(RHSA-2017:2444) Important: kernel-rt security and bug fix update
2017-08-08T22:31:18
ID: RHSA-2017:2444, Type: redhat, Reporter: RedHat, Modified: 2018-06-07T18:14:52
Description
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.
Security Fix(es):
A use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important)
A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important)
The lrw_crypt() function in 'crypto/lrw.c' in the Linux kernel before 4.5 allows local users to cause a system crash and a denial of service through a NULL pointer dereference, by calling the accept(2) system call on an AF_ALG socket without first calling setkey() to set a cipher key. (CVE-2015-8970, Moderate)
Red Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647 and Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970.
Bug Fix(es):
Writing to model-specific registers (MSRs) during intel_idle initialization could previously cause exceptions. Consequently, a kernel panic occurred during this initialization. The call that writes to the MSR was modified to use wrmsrl_safe(), which handles exceptions, instead of wrmsrl(). In this scenario, the kernel no longer panics. (BZ#1447438)
The ixgbe driver was using incorrect bitwise operations on received PTP flags. Consequently, systems that were using the ixgbe driver could not synchronize time using PTP. The provided patch corrected the bitwise operations on received PTP flags, allowing these systems to correctly synchronize time using PTP. (BZ#1469795) (BZ#1451821)
The kernel-rt packages have been upgraded to version 3.10.0-514.rt56.230, which provides a number of security and bug fixes over the previous version. (BZ#1463427)
{"id": "RHSA-2017:2444", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2017:2444) Important: kernel-rt security and bug fix update", "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* A use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important)\n\n* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important)\n\n* The lrw_crypt() function in 'crypto/lrw.c' in the Linux kernel before 4.5 allows local users to cause a system crash and a denial of service by the NULL pointer dereference via accept(2) system call for AF_ALG socket without calling setkey() first to set a cipher key. (CVE-2015-8970, Moderate)\n\nRed Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647 and Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970.\n\nBug Fix(es):\n\n* Writing model-specific register (MSR) registers during intel_idle initialization could previously cause exceptions. Consequently, a kernel panic occurred during this initialization. The function call to write to the MSR with\nexception handling was modified to use wrmsrl_safe() instead of wrmsrl(). In this scenario, the kernel no longer panics. (BZ#1447438)\n\n* The ixgbe driver was using incorrect bitwise operations on received PTP flags. Consequently, systems that were using the ixgbe driver could not synchronize time using PTP. The provided patch corrected the bitwise operations on received PTP flags allowing these system to correctly synchronize time using PTP. 
(BZ#1469795) (BZ#1451821)\n\nThe kernel-rt packages have been upgraded to version 3.10.0-514.rt56.230,\nwhich provides a number of security and bug fixes over the previous\nversion. (BZ#1463427)", "published": "2017-08-08T22:31:18", "modified": "2018-06-07T18:14:52", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://access.redhat.com/errata/RHSA-2017:2444", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2015-8970", "CVE-2016-10200", "CVE-2017-2647"], "lastseen": "2019-08-13T18:46:04", "viewCount": 48, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2019-08-13T18:46:04", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-10200", "CVE-2017-2647", "CVE-2015-8970"]}, {"type": "android", "idList": ["ANDROID:CVE-2016-10200"]}, {"type": "f5", "idList": ["F5:K68852819", "F5:K32115847"]}, {"type": "nessus", "idList": ["VIRTUOZZO_VZA-2017-021.NASL", "VIRTUOZZO_VZA-2017-019.NASL", "ORACLEVM_OVMSA-2017-0144.NASL", "REDHAT-RHSA-2017-2444.NASL", "REDHAT-RHSA-2020-3836.NASL", "REDHAT-RHSA-2017-2437.NASL", "ORACLELINUX_ELSA-2017-3607.NASL", "SL_20200826_KERNEL_ON_SL6_X.NASL", "REDHAT-RHSA-2020-3548.NASL", "F5_BIGIP_SOL68852819.NASL"]}, {"type": "redhat", "idList": ["RHSA-2017:2077", "RHSA-2020:3548", "RHSA-2017:1842", "RHSA-2017:2437", "RHSA-2020:3836"]}, {"type": "virtuozzo", "idList": ["VZA-2017-019", "VZA-2017-021"]}, {"type": "oraclelinux", "idList": ["ELSA-2017-3658", "ELSA-2017-3657", "ELSA-2018-4021", "ELSA-2017-1842", "ELSA-2020-3548", "ELSA-2017-3606", "ELSA-2017-1842-1", "ELSA-2017-3566", "ELSA-2017-3607", "ELSA-2017-3605"]}, {"type": "avleonov", "idList": ["AVLEONOV:B1FBE34AF90D9EFE8FB00EA97D833417"]}, {"type": "debian", "idList": ["DEBIAN:DLA-922-1:854C7"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310851530", "OPENVAS:1361412562311220191537", "OPENVAS:1361412562311220191474", "OPENVAS:1361412562310851529", "OPENVAS:1361412562310843312", 
"OPENVAS:1361412562311220191489", "OPENVAS:1361412562310843857", "OPENVAS:1361412562310890922", "OPENVAS:1361412562310871855", "OPENVAS:1361412562311220191478"]}, {"type": "suse", "idList": ["SUSE-SU-2017:1183-1", "OPENSUSE-SU-2017:0906-1", "SUSE-SU-2017:1301-1", "SUSE-SU-2017:1247-1", "SUSE-SU-2017:2389-1", "SUSE-SU-2017:2525-1", "SUSE-SU-2017:0494-1", "SUSE-SU-2017:1360-1", "SUSE-SU-2017:2342-1", "OPENSUSE-SU-2017:0907-1"]}, {"type": "centos", "idList": ["CESA-2017:1842"]}, {"type": "ubuntu", "idList": ["USN-3849-1", "USN-3422-1", "USN-3849-2", "USN-3422-2"]}], "modified": "2019-08-13T18:46:04", "rev": 2}, "vulnersScore": 6.1}, "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt-debug", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-debug-3.10.0-514.rt56.231.el6rt.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt-trace-debuginfo", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-trace-debuginfo-3.10.0-514.rt56.231.el6rt.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt-trace", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-trace-3.10.0-514.rt56.231.el6rt.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt-vanilla", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-vanilla-3.10.0-514.rt56.231.el6rt.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt-devel", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-devel-3.10.0-514.rt56.231.el6rt.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt-debuginfo", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": 
"kernel-rt-debuginfo-3.10.0-514.rt56.231.el6rt.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "noarch", "packageName": "kernel-rt-firmware", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-firmware-3.10.0-514.rt56.231.el6rt.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt-vanilla-devel", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-vanilla-devel-3.10.0-514.rt56.231.el6rt.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt-trace-devel", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-trace-devel-3.10.0-514.rt56.231.el6rt.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt-debug-devel", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-debug-devel-3.10.0-514.rt56.231.el6rt.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt-debuginfo-common-x86_64", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-debuginfo-common-x86_64-3.10.0-514.rt56.231.el6rt.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt-debug-debuginfo", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-debug-debuginfo-3.10.0-514.rt56.231.el6rt.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt-vanilla-debuginfo", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-vanilla-debuginfo-3.10.0-514.rt56.231.el6rt.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "kernel-rt", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-3.10.0-514.rt56.231.el6rt.x86_64.rpm", 
"operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "noarch", "packageName": "kernel-rt-doc", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-doc-3.10.0-514.rt56.231.el6rt.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "src", "packageName": "kernel-rt", "packageVersion": "3.10.0-514.rt56.231.el6rt", "packageFilename": "kernel-rt-3.10.0-514.rt56.231.el6rt.src.rpm", "operator": "lt"}]}
{"cve": [{"lastseen": "2020-12-09T20:03:09", "description": "crypto/algif_skcipher.c in the Linux kernel before 4.4.2 does not verify that a setkey operation has been performed on an AF_ALG socket before an accept system call is processed, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that does not supply a key, related to the lrw_crypt function in crypto/lrw.c.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-11-28T03:59:00", "title": "CVE-2015-8970", "type": "cve", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8970"], "modified": "2018-08-13T21:47:00", "cpe": ["cpe:/o:linux:linux_kernel:4.4.1"], "id": "CVE-2015-8970", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8970", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:4.4.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:07:33", "description": "Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial 
of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c.", "edition": 5, "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-07T21:59:00", "title": "CVE-2016-10200", "type": "cve", "cwe": ["CWE-362", "CWE-416", "CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10200"], "modified": "2018-01-05T02:30:00", "cpe": ["cpe:/o:linux:linux_kernel:4.8.13", "cpe:/o:google:android:7.1.1"], "id": "CVE-2016-10200", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10200", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:7.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:linux:linux_kernel:4.8.13:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:13:30", "description": "The KEYS subsystem in the Linux kernel before 3.18 allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via vectors involving a NULL value for a certain match field, related to the keyring_search_iterator function in 
keyring.c.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-31T04:59:00", "title": "CVE-2017-2647", "type": "cve", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-2647"], "modified": "2019-01-15T11:29:00", "cpe": ["cpe:/o:linux:linux_kernel:3.17.8"], "id": "CVE-2017-2647", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2647", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:linux:linux_kernel:3.17.8:*:*:*:*:*:*:*"]}], "android": [{"lastseen": "2020-06-22T14:42:12", "bulletinFamily": "software", "cvelist": ["CVE-2016-10200"], "description": "Race condition in the L2TPv3 IP Encapsulation feature in the Linux kernel before 4.8.14 allows local users to gain privileges or cause a denial of service (use-after-free) by making multiple bind system calls without properly ascertaining whether a socket has the SOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c.", "edition": 1, "modified": "2019-07-26T00:00:00", "published": "2017-03-01T00:00:00", "id": "ANDROID:CVE-2016-10200", "href": 
"http://www.androidvulnerabilities.org/vulnerabilities/CVE-2016-10200.html", "title": "CVE-2016-10200", "type": "android", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2020-04-06T22:40:17", "bulletinFamily": "software", "cvelist": ["CVE-2016-10200"], "description": "\nF5 Product Development has assigned ID 659142 (BIG-IP) to this vulnerability. Additionally, [F5 iHealth](<https://www.f5.com/services/support/support-offerings/big-ip-ihealth-diagnostic-tool>) may list Heuristic H68852819 on the **Diagnostics** > **Identified** > **High** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 | 14.0.0 - 14.1.0 \n13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP AAM | 13.0.0 \n | 14.0.0 - 14.1.0 \n13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.1 | High | Linux kernel \nBIG-IP AFM | 13.0.0 \n | 14.0.0 - 14.1.0 \n13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.1 | High | Linux kernel \nBIG-IP Analytics | 13.0.0 \n | 14.0.0 - 14.1.0 \n13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP APM | 13.0.0 | 14.0.0 - 14.1.0 \n13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP ASM | 13.0.0 | 14.0.0 - 14.1.0 \n13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP DNS | 13.0.0 | 14.0.0 - 14.1.0 \n13.1.0 \n12.0.0 - 12.1.3 | High | Linux kernel \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None \nBIG-IP GTM | None | 11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP Link Controller | 13.0.0 | 14.0.0 - 14.1.0 \n13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 
11.6.1 \n11.2.1 | High | Linux kernel \nBIG-IP PEM | 13.0.0 | 14.0.0 - 14.1.0 \n13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.1 | High | Linux kernel \nBIG-IP PSM | None | 11.4.0 - 11.4.1 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None \nBIG-IP WebSafe | 13.0.0 | 14.0.0 - 14.1.0 \n13.1.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.1 | High | Linux kernel \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.2.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.1.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None \n \nF5 will not develop a fix for vulnerable products that do not already have a fixed version listed in this article, and will not update this table with subsequent vulnerable releases in the associated branches. F5 recommends that you update to more recent, non-vulnerable versions whenever feasible. For more information, refer to [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nTo mitigate this vulnerability, you should permit management access to F5 products only over a secure network and restrict command line access for affected systems to trusted users. For more information about restricting access to the BIG-IP system, refer to [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "modified": "2019-09-26T19:06:00", "published": "2017-05-02T06:01:00", "id": "F5:K68852819", "href": "https://support.f5.com/csp/article/K68852819", "title": "Linux kernel vulnerability CVE-2016-10200", "type": "f5", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-06T22:39:42", "bulletinFamily": "software", "cvelist": ["CVE-2017-2647"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability. 
