499}\n- vmcoreinfo: add kallsyms_num_syms symbol (Stephen Brennan) [Orabug: 34475880]\n- vmcoreinfo: include kallsyms symbols (Stephen Brennan) [Orabug: 34475880]\n- kallsyms: move declarations to internal header (Stephen Brennan) [Orabug: 34475880]\n- mpt3sas: avoid SOFT_RESET on shutdown (John Donnelly) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Update driver version to 39.100.00.00 (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Use firmware recommended queue depth (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Transition IOC to Ready state during shutdown (Sreekanth Reddy) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix fall-through warnings for Clang (Gustavo A. R. Silva) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Handle firmware faults during first half of IOC init (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix deadlock while cancelling the running firmware event (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Documentation cleanup (Randy Dunlap) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix timeouts observed while reenabling IRQ (Sreekanth Reddy) [Orabug: 34408138]\n- scsi: mpt3sas: Fix two kernel-doc headers (Bart Van Assche) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix out-of-bounds warnings in _ctl_addnl_diag_query (Gustavo A. R. 
Silva) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix endianness for ActiveCablePowerRequirement (Sreekanth Reddy) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Only one vSES is present even when IOC has multi vSES (Sreekanth Reddy) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix a typo (Bhaskar Chowdhury) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix a few kernel-doc issues (Lee Jones) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Force reply post buffer allocations to be within same 4 GB region (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Force reply buffer allocations to be within same 4 GB region (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Force sense buffer allocations to be within same 4 GB region (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Force chain buffer allocations to be within same 4 GB region (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Force PCIe scatterlist allocations to be within same 4 GB region (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Replace unnecessary dynamic allocation with a static one (Gustavo A. R. 
Silva) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Do not use GFP_KERNEL in atomic context (Christophe JAILLET) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix some kernel-doc misnaming issues (Lee Jones) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix a couple of misdocumented functions/params (Lee Jones) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix a bunch of potential naming doc-rot (Lee Jones) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Move a little data from the stack onto the heap (Lee Jones) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix misspelling of _base_put_smid_default_atomic() (Lee Jones) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Additional diagnostic buffer query interface (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix ReplyPostFree pool allocation (Sreekanth Reddy) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Simplify bool comparison (YANG LI) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Fix spelling mistake in Kconfig 'compatiblity' -> 'compatibility' (Suganath Prabu S) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Signedness bug in _base_get_diag_triggers() (Dan Carpenter) [Orabug: 33666018] [Orabug: 34408138]\n- scsi: mpt3sas: Block PCI config access from userspace during reset (Sreekanth Reddy) [Orabug: 34408138]\n- Linux 4.14.290 (Greg Kroah-Hartman) \n- PCI: hv: Fix interrupt mapping for multi-MSI (Jeffrey Hugo) \n- PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() (Jeffrey Hugo) \n- PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI (Jeffrey Hugo) \n- PCI: hv: Fix multi-MSI to allow more than one MSI vector (Jeffrey Hugo) \n- net: usb: ax88179_178a needs FLAG_SEND_ZLP (Jose Alonso) \n- tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() (Jiri Slaby) \n- tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() (Jiri Slaby) \n- tty: drop tty_schedule_flip() 
(Jiri Slaby) \n- tty: the rest, stop using tty_schedule_flip() (Jiri Slaby) \n- tty: drivers/tty/, stop using tty_schedule_flip() (Jiri Slaby) \n- Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks (Luiz Augusto von Dentz) \n- Bluetooth: SCO: Fix sco_send_frame returning skb->len (Luiz Augusto von Dentz) \n- Bluetooth: Fix passing NULL to PTR_ERR (Luiz Augusto von Dentz) \n- Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg (Luiz Augusto von Dentz) \n- Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg (Luiz Augusto von Dentz) \n- Bluetooth: Add bt_skb_sendmmsg helper (Luiz Augusto von Dentz) \n- Bluetooth: Add bt_skb_sendmsg helper (Luiz Augusto von Dentz) \n- ALSA: memalloc: Align buffer allocations in page size (Takashi Iwai) \n- tilcdc: tilcdc_external: fix an incorrect NULL check on list iterator (Xiaomeng Tong) \n- drm/tilcdc: Remove obsolete crtc_mode_valid() hack (Jyri Sarha) \n- bpf: Make sure mac_header was set before using it (Eric Dumazet) \n- mm/mempolicy: fix uninit-value in mpol_rebind_policy() (Wang Cheng) \n- Revert 'Revert 'char/random: silence a lockdep splat with printk()'' (Jason A. Donenfeld) \n- be2net: Fix buffer overflow in be_get_module_eeprom (Hristo Venev) \n- tcp: Fix a data-race around sysctl_tcp_notsent_lowat. (Kuniyuki Iwashima) \n- igmp: Fix a data-race around sysctl_igmp_max_memberships. (Kuniyuki Iwashima) \n- igmp: Fix data-races around sysctl_igmp_llm_reports. (Kuniyuki Iwashima) \n- net: stmmac: fix dma queue left shift overflow issue (Junxiao Chang) \n- i2c: cadence: Change large transfer count reset logic to be unconditional (Robert Hancock) \n- tcp: Fix a data-race around sysctl_tcp_probe_interval. (Kuniyuki Iwashima) \n- tcp: Fix a data-race around sysctl_tcp_probe_threshold. (Kuniyuki Iwashima) \n- tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. (Kuniyuki Iwashima) \n- ip: Fix a data-race around sysctl_fwmark_reflect. 
(Kuniyuki Iwashima) \n- perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() (Peter Zijlstra) \n- power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe (Miaoqian Lin) \n- xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() (Hangyu Hua) \n- xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE (Demi Marie Obenour) \n- Linux 4.14.289 (Greg Kroah-Hartman) \n- can: m_can: m_can_tx_handler(): fix use after free of skb (Marc Kleine-Budde) \n- mm: invalidate hwpoison page cache page in fault path (Rik van Riel) \n- serial: 8250: fix return error code in serial8250_request_std_resource() (Yi Yang) \n- tty: serial: samsung_tty: set dma burst_size to 1 (Chanho Park) \n- usb: dwc3: gadget: Fix event pending check (Thinh Nguyen) \n- USB: serial: ftdi_sio: add Belimo device ids (Lucien Buchmann) \n- signal handling: don't use BUG_ON() for debugging (Linus Torvalds) \n- x86: Clear .brk area at early boot (Juergen Gross) \n- irqchip: or1k-pic: Undefine mask_ack for level triggered hardware (Stafford Horne) \n- ASoC: wm5110: Fix DRE control (Charles Keepax) \n- ASoC: ops: Fix off by one in range control validation (Mark Brown) \n- net: sfp: fix memory leak in sfp_probe() (Jianglei Nie) \n- NFC: nxp-nci: don't print header length mismatch on i2c error (Michael Walle) \n- net: tipc: fix possible refcount leak in tipc_sk_create() (Hangyu Hua) \n- platform/x86: hp-wmi: Ignore Sanitization Mode event (Kai-Heng Feng) \n- cpufreq: pmac32-cpufreq: Fix refcount leak bug (Liang He) \n- netfilter: br_netfilter: do not skip all hooks with 0 priority (Florian Westphal) \n- virtio_mmio: Restore guest page size on resume (Stephan Gerhold) \n- virtio_mmio: Add missing PM calls to freeze/restore (Stephan Gerhold) \n- sfc: fix kernel panic when creating VF (Inigo Huguet) \n- seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors (Andrea Mayer) \n- seg6: fix skb checksum evaluation in SRH encapsulation/insertion 
(Andrea Mayer) \n- sfc: fix use after free when disabling sriov (Inigo Huguet) \n- ipv4: Fix data-races around sysctl_ip_dynaddr. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ratemask. (Kuniyuki Iwashima) \n- icmp: Fix a data-race around sysctl_icmp_ratelimit. (Kuniyuki Iwashima) \n- ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero (Michal Suchanek) \n- icmp: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- cipso: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- net: Fix data-races around sysctl_mem. (Kuniyuki Iwashima) \n- inetpeer: Fix data-races around sysctl. (Kuniyuki Iwashima) \n- ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle (Ard Biesheuvel) \n- xhci: make xhci_handshake timeout for xhci_reset() adjustable (Mathias Nyman) \n- xhci: bail out early if driver can't accress host in resume (Mathias Nyman) \n- net: dsa: bcm_sf2: force pause link settings (Doug Berger) \n- nilfs2: fix incorrect masking of permission flags for symlinks (Ryusuke Konishi) \n- cgroup: Use separate src/dst nodes when preloading css_sets for migration (Tejun Heo) \n- ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction (Ard Biesheuvel) \n- ARM: 9213/1: Print message about disabled Spectre workarounds only once (Dmitry Osipenko) \n- net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer (Steven Rostedt (Google)) \n- xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue (Juergen Gross) \n- ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model (Meng Tang) \n- ALSA: hda - Add fixup for Dell Latitidue E5430 (Meng Tang)", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": 
"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-10T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel-container security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21499", "CVE-2022-3028"], "modified": "2022-10-10T00:00:00", "id": "ELSA-2022-9871", "href": "http://linux.oracle.com/errata/ELSA-2022-9871.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-04T18:32:37", "description": "[4.1.12-124.67.3]\n- media: imon: Fix null-ptr-deref in imon_probe (Arvind Yadav) [Orabug: 31225377] {CVE-2017-16537}\n- fbcon: remove soft scrollback code (Linus Torvalds) [Orabug: 31914703] {CVE-2020-14390}\n- inet: use bigger hash table for IP ID generation (Eric Dumazet) [Orabug: 33778986] {CVE-2021-45486}\n- ipv4: speedup ip_idents_reserve() (Eric Dumazet) [Orabug: 33778986]\n[4.1.12-124.67.2]\n- media: v4l: ioctl: Fix memory leak in video_usercopy (Sakari Ailus) [Orabug: 32759975] {CVE-2021-30002}\n- usbnet: silence an unnecessary warning (Oliver Neukum) [Orabug: 23589045] \n- futex: Remove requirement for lock_page() in get_futex_key() (Mel Gorman) [Orabug: 29048998] {CVE-2018-9422}\n- mwifiex: Fix skb_over_panic in mwifiex_usb_recv() (Zekun Shen) [Orabug: 33784271] {CVE-2021-43976}\n- af_key: Do not call xfrm_probe_algs in parallel (Herbert Xu) [Orabug: 34566754] {CVE-2022-3028}\n- ext4: fix kernel infoleak via 
ext4_extent_header (Anirudh Rayabharam) [Orabug: 34579226] {CVE-2022-0850}\n- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup (Jann Horn) [Orabug: 34594265] {CVE-2022-2964}\n- net: usb: ax88179_178a: initialize local variables before use (Phillip Potter) [Orabug: 34594265] \n- net: usb: ax88179_178a: fix packet alignment padding (Jeremy Kerr) [Orabug: 34594265] \n- ax88179_178a: Check for supported Wake-on-LAN modes (Florian Fainelli) [Orabug: 34594265] \n- Net Driver: Add Cypress GX3 VID=04b4 PID=3610. (Allan Chou) [Orabug: 34594265]\n[4.1.12-124.67.1]\n- KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings (Eric Biggers) [Orabug: 27902747] {CVE-2017-7472}\n- KEYS: prevent creating a different user's keyrings (Eric Biggers) [Orabug: 29013653] {CVE-2017-18270}\n- scsi: sg: add sg_remove_request in sg_write (Wu Bo) [Orabug: 31350699] {CVE-2020-12770}\n- xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() (Hangyu Hua) [Orabug: 34503626] {CVE-2022-36879}\n- ext4: verify dir block before splitting it (Jan Kara) [Orabug: 34555416] {CVE-2022-1184}\n- dm verity: set DM_TARGET_IMMUTABLE feature flag (Sarthak Kukreti) [Orabug: 34555434] {CVE-2022-2503}", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-04T00:00:00", "type": "oraclelinux", "title": "Unbreakable Enterprise kernel security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16537", "CVE-2017-18270", "CVE-2017-7472", "CVE-2018-9422", "CVE-2020-12770", "CVE-2020-14390", "CVE-2021-30002", "CVE-2021-43976", "CVE-2021-45486", "CVE-2022-0850", "CVE-2022-1184", "CVE-2022-2503", "CVE-2022-2964", "CVE-2022-3028", "CVE-2022-36879"], "modified": "2022-10-04T00:00:00", "id": "ELSA-2022-9852", "href": "http://linux.oracle.com/errata/ELSA-2022-9852.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "redhatcve": [{"lastseen": "2023-03-08T02:12:44", "description": "A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket.\n", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-29T14:43:03", "type": "redhatcve", "title": "CVE-2022-3028", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-3028"], "modified": "2023-03-07T23:37:45", "id": "RH:CVE-2022-3028", "href": "https://access.redhat.com/security/cve/cve-2022-3028", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-03-29T03:13:21", "description": "The version of kernel installed on the remote CBL Mariner 
2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-3028 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-28T00:00:00", "type": "nessus", "title": "CBL Mariner 2.0 Security Update: kernel (CVE-2022-3028)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3028"], "modified": "2023-03-28T00:00:00", "cpe": ["p-cpe:/a:microsoft:cbl-mariner:bpftool", "p-cpe:/a:microsoft:cbl-mariner:kernel", "p-cpe:/a:microsoft:cbl-mariner:kernel-debuginfo", "p-cpe:/a:microsoft:cbl-mariner:kernel-devel", "p-cpe:/a:microsoft:cbl-mariner:kernel-docs", "p-cpe:/a:microsoft:cbl-mariner:kernel-drivers-accessibility", "p-cpe:/a:microsoft:cbl-mariner:kernel-drivers-sound", "p-cpe:/a:microsoft:cbl-mariner:kernel-dtb", "p-cpe:/a:microsoft:cbl-mariner:kernel-oprofile", "p-cpe:/a:microsoft:cbl-mariner:kernel-tools", "p-cpe:/a:microsoft:cbl-mariner:python3-perf", "x-cpe:/o:microsoft:cbl-mariner"], "id": "MARINER_KERNEL_CVE-2022-3028.NASL", "href": "https://www.tenable.com/plugins/nessus/173601", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) 
Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(173601);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/28\");\n\n script_cve_id(\"CVE-2022-3028\");\n\n script_name(english:\"CBL Mariner 2.0 Security Update: kernel (CVE-2022-3028)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CBL Mariner host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of kernel installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore,\naffected by a vulnerability as referenced in the CVE-2022-3028 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. 