F5 Product Development has assigned IDs 661939 and 661941 (BIG-IP), ID 662018 (BIG-IQ), ID 662017 (Enterprise Manager), and ID 662240 (F5 iWorkflow) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 14.0.0 \n13.0.0 -13.1.1 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 \n11.2.1 | Not vulnerable 2 | None \nBIG-IP AAM | None | 14.0.0 \n13.0.0 -13.1.1 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 | Not vulnerable 2 | None \nBIG-IP AFM | None | 14.0.0 \n13.0.0 -13.1.1 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 | Not vulnerable 2 | None \nBIG-IP Analytics | None | 14.0.0 \n13.0.0 -13.1.1 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 \n11.2.1 | Not vulnerable 2 | None \nBIG-IP APM | None | 14.0.0 \n13.0.0 -13.1.1 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 \n11.2.1 | Not vulnerable 2 | None \nBIG-IP ASM | None | 14.0.0 \n13.0.0 -13.1.1 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 \n11.2.1 | Not vulnerable 2 | None \nBIG-IP DNS | None | 14.0.0 \n13.0.0 -13.1.1 \n12.0.0 - 12.1.3 | Not vulnerable 2 | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable1 | None \nBIG-IP GTM | None | 11.4.0 - 11.6.3 \n11.2.1 | Not vulnerable1 | None \nBIG-IP Link Controller | None | 14.0.0 \n13.0.0 -13.1.1 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 \n11.2.1 | Not vulnerable 2 | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 | Not vulnerable1 | None \nBIG-IP PSM | None | 11.4.0 - 11.4.1 | Not vulnerable1 | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable1 | None \nBIG-IP WebSafe | None | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 | Not vulnerable2 | None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 
3.1.1 | Not vulnerable1 | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable1 | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.2.0 \n4.6.0 | Not vulnerable1 | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable1 | None \nF5 iWorkflow | None | 2.0.0 - 2.1.0 | Not vulnerable1 | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Low | Linux kernel \n \n1 The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\n2 The specified product versions before BIG-IP 13.1.0.2 and 14.0.0 contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "modified": "2018-09-06T19:49:00", "published": "2017-05-06T01:33:00", "id": "F5:K32115847", "href": "https://support.f5.com/csp/article/K32115847", "title": "Linux kernel vulnerability CVE-2017-2647", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T05:08:22", "description": "An update for kernel-rt is now available for Red Hat Enterprise MRG 2.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which\nenables fine-tuning for systems with extremely high determinism\nrequirements.\n\nSecurity Fix(es) :\n\n* A use-after-free flaw was found in the Linux kernel which enables a\nrace condition in the L2TPv3 IP Encapsulation feature. A local user\ncould use this flaw to escalate their privileges or crash the system.\n(CVE-2016-10200, Important)\n\n* A flaw was found that can be triggered in keyring_search_iterator in\nkeyring.c if type->match is NULL. 
A local user could use this flaw to\ncrash the system or, potentially, escalate their privileges.\n(CVE-2017-2647, Important)\n\n* The lrw_crypt() function in 'crypto/lrw.c' in the Linux kernel\nbefore 4.5 allows local users to cause a system crash and a denial of\nservice by the NULL pointer dereference via accept(2) system call for\nAF_ALG socket without calling setkey() first to set a cipher key.\n(CVE-2015-8970, Moderate)\n\nRed Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin\n(Virtuozzo) for reporting CVE-2017-2647 and Igor Redko (Virtuozzo) and\nVasily Averin (Virtuozzo) for reporting CVE-2015-8970.\n\nBug Fix(es) :\n\n* Writing model-specific register (MSR) registers during intel_idle\ninitialization could previously cause exceptions. Consequently, a\nkernel panic occurred during this initialization. The function call to\nwrite to the MSR with exception handling was modified to use\nwrmsrl_safe() instead of wrmsrl(). In this scenario, the kernel no\nlonger panics. (BZ#1447438)\n\n* The ixgbe driver was using incorrect bitwise operations on received\nPTP flags. Consequently, systems that were using the ixgbe driver\ncould not synchronize time using PTP. The provided patch corrected the\nbitwise operations on received PTP flags allowing these system to\ncorrectly synchronize time using PTP. (BZ#1469795) (BZ#1451821)\n\nThe kernel-rt packages have been upgraded to version\n3.10.0-514.rt56.230, which provides a number of security and bug fixes\nover the previous version. 
(BZ#1463427)", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-10T00:00:00", "title": "RHEL 6 : MRG (RHSA-2017:2444)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10200", "CVE-2015-8970", "CVE-2017-2647"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-rt", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo"], "id": "REDHAT-RHSA-2017-2444.NASL", "href": "https://www.tenable.com/plugins/nessus/102350", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:2444. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102350);\n script_version(\"3.10\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2015-8970\", \"CVE-2016-10200\", \"CVE-2017-2647\");\n script_xref(name:\"RHSA\", value:\"2017:2444\");\n\n script_name(english:\"RHEL 6 : MRG (RHSA-2017:2444)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel-rt is now available for Red Hat Enterprise MRG 2.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel-rt packages provide the Real Time Linux Kernel, which\nenables fine-tuning for systems with extremely high determinism\nrequirements.\n\nSecurity Fix(es) :\n\n* A use-after-free flaw was found in the Linux kernel which enables a\nrace condition in the L2TPv3 IP Encapsulation feature. A local user\ncould use this flaw to escalate their privileges or crash the system.\n(CVE-2016-10200, Important)\n\n* A flaw was found that can be triggered in keyring_search_iterator in\nkeyring.c if type->match is NULL. 
A local user could use this flaw to\ncrash the system or, potentially, escalate their privileges.\n(CVE-2017-2647, Important)\n\n* The lrw_crypt() function in 'crypto/lrw.c' in the Linux kernel\nbefore 4.5 allows local users to cause a system crash and a denial of\nservice by the NULL pointer dereference via accept(2) system call for\nAF_ALG socket without calling setkey() first to set a cipher key.\n(CVE-2015-8970, Moderate)\n\nRed Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin\n(Virtuozzo) for reporting CVE-2017-2647 and Igor Redko (Virtuozzo) and\nVasily Averin (Virtuozzo) for reporting CVE-2015-8970.\n\nBug Fix(es) :\n\n* Writing model-specific register (MSR) registers during intel_idle\ninitialization could previously cause exceptions. Consequently, a\nkernel panic occurred during this initialization. The function call to\nwrite to the MSR with exception handling was modified to use\nwrmsrl_safe() instead of wrmsrl(). In this scenario, the kernel no\nlonger panics. (BZ#1447438)\n\n* The ixgbe driver was using incorrect bitwise operations on received\nPTP flags. Consequently, systems that were using the ixgbe driver\ncould not synchronize time using PTP. The provided patch corrected the\nbitwise operations on received PTP flags allowing these systems to\ncorrectly synchronize time using PTP. (BZ#1469795) (BZ#1451821)\n\nThe kernel-rt packages have been upgraded to version\n3.10.0-514.rt56.230, which provides a number of security and bug fixes\nover the previous version. 