(CVE-2022-3028)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://nvd.nist.gov/vuln/detail/CVE-2022-3028\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3028\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/03/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:microsoft:cbl-mariner:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:microsoft:cbl-mariner:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:microsoft:cbl-mariner:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:microsoft:cbl-mariner:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:microsoft:cbl-mariner:kernel-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:microsoft:cbl-mariner:kernel-drivers-accessibility\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:microsoft:cbl-mariner:kernel-drivers-sound\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:microsoft:cbl-mariner:kernel-dtb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:microsoft:cbl-mariner:kernel-oprofile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:microsoft:cbl-mariner:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:microsoft:cbl-mariner:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:microsoft:cbl-mariner\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MarinerOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CBLMariner/release\", \"Host/CBLMariner/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/CBLMariner/release');\nif (isnull(release) || 'CBL-Mariner' >!< release) audit(AUDIT_OS_NOT, 'CBL-Mariner');\nvar os_ver = pregmatch(pattern: \"CBL-Mariner ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CBL-Mariner');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^2([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'CBL-Mariner 2.0', 'CBL-Mariner ' + os_ver);\n\nif (!get_kb_item('Host/CBLMariner/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu)\n audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CBL-Mariner', cpu);\n\nvar pkgs = [\n {'reference':'bpftool-5.15.67.1-4.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bpftool-5.15.67.1-4.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-5.15.67.1-4.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-5.15.67.1-4.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-5.15.67.1-4.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-5.15.67.1-4.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-5.15.67.1-4.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-5.15.67.1-4.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-docs-5.15.67.1-4.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-docs-5.15.67.1-4.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-drivers-accessibility-5.15.67.1-4.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-drivers-accessibility-5.15.67.1-4.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-drivers-sound-5.15.67.1-4.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-drivers-sound-5.15.67.1-4.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'kernel-dtb-5.15.67.1-4.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-5.15.67.1-4.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-5.15.67.1-4.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-5.15.67.1-4.cm2', 'cpu':'x86_64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-perf-5.15.67.1-4.cm2', 'cpu':'aarch64', 'release':'2.0', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'CBLMariner-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n 
exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-debuginfo / kernel-devel / kernel-docs / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-03T00:55:24", "description": "The remote Oracle Linux 7 / 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-9999 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-16T00:00:00", "type": "nessus", "title": "Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2022-9999)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3028"], "modified": "2022-11-24T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek-container", "p-cpe:/a:oracle:linux:kernel-uek-container-debug"], "id": "ORACLELINUX_ELSA-2022-9999.NASL", "href": "https://www.tenable.com/plugins/nessus/167587", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks 
in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-9999.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167587);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/24\");\n\n script_cve_id(\"CVE-2022-3028\");\n\n script_name(english:\"Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2022-9999)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 / 8 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2022-9999 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. 
(CVE-2022-3028)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-9999.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek-container and / or kernel-uek-container-debug packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3028\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container-debug\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(7|8)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7 / 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['5.4.17-2136.313.6.el7', '5.4.17-2136.313.6.el8'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2022-9999');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the 
minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '5.4';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-container-5.4.17-2136.313.6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n {'reference':'kernel-uek-container-debug-5.4.17-2136.313.6.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'},\n {'reference':'kernel-uek-container-5.4.17-2136.313.6.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n {'reference':'kernel-uek-container-debug-5.4.17-2136.313.6.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if 
(!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek-container / kernel-uek-container-debug');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-03T20:36:59", "description": "The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-9931 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. 
(CVE-2022-3028)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-24T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : Unbreakable Enterprise kernel-container (ELSA-2022-9931)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3028"], "modified": "2022-11-28T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek-container", "p-cpe:/a:oracle:linux:kernel-uek-container-debug"], "id": "ORACLELINUX_ELSA-2022-9931.NASL", "href": "https://www.tenable.com/plugins/nessus/166437", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-9931.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166437);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/28\");\n\n script_cve_id(\"CVE-2022-3028\");\n\n script_name(english:\"Oracle Linux 8 : Unbreakable Enterprise kernel-container (ELSA-2022-9931)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2022-9931 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when 
multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-9931.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek-container and / or kernel-uek-container-debug packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3028\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container-debug\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by 
Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['5.15.0-3.60.5.1.el8'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2022-9931');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level 
of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '5.15';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-container-5.15.0-3.60.5.1.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.15.0'},\n {'reference':'kernel-uek-container-debug-5.15.0-3.60.5.1.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.15.0'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && 
rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek-container / kernel-uek-container-debug');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-04T02:57:03", "description": "The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2022-9998 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. 
(CVE-2022-3028)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-15T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : Unbreakable Enterprise kernel (ELSA-2022-9998)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-3028"], "modified": "2022-11-24T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc"], "id": "ORACLELINUX_ELSA-2022-9998.NASL", "href": "https://www.tenable.com/plugins/nessus/167543", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-9998.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167543);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/24\");\n\n script_cve_id(\"CVE-2022-3028\");\n\n script_name(english:\"Oracle Linux 8 : Unbreakable Enterprise kernel (ELSA-2022-9998)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nELSA-2022-9998 advisory.\n\n - A race condition was 
found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-9998.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3028\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['5.4.17-2136.313.6.el8uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2022-9998');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '5.4';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-5.4.17-2136.313.6.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2136.313.6.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2136.313.6.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n 
{'reference':'kernel-uek-debug-5.4.17-2136.313.6.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2136.313.6.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2136.313.6.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2136.313.6.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2136.313.6.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-doc-5.4.17-2136.313.6.el8uek', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = 
package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-03T14:02:13", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-9870 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown.\n An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. 
(CVE-2022-21499)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-10T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2022-9870)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21499", "CVE-2022-3028"], "modified": "2022-10-10T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-headers", "p-cpe:/a:oracle:linux:kernel-uek-tools", "p-cpe:/a:oracle:linux:kernel-uek-tools-libs", "p-cpe:/a:oracle:linux:kernel-uek-tools-libs-devel", "p-cpe:/a:oracle:linux:perf", "p-cpe:/a:oracle:linux:python-perf"], "id": "ORACLELINUX_ELSA-2022-9870.NASL", "href": "https://www.tenable.com/plugins/nessus/165985", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and 
package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-9870.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165985);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/10/10\");\n\n script_cve_id(\"CVE-2022-3028\", \"CVE-2022-21499\");\n\n script_name(english:\"Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2022-9870)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2022-9870 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown.\n An attacker with access to a serial port could trigger the debugger so it is important that the debugger\n respect the lockdown mode when/if it is triggered. 
(CVE-2022-21499)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-9870.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21499\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-3028\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-headers\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:kernel-uek-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.14.35-2047.518.4.el7uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2022-9870');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.14';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-4.14.35-2047.518.4.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.14.35'},\n {'reference':'kernel-uek-4.14.35-2047.518.4.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.14.35'},\n {'reference':'kernel-uek-debug-4.14.35-2047.518.4.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.14.35'},\n 
{'reference':'kernel-uek-debug-4.14.35-2047.518.4.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.14.35'},\n {'reference':'kernel-uek-debug-devel-4.14.35-2047.518.4.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.14.35'},\n {'reference':'kernel-uek-debug-devel-4.14.35-2047.518.4.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.14.35'},\n {'reference':'kernel-uek-devel-4.14.35-2047.518.4.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.14.35'},\n {'reference':'kernel-uek-devel-4.14.35-2047.518.4.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.14.35'},\n {'reference':'kernel-uek-doc-4.14.35-2047.518.4.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.14.35'},\n {'reference':'kernel-uek-headers-4.14.35-2047.518.4.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-headers-4.14.35'},\n {'reference':'kernel-uek-tools-4.14.35-2047.518.4.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-4.14.35'},\n {'reference':'kernel-uek-tools-4.14.35-2047.518.4.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-4.14.35'},\n {'reference':'kernel-uek-tools-libs-4.14.35-2047.518.4.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-libs-4.14.35'},\n {'reference':'kernel-uek-tools-libs-devel-4.14.35-2047.518.4.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-tools-libs-devel-4.14.35'},\n {'reference':'perf-4.14.35-2047.518.4.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'perf-4.14.35'},\n 
{'reference':'python-perf-4.14.35-2047.518.4.el7uek', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'python-perf-4.14.35'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / 
etc');\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-03T07:09:19", "description": "The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-9927 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown.\n An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. (CVE-2022-21499)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-20T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : Unbreakable Enterprise kernel-container (ELSA-2022-9927)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": 
"AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21499", "CVE-2022-3028"], "modified": "2022-10-20T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek-container", "p-cpe:/a:oracle:linux:kernel-uek-container-debug"], "id": "ORACLELINUX_ELSA-2022-9927.NASL", "href": "https://www.tenable.com/plugins/nessus/166346", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-9927.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166346);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/10/20\");\n\n script_cve_id(\"CVE-2022-3028\", \"CVE-2022-21499\");\n\n script_name(english:\"Oracle Linux 8 : Unbreakable Enterprise kernel-container (ELSA-2022-9927)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2022-9927 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. 
(CVE-2022-3028)\n\n - KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown.\n An attacker with access to a serial port could trigger the debugger so it is important that the debugger\n respect the lockdown mode when/if it is triggered. (CVE-2022-21499)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-9927.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek-container and / or kernel-uek-container-debug packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21499\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-3028\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container-debug\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['5.4.17-2136.312.3.4.el8'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2022-9927');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '5.4';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-container-5.4.17-2136.312.3.4.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-5.4.17'},\n {'reference':'kernel-uek-container-debug-5.4.17-2136.312.3.4.el8', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-debug-5.4.17'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var 
reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek-container / kernel-uek-container-debug');\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-03T00:52:03", "description": "The remote Oracle Linux 8 host has packages installed that are affected by multiple 
vulnerabilities as referenced in the ELSA-2022-9926 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown.\n An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. (CVE-2022-21499)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-20T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : Unbreakable Enterprise kernel (ELSA-2022-9926)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21499", "CVE-2022-3028"], "modified": 
"2022-10-20T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc"], "id": "ORACLELINUX_ELSA-2022-9926.NASL", "href": "https://www.tenable.com/plugins/nessus/166348", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-9926.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166348);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/10/20\");\n\n script_cve_id(\"CVE-2022-3028\", \"CVE-2022-21499\");\n\n script_name(english:\"Oracle Linux 8 : Unbreakable Enterprise kernel (ELSA-2022-9926)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2022-9926 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown.\n An attacker with access to a serial port could trigger the debugger so it is important that the debugger\n respect the lockdown mode when/if it is triggered. 
(CVE-2022-21499)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-9926.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21499\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-3028\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['5.4.17-2136.312.3.4.el8uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2022-9926');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet 
the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '5.4';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-5.4.17-2136.312.3.4.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-5.4.17-2136.312.3.4.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2136.312.3.4.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-5.4.17-2136.312.3.4.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2136.312.3.4.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-debug-devel-5.4.17-2136.312.3.4.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2136.312.3.4.el8uek', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-devel-5.4.17-2136.312.3.4.el8uek', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-5.4.17'},\n {'reference':'kernel-uek-doc-5.4.17-2136.312.3.4.el8uek', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-5.4.17'}\n];\n\nvar flag = 0;\nforeach var 
package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-04T00:34:23", "description": "The remote Oracle Linux 7 host has a package installed 
that is affected by multiple vulnerabilities as referenced in the ELSA-2022-9871 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown.\n An attacker with access to a serial port could trigger the debugger so it is important that the debugger respect the lockdown mode when/if it is triggered. (CVE-2022-21499)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-10T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : Unbreakable Enterprise kernel-container (ELSA-2022-9871)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21499", 
"CVE-2022-3028"], "modified": "2022-10-10T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-uek-container"], "id": "ORACLELINUX_ELSA-2022-9871.NASL", "href": "https://www.tenable.com/plugins/nessus/165984", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-9871.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165984);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/10/10\");\n\n script_cve_id(\"CVE-2022-3028\", \"CVE-2022-21499\");\n\n script_name(english:\"Oracle Linux 7 : Unbreakable Enterprise kernel-container (ELSA-2022-9871)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the\nELSA-2022-9871 advisory.\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - KGDB and KDB allow read and write access to kernel memory, and thus should be restricted during lockdown.\n An attacker with access to a serial port could trigger the debugger so it is important that the debugger\n respect the lockdown mode when/if it is triggered. 
(CVE-2022-21499)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-9871.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek-container package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21499\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-3028\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-container\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.14.35-2047.518.4.el7'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2022-9871');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + 
join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.14';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-container-4.14.35-2047.518.4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-container-4.14.35'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if 
(rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek-container');\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-03T02:47:49", "description": "The remote Ubuntu 16.04 ESM / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5727-2 advisory.\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service. (CVE-2022-2153)\n\n - A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. 
Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-237540956. References: Upstream kernel (CVE-2022-20422)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-19T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 ESM / 18.04 LTS : Linux kernel (GCP) vulnerabilities (USN-5727-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-20422", "CVE-2022-2153", "CVE-2022-2978", "CVE-2022-3028", "CVE-2022-3635", "CVE-2022-36879", "CVE-2022-40768"], "modified": "2023-01-17T00:00:00", "cpe": 
["cpe:/o:canonical:ubuntu_linux:16.04:-:esm", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1138-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp"], "id": "UBUNTU_USN-5727-2.NASL", "href": "https://www.tenable.com/plugins/nessus/167919", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5727-2. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167919);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2022-2153\",\n \"CVE-2022-2978\",\n \"CVE-2022-3028\",\n \"CVE-2022-3635\",\n \"CVE-2022-20422\",\n \"CVE-2022-36879\",\n \"CVE-2022-40768\"\n );\n script_xref(name:\"USN\", value:\"5727-2\");\n\n script_name(english:\"Ubuntu 16.04 ESM / 18.04 LTS : Linux kernel (GCP) vulnerabilities (USN-5727-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 ESM / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the USN-5727-2 advisory.\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it\n possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This\n flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel\n oops condition that results in a denial of service. 
(CVE-2022-2153)\n\n - A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function\n security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use\n this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue\n is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation\n leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the\n identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race\n condition. This could lead to local escalation of privilege with no additional execution privileges\n needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid\n ID: A-237540956References: Upstream kernel (CVE-2022-20422)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. 
(CVE-2022-36879)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information\n from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5727-2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-2978\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:esm\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1138-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n 
script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(16\\.04|18\\.04)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n if (! 
preg(pattern:\"^(4.15.0-\\d{4}-gcp)$\", string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n var extra = '';\n var kernel_mappings = {\n \"4.15.0-\\d{4}-gcp\" : \"4.15.0-1138\"\n };\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D+)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5727-2');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-2153', 'CVE-2022-2978', 'CVE-2022-3028', 'CVE-2022-3635', 'CVE-2022-20422', 'CVE-2022-36879', 'CVE-2022-40768');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5727-2');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-25T04:48:14", "description": "The remote Ubuntu 16.04 ESM / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5727-1 advisory.\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service. 
(CVE-2022-2153)\n\n - A use-after-free flaw was found in the Linux kernel's NILFS file system in the way a user triggers the function security_inode_alloc to fail, followed by a call to the function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-237540956. References: Upstream kernel (CVE-2022-20422)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. 
(CVE-2022-36879)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-17T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 ESM / 18.04 LTS : Linux kernel vulnerabilities (USN-5727-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-20422", "CVE-2022-2153", "CVE-2022-2978", "CVE-2022-3028", "CVE-2022-3635", "CVE-2022-36879", "CVE-2022-40768"], "modified": "2023-03-22T00:00:00", "cpe": ["cpe:2.3:o:canonical:ubuntu_linux:18.04:-:lts:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-generic:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-lowlatency:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-aws:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-kvm:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-generic-lpae:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-aws-hwe:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-oracle:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-raspi2:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-snapdragon:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-dell300x:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:-:esm:*:*:*:*:*", 
"p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.15.0-1055-dell300x:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.15.0-1108-oracle:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.15.0-1121-raspi2:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.15.0-1129-kvm:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.15.0-1139-snapdragon:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.15.0-1143-aws:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.15.0-1143-aws-hwe:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.15.0-197-generic:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.15.0-197-generic-lpae:*:*:*:*:*:*:*", "p-cpe:2.3:a:canonical:ubuntu_linux:linux-image-4.15.0-197-lowlatency:*:*:*:*:*:*:*"], "id": "UBUNTU_USN-5727-1.NASL", "href": "https://www.tenable.com/plugins/nessus/167770", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5727-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167770);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/22\");\n\n script_cve_id(\n \"CVE-2022-2153\",\n \"CVE-2022-2978\",\n \"CVE-2022-3028\",\n \"CVE-2022-3635\",\n \"CVE-2022-20422\",\n \"CVE-2022-36879\",\n \"CVE-2022-40768\"\n );\n script_xref(name:\"USN\", value:\"5727-1\");\n\n script_name(english:\"Ubuntu 16.04 ESM / 18.04 LTS : Linux kernel vulnerabilities (USN-5727-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 ESM / 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the USN-5727-1 advisory.\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it\n possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This\n flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel\n oops condition that results in a denial of service. (CVE-2022-2153)\n\n - A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function\n security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use\n this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. 