(BZ#1463427)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:2444\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8970\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-10200\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-2647\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-doc\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-trace-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-rt-vanilla-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2015-8970\", \"CVE-2016-10200\", \"CVE-2017-2647\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2017:2444\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:2444\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message 
= \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! (rpm_exists(release:\"RHEL6\", rpm:\"mrg-release\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"MRG\");\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debug-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debug-debuginfo-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debug-devel-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-debuginfo-common-x86_64-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-devel-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-rt-doc-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"kernel-rt-firmware-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-trace-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-trace-debuginfo-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-trace-devel-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-vanilla-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-vanilla-debuginfo-3.10.0-514.rt56.231.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"kernel-rt-vanilla-devel-3.10.0-514.rt56.231.el6\")) flag++;\n\n 
if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-rt / kernel-rt-debug / kernel-rt-debug-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T05:08:21", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.3\nExtended Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* A use-after-free flaw was found in the Linux kernel which enables a\nrace condition in the L2TPv3 IP Encapsulation feature. A local user\ncould use this flaw to escalate their privileges or crash the system.\n(CVE-2016-10200, Important)\n\n* A flaw was found that can be triggered in keyring_search_iterator in\nkeyring.c if type->match is NULL. A local user could use this flaw to\ncrash the system or, potentially, escalate their privileges.\n(CVE-2017-2647, Important)\n\n* It was found that the NFSv4 server in the Linux kernel did not\nproperly validate layout type when processing NFSv4 pNFS LAYOUTGET and\nGETDEVICEINFO operands. 
A remote attacker could use this flaw to\nsoft-lockup the system and thus cause denial of service.\n(CVE-2017-8797, Important)\n\n* The lrw_crypt() function in 'crypto/lrw.c' in the Linux kernel\nbefore 4.5 allows local users to cause a system crash and a denial of\nservice by the NULL pointer dereference via accept(2) system call for\nAF_ALG socket without calling setkey() first to set a cipher key.\n(CVE-2015-8970, Moderate)\n\nRed Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin\n(Virtuozzo) for reporting CVE-2017-2647 and Igor Redko (Virtuozzo) and\nVasily Averin (Virtuozzo) for reporting CVE-2015-8970.\n\nBug Fix(es) :\n\n* When running the LPAR with IBM Power 8 SMT8 mode, system performance\ndegradation occurred due to the load getting spread across threads\nfrom the same core. The provided patches fix scheduler performance\nissues and assure the load is spread across cores, thus improving the\nsystem performance significantly. (BZ#1434853)\n\n* Upon reboot, the bond slave with some network adapter ports became\nunresponsive in the backup state and never proceeded to the active\nstate. As a consequence, the bond slave never transmitted any LACP PDU\nand the bond interface was never produced properly. With this update,\nthe i40e network driver has been fixed for long link-down notification\ntime and the bond slave now transmits LACP PDUs as expected.\n(BZ#1446783)\n\n* When attempting to configure two or more Ethernet adapter cards\nusing Virtual Function I/O (VFIO) in the KVM guest, subsequent KVM\nguests previously failed to boot returning an error message. The\nprovided patch adds the ability of VFIO to support more than one card\nin the KVM guest environment. (BZ#1447718)\n\n* It is possible to define the CPUs in which unbound kworkers can run\nby setting a 'mask' in a specific file in the sysfs file system,\nhelping on CPU isolation. 
However, this setup did not work properly,\nand unbounded kworkers were being activated on CPUs in which they were\nset to _NOT_ run. The provided patchset prevents unbound kworkers from\nbeing run on CPUs that are masked, thus fixing this bug. (BZ#1458203)\n\n* Due to a regression, the kernel previously failed to create the\n/sys/block/ /devices/enclosure_device symlinks. The provided patch\ncorrects the call to the scsi_is_sas_rphy() function, which is now\nmade on the SAS end device, instead of the SCSI device. (BZ#1460204)\n\n* Previously, the system panic occurred when running mkfs.ext4 on\nnewly created software RAID1 partitions on SATA SDD drives. The\nprovided patch ensures the ext4 file system is created on the /dev/md0\npartition and is mounted there successfully. (BZ#1463359)", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-10T00:00:00", "title": "RHEL 7 : kernel (RHSA-2017:2437)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10200", "CVE-2015-8970", "CVE-2017-2647", "CVE-2017-8797"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs", 
"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "cpe:/o:redhat:enterprise_linux:7.3", "p-cpe:/a:redhat:enterprise_linux:kernel-tools", "p-cpe:/a:redhat:enterprise_linux:kernel", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:kernel-doc"], "id": "REDHAT-RHSA-2017-2437.NASL", "href": "https://www.tenable.com/plugins/nessus/102349", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2017:2437. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102349);\n script_version(\"3.10\");\n script_cvs_date(\"Date: 2019/10/24 15:35:43\");\n\n script_cve_id(\"CVE-2015-8970\", \"CVE-2016-10200\", \"CVE-2017-2647\", \"CVE-2017-8797\");\n script_xref(name:\"RHSA\", value:\"2017:2437\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2017:2437)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 7.3\nExtended Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* A use-after-free flaw was found in the Linux kernel which enables a\nrace condition in the L2TPv3 IP Encapsulation feature. 
A local user\ncould use this flaw to escalate their privileges or crash the system.\n(CVE-2016-10200, Important)\n\n* A flaw was found that can be triggered in keyring_search_iterator in\nkeyring.c if type->match is NULL. A local user could use this flaw to\ncrash the system or, potentially, escalate their privileges.\n(CVE-2017-2647, Important)\n\n* It was found that the NFSv4 server in the Linux kernel did not\nproperly validate layout type when processing NFSv4 pNFS LAYOUTGET and\nGETDEVICEINFO operands. A remote attacker could use this flaw to\nsoft-lockup the system and thus cause denial of service.\n(CVE-2017-8797, Important)\n\n* The lrw_crypt() function in 'crypto/lrw.c' in the Linux kernel\nbefore 4.5 allows local users to cause a system crash and a denial of\nservice by the NULL pointer dereference via accept(2) system call for\nAF_ALG socket without calling setkey() first to set a cipher key.\n(CVE-2015-8970, Moderate)\n\nRed Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin\n(Virtuozzo) for reporting CVE-2017-2647 and Igor Redko (Virtuozzo) and\nVasily Averin (Virtuozzo) for reporting CVE-2015-8970.\n\nBug Fix(es) :\n\n* When running the LPAR with IBM Power 8 SMT8 mode, system performance\ndegradation occurred due to the load getting spread across threads\nfrom the same core. The provided patches fix scheduler performance\nissues and assure the load is spread across cores, thus improving the\nsystem performance significantly. (BZ#1434853)\n\n* Upon reboot, the bond slave with some network adapter ports became\nunresponsive in the backup state and never proceeded to the active\nstate. As a consequence, the bond slave never transmitted any LACP PDU\nand the bond interface was never produced properly. 
With this update,\nthe i40e network driver has been fixed for long link-down notification\ntime and the bond slave now transmits LACP PDUs as expected.\n(BZ#1446783)\n\n* When attempting to configure two or more Ethernet adapter cards\nusing Virtual Function I/O (VFIO) in the KVM guest, subsequent KVM\nguests previously failed to boot returning an error message. The\nprovided patch adds the ability of VFIO to support more than one card\nin the KVM guest environment. (BZ#1447718)\n\n* It is possible to define the CPUs in which unbound kworkers can run\nby setting a 'mask' in a specific file in the sysfs file system,\nhelping on CPU isolation. However, this setup did not work properly,\nand unbounded kworkers were being activated on CPUs in which they were\nset to _NOT_ run. The provided patchset prevents unbound kworkers from\nbeing run on CPUs that are masked, thus fixing this bug. (BZ#1458203)\n\n* Due to a regression, the kernel previously failed to create the\n/sys/block/ /devices/enclosure_device symlinks. The provided patch\ncorrects the call to the scsi_is_sas_rphy() function, which is now\nmade on the SAS end device, instead of the SCSI device. (BZ#1460204)\n\n* Previously, the system panic occurred when running mkfs.ext4 on\nnewly created software RAID1 partitions on SATA SDD drives. The\nprovided patch ensures the ext4 file system is created on the /dev/md0\npartition and is mounted there successfully. 