(CVE-2022-3028)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue\n is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation\n leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the\n identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race\n condition. This could lead to local escalation of privilege with no additional execution privileges\n needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid\n ID: A-237540956References: Upstream kernel (CVE-2022-20422)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information\n from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5727-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-2978\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:esm\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1055-dell300x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1108-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1121-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1129-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1139-snapdragon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1143-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-1143-aws-hwe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-197-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-197-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-4.15.0-197-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws-hwe\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-dell300x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-snapdragon\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(16\\.04|18\\.04)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04', 'Ubuntu ' + os_release);\nif ( ! 
get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n if (! preg(pattern:\"^(4.15.0-\\d{3}-(generic|generic-lpae|lowlatency)|4.15.0-\\d{4}-(aws|aws-hwe|dell300x|kvm|oracle|raspi2|snapdragon))$\", string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n var extra = '';\n var kernel_mappings = {\n \"4.15.0-\\d{3}-(generic|generic-lpae|lowlatency)\" : \"4.15.0-197\",\n \"4.15.0-\\d{3}-(generic|lowlatency)\" : \"4.15.0-197\",\n \"4.15.0-\\d{4}-(aws|aws-hwe)\" : \"4.15.0-1143\",\n \"4.15.0-\\d{4}-aws\" : \"4.15.0-1143\",\n \"4.15.0-\\d{4}-dell300x\" : \"4.15.0-1055\",\n \"4.15.0-\\d{4}-kvm\" : \"4.15.0-1129\",\n \"4.15.0-\\d{4}-oracle\" : \"4.15.0-1108\",\n \"4.15.0-\\d{4}-raspi2\" : \"4.15.0-1121\",\n \"4.15.0-\\d{4}-snapdragon\" : \"4.15.0-1139\"\n };\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D+)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5727-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-2153', 'CVE-2022-2978', 'CVE-2022-3028', 'CVE-2022-3635', 'CVE-2022-20422', 'CVE-2022-36879', 'CVE-2022-40768');\n if (ksplice_cves_check(cve_list))\n {\n 
audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5727-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-23T00:11:09", "description": "The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5729-1 advisory.\n\n - An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data. (CVE-2022-2905)\n\n - A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability. (CVE-2022-3625)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. 
Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-237540956. References: Upstream kernel (CVE-2022-20422)\n\n - An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain. (CVE-2022-39190)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-17T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-5729-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-20422", "CVE-2022-2905", "CVE-2022-2978", "CVE-2022-3028", "CVE-2022-3625", "CVE-2022-3635", "CVE-2022-39190", "CVE-2022-40768"], "modified": "2023-03-22T00:00:00", "cpe": 
["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1008-gkeop", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1018-ibm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1020-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1021-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1022-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1022-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1023-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-53-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-53-generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-53-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-53-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-53-lowlatency-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop", "p-cpe:/a:canonical:ubuntu_linux:linux-image-ibm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-64k", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle"], "id": "UBUNTU_USN-5729-1.NASL", "href": "https://www.tenable.com/plugins/nessus/167767", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5729-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167767);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/22\");\n\n script_cve_id(\n \"CVE-2022-2905\",\n \"CVE-2022-2978\",\n \"CVE-2022-3028\",\n \"CVE-2022-3625\",\n \"CVE-2022-3635\",\n \"CVE-2022-20422\",\n \"CVE-2022-39190\",\n \"CVE-2022-40768\"\n );\n script_xref(name:\"USN\", value:\"5729-1\");\n\n script_name(english:\"Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-5729-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the USN-5729-1 advisory.\n\n - An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the\n bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to\n gain unauthorized access to data. (CVE-2022-2905)\n\n - A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function\n security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use\n this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability was found in Linux Kernel. It has been classified as critical. 
This affects the function\n devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The\n manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier\n VDB-211929 was assigned to this vulnerability. (CVE-2022-3625)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue\n is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation\n leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the\n identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race\n condition. This could lead to local escalation of privilege with no additional execution privileges\n needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid\n ID: A-237540956References: Upstream kernel (CVE-2022-20422)\n\n - An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of\n service can occur upon binding to an already bound chain. 
(CVE-2022-39190)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information\n from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5729-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3625\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1008-gkeop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1018-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1020-gke\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1021-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1022-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1022-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1023-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-53-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-53-generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-53-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-53-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-53-lowlatency-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-ibm\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency-64k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(20\\.04|22\\.04)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 22.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n if (! 
preg(pattern:\"^(5.15.0-\\d{2}-(generic|generic-64k|generic-lpae|lowlatency|lowlatency-64k)|5.15.0-\\d{4}-(azure|gcp|gke|gkeop|ibm|kvm|oracle))$\", string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n var extra = '';\n var kernel_mappings = {\n \"5.15.0-\\d{2}-(generic|generic-64k|generic-lpae|lowlatency|lowlatency-64k)\" : \"5.15.0-53\",\n \"5.15.0-\\d{4}-azure\" : \"5.15.0-1023\",\n \"5.15.0-\\d{4}-gcp\" : \"5.15.0-1022\",\n \"5.15.0-\\d{4}-gke\" : \"5.15.0-1020\",\n \"5.15.0-\\d{4}-gkeop\" : \"5.15.0-1008\",\n \"5.15.0-\\d{4}-ibm\" : \"5.15.0-1018\",\n \"5.15.0-\\d{4}-kvm\" : \"5.15.0-1021\",\n \"5.15.0-\\d{4}-oracle\" : \"5.15.0-1022\"\n };\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D+)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5729-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-2905', 'CVE-2022-2978', 'CVE-2022-3028', 'CVE-2022-3625', 'CVE-2022-3635', 'CVE-2022-20422', 'CVE-2022-39190', 'CVE-2022-40768');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5729-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-23T00:09:57", "description": "The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by 
multiple vulnerabilities as referenced in the USN-5729-2 advisory.\n\n - An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to gain unauthorized access to data. (CVE-2022-2905)\n\n - A use-after-free flaw was found in the Linux kernel NILFS file system in the way a user triggers the function security_inode_alloc to fail, followed by a call to the function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability. (CVE-2022-3625)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-237540956. References: Upstream kernel (CVE-2022-20422)\n\n - An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of service can occur upon binding to an already bound chain. (CVE-2022-39190)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-19T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-5729-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-20422", "CVE-2022-2905", "CVE-2022-2978", "CVE-2022-3028", "CVE-2022-3625", "CVE-2022-3635", "CVE-2022-39190", "CVE-2022-40768"], "modified": "2023-03-22T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1018-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1018-raspi-nolpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1020-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1022-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi", 
"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-nolpae"], "id": "UBUNTU_USN-5729-2.NASL", "href": "https://www.tenable.com/plugins/nessus/167921", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5729-2. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167921);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/22\");\n\n script_cve_id(\n \"CVE-2022-2905\",\n \"CVE-2022-2978\",\n \"CVE-2022-3028\",\n \"CVE-2022-3625\",\n \"CVE-2022-3635\",\n \"CVE-2022-20422\",\n \"CVE-2022-39190\",\n \"CVE-2022-40768\"\n );\n script_xref(name:\"USN\", value:\"5729-2\");\n\n script_name(english:\"Ubuntu 20.04 LTS / 22.04 LTS : Linux kernel vulnerabilities (USN-5729-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the USN-5729-2 advisory.\n\n - An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the\n bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to\n gain unauthorized access to data. (CVE-2022-2905)\n\n - A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function\n security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use\n this flaw to crash the system or potentially escalate their privileges on the system. 
(CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function\n devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The\n manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier\n VDB-211929 was assigned to this vulnerability. (CVE-2022-3625)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue\n is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation\n leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the\n identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race\n condition. This could lead to local escalation of privilege with no additional execution privileges\n needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid\n ID: A-237540956References: Upstream kernel (CVE-2022-20422)\n\n - An issue was discovered in net/netfilter/nf_tables_api.c in the Linux kernel before 5.19.6. A denial of\n service can occur upon binding to an already bound chain. 
(CVE-2022-39190)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information\n from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5729-2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-3625\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1018-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1018-raspi-nolpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1020-gke\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.15.0-1022-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi-nolpae\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(20\\.04|22\\.04)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 22.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n if (! 
preg(pattern:\"^(5.15.0-\\d{4}-(gcp|gke|raspi|raspi-nolpae))$\", string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n var extra = '';\n var kernel_mappings = {\n \"5.15.0-\\d{4}-(raspi|raspi-nolpae)\" : \"5.15.0-1018\",\n \"5.15.0-\\d{4}-gcp\" : \"5.15.0-1022\",\n \"5.15.0-\\d{4}-gke\" : \"5.15.0-1020\"\n };\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D+)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5729-2');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-2905', 'CVE-2022-2978', 'CVE-2022-3028', 'CVE-2022-3625', 'CVE-2022-3635', 'CVE-2022-20422', 'CVE-2022-39190', 'CVE-2022-40768');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5729-2');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-05T03:17:43", "description": "The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5693-1 advisory.\n\n - There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that allow attackers to crash linux kernel without any privileges. 
(CVE-2022-2318)\n\n - A use-after-free flaw was found in the Linux kernel NILFS file system in the way a user triggers the function security_inode_alloc to fail, followed by a call to the function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\n - An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c. (CVE-2022-41674)\n\n - A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code. (CVE-2022-42719)\n\n - Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-free conditions to potentially execute code. (CVE-2022-42720)\n\n - A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in turn, potentially execute code. 
(CVE-2022-42721)\n\n - In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon protection of P2P devices. (CVE-2022-42722)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-19T00:00:00", "type": "nessus", "title": "Ubuntu 22.04 LTS : Linux kernel (OEM) vulnerabilities (USN-5693-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-2318", "CVE-2022-2602", "CVE-2022-2978", "CVE-2022-3028", "CVE-2022-40768", "CVE-2022-41674", "CVE-2022-42719", "CVE-2022-42720", "CVE-2022-42721", "CVE-2022-42722"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:22.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.17.0-1020-oem", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oem"], "id": "UBUNTU_USN-5693-1.NASL", "href": "https://www.tenable.com/plugins/nessus/166272", "sourceData": "#%NASL_MIN_LEVEL 
80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5693-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166272);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2022-2318\",\n \"CVE-2022-2602\",\n \"CVE-2022-2978\",\n \"CVE-2022-3028\",\n \"CVE-2022-40768\",\n \"CVE-2022-41674\",\n \"CVE-2022-42719\",\n \"CVE-2022-42720\",\n \"CVE-2022-42721\",\n \"CVE-2022-42722\"\n );\n script_xref(name:\"USN\", value:\"5693-1\");\n\n script_name(english:\"Ubuntu 22.04 LTS : Linux kernel (OEM) vulnerabilities (USN-5693-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe USN-5693-1 advisory.\n\n - There are use-after-free vulnerabilities caused by timer handler in net/rose/rose_timer.c of linux that\n allow attackers to crash linux kernel without any privileges. (CVE-2022-2318)\n\n - A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function\n security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use\n this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. 
This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information\n from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\n - An issue was discovered in the Linux kernel before 5.19.16. Attackers able to inject WLAN frames could\n cause a buffer overflow in the ieee80211_bss_info_update function in net/mac80211/scan.c. (CVE-2022-41674)\n\n - A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through\n 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and\n potentially execute code. (CVE-2022-42719)\n\n - Various refcounting bugs in the multi-BSS handling in the mac80211 stack in the Linux kernel 5.1 through\n 5.19.x before 5.19.16 could be used by local attackers (able to inject WLAN frames) to trigger use-after-\n free conditions to potentially execute code. (CVE-2022-42720)\n\n - A list management bug in BSS handling in the mac80211 stack in the Linux kernel 5.1 through 5.19.x before\n 5.19.16 could be used by local attackers (able to inject WLAN frames) to corrupt a linked list and, in\n turn, potentially execute code. (CVE-2022-42721)\n\n - In the Linux kernel 5.8 through 5.19.x before 5.19.16, local attackers able to inject WLAN frames into the\n mac80211 stack could cause a NULL pointer dereference denial-of-service attack against the beacon\n protection of P2P devices. 
(CVE-2022-42722)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5693-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-2318\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-42719\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:22.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.17.0-1020-oem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oem\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(22\\.04)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 22.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n if (! 
preg(pattern:\"^(5.17.0-\\d{4}-oem)$\", string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n var extra = '';\n var kernel_mappings = {\n \"5.17.0-\\d{4}-oem\" : \"5.17.0-1020\"\n };\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D+)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5693-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-2318', 'CVE-2022-2602', 'CVE-2022-2978', 'CVE-2022-3028', 'CVE-2022-40768', 'CVE-2022-41674', 'CVE-2022-42719', 'CVE-2022-42720', 'CVE-2022-42721', 'CVE-2022-42722');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5693-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-03-15T06:31:58", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3263-1 advisory.\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. 
A guest user, possibly a remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)\n\n - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session. (CVE-2020-36516)\n\n - Product: Android. Versions: Android kernel. Android ID: A-224546354. References: Upstream kernel (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID:\n A-223375145. References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - A heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability. 
(CVE-2022-2991)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2022:3263-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.8, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.9, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-3900", "CVE-2020-36516", "CVE-2022-20368", "CVE-2022-20369", "CVE-2022-21385", "CVE-2022-2588", "CVE-2022-26373", "CVE-2022-2991", "CVE-2022-3028", "CVE-2022-36879", "CVE-2022-39188"], "modified": "2023-03-10T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:12:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-macros:*:*:*:*:*:*:*"], "id": "SUSE_SU-2022-3263-1.NASL", "href": "https://www.tenable.com/plugins/nessus/165193", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:3263-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165193);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/10\");\n\n script_cve_id(\n \"CVE-2019-3900\",\n \"CVE-2020-36516\",\n \"CVE-2022-2588\",\n \"CVE-2022-2991\",\n \"CVE-2022-3028\",\n \"CVE-2022-20368\",\n \"CVE-2022-20369\",\n \"CVE-2022-21385\",\n \"CVE-2022-26373\",\n \"CVE-2022-36879\",\n \"CVE-2022-39188\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:3263-1\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2022:3263-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2022:3263-1 advisory.\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including\n v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster\n than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the\n vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)\n\n - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the\n hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session\n or terminate that session. (CVE-2020-36516)\n\n - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel\n (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input\n validation. 
This could lead to local escalation of privilege with System execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-223375145References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the\n machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector\n (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation\n (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow\n an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - A heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results from\n the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length\n heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary\n code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged\n code on the target system to exploit this vulnerability. (CVE-2022-2991)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. 
Because of a race\n condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale\n TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133374\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191881\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1196616\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201420\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201726\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201948\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202096\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202347\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202393\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202897\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203098\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203107\");\n # https://lists.suse.com/pipermail/sle-security-updates/2022-September/012222.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b887bf85\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2019-3900\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.suse.com/security/cve/CVE-2020-36516\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20369\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-21385\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-26373\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2991\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3028\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-36879\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-39188\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-36516\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-20368\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/25\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'kernel-default-4.4.180-94.174.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.3']},\n {'reference':'kernel-default-base-4.4.180-94.174.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.3']},\n {'reference':'kernel-default-devel-4.4.180-94.174.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.3']},\n {'reference':'kernel-devel-4.4.180-94.174.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.3']},\n {'reference':'kernel-macros-4.4.180-94.174.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.3']},\n {'reference':'kernel-source-4.4.180-94.174.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.3']},\n {'reference':'kernel-syms-4.4.180-94.174.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.3']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var 
exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-default / kernel-default-base / kernel-default-devel / etc');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:C"}}, {"lastseen": "2023-03-10T19:23:38", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3422-1 advisory.\n\n - A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information. 
(CVE-2021-4203)\n\n - Product: Android. Versions: Android kernel. Android ID: A-224546354. References: Upstream kernel (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID:\n A-223375145. References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured. (CVE-2022-2663)\n\n - A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. 
This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-29T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2022:3422-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4203", "CVE-2022-20368", "CVE-2022-20369", "CVE-2022-21385", "CVE-2022-2588", "CVE-2022-26373", 
"CVE-2022-2663", "CVE-2022-2977", "CVE-2022-3028", "CVE-2022-36879", "CVE-2022-39188"], "modified": "2023-03-10T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt", "p-cpe:/a:novell:suse_linux:dlm-kmp-rt", "p-cpe:/a:novell:suse_linux:gfs2-kmp-rt", "p-cpe:/a:novell:suse_linux:kernel-devel-rt", "p-cpe:/a:novell:suse_linux:kernel-rt", "p-cpe:/a:novell:suse_linux:kernel-rt-base", "p-cpe:/a:novell:suse_linux:kernel-rt-devel", "p-cpe:/a:novell:suse_linux:kernel-rt_debug", "p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel", "p-cpe:/a:novell:suse_linux:kernel-source-rt", "p-cpe:/a:novell:suse_linux:kernel-syms-rt", "p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2022-3422-1.NASL", "href": "https://www.tenable.com/plugins/nessus/165562", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:3422-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165562);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/10\");\n\n script_cve_id(\n \"CVE-2021-4203\",\n \"CVE-2022-2588\",\n \"CVE-2022-2663\",\n \"CVE-2022-2977\",\n \"CVE-2022-3028\",\n \"CVE-2022-20368\",\n \"CVE-2022-20369\",\n \"CVE-2022-21385\",\n \"CVE-2022-26373\",\n \"CVE-2022-36879\",\n \"CVE-2022-39188\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:3422-1\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2022:3422-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2022:3422-1 advisory.\n\n - A 
use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and\n SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a\n user privileges may crash the system or leak internal kernel information. (CVE-2021-4203)\n\n - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel\n (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input\n validation. This could lead to local escalation of privilege with System execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-223375145References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the\n machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector\n (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation\n (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow\n an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and\n incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted\n IRC with nf_conntrack_irc configured. (CVE-2022-2663)\n\n - A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where\n virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-\n free and create a situation where it may be possible to escalate privileges on the system. 
(CVE-2022-2977)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race\n condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale\n TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1054914\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1065729\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1120716\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179310\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190397\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191881\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1194535\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1197158\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1199617\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201264\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1201420\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201442\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201610\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201726\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201948\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202017\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202096\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202097\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202347\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202393\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202396\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202528\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202577\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202672\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202830\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202897\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203013\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203098\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203107\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1203126\");\n # https://lists.suse.com/pipermail/sle-security-updates/2022-September/012397.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?91355af3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4203\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20369\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-21385\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-26373\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2663\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2977\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3028\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-36879\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-39188\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4203\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2977\");\n\n script_set_attribute(attribute:\"exploitability_ease\", 
value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-rt_debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local 
Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(5)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'cluster-md-kmp-rt-4.12.14-10.100.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SUSE-Linux-Enterprise-RT-release-12.5']},\n {'reference':'dlm-kmp-rt-4.12.14-10.100.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SUSE-Linux-Enterprise-RT-release-12.5']},\n {'reference':'gfs2-kmp-rt-4.12.14-10.100.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SUSE-Linux-Enterprise-RT-release-12.5']},\n {'reference':'kernel-devel-rt-4.12.14-10.100.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SUSE-Linux-Enterprise-RT-release-12.5']},\n {'reference':'kernel-rt-4.12.14-10.100.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SUSE-Linux-Enterprise-RT-release-12.5']},\n {'reference':'kernel-rt-base-4.12.14-10.100.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SUSE-Linux-Enterprise-RT-release-12.5']},\n {'reference':'kernel-rt-devel-4.12.14-10.100.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SUSE-Linux-Enterprise-RT-release-12.5']},\n {'reference':'kernel-rt_debug-4.12.14-10.100.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SUSE-Linux-Enterprise-RT-release-12.5']},\n {'reference':'kernel-rt_debug-devel-4.12.14-10.100.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SUSE-Linux-Enterprise-RT-release-12.5']},\n {'reference':'kernel-source-rt-4.12.14-10.100.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SUSE-Linux-Enterprise-RT-release-12.5']},\n {'reference':'kernel-syms-rt-4.12.14-10.100.1', 'sp':'5', 'cpu':'x86_64', 
'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SUSE-Linux-Enterprise-RT-release-12.5']},\n {'reference':'ocfs2-kmp-rt-4.12.14-10.100.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SUSE-Linux-Enterprise-RT-release-12.5']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-rt / dlm-kmp-rt / gfs2-kmp-rt / kernel-devel-rt / etc');\n}\n", "cvss": {"score": 4.9, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:P"}}, {"lastseen": "2023-03-14T22:30:06", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the 
SUSE-SU-2022:3294-1 advisory.\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, possibly a remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)\n\n - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session. (CVE-2020-36516)\n\n - Product: Android. Versions: Android kernel. Android ID: A-224546354. References: Upstream kernel (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-223375145. References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - A heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. 
This vulnerability allows a local attacker to escalate privileges and execute arbitrary code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged code on the target system to exploit this vulnerability. (CVE-2022-2991)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. 
(CVE-2022-39188)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-17T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2022:3294-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 6.8, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-3900", "CVE-2020-36516", "CVE-2022-20368", "CVE-2022-20369", "CVE-2022-21385", "CVE-2022-2588", "CVE-2022-26373", "CVE-2022-2991", "CVE-2022-3028", "CVE-2022-36879", "CVE-2022-39188"], "modified": "2023-03-10T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:12:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-macros:*:*:*:*:*:*:*"], "id": "SUSE_SU-2022-3294-1.NASL", "href": 
"https://www.tenable.com/plugins/nessus/165232", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:3294-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165232);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/10\");\n\n script_cve_id(\n \"CVE-2019-3900\",\n \"CVE-2020-36516\",\n \"CVE-2022-2588\",\n \"CVE-2022-2991\",\n \"CVE-2022-3028\",\n \"CVE-2022-20368\",\n \"CVE-2022-20369\",\n \"CVE-2022-21385\",\n \"CVE-2022-26373\",\n \"CVE-2022-36879\",\n \"CVE-2022-39188\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:3294-1\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2022:3294-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2022:3294-1 advisory.\n\n - An infinite loop issue was found in the vhost_net kernel module in Linux Kernel up to and including\n v5.1-rc6, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster\n than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the\n vhost_net kernel thread, resulting in a DoS scenario. (CVE-2019-3900)\n\n - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the\n hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session\n or terminate that session. 
(CVE-2020-36516)\n\n - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel\n (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input\n validation. This could lead to local escalation of privilege with System execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-223375145References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the\n machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector\n (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation\n (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow\n an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - A heap-based buffer overflow was found in the Linux kernel's LightNVM subsystem. The issue results from\n the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length\n heap-based buffer. This vulnerability allows a local attacker to escalate privileges and execute arbitrary\n code in the context of the kernel. The attacker must first obtain the ability to execute high-privileged\n code on the target system to exploit this vulnerability. (CVE-2022-2991)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. 
(CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race\n condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale\n TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1133374\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191881\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1196616\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201420\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201726\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201948\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202096\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202347\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202393\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202897\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203098\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203107\");\n # 
https://lists.suse.com/pipermail/sle-security-updates/2022-September/012274.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1cc40e1a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2019-3900\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36516\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20369\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-21385\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-26373\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2991\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3028\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-36879\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-39188\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-36516\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-20368\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(2)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'kernel-default-4.4.121-92.188.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']},\n {'reference':'kernel-default-base-4.4.121-92.188.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']},\n {'reference':'kernel-default-devel-4.4.121-92.188.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']},\n {'reference':'kernel-devel-4.4.121-92.188.1', 'sp':'2', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']},\n {'reference':'kernel-macros-4.4.121-92.188.1', 'sp':'2', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']},\n {'reference':'kernel-source-4.4.121-92.188.1', 'sp':'2', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']},\n {'reference':'kernel-syms-4.4.121-92.188.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-bcl-release-12.2']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = 
package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-default / kernel-default-base / kernel-default-devel / etc');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:C"}}, {"lastseen": "2023-03-15T06:33:06", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3282-1 advisory.\n\n - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session. (CVE-2020-36516)\n\n - A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information. (CVE-2021-4203)\n\n - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-223375145. References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-2639)\n\n - Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows a local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions. (CVE-2022-29581)\n\n - A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. 
This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-17T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2022:3282-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-36516", "CVE-2021-4203", "CVE-2022-20368", "CVE-2022-20369", "CVE-2022-21385", "CVE-2022-2588", "CVE-2022-26373", "CVE-2022-2639", "CVE-2022-29581", "CVE-2022-2977", "CVE-2022-3028", "CVE-2022-36879"], "modified": "2023-03-10T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:12:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-azure:*:*:*:*:*:*:*", 
"p-cpe:2.3:a:novell:suse_linux:kernel-azure-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-azure-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms-azure:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel-azure:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source-azure:*:*:*:*:*:*:*"], "id": "SUSE_SU-2022-3282-1.NASL", "href": "https://www.tenable.com/plugins/nessus/165228", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:3282-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165228);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/10\");\n\n script_cve_id(\n \"CVE-2020-36516\",\n \"CVE-2021-4203\",\n \"CVE-2022-2588\",\n \"CVE-2022-2639\",\n \"CVE-2022-2977\",\n \"CVE-2022-3028\",\n \"CVE-2022-20368\",\n \"CVE-2022-20369\",\n \"CVE-2022-21385\",\n \"CVE-2022-26373\",\n \"CVE-2022-29581\",\n \"CVE-2022-36879\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:3282-1\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2022:3282-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2022:3282-1 advisory.\n\n - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the\n hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session\n or terminate that session. 
(CVE-2020-36516)\n\n - A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and\n SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a\n user privileges may crash the system or leak internal kernel information. (CVE-2021-4203)\n\n - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel\n (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input\n validation. This could lead to local escalation of privilege with System execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-223375145References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the\n machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector\n (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation\n (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow\n an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of\n actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size()\n function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This\n flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-2639)\n\n - Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to\n cause privilege escalation to root. 
This issue affects: Linux Kernel versions prior to 5.18; version 4.14\n and later versions. (CVE-2022-29581)\n\n - A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where\n virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-\n free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1054914\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1065729\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1120716\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179310\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190397\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191881\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1194535\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1196616\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1197158\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1199617\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1199665\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201019\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201264\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201420\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201442\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201610\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201705\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201726\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201948\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202017\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202096\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202154\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202347\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202393\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202396\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202528\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202577\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202672\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202830\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1202897\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203013\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203098\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203126\");\n # https://lists.suse.com/pipermail/sle-security-updates/2022-September/012250.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5e679c09\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36516\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4203\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20369\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-21385\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-26373\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2639\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-29581\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2977\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3028\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-36879\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29581\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2977\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-azure-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This 
script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(5)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'kernel-azure-4.12.14-16.109.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-azure-base-4.12.14-16.109.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-azure-devel-4.12.14-16.109.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-devel-azure-4.12.14-16.109.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-source-azure-4.12.14-16.109.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-syms-azure-4.12.14-16.109.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = 
package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-azure / kernel-azure-base / kernel-azure-devel / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-15T02:39:19", "description": "The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3265-1 advisory.\n\n - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session. (CVE-2020-36516)\n\n - A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information. (CVE-2021-4203)\n\n - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-223375145. References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-2639)\n\n - Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14 and later versions. (CVE-2022-29581)\n\n - A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. 
This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2022:3265-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-36516", "CVE-2021-4203", "CVE-2022-20368", "CVE-2022-20369", "CVE-2022-21385", "CVE-2022-2588", "CVE-2022-26373", "CVE-2022-2639", "CVE-2022-29581", "CVE-2022-2977", "CVE-2022-3028", "CVE-2022-36879"], "modified": "2023-03-10T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:12:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default:*:*:*:*:*:*:*", 
"p-cpe:2.3:a:novell:suse_linux:kernel-source:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-extra:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-man:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-obs-build:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-kgraft:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:cluster-md-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:dlm-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:gfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-kgraft-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-macros:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:ocfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kgraft-patch-4_12_14-122_133-default:*:*:*:*:*:*:*"], "id": "SUSE_SU-2022-3265-1.NASL", "href": "https://www.tenable.com/plugins/nessus/165196", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:3265-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165196);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/10\");\n\n script_cve_id(\n \"CVE-2020-36516\",\n \"CVE-2021-4203\",\n \"CVE-2022-2588\",\n \"CVE-2022-2639\",\n \"CVE-2022-2977\",\n \"CVE-2022-3028\",\n \"CVE-2022-20368\",\n \"CVE-2022-20369\",\n \"CVE-2022-21385\",\n \"CVE-2022-26373\",\n \"CVE-2022-29581\",\n \"CVE-2022-36879\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:3265-1\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2022:3265-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED12 / SLES12 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2022:3265-1 advisory.\n\n - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the\n hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session\n or terminate that session. (CVE-2020-36516)\n\n - A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and\n SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a\n user privileges may crash the system or leak internal kernel information. (CVE-2021-4203)\n\n - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel\n (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input\n validation. This could lead to local escalation of privilege with System execution privileges needed. 
User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-223375145References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the\n machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector\n (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation\n (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow\n an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of\n actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size()\n function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This\n flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-2639)\n\n - Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to\n cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14\n and later versions. (CVE-2022-29581)\n\n - A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where\n virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-\n free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. 