(BZ#1463359)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2017:2437\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-8970\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-10200\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-2647\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2017-8797\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-s390x\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7\\.3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.3\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2015-8970\", \"CVE-2016-10200\", \"CVE-2017-2647\", \"CVE-2017-8797\");\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for RHSA-2017:2437\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2017:2437\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", reference:\"kernel-abi-whitelists-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-debug-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-debug-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-debug-debuginfo-3.10.0-514.28.1.el7\")) flag++;\n if 
(rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-debug-devel-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-debuginfo-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-debuginfo-common-s390x-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-devel-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", reference:\"kernel-doc-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-headers-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-kdump-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-kdump-debuginfo-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-kdump-devel-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", 
cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"perf-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"perf-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"perf-debuginfo-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"python-perf-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"s390x\", reference:\"python-perf-debuginfo-3.10.0-514.28.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"3\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-514.28.1.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-01T01:58:52", "description": "Race condition in the L2TPv3 IP Encapsulation feature in the Linux\nkernel before 4.8.14 allows local users to gain privileges or cause a\ndenial of service (use-after-free) by making multiple bind system\ncalls without properly 
ascertaining whether a socket has the\nSOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and\nnet/l2tp/l2tp_ip6.c. (CVE-2016-10200)\n\nImpact\n\nAn attacker with administrative command line access may be able to\nperform a use-after-free exploit to cause a denial of service (DoS) or\ngain system privileges.", "edition": 28, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-02T00:00:00", "title": "F5 Networks BIG-IP : Linux kernel vulnerability (K68852819)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10200"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_access_policy_manager"], "id": "F5_BIGIP_SOL68852819.NASL", "href": "https://www.tenable.com/plugins/nessus/99921", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K68852819.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99921);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2019/01/04 10:03:41\");\n\n script_cve_id(\"CVE-2016-10200\");\n\n script_name(english:\"F5 Networks BIG-IP : Linux kernel vulnerability (K68852819)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Race condition in the L2TPv3 IP Encapsulation feature in the Linux\nkernel before 4.8.14 allows local users to 
gain privileges or cause a\ndenial of service (use-after-free) by making multiple bind system\ncalls without properly ascertaining whether a socket has the\nSOCK_ZAPPED status, related to net/l2tp/l2tp_ip.c and\nnet/l2tp/l2tp_ip6.c. (CVE-2016-10200)\n\nImpact\n\nAn attacker with administrative command line access may be able to\nperform a use-after-free exploit to cause a denial of service (DoS) or\ngain system privileges.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K68852819\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K68852819.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K68852819\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"13.0.0\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"14.0.0-14.1.0\",\"13.1.0\",\"12.0.0-12.1.3\",\"11.4.0-11.6.1\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"13.0.0\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"14.0.0-14.1.0\",\"13.1.0\",\"12.0.0-12.1.3\",\"11.4.0-11.6.1\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"13.0.0\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"14.0.0-14.1.0\",\"13.1.0\",\"12.0.0-12.1.3\",\"11.4.0-11.6.1\",\"11.2.1\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"13.0.0\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"14.0.0-14.1.0\",\"13.1.0\",\"12.0.0-12.1.3\",\"11.4.0-11.6.1\",\"11.2.1\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"13.0.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"14.0.0-14.1.0\",\"13.1.0\",\"12.0.0-12.1.3\",\"11.4.0-11.6.1\",\"11.2.1\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"13.0.0\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"14.0.0-14.1.0\",\"13.1.0\",\"12.0.0-12.1.3\",\"11.4.0-11.6.1\",\"11.2.1\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"13.0.0\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"14.0.0-14.1.0\",\"13.1.0\",\"12.0.0-12.1.3\",\"11.4.0-11.6.1\",\"11.2.1\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"13.0.0\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"14.0.0-14.1.0\",\"13.1.0\",\"12.0.0-12.1.3\",\"11.4.0-11.6.1\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, 
sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:13:11", "description": "According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerability :\n\n - A flaw was discovered in the Linux kernel's key\n subsystem. Invoking the request_key() system call with\n a specially crafted set of arguments could result in a\n NULL-pointer dereference inside the search_keyring()\n function. A local unprivileged user could use this\n vulnerability to crash the system. The vulnerability\n could be exploited from inside containers.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 41, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-27T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2017-021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2647"], "modified": "2017-03-27T00:00:00", "cpe": ["cpe:/o:virtuozzo:virtuozzo:7", "p-cpe:/a:virtuozzo:virtuozzo:readykernel"], "id": "VIRTUOZZO_VZA-2017-021.NASL", "href": "https://www.tenable.com/plugins/nessus/97987", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97987);\n 
script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-2647\"\n );\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2017-021)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerability :\n\n - A flaw was discovered in the Linux kernel's key\n subsystem. Invoking the request_key() system call with\n a specially crafted set of arguments could result in a\n NULL-pointer dereference inside the search_keyring()\n function. A local unprivileged user could use this\n vulnerability to crash the system. The vulnerability\n could be exploited from inside containers.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2770065\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1427994\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-15.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?98467d7f\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-15.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1b6af2dd\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-15.0-1.vl7/\n 
script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3641f775\");\n script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-327.18.2.vz7.15.2\",\n \"patch\",\"readykernel-patch-15.2-15.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-327.36.1.vz7.18.7\",\n \"patch\",\"readykernel-patch-18.7-15.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-327.36.1.vz7.20.18\",\n \"patch\",\"readykernel-patch-20.18-15.0-1.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:13:10", "description": "According to the version of the parallels-server-bm-release /\nvzkernel / etc packages installed, the Virtuozzo installation on the\nremote host is affected by the following vulnerability :\n\n - A flaw was discovered in the Linux kernel's key\n subsystem. Invoking the request_key() system call with\n a specially crafted set of arguments could result in a\n NULL-pointer dereference inside the search_keyring()\n function. A local unprivileged user could use this\n vulnerability to crash the system. 
The vulnerability\n could be exploited from inside containers.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 40, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-03-27T00:00:00", "title": "Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-019)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2647"], "modified": "2017-03-27T00:00:00", "cpe": ["p-cpe:/a:virtuozzo:virtuozzo:vzkernel", "p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel", "p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware", "p-cpe:/a:virtuozzo:virtuozzo:vzmodules", "cpe:/o:virtuozzo:virtuozzo:6", "p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release", "p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel"], "id": "VIRTUOZZO_VZA-2017-019.NASL", "href": "https://www.tenable.com/plugins/nessus/97986", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(97986);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2017-2647\"\n );\n\n script_name(english:\"Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-019)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the parallels-server-bm-release /\nvzkernel / etc packages installed, the Virtuozzo installation on the\nremote host is affected by the following vulnerability :\n\n - A flaw was discovered in the 
Linux kernel's key\n subsystem. Invoking the request_key() system call with\n a specially crafted set of arguments could result in a\n NULL-pointer dereference inside the search_keyring()\n function. A local unprivileged user could use this\n vulnerability to crash the system. The vulnerability\n could be exploited from inside containers.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.virtuozzo.com/customer/portal/articles/2770047\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1427994\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected parallels-server-bm-release / vzkernel / etc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:parallels-server-bm-release\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:vzkernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:vzkernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:vzmodules\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:vzmodules-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 6.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"parallels-server-bm-release-6.0.12-3673\",\n \"vzkernel-2.6.32-042stab120.20\",\n \"vzkernel-devel-2.6.32-042stab120.20\",\n \"vzkernel-firmware-2.6.32-042stab120.20\",\n \"vzmodules-2.6.32-042stab120.20\",\n \"vzmodules-devel-2.6.32-042stab120.20\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-6\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"parallels-server-bm-release / vzkernel / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-19T05:34:15", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:3836 advisory.\n\n - kernel: Null pointer dereference in search_keyring (CVE-2017-2647)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 3, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-09-24T00:00:00", "title": "RHEL 6 : kernel (RHSA-2020:3836)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-2647"], "modified": "2020-09-24T00:00:00", "cpe": ["cpe:/o:redhat:rhel_aus:6.6::server", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", 