This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1054914\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1065729\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1078216\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1093777\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1094120\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1107937\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1120716\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1141488\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1179310\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1181862\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189904\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190397\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191881\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1194535\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1196616\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1197158\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1198388\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1199617\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1199665\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201019\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201264\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201420\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201442\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201610\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201705\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201726\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201948\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202017\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202096\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202154\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202347\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202393\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202396\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202528\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202577\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202672\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1202830\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202897\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203013\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203098\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203126\");\n # https://lists.suse.com/pipermail/sle-updates/2022-September/025152.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3c402de3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36516\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4203\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20369\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-21385\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-26373\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2639\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-29581\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2977\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3028\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-36879\");\n 
script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29581\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2977\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_12_14-122_133-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED12 / SLES12', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(5)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLED12 SP5\", os_ver + \" SP\" + service_pack);\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(5)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'kernel-default-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-default-base-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-default-devel-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-default-extra-4.12.14-122.133.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sle-we-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-default-extra-4.12.14-122.133.1', 'sp':'5', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sle-we-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-default-man-4.12.14-122.133.1', 'sp':'5', 'cpu':'s390x', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 
'sles-release-12.5']},\n {'reference':'kernel-devel-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-macros-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-obs-build-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sle-sdk-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-source-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']},\n {'reference':'kernel-syms-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5', 'sles-release-12.5']},\n {'reference':'cluster-md-kmp-default-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-12.5']},\n {'reference':'dlm-kmp-default-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-12.5']},\n {'reference':'gfs2-kmp-default-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-12.5']},\n {'reference':'ocfs2-kmp-default-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-12.5']},\n {'reference':'kernel-default-kgraft-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-live-patching-release-12.5']},\n {'reference':'kernel-default-kgraft-devel-4.12.14-122.133.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-live-patching-release-12.5']},\n {'reference':'kgraft-patch-4_12_14-122_133-default-1-8.3.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':['sle-live-patching-release-12.5']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-default / dlm-kmp-default / gfs2-kmp-default / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-25T05:03:15", "description": "The version of kernel installed on the remote host is prior to 4.14.294-150.533. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2022-1636 advisory.\n\n - When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of bounds. 
(CVE-2021-33655)\n\n - A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.\n Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel. (CVE-2021-4159)\n\n - An out-of-bounds read flaw was found in the Linux kernel's TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory. (CVE-2022-1462)\n\n - A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service. (CVE-2022-2153)\n\n - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured. (CVE-2022-2663)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. 
This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges. (CVE-2022-36123)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len. (CVE-2022-36946)\n\n - An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free. 
(CVE-2022-40307)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation (CVE-2022-2588)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-10T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : kernel (ALAS-2022-1636)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33655", "CVE-2021-4159", "CVE-2022-1462", "CVE-2022-1679", "CVE-2022-2153", "CVE-2022-2588", "CVE-2022-2663", "CVE-2022-3028", "CVE-2022-36123", "CVE-2022-36879", "CVE-2022-36946", "CVE-2022-40307"], "modified": "2023-01-12T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-headers", "p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-devel", 
"p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:perf-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2022-1636.NASL", "href": "https://www.tenable.com/plugins/nessus/165986", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2022-1636.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165986);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/12\");\n\n script_cve_id(\n \"CVE-2021-4159\",\n \"CVE-2021-33655\",\n \"CVE-2022-1462\",\n \"CVE-2022-1679\",\n \"CVE-2022-2153\",\n \"CVE-2022-2588\",\n \"CVE-2022-2663\",\n \"CVE-2022-3028\",\n \"CVE-2022-36123\",\n \"CVE-2022-36879\",\n \"CVE-2022-36946\",\n \"CVE-2022-40307\"\n );\n\n script_name(english:\"Amazon Linux AMI : kernel (ALAS-2022-1636)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of kernel installed on the remote host is prior to 4.14.294-150.533. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS-2022-1636 advisory.\n\n - When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of\n bounds. (CVE-2021-33655)\n\n - A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.\n Internal memory locations could be returned to userspace. A local attacker with the permissions to insert\n eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit\n mitigations in place for the kernel. (CVE-2021-4159)\n\n - An out-of-bounds read flaw was found in the Linux kernel's TeleTYpe subsystem. 
The issue occurs in how a\n user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage\n of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read\n unauthorized random data from memory. (CVE-2022-1462)\n\n - A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user\n forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local\n user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it\n possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This\n flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel\n oops condition that results in a denial of service. (CVE-2022-2153)\n\n - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and\n incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted\n IRC with nf_conntrack_irc configured. (CVE-2022-2663)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This\n allows Xen PV guest OS users to cause a denial of service or gain privileges. (CVE-2022-36123)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. 
(CVE-2022-36879)\n\n - nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote\n attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte\n nfta_payload attribute, an skb_pull can encounter a negative skb->len. (CVE-2022-36946)\n\n - An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a\n race condition with a resultant use-after-free. (CVE-2022-40307)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation\n (CVE-2022-2588)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2022-1636.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-33655.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-4159.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-1462.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-1679.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2153.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2588.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2663.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-3028.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-36123.html\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-36879.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-36946.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-40307.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update kernel' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-1679\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-36123\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\ninclude(\"hotfixes.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nvar os_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (get_one_kb_item(\"Host/kpatch/kernel-cves\"))\n{\n set_hotfix_type(\"kpatch\");\n var cve_list = make_list(\"CVE-2021-4159\", \"CVE-2021-33655\", \"CVE-2022-1462\", \"CVE-2022-1679\", \"CVE-2022-2153\", \"CVE-2022-2588\", \"CVE-2022-2663\", \"CVE-2022-3028\", 
\"CVE-2022-36123\", \"CVE-2022-36879\", \"CVE-2022-36946\", \"CVE-2022-40307\");\n if (hotfix_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"kpatch hotfix for ALAS-2022-1636\");\n }\n else\n {\n __rpm_report = hotfix_reporting_text();\n }\n}\nvar pkgs = [\n {'reference':'kernel-4.14.294-150.533.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.14.294-150.533.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-4.14.294-150.533.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-4.14.294-150.533.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-common-i686-4.14.294-150.533.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-common-x86_64-4.14.294-150.533.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.14.294-150.533.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.14.294-150.533.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.14.294-150.533.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.14.294-150.533.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.14.294-150.533.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.14.294-150.533.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-debuginfo-4.14.294-150.533.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-debuginfo-4.14.294-150.533.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-devel-4.14.294-150.533.amzn1', 'cpu':'i686', 'release':'ALA', 
'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-devel-4.14.294-150.533.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.14.294-150.533.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.14.294-150.533.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-debuginfo-4.14.294-150.533.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-debuginfo-4.14.294-150.533.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : 
rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debuginfo / kernel-debuginfo-common-x86_64 / etc\");\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-18T22:14:04", "description": "The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5728-3 advisory.\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service. (CVE-2022-2153)\n\n - A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability. 
(CVE-2022-3625)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-237540956. References: Upstream kernel (CVE-2022-20422)\n\n - Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions. (CVE-2022-29901)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\n - mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move. 
(CVE-2022-41222)\n\n - mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.\n (CVE-2022-42703)\n\n - A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code. (CVE-2022-42719)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-29T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS : Linux kernel (GCP) vulnerabilities (USN-5728-3)", "bulletinFamily": "scanner", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20422", "CVE-2022-2153", "CVE-2022-2978", "CVE-2022-29901", "CVE-2022-3028", "CVE-2022-3625", "CVE-2022-3635", "CVE-2022-39188", "CVE-2022-40768", "CVE-2022-41222", "CVE-2022-42703", "CVE-2022-42719"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1093-gcp", 
"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp"], "id": "UBUNTU_USN-5728-3.NASL", "href": "https://www.tenable.com/plugins/nessus/168282", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5728-3. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(168282);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2022-2153\",\n \"CVE-2022-2978\",\n \"CVE-2022-3028\",\n \"CVE-2022-3625\",\n \"CVE-2022-3635\",\n \"CVE-2022-20422\",\n \"CVE-2022-29901\",\n \"CVE-2022-39188\",\n \"CVE-2022-40768\",\n \"CVE-2022-41222\",\n \"CVE-2022-42703\",\n \"CVE-2022-42719\"\n );\n script_xref(name:\"USN\", value:\"5728-3\");\n\n script_name(english:\"Ubuntu 18.04 LTS : Linux kernel (GCP) vulnerabilities (USN-5728-3)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe USN-5728-3 advisory.\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it\n possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This\n flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel\n oops condition that results in a denial of service. 
(CVE-2022-2153)\n\n - A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function\n security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use\n this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function\n devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The\n manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier\n VDB-211929 was assigned to this vulnerability. (CVE-2022-3625)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue\n is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation\n leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the\n identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race\n condition. This could lead to local escalation of privilege with no additional execution privileges\n needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid\n ID: A-237540956References: Upstream kernel (CVE-2022-20422)\n\n - Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their\n retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can\n hijack return instructions to achieve arbitrary speculative code execution under certain\n microarchitecture-dependent conditions. (CVE-2022-29901)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race\n condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale\n TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information\n from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\n - mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is\n not held during a PUD move. (CVE-2022-41222)\n\n - mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.\n (CVE-2022-42703)\n\n - A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through\n 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and\n potentially execute code. 
(CVE-2022-42719)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5728-3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29901\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-42719\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1093-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(18\\.04)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n if (! 
preg(pattern:\"^(5.4.0-\\d{4}-gcp)$\", string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n var extra = '';\n var kernel_mappings = {\n \"5.4.0-\\d{4}-gcp\" : \"5.4.0-1093\"\n };\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D+)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5728-3');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-2153', 'CVE-2022-2978', 'CVE-2022-3028', 'CVE-2022-3625', 'CVE-2022-3635', 'CVE-2022-20422', 'CVE-2022-29901', 'CVE-2022-39188', 'CVE-2022-40768', 'CVE-2022-41222', 'CVE-2022-42703', 'CVE-2022-42719');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5728-3');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-01-18T22:11:11", "description": "The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5728-1 advisory.\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. 
This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service. (CVE-2022-2153)\n\n - A use-after-free flaw was found in the Linux kernel NILFS file system in the way a user triggers function security_inode_alloc to fail, followed by a call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability. (CVE-2022-3625)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-237540956. References: Upstream kernel (CVE-2022-20422)\n\n - Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions. (CVE-2022-29901)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\n - mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move. (CVE-2022-41222)\n\n - mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.\n (CVE-2022-42703)\n\n - A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code. 
(CVE-2022-42719)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-17T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5728-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20422", "CVE-2022-2153", "CVE-2022-2978", "CVE-2022-29901", "CVE-2022-3028", "CVE-2022-3625", "CVE-2022-3635", "CVE-2022-39188", "CVE-2022-40768", "CVE-2022-41222", "CVE-2022-42703", "CVE-2022-42719"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1037-ibm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1050-bluefield", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1074-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1079-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1087-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1089-aws", 
"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1093-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1095-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-132-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-132-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-132-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-aws", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azure", "p-cpe:/a:canonical:ubuntu_linux:linux-image-bluefield", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic", "p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae", "p-cpe:/a:canonical:ubuntu_linux:linux-image-ibm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm", "p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency", "p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi"], "id": "UBUNTU_USN-5728-1.NASL", "href": "https://www.tenable.com/plugins/nessus/167771", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5728-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. 
Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167771);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2022-2153\",\n \"CVE-2022-2978\",\n \"CVE-2022-3028\",\n \"CVE-2022-3625\",\n \"CVE-2022-3635\",\n \"CVE-2022-20422\",\n \"CVE-2022-29901\",\n \"CVE-2022-39188\",\n \"CVE-2022-40768\",\n \"CVE-2022-41222\",\n \"CVE-2022-42703\",\n \"CVE-2022-42719\"\n );\n script_xref(name:\"USN\", value:\"5728-1\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5728-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the USN-5728-1 advisory.\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it\n possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This\n flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel\n oops condition that results in a denial of service. (CVE-2022-2153)\n\n - A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function\n security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use\n this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. 
This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function\n devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The\n manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier\n VDB-211929 was assigned to this vulnerability. (CVE-2022-3625)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue\n is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation\n leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the\n identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race\n condition. This could lead to local escalation of privilege with no additional execution privileges\n needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid\n ID: A-237540956References: Upstream kernel (CVE-2022-20422)\n\n - Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their\n retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can\n hijack return instructions to achieve arbitrary speculative code execution under certain\n microarchitecture-dependent conditions. (CVE-2022-29901)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race\n condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale\n TLB entries. This only occurs in situations with VM_PFNMAP VMAs. 
(CVE-2022-39188)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information\n from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\n - mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is\n not held during a PUD move. (CVE-2022-41222)\n\n - mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.\n (CVE-2022-42703)\n\n - A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through\n 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and\n potentially execute code. (CVE-2022-42719)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5728-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29901\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-42719\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2022/11/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1037-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1050-bluefield\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1074-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1079-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1087-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1089-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1093-gcp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1095-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-132-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-132-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-132-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-bluefield\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gcp\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-generic-lpae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-ibm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-lowlatency\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-oracle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(18\\.04|20\\.04)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04', 'Ubuntu ' + os_release);\nif ( ! 
get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n if (! preg(pattern:\"^(5.4.0-\\d{3}-(generic|generic-lpae|lowlatency)|5.4.0-\\d{4}-(aws|azure|bluefield|gcp|ibm|kvm|oracle|raspi))$\", string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n var extra = '';\n var kernel_mappings = {\n \"5.4.0-\\d{3}-(generic|generic-lpae|lowlatency)\" : \"5.4.0-132\",\n \"5.4.0-\\d{4}-aws\" : \"5.4.0-1089\",\n \"5.4.0-\\d{4}-azure\" : \"5.4.0-1095\",\n \"5.4.0-\\d{4}-bluefield\" : \"5.4.0-1050\",\n \"5.4.0-\\d{4}-gcp\" : \"5.4.0-1093\",\n \"5.4.0-\\d{4}-ibm\" : \"5.4.0-1037\",\n \"5.4.0-\\d{4}-kvm\" : \"5.4.0-1079\",\n \"5.4.0-\\d{4}-oracle\" : \"5.4.0-1087\",\n \"5.4.0-\\d{4}-raspi\" : \"5.4.0-1074\"\n };\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D+)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5728-1');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-2153', 'CVE-2022-2978', 'CVE-2022-3028', 'CVE-2022-3625', 'CVE-2022-3635', 'CVE-2022-20422', 'CVE-2022-29901', 'CVE-2022-39188', 'CVE-2022-40768', 'CVE-2022-41222', 'CVE-2022-42703', 'CVE-2022-42719');\n if 
(ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5728-1');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-01-18T22:15:38", "description": "The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5728-2 advisory.\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service. (CVE-2022-2153)\n\n - A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier VDB-211929 was assigned to this vulnerability. 
(CVE-2022-3625)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-237540956. References: Upstream kernel (CVE-2022-20422)\n\n - Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution under certain microarchitecture-dependent conditions. (CVE-2022-29901)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\n - mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move. 
(CVE-2022-41222)\n\n - mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.\n (CVE-2022-42703)\n\n - A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and potentially execute code. (CVE-2022-42719)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-19T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5728-2)", "bulletinFamily": "scanner", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 1.9, "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-20422", "CVE-2022-2153", "CVE-2022-2978", "CVE-2022-29901", "CVE-2022-3028", "CVE-2022-3625", "CVE-2022-3635", "CVE-2022-39188", "CVE-2022-40768", "CVE-2022-41222", "CVE-2022-42703", "CVE-2022-42719"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", 
"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1057-gkeop", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1074-raspi", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1087-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1095-azurefde", "p-cpe:/a:canonical:ubuntu_linux:linux-image-azurefde", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gke", "p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop", "p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi"], "id": "UBUNTU_USN-5728-2.NASL", "href": "https://www.tenable.com/plugins/nessus/167920", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5728-2. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(167920);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2022-2153\",\n \"CVE-2022-2978\",\n \"CVE-2022-3028\",\n \"CVE-2022-3625\",\n \"CVE-2022-3635\",\n \"CVE-2022-20422\",\n \"CVE-2022-29901\",\n \"CVE-2022-39188\",\n \"CVE-2022-40768\",\n \"CVE-2022-41222\",\n \"CVE-2022-42703\",\n \"CVE-2022-42719\"\n );\n script_xref(name:\"USN\", value:\"5728-2\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-5728-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS / 20.04 LTS host has a package installed that is affected by multiple vulnerabilities as\nreferenced in the USN-5728-2 advisory.\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. 
This issue makes it\n possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This\n flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel\n oops condition that results in a denial of service. (CVE-2022-2153)\n\n - A flaw use after free in the Linux kernel NILFS file system was found in the way user triggers function\n security_inode_alloc to fail with following call to function nilfs_mdt_destroy. A local user could use\n this flaw to crash the system or potentially escalate their privileges on the system. (CVE-2022-2978)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - A vulnerability was found in Linux Kernel. It has been classified as critical. This affects the function\n devlink_param_set/devlink_param_get of the file net/core/devlink.c of the component IPsec. The\n manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier\n VDB-211929 was assigned to this vulnerability. (CVE-2022-3625)\n\n - A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue\n is the function tst_timer of the file drivers/atm/idt77252.c of the component IPsec. The manipulation\n leads to use after free. It is recommended to apply a patch to fix this issue. VDB-211934 is the\n identifier assigned to this vulnerability. (CVE-2022-3635)\n\n - In emulation_proc_handler of armv8_deprecated.c, there is a possible way to corrupt memory due to a race\n condition. This could lead to local escalation of privilege with no additional execution privileges\n needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid\n ID: A-237540956References: Upstream kernel (CVE-2022-20422)\n\n - Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their\n retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can\n hijack return instructions to achieve arbitrary speculative code execution under certain\n microarchitecture-dependent conditions. (CVE-2022-29901)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race\n condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale\n TLB entries. This only occurs in situations with VM_PFNMAP VMAs. (CVE-2022-39188)\n\n - drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local users to obtain sensitive information\n from kernel memory because stex_queuecommand_lck lacks a memset for the PASSTHRU_CMD case.\n (CVE-2022-40768)\n\n - mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is\n not held during a PUD move. (CVE-2022-41222)\n\n - mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.\n (CVE-2022-42703)\n\n - A use-after-free in the mac80211 stack when parsing a multi-BSSID element in the Linux kernel 5.2 through\n 5.19.x before 5.19.16 could be used by attackers (able to inject WLAN frames) to crash the kernel and\n potentially execute code. 
(CVE-2022-42719)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5728-2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-29901\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-42719\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/07/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/11/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1057-gkeop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1074-raspi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1087-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-5.4.0-1095-azurefde\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-azurefde\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gke\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-gkeop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:linux-image-raspi\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2022-2023 Canonical, Inc. / NASL script (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\ninclude('ksplice.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! preg(pattern:\"^(18\\.04|20\\.04)$\", string:os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar machine_kernel_release = get_kb_item_or_exit('Host/uname-r');\nif (machine_kernel_release)\n{\n if (! 
preg(pattern:\"^(5.4.0-\\d{4}-(azure-fde|gke|gkeop|raspi))$\", string:machine_kernel_release)) audit(AUDIT_INST_VER_NOT_VULN, 'kernel ' + machine_kernel_release);\n var extra = '';\n var kernel_mappings = {\n \"5.4.0-\\d{4}-azure-fde\" : \"5.4.0-1095\",\n \"5.4.0-\\d{4}-gke\" : \"5.4.0-1087\",\n \"5.4.0-\\d{4}-gkeop\" : \"5.4.0-1057\",\n \"5.4.0-\\d{4}-raspi\" : \"5.4.0-1074\"\n };\n var trimmed_kernel_release = ereg_replace(string:machine_kernel_release, pattern:\"(-\\D+)$\", replace:'');\n foreach var kernel_regex (keys(kernel_mappings)) {\n if (preg(pattern:kernel_regex, string:machine_kernel_release)) {\n if (deb_ver_cmp(ver1:trimmed_kernel_release, ver2:kernel_mappings[kernel_regex]) < 0)\n {\n extra = extra + 'Running Kernel level of ' + trimmed_kernel_release + ' does not meet the minimum fixed level of ' + kernel_mappings[kernel_regex] + ' for this advisory.\\n\\n';\n }\n else\n {\n audit(AUDIT_PATCH_INSTALLED, 'Kernel package for USN-5728-2');\n }\n }\n }\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n var cve_list = make_list('CVE-2022-2153', 'CVE-2022-2978', 'CVE-2022-3028', 'CVE-2022-3625', 'CVE-2022-3635', 'CVE-2022-20422', 'CVE-2022-29901', 'CVE-2022-39188', 'CVE-2022-40768', 'CVE-2022-41222', 'CVE-2022-42703', 'CVE-2022-42719');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for USN-5728-2');\n }\n else\n {\n extra = extra + ksplice_reporting_text();\n }\n}\nif (extra) {\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : extra\n );\n exit(0);\n}\n", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-03-22T22:16:40", "description": "The version of kernel installed on the remote host is prior to 5.4.214-120.368. 
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2KERNEL-5.4-2022-036 advisory.\n\n - A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.\n Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel. (CVE-2021-4159)\n\n - A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-223375145. References: Upstream kernel (CVE-2022-20369)\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service. (CVE-2022-2153)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured. 
(CVE-2022-2663)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free. (CVE-2022-40307)\n\n - mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is not held during a PUD move. (CVE-2022-41222)\n\n - A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system. 
(CVE-2022-1679) (CVE-2022-2586)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation (CVE-2022-2588)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-14T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : kernel (ALASKERNEL-5.4-2022-036)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-4159", "CVE-2022-1679", "CVE-2022-20369", "CVE-2022-2153", "CVE-2022-2586", "CVE-2022-2588", "CVE-2022-26373", "CVE-2022-2663", "CVE-2022-3028", "CVE-2022-3625", "CVE-2022-39188", "CVE-2022-40307", "CVE-2022-41222"], "modified": "2023-03-22T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:bpftool", "p-cpe:/a:amazon:linux:bpftool-debuginfo", "p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-headers", 
"p-cpe:/a:amazon:linux:kernel-tools", "p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:perf-debuginfo", "p-cpe:/a:amazon:linux:python-perf", "p-cpe:/a:amazon:linux:python-perf-debuginfo", "cpe:/o:amazon:linux:2"], "id": "AL2_ALASKERNEL-5_4-2022-036.NASL", "href": "https://www.tenable.com/plugins/nessus/166131", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALASKERNEL-5.4-2022-036.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166131);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/22\");\n\n script_cve_id(\n \"CVE-2021-4159\",\n \"CVE-2022-1679\",\n \"CVE-2022-2153\",\n \"CVE-2022-2586\",\n \"CVE-2022-2588\",\n \"CVE-2022-2663\",\n \"CVE-2022-3028\",\n \"CVE-2022-3625\",\n \"CVE-2022-20369\",\n \"CVE-2022-26373\",\n \"CVE-2022-39188\",\n \"CVE-2022-40307\",\n \"CVE-2022-41222\"\n );\n\n script_name(english:\"Amazon Linux 2 : kernel (ALASKERNEL-5.4-2022-036)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of kernel installed on the remote host is prior to 5.4.214-120.368. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2KERNEL-5.4-2022-036 advisory.\n\n - A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.\n Internal memory locations could be returned to userspace. A local attacker with the permissions to insert\n eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit\n mitigations in place for the kernel. 
(CVE-2021-4159)\n\n - A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user\n forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local\n user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input\n validation. This could lead to local escalation of privilege with System execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-223375145References: Upstream kernel (CVE-2022-20369)\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it\n possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This\n flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel\n oops condition that results in a denial of service. (CVE-2022-2153)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow\n an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and\n incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted\n IRC with nf_conntrack_irc configured. (CVE-2022-2663)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. 
(CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a\n race condition with a resultant use-after-free. (CVE-2022-40307)\n\n - mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is\n not held during a PUD move. (CVE-2022-41222)\n\n - A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user\n forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local\n user to crash or potentially escalate their privileges on the system. (CVE-2022-1679) (CVE-2022-2586)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation\n (CVE-2022-2588)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2022-036.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-4159.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-1679.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-20369.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2153.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2586.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2588.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-26373.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2663.html\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-3028.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-3625.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-39188.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-40307.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-41222.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/faqs.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update kernel' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-1679\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-3625\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:bpftool\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:bpftool-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"kpatch.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\ninclude(\"hotfixes.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar alas_release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:alas_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (get_one_kb_item(\"Host/kpatch/kernel-cves\"))\n{\n set_hotfix_type(\"kpatch\");\n var cve_list = make_list(\"CVE-2021-4159\", \"CVE-2022-1679\", \"CVE-2022-2153\", \"CVE-2022-2586\", \"CVE-2022-2588\", \"CVE-2022-2663\", \"CVE-2022-3028\", \"CVE-2022-3625\", \"CVE-2022-20369\", \"CVE-2022-26373\", \"CVE-2022-39188\", \"CVE-2022-40307\", \"CVE-2022-41222\");\n if (hotfix_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"kpatch hotfix for ALASKERNEL-5.4-2022-036\");\n }\n else\n {\n __rpm_report = hotfix_reporting_text();\n }\n}\nvar pkgs = [\n {'reference':'bpftool-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'bpftool-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'bpftool-debuginfo-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'bpftool-debuginfo-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 
'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-common-aarch64-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-debuginfo-common-x86_64-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-devel-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-devel-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-headers-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-headers-5.4.214-120.368.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-headers-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n 
{'reference':'kernel-tools-debuginfo-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-debuginfo-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-devel-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'kernel-tools-devel-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-debuginfo-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'perf-debuginfo-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-debuginfo-5.4.214-120.368.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'},\n {'reference':'python-perf-debuginfo-5.4.214-120.368.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-5.4'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var 
exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bpftool / bpftool-debuginfo / kernel / etc\");\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-15T04:32:45", "description": "The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3291-1 advisory.\n\n - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session. 
(CVE-2020-36516)\n\n - A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with user privileges may crash the system or leak internal kernel information. (CVE-2021-4203)\n\n - Product: Android. Versions: Android kernel. Android ID: A-224546354. References: Upstream kernel (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-223375145. References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-2639)\n\n - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. 
A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured. (CVE-2022-2663)\n\n - A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale TLB entries. This only occurs in situations with VM_PFNMAP VMAs. 
(CVE-2022-39188)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-17T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : kernel (SUSE-SU-2022:3291-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.9, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-36516", "CVE-2021-4203", "CVE-2022-20368", "CVE-2022-20369", "CVE-2022-21385", "CVE-2022-2588", "CVE-2022-26373", "CVE-2022-2639", "CVE-2022-2663", "CVE-2022-2977", "CVE-2022-3028", "CVE-2022-36879", "CVE-2022-39188"], "modified": "2023-03-10T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:15:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-man:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-obs-build:*:*:*:*:*:*:*", 
"p-cpe:2.3:a:novell:suse_linux:reiserfs-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-vanilla-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-livepatch:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:cluster-md-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:dlm-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:gfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-macros:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:ocfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-livepatch-4_12_14-150000_150_101-default:*:*:*:*:*:*:*"], "id": "SUSE_SU-2022-3291-1.NASL", "href": "https://www.tenable.com/plugins/nessus/165234", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:3291-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165234);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/10\");\n\n script_cve_id(\n \"CVE-2020-36516\",\n \"CVE-2021-4203\",\n \"CVE-2022-2588\",\n \"CVE-2022-2639\",\n \"CVE-2022-2663\",\n \"CVE-2022-2977\",\n \"CVE-2022-3028\",\n \"CVE-2022-20368\",\n \"CVE-2022-20369\",\n \"CVE-2022-21385\",\n \"CVE-2022-26373\",\n \"CVE-2022-36879\",\n \"CVE-2022-39188\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:3291-1\");\n\n script_name(english:\"SUSE SLES15 Security Update : kernel (SUSE-SU-2022:3291-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2022:3291-1 
advisory.\n\n - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the\n hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session\n or terminate that session. (CVE-2020-36516)\n\n - A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and\n SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a\n user privileges may crash the system or leak internal kernel information. (CVE-2021-4203)\n\n - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel\n (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input\n validation. This could lead to local escalation of privilege with System execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-223375145References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the\n machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector\n (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation\n (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow\n an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of\n actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size()\n function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. 
This\n flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-2639)\n\n - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and\n incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted\n IRC with nf_conntrack_irc configured. (CVE-2022-2663)\n\n - A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where\n virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-\n free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - An issue was discovered in include/asm-generic/tlb.h in the Linux kernel before 5.19. Because of a race\n condition (unmap_mapping_range versus munmap), a device driver can free a page while it still has stale\n TLB entries. This only occurs in situations with VM_PFNMAP VMAs. 
(CVE-2022-39188)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1169514\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177440\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188944\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191881\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1194535\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1196616\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201019\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201420\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201705\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201726\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201948\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202096\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202097\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202154\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202346\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202347\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202393\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202396\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202672\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1202897\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203098\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203107\");\n # https://lists.suse.com/pipermail/sle-security-updates/2022-September/012271.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?541192dc\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36516\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4203\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20369\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-21385\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-26373\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2639\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2663\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2977\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3028\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-36879\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-39188\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4203\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2977\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-livepatch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-livepatch-4_12_14-150000_150_101-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-obs-build\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-vanilla-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:reiserfs-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'kernel-default-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15', 'SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-default-base-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15', 'SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-default-devel-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15', 'SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-devel-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15', 'SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-macros-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15', 'SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-obs-build-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15', 
'SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-source-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15', 'SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-syms-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15', 'SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-vanilla-base-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15', 'SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'reiserfs-kmp-default-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'kernel-default-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-default-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-default-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-default-base-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-default-base-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-default-base-4.12.14-150000.150.101.1', 'sp':'0', 
'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-default-devel-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-default-devel-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-default-devel-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-devel-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15', 'sles-ltss-release-15']},\n {'reference':'kernel-macros-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15', 'sles-ltss-release-15']},\n {'reference':'kernel-obs-build-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-obs-build-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-obs-build-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-source-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15', 
'sles-ltss-release-15']},\n {'reference':'kernel-syms-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-syms-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-syms-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-vanilla-base-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-vanilla-base-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'kernel-vanilla-base-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'cluster-md-kmp-default-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-15']},\n {'reference':'dlm-kmp-default-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-15']},\n {'reference':'gfs2-kmp-default-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-15']},\n {'reference':'ocfs2-kmp-default-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-15']},\n {'reference':'kernel-default-livepatch-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 
'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-live-patching-release-15']},\n {'reference':'kernel-livepatch-4_12_14-150000_150_101-default-1-150000.1.3.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-live-patching-release-15']},\n {'reference':'kernel-default-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'kernel-default-base-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'kernel-default-devel-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'kernel-default-man-4.12.14-150000.150.101.1', 'sp':'0', 'cpu':'s390x', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'kernel-obs-build-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'kernel-syms-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'kernel-vanilla-base-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'reiserfs-kmp-default-4.12.14-150000.150.101.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if 
(!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n if ('ltss' >< tolower(check)) ltss_caveat_required = TRUE;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'cluster-md-kmp-default / dlm-kmp-default / gfs2-kmp-default / etc');\n}\n", "cvss": {"score": 4.9, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:P"}}, {"lastseen": "2023-02-21T04:47:13", "description": "The version of kernel installed on the remote host is prior to 4.14.294-220.533. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2022-1852 advisory.\n\n - When sending malicious data to the kernel by ioctl cmd FBIOPUT_VSCREENINFO, the kernel will write memory out of bounds. 