"p-cpe:/a:redhat:enterprise_linux:kernel-debug", "cpe:/o:redhat:rhel_aus:6.6", "p-cpe:/a:redhat:enterprise_linux:kernel"], "id": "REDHAT-RHSA-2020-3836.NASL", "href": "https://www.tenable.com/plugins/nessus/140782", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3836. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140782);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/18\");\n\n script_cve_id(\"CVE-2017-2647\");\n script_bugtraq_id(97258);\n script_xref(name:\"RHSA\", value:\"2020:3836\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2020:3836)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:3836 advisory.\n\n - kernel: Null pointer dereference in search_keyring (CVE-2017-2647)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/476.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2017-2647\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3836\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1428353\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-2647\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(476);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:6.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:6.6::server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6\\.6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 6.6', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_aus_6_6_server': [\n 'rhel-6-server-aus-debug-rpms',\n 'rhel-6-server-aus-optional-debug-rpms',\n 'rhel-6-server-aus-optional-rpms',\n 'rhel-6-server-aus-optional-source-rpms',\n 'rhel-6-server-aus-rpms',\n 'rhel-6-server-aus-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:3836');\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n 
rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2017-2647');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for RHSA-2020:3836');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'reference':'kernel-2.6.32-504.84.1.el6', 'sp':'6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_6_6_server']},\n {'reference':'kernel-debug-2.6.32-504.84.1.el6', 'sp':'6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_6_6_server']},\n {'reference':'kernel-debug-devel-2.6.32-504.84.1.el6', 'sp':'6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_6_6_server']},\n {'reference':'kernel-devel-2.6.32-504.84.1.el6', 'sp':'6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_aus_6_6_server']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = 
TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-debug / kernel-debug-devel / kernel-devel');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-01T14:11:02", "description": "Security Fix(es) :\n\n - kernel: NULL pointer dereference in search_keyring\n (CVE-2017-2647)\n\n - kernel: heap-based buffer overflow in\n lbs_ibss_join_existing function in\n drivers/net/wireless/marvell/libertas/cfg.c\n (CVE-2019-14896)", "edition": 3, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-08-27T00:00:00", "title": "Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20200826)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-14896", "CVE-2017-2647"], "modified": "2020-08-27T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists", "p-cpe:/a:fermilab:scientific_linux:kernel", "p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo", "p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:perf-debuginfo", "p-cpe:/a:fermilab:scientific_linux:kernel-debug", 
"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-i686", "p-cpe:/a:fermilab:scientific_linux:kernel-firmware", "p-cpe:/a:fermilab:scientific_linux:kernel-headers", "p-cpe:/a:fermilab:scientific_linux:python-perf", "p-cpe:/a:fermilab:scientific_linux:kernel-devel", "p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:kernel-doc", "p-cpe:/a:fermilab:scientific_linux:perf"], "id": "SL_20200826_KERNEL_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/139895", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139895);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/30\");\n\n script_cve_id(\"CVE-2017-2647\", \"CVE-2019-14896\");\n\n script_name(english:\"Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20200826)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security Fix(es) :\n\n - kernel: NULL pointer dereference in search_keyring\n (CVE-2017-2647)\n\n - kernel: heap-based buffer overflow in\n lbs_ibss_join_existing function in\n drivers/net/wireless/marvell/libertas/cfg.c\n (CVE-2019-14896)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind2008&L=SCIENTIFIC-LINUX-ERRATA&P=10713\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b85dfdec\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-14896\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-i686\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"kernel-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-abi-whitelists-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"x86_64\", reference:\"kernel-abi-whitelists-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-debuginfo-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debug-devel-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debuginfo-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-debuginfo-common-i686-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-devel-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-doc-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"x86_64\", reference:\"kernel-doc-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-firmware-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"x86_64\", reference:\"kernel-firmware-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"kernel-headers-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"perf-2.6.32-754.33.1.el6\")) flag++;\nif 
(rpm_check(release:\"SL6\", reference:\"perf-debuginfo-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"python-perf-2.6.32-754.33.1.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"python-perf-debuginfo-2.6.32-754.33.1.el6\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-21T06:03:56", "description": "The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3548 advisory.\n\n - kernel: Null pointer dereference in search_keyring (CVE-2017-2647)\n\n - kernel: heap-based buffer overflow in lbs_ibss_join_existing function in drivers/net/wireless/marvell/libertas/cfg.c (CVE-2019-14896)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 3, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-08-25T00:00:00", "title": "RHEL 6 : kernel (RHSA-2020:3548)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-14896", "CVE-2017-2647"], "modified": "2020-08-25T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:kernel-kdump", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-firmware", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-bootwrapper", 
"p-cpe:/a:redhat:enterprise_linux:kernel", "cpe:/o:redhat:enterprise_linux:6::client", "cpe:/o:redhat:enterprise_linux:6::workstation", "p-cpe:/a:redhat:enterprise_linux:python-perf", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:perf", "cpe:/o:redhat:enterprise_linux:6::computenode", "cpe:/o:redhat:enterprise_linux:6::server"], "id": "REDHAT-RHSA-2020-3548.NASL", "href": "https://www.tenable.com/plugins/nessus/139807", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3548. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139807);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/19\");\n\n script_cve_id(\"CVE-2017-2647\", \"CVE-2019-14896\");\n script_bugtraq_id(97258);\n script_xref(name:\"RHSA\", value:\"2020:3548\");\n\n script_name(english:\"RHEL 6 : kernel (RHSA-2020:3548)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3548 advisory.\n\n - kernel: Null pointer dereference in search_keyring (CVE-2017-2647)\n\n - kernel: heap-based buffer overflow in lbs_ibss_join_existing function in drivers/net/wireless/marvell/libertas/cfg.c (CVE-2019-14896)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/122.html\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://cwe.mitre.org/data/definitions/476.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2017-2647\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-14896\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3548\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1428353\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1774875\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-14896\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(122, 476);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6::client\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6::computenode\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6::server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6::workstation\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-bootwrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-kdump-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('ksplice.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'enterprise_linux_6_client': [\n 'rhel-6-desktop-debug-rpms',\n 'rhel-6-desktop-fastrack-debug-rpms',\n 'rhel-6-desktop-fastrack-rpms',\n 'rhel-6-desktop-fastrack-source-rpms',\n 'rhel-6-desktop-optional-debug-rpms',\n 'rhel-6-desktop-optional-fastrack-debug-rpms',\n 'rhel-6-desktop-optional-fastrack-rpms',\n 'rhel-6-desktop-optional-fastrack-source-rpms',\n 'rhel-6-desktop-optional-rpms',\n 'rhel-6-desktop-optional-source-rpms',\n 'rhel-6-desktop-rpms',\n 'rhel-6-desktop-source-rpms'\n ],\n 'enterprise_linux_6_computenode': [\n 'rhel-6-for-hpc-node-fastrack-debug-rpms',\n 'rhel-6-for-hpc-node-fastrack-rpms',\n 'rhel-6-for-hpc-node-fastrack-source-rpms',\n 'rhel-6-for-hpc-node-optional-fastrack-debug-rpms',\n 'rhel-6-for-hpc-node-optional-fastrack-rpms',\n 
'rhel-6-for-hpc-node-optional-fastrack-source-rpms',\n 'rhel-6-hpc-node-debug-rpms',\n 'rhel-6-hpc-node-optional-debug-rpms',\n 'rhel-6-hpc-node-optional-rpms',\n 'rhel-6-hpc-node-optional-source-rpms',\n 'rhel-6-hpc-node-rpms',\n 'rhel-6-hpc-node-source-rpms',\n 'rhel-hpc-node-6-eus-sfs-debug-rpms',\n 'rhel-hpc-node-6-eus-sfs-source-rpms',\n 'rhel-scalefs-for-rhel-6-hpc-node-debug-rpms',\n 'rhel-scalefs-for-rhel-6-hpc-node-rpms',\n 'rhel-scalefs-for-rhel-6-hpc-node-source-rpms'\n ],\n 'enterprise_linux_6_server': [\n 'rhel-6-for-system-z-debug-rpms',\n 'rhel-6-for-system-z-fastrack-debug-rpms',\n 'rhel-6-for-system-z-fastrack-rpms',\n 'rhel-6-for-system-z-fastrack-source-rpms',\n 'rhel-6-for-system-z-optional-debug-rpms',\n 'rhel-6-for-system-z-optional-fastrack-debug-rpms',\n 'rhel-6-for-system-z-optional-fastrack-rpms',\n 'rhel-6-for-system-z-optional-fastrack-source-rpms',\n 'rhel-6-for-system-z-optional-rpms',\n 'rhel-6-for-system-z-optional-source-rpms',\n 'rhel-6-for-system-z-rpms',\n 'rhel-6-for-system-z-source-rpms',\n 'rhel-6-server-debug-rpms',\n 'rhel-6-server-fastrack-debug-rpms',\n 'rhel-6-server-fastrack-rpms',\n 'rhel-6-server-fastrack-source-rpms',\n 'rhel-6-server-optional-debug-rpms',\n 'rhel-6-server-optional-fastrack-debug-rpms',\n 'rhel-6-server-optional-fastrack-rpms',\n 'rhel-6-server-optional-fastrack-source-rpms',\n 'rhel-6-server-optional-rpms',\n 'rhel-6-server-optional-source-rpms',\n 'rhel-6-server-rpms',\n 'rhel-6-server-source-rpms',\n 'rhel-ha-for-rhel-6-server-debug-rpms',\n 'rhel-ha-for-rhel-6-server-rpms',\n 'rhel-ha-for-rhel-6-server-source-rpms',\n 'rhel-lb-for-rhel-6-server-debug-rpms',\n 'rhel-lb-for-rhel-6-server-rpms',\n 'rhel-lb-for-rhel-6-server-source-rpms',\n 'rhel-rs-for-rhel-6-server-debug-rpms',\n 'rhel-rs-for-rhel-6-server-rpms',\n 'rhel-rs-for-rhel-6-server-source-rpms',\n 'rhel-scalefs-for-rhel-6-server-debug-rpms',\n 'rhel-scalefs-for-rhel-6-server-rpms',\n 'rhel-scalefs-for-rhel-6-server-source-rpms'\n ],\n 
'enterprise_linux_6_workstation': [\n 'rhel-6-workstation-debug-rpms',\n 'rhel-6-workstation-fastrack-debug-rpms',\n 'rhel-6-workstation-fastrack-rpms',\n 'rhel-6-workstation-fastrack-source-rpms',\n 'rhel-6-workstation-optional-debug-rpms',\n 'rhel-6-workstation-optional-fastrack-debug-rpms',\n 'rhel-6-workstation-optional-fastrack-rpms',\n 'rhel-6-workstation-optional-fastrack-source-rpms',\n 'rhel-6-workstation-optional-rpms',\n 'rhel-6-workstation-optional-source-rpms',\n 'rhel-6-workstation-rpms',\n 'rhel-6-workstation-source-rpms',\n 'rhel-scalefs-for-rhel-6-workstation-debug-rpms',\n 'rhel-scalefs-for-rhel-6-workstation-rpms',\n 'rhel-scalefs-for-rhel-6-workstation-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:3548');\n}\n\nif (get_one_kb_item('Host/ksplice/kernel-cves'))\n{\n rm_kb_item(name:'Host/uptrack-uname-r');\n cve_list = make_list('CVE-2017-2647', 'CVE-2019-14896');\n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, 'KSplice hotfix for RHSA-2020:3548');\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\npkgs = [\n {'reference':'kernel-2.6.32-754.33.1.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-2.6.32-754.33.1.el6', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n 
{'reference':'kernel-2.6.32-754.33.1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-abi-whitelists-2.6.32-754.33.1.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-debug-2.6.32-754.33.1.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-debug-2.6.32-754.33.1.el6', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-debug-2.6.32-754.33.1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-debug-devel-2.6.32-754.33.1.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-debug-devel-2.6.32-754.33.1.el6', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-debug-devel-2.6.32-754.33.1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n 