(CVE-2021-33655)\n\n - A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.\n Internal memory locations could be returned to userspace. A local attacker with the permissions to insert eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit mitigations in place for the kernel. (CVE-2021-4159)\n\n - An out-of-bounds read flaw was found in the Linux kernel's TeleTYpe subsystem. The issue occurs in how a user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read unauthorized random data from memory. (CVE-2022-1462)\n\n - A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service. (CVE-2022-2153)\n\n - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted IRC with nf_conntrack_irc configured. (CVE-2022-2663)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. 
This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges. (CVE-2022-36123)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len. (CVE-2022-36946)\n\n - An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a race condition with a resultant use-after-free. 
(CVE-2022-40307)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation (CVE-2022-2588)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-10T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : kernel (ALAS-2022-1852)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33655", "CVE-2021-4159", "CVE-2022-1462", "CVE-2022-1679", "CVE-2022-2153", "CVE-2022-2588", "CVE-2022-2663", "CVE-2022-3028", "CVE-2022-36123", "CVE-2022-36879", "CVE-2022-36946", "CVE-2022-39188", "CVE-2022-40307"], "modified": "2023-02-20T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:kernel", "p-cpe:/a:amazon:linux:kernel-debuginfo", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64", "p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:amazon:linux:kernel-devel", "p-cpe:/a:amazon:linux:kernel-headers", "p-cpe:/a:amazon:linux:kernel-livepatch-4.14.294-220.533", "p-cpe:/a:amazon:linux:kernel-tools", 
"p-cpe:/a:amazon:linux:kernel-tools-debuginfo", "p-cpe:/a:amazon:linux:kernel-tools-devel", "p-cpe:/a:amazon:linux:perf", "p-cpe:/a:amazon:linux:perf-debuginfo", "p-cpe:/a:amazon:linux:python-perf", "p-cpe:/a:amazon:linux:python-perf-debuginfo", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2022-1852.NASL", "href": "https://www.tenable.com/plugins/nessus/165990", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2022-1852.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165990);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/20\");\n\n script_cve_id(\n \"CVE-2021-4159\",\n \"CVE-2021-33655\",\n \"CVE-2022-1462\",\n \"CVE-2022-1679\",\n \"CVE-2022-2153\",\n \"CVE-2022-2588\",\n \"CVE-2022-2663\",\n \"CVE-2022-3028\",\n \"CVE-2022-36123\",\n \"CVE-2022-36879\",\n \"CVE-2022-36946\",\n \"CVE-2022-39188\",\n \"CVE-2022-40307\"\n );\n\n script_name(english:\"Amazon Linux 2 : kernel (ALAS-2022-1852)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of kernel installed on the remote host is prior to 4.14.294-220.533. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2-2022-1852 advisory.\n\n - When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of\n bounds. (CVE-2021-33655)\n\n - A vulnerability was found in the Linux kernel's EBPF verifier when handling internal data structures.\n Internal memory locations could be returned to userspace. A local attacker with the permissions to insert\n eBPF code to the kernel can use this to leak internal kernel memory details defeating some of the exploit\n mitigations in place for the kernel. 
(CVE-2021-4159)\n\n - An out-of-bounds read flaw was found in the Linux kernel's TeleTYpe subsystem. The issue occurs in how a\n user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage\n of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read\n unauthorized random data from memory. (CVE-2022-1462)\n\n - A use-after-free flaw was found in the Linux kernel's Atheros wireless adapter driver in the way a user\n forces the ath9k_htc_wait_for_target function to fail with some input messages. This flaw allows a local\n user to crash or potentially escalate their privileges on the system. (CVE-2022-1679)\n\n - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it\n possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This\n flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel\n oops condition that results in a denial of service. (CVE-2022-2153)\n\n - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and\n incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted\n IRC with nf_conntrack_irc configured. (CVE-2022-2663)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This\n allows Xen PV guest OS users to cause a denial of service or gain privileges. 
(CVE-2022-36123)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote\n attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte\n nfta_payload attribute, an skb_pull can encounter a negative skb->len. (CVE-2022-36946)\n\n - An issue was discovered in the Linux kernel through 5.19.8. drivers/firmware/efi/capsule-loader.c has a\n race condition with a resultant use-after-free. (CVE-2022-40307)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation\n (CVE-2022-2588)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2022-1852.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/../../faqs.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-33655.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-4159.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-1462.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-1679.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2153.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2588.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-2663.html\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-3028.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-36123.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-36879.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-36946.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-39188.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-40307.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update kernel' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-1679\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-36123\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-livepatch-4.14.294-220.533\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:kernel-tools-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"kpatch.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\ninclude(\"hotfixes.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar alas_release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:alas_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (get_one_kb_item(\"Host/kpatch/kernel-cves\"))\n{\n set_hotfix_type(\"kpatch\");\n var cve_list = make_list(\"CVE-2021-4159\", \"CVE-2021-33655\", \"CVE-2022-1462\", \"CVE-2022-1679\", \"CVE-2022-2153\", \"CVE-2022-2588\", \"CVE-2022-2663\", \"CVE-2022-3028\", \"CVE-2022-36123\", \"CVE-2022-36879\", \"CVE-2022-36946\", \"CVE-2022-39188\", \"CVE-2022-40307\");\n if (hotfix_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"kpatch hotfix for ALAS-2022-1852\");\n }\n else\n {\n __rpm_report = hotfix_reporting_text();\n }\n}\nvar pkgs = [\n {'reference':'kernel-4.14.294-220.533.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-4.14.294-220.533.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-4.14.294-220.533.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-4.14.294-220.533.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-common-aarch64-4.14.294-220.533.amzn2', 
'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-debuginfo-common-x86_64-4.14.294-220.533.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.14.294-220.533.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-devel-4.14.294-220.533.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.14.294-220.533.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.14.294-220.533.amzn2', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-headers-4.14.294-220.533.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-livepatch-4.14.294-220.533-1.0-0.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.14.294-220.533.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-4.14.294-220.533.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-debuginfo-4.14.294-220.533.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-debuginfo-4.14.294-220.533.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-devel-4.14.294-220.533.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'kernel-tools-devel-4.14.294-220.533.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.14.294-220.533.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-4.14.294-220.533.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-debuginfo-4.14.294-220.533.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perf-debuginfo-4.14.294-220.533.amzn2', 
'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-4.14.294-220.533.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-4.14.294-220.533.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-debuginfo-4.14.294-220.533.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-perf-debuginfo-4.14.294-220.533.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n 
var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-debuginfo / kernel-debuginfo-common-x86_64 / etc\");\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-25T20:55:27", "description": "According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of ttys could lead to a use-after-free. (CVE-2020-36557)\n\n - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-223375145References: Upstream kernel (CVE-2022-20369)\n\n - Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5 (CVE-2022-2503)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. 
(CVE-2022-26373)\n\n - An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-2639)\n\n - An out-of-bounds memory access flaw was found in the Linux kernel Intel's iSMT SMBus host controller driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system. (CVE-2022-2873)\n\n - A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.\n (CVE-2022-2964)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges. (CVE-2022-36123)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len. 
(CVE-2022-36946)\n\n - kernel: nf_tables cross-table potential use-after-free may lead to local privilege escalation (CVE-2022-2586)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation (CVE-2022-2588)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-12-28T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.10.0 : kernel (EulerOS-SA-2022-2906)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-36557", "CVE-2022-20368", "CVE-2022-20369", "CVE-2022-2503", "CVE-2022-2586", "CVE-2022-2588", "CVE-2022-26373", "CVE-2022-2639", "CVE-2022-2873", "CVE-2022-2964", "CVE-2022-3028", "CVE-2022-36123", "CVE-2022-36879", "CVE-2022-36946"], "modified": "2023-01-12T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:bpftool", "p-cpe:/a:huawei:euleros:kernel", "p-cpe:/a:huawei:euleros:kernel-abi-stablelists", "p-cpe:/a:huawei:euleros:kernel-tools", "p-cpe:/a:huawei:euleros:kernel-tools-libs", "p-cpe:/a:huawei:euleros:python3-perf", "cpe:/o:huawei:euleros:uvp:2.10.0"], "id": "EULEROS_SA-2022-2906.NASL", "href": "https://www.tenable.com/plugins/nessus/169386", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(169386);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2023/01/12\");\n\n script_cve_id(\n \"CVE-2020-36557\",\n \"CVE-2022-2503\",\n \"CVE-2022-2586\",\n \"CVE-2022-2588\",\n \"CVE-2022-2639\",\n \"CVE-2022-2873\",\n \"CVE-2022-2964\",\n \"CVE-2022-3028\",\n \"CVE-2022-20368\",\n \"CVE-2022-20369\",\n \"CVE-2022-26373\",\n \"CVE-2022-36123\",\n \"CVE-2022-36879\",\n \"CVE-2022-36946\"\n );\n\n script_name(english:\"EulerOS Virtualization 2.10.0 : kernel (EulerOS-SA-2022-2906)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of\n ttys could lead to a use-after-free. (CVE-2020-36557)\n\n - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel\n (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input\n validation. This could lead to local escalation of privilege with System execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-223375145References: Upstream kernel (CVE-2022-20369)\n\n - Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to\n restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently\n allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass\n verification till reboot. 
This allows root to bypass LoadPin and can be used to load untrusted and\n unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for\n peripherals that do not verify firmware updates. We recommend upgrading past commit\n 4caae58406f8ceb741603eee460d79bacca9b1b5 (CVE-2022-2503)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow\n an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of\n actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size()\n function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This\n flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-2639)\n\n - An out-of-bounds memory access flaw was found in the Linux kernel Intel's iSMT SMBus host controller\n driver in the way a user triggers the I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input\n data. This flaw allows a local user to crash the system. (CVE-2022-2873)\n\n - A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet\n Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.\n (CVE-2022-2964)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). 
This\n allows Xen PV guest OS users to cause a denial of service or gain privileges. (CVE-2022-36123)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote\n attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte\n nfta_payload attribute, an skb_pull can encounter a negative skb->len. (CVE-2022-36946)\n\n - kernel: nf_tables cross-table potential use-after-free may lead to local privilege escalation\n (CVE-2022-2586)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation\n (CVE-2022-2588)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-2906\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9f9aaa9d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-36123\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/12/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/12/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:bpftool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-abi-stablelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python3-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.10.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar _release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(_release) || _release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.10.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.10.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu && \"x86\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"x86\" >!< cpu) audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"bpftool-4.18.0-147.5.2.13.h996.eulerosv2r10\",\n \"kernel-4.18.0-147.5.2.13.h996.eulerosv2r10\",\n \"kernel-abi-stablelists-4.18.0-147.5.2.13.h996.eulerosv2r10\",\n \"kernel-tools-4.18.0-147.5.2.13.h996.eulerosv2r10\",\n \"kernel-tools-libs-4.18.0-147.5.2.13.h996.eulerosv2r10\",\n \"python3-perf-4.18.0-147.5.2.13.h996.eulerosv2r10\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-27T06:54:29", "description": "The remote Oracle Linux 6 / 7 host has packages installed that are affected 
by multiple vulnerabilities as referenced in the ELSA-2022-9852 advisory.\n\n - The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.\n (CVE-2017-7472)\n\n - The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16537)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of-bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2020-14390)\n\n - In get_futex_key of futex.c, there is a use-after-free due to improper locking. This could lead to local escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-74250718 References: Upstream kernel. (CVE-2018-9422)\n\n - A vulnerability was found in the Linux kernel, where an information leak occurs via ext4_extent_header to userspace. (CVE-2022-0850)\n\n - A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.\n (CVE-2022-2964)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - Dm-verity is used for extending root-of-trust to root filesystems. 
LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5 (CVE-2022-2503)\n\n - In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service. (CVE-2017-18270)\n\n - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.\n (CVE-2021-30002)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel's filesystem sub-component. This flaw allows a local attacker with a user privilege to cause a denial of service.\n (CVE-2022-1184)\n\n - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).\n (CVE-2021-43976)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small. 
(CVE-2021-45486)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-05T00:00:00", "type": "nessus", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2022-9852)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16537", "CVE-2017-18270", "CVE-2017-7472", "CVE-2018-9422", "CVE-2020-12770", "CVE-2020-14390", "CVE-2021-30002", "CVE-2021-43976", "CVE-2021-45486", "CVE-2022-0850", "CVE-2022-1184", "CVE-2022-2503", "CVE-2022-2964", "CVE-2022-3028", "CVE-2022-36879"], "modified": "2023-03-23T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek-firmware"], "id": "ORACLELINUX_ELSA-2022-9852.NASL", "href": "https://www.tenable.com/plugins/nessus/165663", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The 
descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2022-9852.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165663);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/23\");\n\n script_cve_id(\n \"CVE-2017-7472\",\n \"CVE-2017-16537\",\n \"CVE-2017-18270\",\n \"CVE-2018-9422\",\n \"CVE-2020-12770\",\n \"CVE-2020-14390\",\n \"CVE-2021-30002\",\n \"CVE-2021-43976\",\n \"CVE-2021-45486\",\n \"CVE-2022-0850\",\n \"CVE-2022-1184\",\n \"CVE-2022-2503\",\n \"CVE-2022-2964\",\n \"CVE-2022-3028\",\n \"CVE-2022-36879\"\n );\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2022-9852)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe ELSA-2022-9852 advisory.\n\n - The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service\n (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.\n (CVE-2017-7472)\n\n - The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users\n to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified\n other impact via a crafted USB device. (CVE-2017-16537)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a\n certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of-\n bounds memory write can occur leading to memory corruption or a denial of service. 
Due to the nature of\n the flaw, privilege escalation cannot be fully ruled out. (CVE-2020-14390)\n\n - In get_futex_key of futex.c, there is a use-after-free due to improper locking. This could lead to local\n escalation of privilege with no additional privileges needed. User interaction is not needed for\n exploitation. Product: Android Versions: Android kernel Android ID: A-74250718 References: Upstream\n kernel. (CVE-2018-9422)\n\n - A vulnerability was found in linux kernel, where an information leak occurs via ext4_extent_header to\n userspace. (CVE-2022-0850)\n\n - A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet\n Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.\n (CVE-2022-2964)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to\n restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently\n allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass\n verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and\n unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for\n peripherals that do not verify firmware updates. We recommend upgrading past commit\n 4caae58406f8ceb741603eee460d79bacca9b1b5 (CVE-2022-2503)\n\n - In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands,\n setting unwanted defaults or causing a denial of service. (CVE-2017-18270)\n\n - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. 
video_usercopy in\n drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.\n (CVE-2021-30002)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel's filesystem sub-\n component. This flaw allows a local attacker with a user privilege to cause a denial of service.\n (CVE-2022-1184)\n\n - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows\n an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).\n (CVE-2021-43976)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak\n because the hash table is very small. 
(CVE-2021-45486)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2022-9852.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-9422\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2964\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"linux_alt_patch_detect.nasl\", \"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6 / 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.1.12-124.67.3.el6uek', '4.1.12-124.67.3.el7uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for ELSA-2022-9852');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.1';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-4.1.12-124.67.3.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-debug-4.1.12-124.67.3.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.1.12'},\n {'reference':'kernel-uek-debug-devel-4.1.12-124.67.3.el6uek', 'cpu':'x86_64', 
'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.1.12'},\n {'reference':'kernel-uek-devel-4.1.12-124.67.3.el6uek', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.1.12'},\n {'reference':'kernel-uek-doc-4.1.12-124.67.3.el6uek', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-124.67.3.el6uek', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'},\n {'reference':'kernel-uek-4.1.12-124.67.3.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-debug-4.1.12-124.67.3.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-4.1.12'},\n {'reference':'kernel-uek-debug-devel-4.1.12-124.67.3.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-debug-devel-4.1.12'},\n {'reference':'kernel-uek-devel-4.1.12-124.67.3.el7uek', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-devel-4.1.12'},\n {'reference':'kernel-uek-doc-4.1.12-124.67.3.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-doc-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-124.67.3.el7uek', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if 
(!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-debug / kernel-uek-debug-devel / etc');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-27T21:54:56", "description": "The remote OracleVM system is missing necessary patches to address security updates:\n\n - The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. (CVE-2017-16537)\n\n - In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands, setting unwanted defaults or causing a denial of service. 
(CVE-2017-18270)\n\n - The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.\n (CVE-2017-7472)\n\n - In get_futex_key of futex.c, there is a use-after-free due to improper locking. This could lead to local escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-74250718 References: Upstream kernel. (CVE-2018-9422)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of-bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of the flaw, privilege escalation cannot be fully ruled out. (CVE-2020-14390)\n\n - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.\n (CVE-2021-30002)\n\n - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).\n (CVE-2021-43976)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small. (CVE-2021-45486)\n\n - A vulnerability was found in the Linux kernel, where an information leak occurs via ext4_extent_header to userspace. (CVE-2022-0850)\n\n - A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel's filesystem sub-component. 
This flaw allows a local attacker with a user privilege to cause a denial of service.\n (CVE-2022-1184)\n\n - Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5 (CVE-2022-2503)\n\n - A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.\n (CVE-2022-2964)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. 
(CVE-2022-36879)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-10-11T00:00:00", "type": "nessus", "title": "OracleVM 3.4 : kernel-uek (OVMSA-2022-0026)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16537", "CVE-2017-18270", "CVE-2017-7472", "CVE-2018-9422", "CVE-2020-12770", "CVE-2020-14390", "CVE-2021-30002", "CVE-2021-43976", "CVE-2021-45486", "CVE-2022-0850", "CVE-2022-1184", "CVE-2022-2503", "CVE-2022-2964", "CVE-2022-3028", "CVE-2022-36879"], "modified": "2022-10-12T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware", "cpe:/o:oracle:vm_server:3.4"], "id": "ORACLEVM_OVMSA-2022-0026.NASL", "href": "https://www.tenable.com/plugins/nessus/166048", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were\n# extracted from OracleVM Security Advisory OVMSA-2022-0026.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(166048);\n script_version(\"1.3\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/10/12\");\n\n script_cve_id(\n \"CVE-2017-7472\",\n \"CVE-2017-16537\",\n \"CVE-2017-18270\",\n \"CVE-2018-9422\",\n \"CVE-2020-12770\",\n \"CVE-2020-14390\",\n \"CVE-2021-30002\",\n \"CVE-2021-43976\",\n \"CVE-2021-45486\",\n \"CVE-2022-0850\",\n \"CVE-2022-1184\",\n \"CVE-2022-2503\",\n \"CVE-2022-2964\",\n \"CVE-2022-3028\",\n \"CVE-2022-36879\"\n );\n\n script_name(english:\"OracleVM 3.4 : kernel-uek (OVMSA-2022-0026)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote OracleVM host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote OracleVM system is missing necessary patches to address security updates:\n\n - The imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users\n to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified\n other impact via a crafted USB device. (CVE-2017-16537)\n\n - In the Linux kernel before 4.13.5, a local user could create keyrings for other users via keyctl commands,\n setting unwanted defaults or causing a denial of service. (CVE-2017-18270)\n\n - The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service\n (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls.\n (CVE-2017-7472)\n\n - In get_futex_key of futex.c, there is a use-after-free due to improper locking. This could lead to local\n escalation of privilege with no additional privileges needed. User interaction is not needed for\n exploitation. Product: Android Versions: Android kernel Android ID: A-74250718 References: Upstream\n kernel. (CVE-2018-9422)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a\n certain failure case, aka CID-83c6f2390040. 
(CVE-2020-12770)\n\n - A flaw was found in the Linux kernel in versions before 5.9-rc6. When changing screen size, an out-of-\n bounds memory write can occur leading to memory corruption or a denial of service. Due to the nature of\n the flaw, privilege escalation cannot be fully ruled out. (CVE-2020-14390)\n\n - An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in\n drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments, aka CID-fb18802a338b.\n (CVE-2021-30002)\n\n - In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wireless/marvell/mwifiex/usb.c allows\n an attacker (who can connect a crafted USB device) to cause a denial of service (skb_over_panic).\n (CVE-2021-43976)\n\n - In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak\n because the hash table is very small. (CVE-2021-45486)\n\n - A vulnerability was found in linux kernel, where an information leak occurs via ext4_extent_header to\n userspace. (CVE-2022-0850)\n\n - A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel's filesystem sub-\n component. This flaw allows a local attacker with a user privilege to cause a denial of service.\n (CVE-2022-1184)\n\n - Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to\n restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently\n allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass\n verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and\n unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for\n peripherals that do not verify firmware updates. 
We recommend upgrading past commit\n 4caae58406f8ceb741603eee460d79bacca9b1b5 (CVE-2022-2503)\n\n - A flaw was found in the Linux kernel's driver for the ASIX AX88179_178A-based USB 2.0/3.0 Gigabit Ethernet\n Devices. The vulnerability contains multiple out-of-bounds reads and possible out-of-bounds writes.\n (CVE-2022-2964)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2017-16537.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2017-18270.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2017-7472.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2018-9422.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-12770.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2020-14390.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-30002.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-43976.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2021-45486.html\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2022-0850.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2022-1184.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2022-2503.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2022-2964.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2022-3028.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/cve/CVE-2022-36879.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/OVMSA-2022-0026.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kernel-uek / kernel-uek-firmware packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-9422\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2964\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/10/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\ninclude('ksplice.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nvar machine_uptrack_level = get_one_kb_item('Host/uptrack-uname-r');\nif (machine_uptrack_level)\n{\n var trimmed_uptrack_level = ereg_replace(string:machine_uptrack_level, pattern:\"\\.(x86_64|i[3-6]86|aarch64)$\", replace:'');\n var fixed_uptrack_levels = ['4.1.12-124.67.3.el6uek'];\n foreach var fixed_uptrack_level ( fixed_uptrack_levels ) {\n if (rpm_spec_vers_cmp(a:trimmed_uptrack_level, b:fixed_uptrack_level) >= 0)\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for OVMSA-2022-0026');\n }\n }\n __rpm_report = 'Running KSplice level of ' + trimmed_uptrack_level + ' does not meet the minimum fixed level of ' + join(fixed_uptrack_levels, sep:' / ') + ' for this 
advisory.\\n\\n';\n}\n\nvar kernel_major_minor = get_kb_item('Host/uname/major_minor');\nif (empty_or_null(kernel_major_minor)) exit(1, 'Unable to determine kernel major-minor level.');\nvar expected_kernel_major_minor = '4.1';\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, 'running kernel level ' + expected_kernel_major_minor + ', it is running kernel level ' + kernel_major_minor);\n\nvar pkgs = [\n {'reference':'kernel-uek-4.1.12-124.67.3.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-4.1.12'},\n {'reference':'kernel-uek-firmware-4.1.12-124.67.3.el6uek', 'cpu':'x86_64', 'release':'3.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'kernel-uek-firmware-4.1.12'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'OVS' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release && (!exists_check || rpm_exists(release:release, rpm:exists_check))) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, 
el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel-uek / kernel-uek-firmware');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-15T14:26:38", "description": "The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3274-1 advisory.\n\n - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session or terminate that session. (CVE-2020-36516)\n\n - A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of ttys could lead to a use-after-free. (CVE-2020-36557)\n\n - A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer dereference and general protection fault. (CVE-2020-36558)\n\n - A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a user privileges may crash the system or leak internal kernel information. (CVE-2021-4203)\n\n - In various methods of kernel base drivers, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. 
User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-182388481. References: Upstream kernel (CVE-2022-20166)\n\n - Product: Android. Versions: Android kernel. Android ID: A-224546354. References: Upstream kernel (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-223375145. References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-2639)\n\n - A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. On a system where virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-free and create a situation where it may be possible to escalate privileges on the system. 
(CVE-2022-2977)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem) when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte nfta_payload attribute, an skb_pull can encounter a negative skb->len. (CVE-2022-36946)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : kernel (SUSE-SU-2022:3274-1)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.9, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, 
"impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-36516", "CVE-2020-36557", "CVE-2020-36558", "CVE-2021-4203", "CVE-2022-20166", "CVE-2022-20368", "CVE-2022-20369", "CVE-2022-21385", "CVE-2022-2588", "CVE-2022-26373", "CVE-2022-2639", "CVE-2022-2977", "CVE-2022-3028", "CVE-2022-36879", "CVE-2022-36946"], "modified": "2023-03-10T00:00:00", "cpe": ["cpe:2.3:o:novell:suse_linux:12:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-source:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-syms:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-base:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-man:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-kgraft:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:cluster-md-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:dlm-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:gfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-default-kgraft-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-devel:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kernel-macros:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:ocfs2-kmp-default:*:*:*:*:*:*:*", "p-cpe:2.3:a:novell:suse_linux:kgraft-patch-4_12_14-95_108-default:*:*:*:*:*:*:*"], "id": "SUSE_SU-2022-3274-1.NASL", "href": "https://www.tenable.com/plugins/nessus/165189", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:3274-1. 
The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(165189);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/03/10\");\n\n script_cve_id(\n \"CVE-2020-36516\",\n \"CVE-2020-36557\",\n \"CVE-2020-36558\",\n \"CVE-2021-4203\",\n \"CVE-2022-2588\",\n \"CVE-2022-2639\",\n \"CVE-2022-2977\",\n \"CVE-2022-3028\",\n \"CVE-2022-20166\",\n \"CVE-2022-20368\",\n \"CVE-2022-20369\",\n \"CVE-2022-21385\",\n \"CVE-2022-26373\",\n \"CVE-2022-36879\",\n \"CVE-2022-36946\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:3274-1\");\n\n script_name(english:\"SUSE SLES12 Security Update : kernel (SUSE-SU-2022:3274-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2022:3274-1 advisory.\n\n - An issue was discovered in the Linux kernel through 5.16.11. The mixed IPID assignment method with the\n hash-based IPID assignment policy allows an off-path attacker to inject data into a victim's TCP session\n or terminate that session. (CVE-2020-36516)\n\n - A race condition in the Linux kernel before 5.6.2 between the VT_DISALLOCATE ioctl and closing/opening of\n ttys could lead to a use-after-free. (CVE-2020-36557)\n\n - A race condition in the Linux kernel before 5.5.7 involving VT_RESIZEX could lead to a NULL pointer\n dereference and general protection fault. (CVE-2020-36558)\n\n - A use-after-free read flaw was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and\n SO_PEERGROUPS race with listen() (and connect()) in the Linux kernel. In this flaw, an attacker with a\n user privileges may crash the system or leak internal kernel information. 
(CVE-2021-4203)\n\n - In various methods of kernel base drivers, there is a possible out of bounds write due to a heap buffer\n overflow. This could lead to local escalation of privilege with System execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-182388481References: Upstream kernel (CVE-2022-20166)\n\n - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel\n (CVE-2022-20368)\n\n - In v4l2_m2m_querybuf of v4l2-mem2mem.c, there is a possible out of bounds write due to improper input\n validation. This could lead to local escalation of privilege with System execution privileges needed. User\n interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:\n A-223375145References: Upstream kernel (CVE-2022-20369)\n\n - A flaw in net_rds_alloc_sgs() in Oracle Linux kernels allows unprivileged local users to crash the\n machine. CVSS 3.1 Base Score 6.2 (Availability impacts). CVSS Vector\n (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (CVE-2022-21385)\n\n - kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation\n (CVE-2022-2588)\n\n - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow\n an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)\n\n - An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of\n actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size()\n function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This\n flaw allows a local user to crash or potentially escalate their privileges on the system. (CVE-2022-2639)\n\n - A flaw was found in the Linux kernel implementation of proxied virtualized TPM devices. 
On a system where\n virtualized TPM devices are configured (this is not the default) a local attacker can create a use-after-\n free and create a situation where it may be possible to escalate privileges on the system. (CVE-2022-2977)\n\n - A race condition was found in the Linux kernel's IP framework for transforming packets (XFRM subsystem)\n when multiple calls to xfrm_probe_algs occurred simultaneously. This flaw could allow a local attacker to\n potentially trigger an out-of-bounds write or leak kernel heap memory by performing an out-of-bounds read\n and copying it into a socket. (CVE-2022-3028)\n\n - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in\n net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)\n\n - nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote\n attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte\n nfta_payload attribute, an skb_pull can encounter a negative skb->len. 
(CVE-2022-36946)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1172145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1177440\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1188944\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1191881\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1194535\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1196616\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1200598\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1200770\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1200910\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201019\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201420\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201429\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201705\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201726\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201940\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1201948\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202096\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202154\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202346\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://bugzilla.suse.com/1202347\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202393\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202396\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202672\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202897\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1202898\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1203098\");\n # https://lists.suse.com/pipermail/sle-security-updates/2022-September/012234.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c588e473\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36516\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36557\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-36558\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-4203\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20166\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20368\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-20369\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-21385\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2588\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-26373\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2639\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-2977\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-3028\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-36879\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-36946\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4203\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-2977\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/02/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:cluster-md-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:dlm-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:gfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-kgraft-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-macros\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kgraft-patch-4_12_14-95_108-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ocfs2-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(4)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES12 SP4\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'kernel-default-4.12.14-95.108.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'kernel-default-base-4.12.14-95.108.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'kernel-default-devel-4.12.14-95.108.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'kernel-devel-4.12.14-95.108.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'kernel-macros-4.12.14-95.108.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'kernel-source-4.12.14-95.108.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'kernel-syms-4.12.14-95.108.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'cluster-md-kmp-default-4.12.14-95.108.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-12.4']},\n {'reference':'dlm-kmp-default-4.12.14-95.108.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-12.4']},\n {'reference':'gfs2-kmp-default-4.12.14-95.108.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-12.4']},\n {'reference':'ocfs2-kmp-default-4.12.14-95.108.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-12.4']},\n {'reference':'kernel-default-kgraft-4.12.14-95.108.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 
'exists_check':['sle-live-patching-release-12.4']},\n {'reference':'kernel-default-kgraft-devel-4.12.14-95.108.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-live-patching-release-12.4']},\n {'reference':'kgraft-patch-4_12_14-95_108-default-1-6.3.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-live-patching-release-12.4']},\n {'reference':'kernel-default-4.12.14-95.108.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'kernel-default-base-4.12.14-95.108.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'kernel-default-devel-4.12.14-95.108.1', 'sp':'4', 'release':'SLES12', 'r