{'reference':'kernel-devel-2.6.32-754.33.1.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-devel-2.6.32-754.33.1.el6', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-devel-2.6.32-754.33.1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-firmware-2.6.32-754.33.1.el6', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-headers-2.6.32-754.33.1.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-headers-2.6.32-754.33.1.el6', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-headers-2.6.32-754.33.1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'kernel-kdump-2.6.32-754.33.1.el6', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n 
{'reference':'kernel-kdump-devel-2.6.32-754.33.1.el6', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'perf-2.6.32-754.33.1.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'perf-2.6.32-754.33.1.el6', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'perf-2.6.32-754.33.1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'python-perf-2.6.32-754.33.1.el6', 'cpu':'i686', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'python-perf-2.6.32-754.33.1.el6', 'cpu':'s390x', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']},\n {'reference':'python-perf-2.6.32-754.33.1.el6', 'cpu':'x86_64', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['enterprise_linux_6_client', 'enterprise_linux_6_computenode', 'enterprise_linux_6_server', 'enterprise_linux_6_workstation']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = 
package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kernel / kernel-abi-whitelists / kernel-debug / kernel-debug-devel / etc');\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T13:24:14", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - l2tp: fix racy SOCK_ZAPPED flag check in\n l2tp_ip[,6]_bind (Guillaume Nault) [Orabug: 26586047]\n (CVE-2016-10200)\n\n - xfs: 
fix two memory leaks in xfs_attr_list.c error paths\n (Mateusz Guzik) [Orabug: 26586022] (CVE-2016-9685)\n\n - KEYS: Disallow keyrings beginning with '.' to be joined\n as session keyrings (David Howells) [Orabug: 26585994]\n (CVE-2016-9604)\n\n - ipv6: fix out of bound writes in __ip6_append_data (Eric\n Dumazet) [Orabug: 26578198] (CVE-2017-9242)", "edition": 26, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-21T00:00:00", "title": "OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0144)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9604", "CVE-2017-9242", "CVE-2016-10200", "CVE-2016-9685"], "modified": "2017-08-21T00:00:00", "cpe": ["cpe:/o:oracle:vm_server:3.3", "p-cpe:/a:oracle:vm:kernel-uek", "p-cpe:/a:oracle:vm:kernel-uek-firmware"], "id": "ORACLEVM_OVMSA-2017-0144.NASL", "href": "https://www.tenable.com/plugins/nessus/102625", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2017-0144.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102625);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-10200\", \"CVE-2016-9604\", \"CVE-2016-9685\", \"CVE-2017-9242\");\n\n script_name(english:\"OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0144)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - l2tp: fix racy SOCK_ZAPPED flag check in\n l2tp_ip[,6]_bind (Guillaume Nault) [Orabug: 26586047]\n 
(CVE-2016-10200)\n\n - xfs: fix two memory leaks in xfs_attr_list.c error paths\n (Mateusz Guzik) [Orabug: 26586022] (CVE-2016-9685)\n\n - KEYS: Disallow keyrings beginning with '.' to be joined\n as session keyrings (David Howells) [Orabug: 26585994]\n (CVE-2016-9604)\n\n - ipv6: fix out of bound writes in __ip6_append_data (Eric\n Dumazet) [Orabug: 26578198] (CVE-2017-9242)\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2017-August/000758.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ab2271dc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel-uek / kernel-uek-firmware packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.3\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.3\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-3.8.13-118.19.4.el6uek\")) flag++;\nif (rpm_check(release:\"OVS3.3\", reference:\"kernel-uek-firmware-3.8.13-118.19.4.el6uek\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel-uek / kernel-uek-firmware\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T04:42:52", "description": "Description of changes:\n\n[2.6.39-400.297.6.el6uek]\n- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume \nNault) [Orabug: 26586050] {CVE-2016-10200}\n- xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz \nGuzik) [Orabug: 26586024] {CVE-2016-9685}\n- KEYS: Disallow 
keyrings beginning with '.' to be joined as session \nkeyrings (David Howells) [Orabug: 26586002] {CVE-2016-9604}\n- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) \n[Orabug: 26578202] {CVE-2017-9242}", "edition": 25, "cvss3": {"score": 7.0, "vector": "AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-08-21T00:00:00", "title": "Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3607)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9604", "CVE-2017-9242", "CVE-2016-10200", "CVE-2016-9685"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:kernel-uek-firmware", "p-cpe:/a:oracle:linux:kernel-uek-doc", "p-cpe:/a:oracle:linux:kernel-uek", "p-cpe:/a:oracle:linux:kernel-uek-debug-devel", "p-cpe:/a:oracle:linux:kernel-uek-devel", "p-cpe:/a:oracle:linux:kernel-uek-debug"], "id": "ORACLELINUX_ELSA-2017-3607.NASL", "href": "https://www.tenable.com/plugins/nessus/102624", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2017-3607.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102624);\n script_version(\"3.8\");\n script_cvs_date(\"Date: 2019/09/27 13:00:38\");\n\n script_cve_id(\"CVE-2016-10200\", \"CVE-2016-9604\", \"CVE-2016-9685\", \"CVE-2017-9242\");\n\n script_name(english:\"Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3607)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[2.6.39-400.297.6.el6uek]\n- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume \nNault) [Orabug: 26586050] {CVE-2016-10200}\n- xfs: fix two memory leaks in 
xfs_attr_list.c error paths (Mateusz \nGuzik) [Orabug: 26586024] {CVE-2016-9685}\n- KEYS: Disallow keyrings beginning with '.' to be joined as session \nkeyrings (David Howells) [Orabug: 26586002] {CVE-2016-9604}\n- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) \n[Orabug: 26578202] {CVE-2017-9242}\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2017-August/007145.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected unbreakable enterprise kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-uek-firmware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2017/08/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2016-10200\", \"CVE-2016-9604\", \"CVE-2016-9685\", \"CVE-2017-9242\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2017-3607\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-2.6.39-400.297.6.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-2.6.39-400.297.6.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-debug-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-debug-devel-2.6.39-400.297.6.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-devel-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-devel-2.6.39-400.297.6.el6uek\")) flag++;\nif (rpm_exists(release:\"EL6\", rpm:\"kernel-uek-doc-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-doc-2.6.39-400.297.6.el6uek\")) flag++;\nif 
(rpm_exists(release:\"EL6\", rpm:\"kernel-uek-firmware-2.6.39\") && rpm_check(release:\"EL6\", reference:\"kernel-uek-firmware-2.6.39-400.297.6.el6uek\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:46:31", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8970", "CVE-2016-10200", "CVE-2017-2647", "CVE-2017-8797"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important)\n\n* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important)\n\n* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important)\n\n* The lrw_crypt() function in 'crypto/lrw.c' in the Linux kernel before 4.5 allows local users to cause a system crash and a denial of service by the NULL pointer dereference via accept(2) system call for AF_ALG socket without calling setkey() first to set a cipher key. 
(CVE-2015-8970, Moderate)\n\nRed Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647 and Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970.\n\nBug Fix(es):\n\n* When running the LPAR with IBM Power 8 SMT8 mode, system performance degradation occurred due to the load getting spread across threads from the same core. The provided patches fix scheduler performance issues and assure the load is spread across cores, thus improving the system performance significantly. (BZ#1434853)\n\n* Upon reboot, the bond slave with some network adapter ports became unresponsive in the backup state and never proceeded to the active state. As a consequence, the bond slave never transmitted any LACP PDU and the bond interface was never produced properly. With this update, the i40e network driver has been fixed for long link-down notification time and the bond slave now transmits LACP PDUs as expected. (BZ#1446783)\n\n* When attempting to configure two or more Ethernet adapter cards using Virtual Function I/O (VFIO) in the KVM guest, subsequent KVM guests previously failed to boot returning an error message. The provided patch adds the ability of VFIO to support more than one card in the KVM guest environment. (BZ#1447718)\n\n* It is possible to define the CPUs in which unbound kworkers can run by setting a \"mask\" in a specific file in the sysfs file system, helping on CPU isolation. However, this setup did not work properly, and unbounded kworkers were being activated on CPUs in which they were set to _NOT_ run. The provided patchset prevents unbound kworkers from being run on CPUs that are masked, thus fixing this bug. (BZ#1458203)\n\n* Due to a regression, the kernel previously failed to create the /sys/block/<sd device>/devices/enclosure_device symlinks. The provided patch corrects the call to the scsi_is_sas_rphy() function, which is now made on the SAS end device, instead of the SCSI device. 
(BZ#1460204)\n\n* Previously, a system panic occurred when running mkfs.ext4 on newly created software RAID1 partitions on SATA SSD drives. The provided patch ensures the ext4 file system is created on the /dev/md0 partition and is mounted there successfully. (BZ#1463359)", "modified": "2017-08-28T06:59:46", "published": "2017-08-08T18:58:24", "id": "RHSA-2017:2437", "href": "https://access.redhat.com/errata/RHSA-2017:2437", "type": "redhat", "title": "(RHSA-2017:2437) Important: kernel security and bug fix update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-09-24T09:58:40", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2647"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: Null pointer dereference in search_keyring (CVE-2017-2647)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-09-24T13:46:53", "published": "2020-09-24T13:41:46", "id": "RHSA-2020:3836", "href": "https://access.redhat.com/errata/RHSA-2020:3836", "type": "redhat", "title": "(RHSA-2020:3836) Important: kernel security update", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-27T22:07:00", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2647", "CVE-2019-14896"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* kernel: Null pointer dereference in search_keyring (CVE-2017-2647)\n\n* kernel: heap-based buffer overflow in lbs_ibss_join_existing function in drivers/net/wireless/marvell/libertas/cfg.c (CVE-2019-14896)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References 
section.\n\nBug Fix(es):\n\n* Crash in mptscsih_io_done() due to buffer overrun in sense_buf_pool (BZ#1824907)", "modified": "2020-08-25T17:13:06", "published": "2020-08-25T16:52:50", "id": "RHSA-2020:3548", "href": "https://access.redhat.com/errata/RHSA-2020:3548", "type": "redhat", "title": "(RHSA-2020:3548) Important: kernel security and bug fix update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:31:48", "bulletinFamily": "unix", "cvelist": ["CVE-2014-7970", "CVE-2014-7975", "CVE-2015-8839", "CVE-2015-8970", "CVE-2016-10088", "CVE-2016-10147", "CVE-2016-10200", "CVE-2016-10741", "CVE-2016-6213", "CVE-2016-7042", "CVE-2016-7097", "CVE-2016-8645", "CVE-2016-9576", "CVE-2016-9588", "CVE-2016-9604", "CVE-2016-9685", "CVE-2016-9806", "CVE-2017-1000379", "CVE-2017-2584", "CVE-2017-2596", "CVE-2017-2647", "CVE-2017-2671", "CVE-2017-5551", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6951", "CVE-2017-7187", "CVE-2017-7495", "CVE-2017-7616", "CVE-2017-7889", "CVE-2017-8797", "CVE-2017-8890", "CVE-2017-9074", "CVE-2017-9075", "CVE-2017-9076", "CVE-2017-9077", "CVE-2017-9242"], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important)\n\n* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important)\n\n* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. 
(CVE-2017-8797, Important)\n\nThis update also fixes multiple Moderate and Low impact security issues:\n\n* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685\n\nDocumentation for these issues is available from the Release Notes document linked from the References section.\n\nRed Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. 
The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.", "modified": "2019-02-04T18:17:48", "published": "2017-08-01T09:55:25", "id": "RHSA-2017:1842", "href": "https://access.redhat.com/errata/RHSA-2017:1842", "type": "redhat", "title": "(RHSA-2017:1842) Important: kernel security, bug fix, and enhancement update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-12-11T13:33:29", "bulletinFamily": "unix", "cvelist": ["CVE-2014-7970", "CVE-2014-7975", "CVE-2015-8839", "CVE-2015-8970", "CVE-2016-10088", "CVE-2016-10147", "CVE-2016-10200", "CVE-2016-10741", "CVE-2016-6213", "CVE-2016-7042", "CVE-2016-7097", "CVE-2016-8645", "CVE-2016-9576", "CVE-2016-9588", "CVE-2016-9604", "CVE-2016-9685", "CVE-2016-9806", "CVE-2017-2584", "CVE-2017-2596", "CVE-2017-2647", "CVE-2017-2671", "CVE-2017-5551", "CVE-2017-5970", "CVE-2017-6001", "CVE-2017-6951", "CVE-2017-7187", "CVE-2017-7495", "CVE-2017-7616", "CVE-2017-7889", "CVE-2017-8797", "CVE-2017-8890", "CVE-2017-9074", "CVE-2017-9075", "CVE-2017-9076", "CVE-2017-9077", "CVE-2017-9242"], "description": "The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.\n\nSecurity Fix(es):\n\n* A use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. 
(CVE-2016-10200, Important)\n\n* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important)\n\n* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important)\n\nThis update also fixes multiple Moderate and Low impact security issues:\n\n* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685\n\nDocumentation for these issues is available from the Release Notes document linked from the References section.\n\nRed Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. 
The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.", "modified": "2019-02-04T21:48:10", "published": "2017-08-01T09:57:19", "id": "RHSA-2017:2077", "href": "https://access.redhat.com/errata/RHSA-2017:2077", "type": "redhat", "title": "(RHSA-2017:2077) Important: kernel-rt security, bug fix, and enhancement update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "virtuozzo": [{"lastseen": "2019-11-05T11:27:42", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2647"], "description": "This update provides the new Virtuozzo 6.0 kernel 2.6.32-042stab120.20 based on the Red Hat Enterprise Linux 6.8 kernel 2.6.32-642.6.1.el6. The new kernel provides a security fix.\n**Vulnerability id:** CVE-2017-2647\nA flaw was discovered in the Linux kernel's key subsystem. Invoking the request_key() system call with a specially crafted set of arguments could result in a NULL-pointer dereference inside the search_keyring() function. A local unprivileged user could use this vulnerability to crash the system. 
The vulnerability could be exploited from inside containers.\n\n", "edition": 1, "modified": "2017-03-20T00:00:00", "published": "2017-03-20T00:00:00", "id": "VZA-2017-019", "href": "https://help.virtuozzo.com/customer/portal/articles/2770047", "title": "Kernel security update: new kernel 2.6.32-042stab120.20, Virtuozzo 6.0 Update 12 Hotfix 6 (6.0.12-3673)", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T11:28:17", "bulletinFamily": "unix", "cvelist": ["CVE-2017-2647"], "description": "The cumulative Virtuozzo ReadyKernel patch updated with a security fix. The patch applies to Virtuozzo versions 7.0.0, 7.0.1, and 7.0.3.\n**Vulnerability id:** CVE-2017-2647\nA flaw was discovered in the Linux kernel's key subsystem. Invoking the request_key() system call with a specially crafted set of arguments could result in a NULL-pointer dereference inside the search_keyring() function. A local unprivileged user could use this vulnerability to crash the system. 
The vulnerability could be exploited from inside containers.\n\n", "edition": 1, "modified": "2017-03-20T00:00:00", "published": "2017-03-20T00:00:00", "id": "VZA-2017-021", "href": "https://help.virtuozzo.com/customer/portal/articles/2770065", "title": "Kernel security update: Virtuozzo ReadyKernel patch 15.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)", "type": "virtuozzo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2020-08-28T05:41:37", "bulletinFamily": "unix", "cvelist": ["CVE-2019-14896", "CVE-2017-2647"], "description": "[2.6.32-754.33.1.OL6]\n- Update genkey [bug 25599697]\n[2.6.32-754.33.1]\n- [message] scsi: mptscsih: Fix read sense data size (Tomas Henzl) [1824907]\n[2.6.32-754.32.1]\n- [wireless] libertas: make lbs_ibss_join_existing() return error code on rates overflow (Jarod Wilson) [1776569]\n- [wireless] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held (Jarod Wilson) [1776569]\n- [wireless] libertas: Fix two buffer overflows at parsing bss descriptor (Jarod Wilson) [1776569]\n- [security] keys: Protect request_key() against a type with no match function (Patrick Talbert) [1433220] {CVE-2017-2647}", "edition": 1, "modified": "2020-08-26T00:00:00", "published": "2020-08-26T00:00:00", "id": "ELSA-2020-3548", "href": "http://linux.oracle.com/errata/ELSA-2020-3548.html", "title": "kernel security and bug fix update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-22T17:03:40", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9604", "CVE-2017-9242", "CVE-2016-10200", "CVE-2016-9685"], "description": "[2.6.39-400.297.6]\n- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume Nault) [Orabug: 26586050] {CVE-2016-10200}\n- xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz Guzik) 
[Orabug: 26586024] {CVE-2016-9685}\n- KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (David Howells) [Orabug: 26586002] {CVE-2016-9604}\n- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) [Orabug: 26578202] {CVE-2017-9242}", "edition": 5, "modified": "2017-08-18T00:00:00", "published": "2017-08-18T00:00:00", "id": "ELSA-2017-3607", "href": "http://linux.oracle.com/errata/ELSA-2017-3607.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:57", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9604", "CVE-2017-9242", "CVE-2016-10200", "CVE-2016-9685"], "description": "kernel-uek\n[3.8.13-118.19.4]\n- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume Nault) [Orabug: 26586047] {CVE-2016-10200}\n- xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz Guzik) [Orabug: 26586022] {CVE-2016-9685}\n- KEYS: Disallow keyrings beginning with '.' 
to be joined as session keyrings (David Howells) [Orabug: 26585994] {CVE-2016-9604}\n- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) [Orabug: 26578198] {CVE-2017-9242}", "edition": 4, "modified": "2017-08-18T00:00:00", "published": "2017-08-18T00:00:00", "id": "ELSA-2017-3606", "href": "http://linux.oracle.com/errata/ELSA-2017-3606.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:07", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9604", "CVE-2016-6213", "CVE-2017-9242", "CVE-2016-10200", "CVE-2017-7533"], "description": "kernel-uek\n[4.1.12-94.5.9]\n- dentry name snapshots (Al Viro) [Orabug: 26630936] {CVE-2017-7533}\n[4.1.12-94.5.8]\n- scsi: libiscsi: use kvzalloc for iscsi_pool_init (Kyle Fortin) [Orabug: 26621191] \n- mm: introduce kv[mz]alloc helpers (Kyle Fortin) [Orabug: 26621191] \n- KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (David Howells) [Orabug: 26621179] {CVE-2016-9604} {CVE-2016-9604}\n- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume Nault) [Orabug: 26621176] {CVE-2016-10200}\n- mnt: Add a per mount namespace limit on the number of mounts (Eric W. 
Biederman) [Orabug: 26621171] {CVE-2016-6213} {CVE-2016-6213}\n- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) [Orabug: 26621163] {CVE-2017-9242}", "edition": 4, "modified": "2017-08-17T00:00:00", "published": "2017-08-17T00:00:00", "id": "ELSA-2017-3605", "href": "http://linux.oracle.com/errata/ELSA-2017-3605.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:41", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9604", "CVE-2016-9806", "CVE-2016-7097", "CVE-2016-6213", "CVE-2017-7616", "CVE-2017-7889", "CVE-2017-9074", "CVE-2016-10088", "CVE-2017-6001", "CVE-2015-8839", "CVE-2017-9242", "CVE-2017-5970", "CVE-2016-10200", "CVE-2017-2671", "CVE-2017-9075", "CVE-2014-7975", "CVE-2016-9685", "CVE-2015-8970", "CVE-2016-10147", "CVE-2016-9576", "CVE-2017-6951", "CVE-2017-2647", "CVE-2017-2596", "CVE-2016-9588", "CVE-2017-9076", "CVE-2017-7187", "CVE-2017-9077", "CVE-2017-8890", "CVE-2017-8797", "CVE-2016-7042", "CVE-2016-8645", "CVE-2014-7970"], "description": " ", "edition": 5, "modified": "2017-08-07T00:00:00", "published": "2017-08-07T00:00:00", "id": "ELSA-2017-1842", "href": "http://linux.oracle.com/errata/ELSA-2017-1842.html", "title": "kernel security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-30T19:19:50", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9604", "CVE-2016-9806", "CVE-2016-7097", "CVE-2016-6213", "CVE-2017-7616", "CVE-2017-7889", "CVE-2017-9074", "CVE-2016-10088", "CVE-2017-6001", "CVE-2015-8839", "CVE-2017-9242", "CVE-2017-5970", "CVE-2016-10200", "CVE-2017-2671", "CVE-2017-9075", "CVE-2014-7975", "CVE-2016-9685", "CVE-2015-8970", "CVE-2016-10147", "CVE-2016-9576", "CVE-2017-6951", "CVE-2017-2647", "CVE-2017-2596", "CVE-2016-9588", "CVE-2017-9076", "CVE-2017-7187", "CVE-2017-9077", 
"CVE-2017-8890", "CVE-2017-8797", "CVE-2016-7042", "CVE-2016-8645", "CVE-2014-7970"], "description": " ", "edition": 7, "modified": "2017-08-15T00:00:00", "published": "2017-08-15T00:00:00", "id": "ELSA-2017-1842-1", "href": "http://linux.oracle.com/errata/ELSA-2017-1842-1.html", "title": "kernel security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-06-04T15:28:34", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9604", "CVE-2017-11176", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-1000111", "CVE-2016-6213", "CVE-2017-9059", "CVE-2017-9242", "CVE-2016-10200", "CVE-2017-2671", "CVE-2017-11473", "CVE-2017-9075", "CVE-2017-7533", "CVE-2017-1000251", "CVE-2017-5715", "CVE-2017-1000407", "CVE-2017-1000364", "CVE-2017-12134", "CVE-2017-1000365", "CVE-2016-10044", "CVE-2017-8797"], "description": "[4.1.12-61.63.1]\n- Revert 'kernel.spec: Require the new microcode_ctl.' (Brian Maly) \n- x86: Clean up IBRS functionality resident in common code (Kanth Ghatraju) [Orabug: 27439198] \n- x86: Display correct settings for the SPECTRE_V2 bug (Kanth Ghatraju) [Orabug: 27439198] \n- Set CONFIG_GENERIC_CPU_VULNERABILITIES flag (Kanth Ghatraju) [Orabug: 27439198] \n- x86/cpu: Implement CPU vulnerabilites sysfs functions (Thomas Gleixner) [Orabug: 27439198] \n- sysfs/cpu: Fix typos in vulnerability documentation (David Woodhouse) [Orabug: 27439198] \n- sysfs/cpu: Add vulnerability folder (Thomas Gleixner) [Orabug: 27439198] \n- x86/cpufeatures: Add X86_BUG_SPECTRE_V[12] (David Woodhouse) [Orabug: 27439198] \n- x86/cpufeatures: Add X86_BUG_CPU_MELTDOWN (Kanth Ghatraju) [Orabug: 27439198] \n- KVM: x86: Add memory barrier on vmcs field lookup (Andrew Honig) {CVE-2017-5753}\n- KVM: VMX: remove I/O port 0x80 bypass on Intel hosts (Andrew Honig) [Orabug: 27439182] {CVE-2017-1000407} {CVE-2017-1000407}\n[4.1.12-61.62.1]\n- xen-blkback: add pending_req allocation stats (Ankur Arora) [Orabug: 
27386891] \n- xen-blkback: move indirect req allocation out-of-line (Ankur Arora) [Orabug: 27386891] \n- xen-blkback: pull nseg validation out in a function (Ankur Arora) [Orabug: 27386891] \n- xen-blkback: make struct pending_req less monolithic (Ankur Arora) [Orabug: 27386891]\n[4.1.12-61.61.1]\n- x86/pti/efi: broken conversion from efi to kernel page table (Pavel Tatashin) [Orabug: 27378519] [Orabug: 27352353] {CVE-2017-5754}\n- x86/spec: Always set IBRS to guest value on VMENTER and host on VMEXIT (redux) (Konrad Rzeszutek Wilk) [Orabug: 27378474] \n- x86/IBRS: Make sure we restore MSR_IA32_SPEC_CTRL to a valid value (Boris Ostrovsky) [Orabug: 27378115] \n- x86/IBRS/IBPB: Set sysctl_ibrs/ibpb_enabled properly (Boris Ostrovsky) [Orabug: 27382622] \n- x86/spec_ctrl: Add missing 'lfence' when IBRS is not supported. (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- x86/entry_64: TRACE_IRQS_OFF before re-enabling. (Jamie Iles) [Orabug: 27345850] {CVE-2017-5715}\n- ptrace: remove unlocked RCU dereference. (Jamie Iles) [Orabug: 27345850] {CVE-2017-5715}\n- x86/ia32: Adds code hygiene for 32bit SYSCALL instruction entry. (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- x86/ia32: dont save registers on audit call (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- x86/spec/ia32: Sprinkle IBRS and RSB at the 32-bit SYSCALL (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- x86/ia32: Move STUFF_RSB And ENABLE_IBRS (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- x86/spec: Always set IBRS to guest value on VMENTER and host on VMEXIT. (Konrad Rzeszutek Wilk) [Orabug: 27365614] {CVE-2017-5715}\n- x86/ia32: save and clear registers on syscall. 
(Jamie Iles) [Orabug: 27371760] {CVE-2017-5754}\n- x86/IBRS: Save current status of MSR_IA32_SPEC_CTRL (Boris Ostrovsky) [Orabug: 27371757] \n- pti: Rename X86_FEATURE_KAISER to X86_FEATURE_PTI (Pavel Tatashin) [Orabug: 27371653] {CVE-2017-5754}\n- x86/spec_ctrl: Add missing IBRS_DISABLE (Konrad Rzeszutek Wilk) \n- Make use of ibrs_inuse consistent. (Jun Nakajima) \n- x86/kvm: Set IBRS on VMEXIT if guest disabled it. (Konrad Rzeszutek Wilk) \n- Re-introduce clearing of r12-15, rbp, rbx (Kris Van Hees) [Orabug: 27345850] {CVE-2017-5715}\n- x86: more ibrs/pti fixes (Pavel Tatashin) [Orabug: 27371653] {CVE-2017-5754}\n- x86/spec: Actually do the check for in_use on ENABLE_IBRS (Konrad Rzeszutek Wilk) {CVE-2017-5715}\n- kvm: svm: Expose the CPUID.0x80000008 ebx flag. (Konrad Rzeszutek Wilk) {CVE-2017-5715}\n- x86/spec_ctrl: Provide the sysfs version of the ibrs_enabled (Konrad Rzeszutek Wilk) {CVE-2017-5715}\n- x86: Use better #define for FEATURE_ENABLE_IBRS and 0 (Konrad Rzeszutek Wilk) {CVE-2017-5715}\n- x86: Instead of 0x2, 0x4, and 0x1 use #defines. (Konrad Rzeszutek Wilk) {CVE-2017-5715}\n- kpti: Disable when running under Xen PV (Konrad Rzeszutek Wilk) [Orabug: 27371653] {CVE-2017-5754}\n- x86: Dont ENABLE_IBRS in nmi when we are still running on user cr3 (Konrad Rzeszutek Wilk) {CVE-2017-5715}\n- x86/enter: Use IBRS on syscall and interrupts - fix ia32 path (Konrad Rzeszutek Wilk) {CVE-2017-5715}\n- x86: Fix spectre/kpti integration (Konrad Rzeszutek Wilk) [Orabug: 27371653] {CVE-2017-5754}\n- PTI: unbreak EFI old_memmap (Jiri Kosina) [Orabug: 27371653] {CVE-2017-5754}\n- KAISER KABI tweaks. (Martin K. Petersen) [Orabug: 27371653] {CVE-2017-5754}\n- x86/ldt: fix crash in ldt freeing. 
(Jamie Iles) [Orabug: 27371653] {CVE-2017-5754}\n- x86/entry: Define 'cpu_current_top_of_stack' for 64-bit code (Denys Vlasenko) [Orabug: 27371653] {CVE-2017-5754}\n- x86/entry: Remove unused 'kernel_stack' per-cpu variable (Denys Vlasenko) [Orabug: 27371653] {CVE-2017-5754}\n- x86/entry: Stop using PER_CPU_VAR(kernel_stack) (Denys Vlasenko) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: Set _PAGE_NX only if supported (Guenter Roeck) [Orabug: 27371653] {CVE-2017-5754}\n- x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- KPTI: Report when enabled (Kees Cook) [Orabug: 27371653] {CVE-2017-5754}\n- KPTI: Rename to PAGE_TABLE_ISOLATION (Kees Cook) [Orabug: 27371653] {CVE-2017-5754}\n- x86/kaiser: Move feature detection up (Borislav Petkov) [Orabug: 27371653] {CVE-2017-5754}\n- x86/kaiser: Reenable PARAVIRT (Borislav Petkov) [Orabug: 27371653] {CVE-2017-5754}\n- x86/paravirt: Dont patch flush_tlb_single (Thomas Gleixner) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: kaiser_flush_tlb_on_return_to_user() check PCID (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: asm/tlbflush.h handle noPGE at lower level (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: drop is_atomic arg to kaiser_pagetable_walk() (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: use ALTERNATIVE instead of x86_cr3_pcid_noflush (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- x86/kaiser: Check boottime cmdline params (Borislav Petkov) [Orabug: 27371653] {CVE-2017-5754}\n- x86/kaiser: Rename and simplify X86_FEATURE_KAISER handling (Borislav Petkov) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: add 'nokaiser' boot option, using ALTERNATIVE (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: fix unlikely error in alloc_ldt_struct() (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: _pgd_alloc() without __GFP_REPEAT to avoid stalls (Hugh Dickins) [Orabug: 27371653] 
{CVE-2017-5754}\n- kaiser: paranoid_entry pass cr3 need to paranoid_exit (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: x86_cr3_pcid_noflush and x86_cr3_pcid_user (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: PCID 0 for kernel and 128 for user (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: load_new_mm_cr3() let SWITCH_USER_CR3 flush user (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: enhanced by kernel and user PCIDs (Dave Hansen) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: vmstat show NR_KAISERTABLE as nr_overhead (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: delete KAISER_REAL_SWITCH option (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: name that 0x1000 KAISER_SHADOW_PGD_OFFSET (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: cleanups while trying for gold link (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: kaiser_remove_mapping() move along the pgd (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: tidied up kaiser_add/remove_mapping slightly (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: tidied up asm/kaiser.h somewhat (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: ENOMEM if kaiser_pagetable_walk() NULL (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: fix perf crashes (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: fix regs to do_nmi() ifndef CONFIG_KAISER (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: KAISER depends on SMP (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: fix build and FIXME in alloc_ldt_struct() (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: stack map PAGE_SIZE at THREAD_SIZE-PAGE_SIZE (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: do not set _PAGE_NX on pgd_none (Hugh Dickins) [Orabug: 27371653] {CVE-2017-5754}\n- kaiser: merged update (Dave Hansen) [Orabug: 27371653] {CVE-2017-5754}\n- KAISER: Kernel Address 
Isolation (Richard Fellner) [Orabug: 27371653] {CVE-2017-5754}\n- x86/boot: Add early cmdline parsing for options with arguments (Tom Lendacky) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm/64: Fix reboot interaction with CR4.PCIDE (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm: Enable CR4.PCIDE on supported systems (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm: Add the 'nopcid' boot option to turn off PCID (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm: Disable PCID on 32-bit kernels (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm: Reimplement flush_tlb_page() using flush_tlb_mm_range() (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm: Make flush_tlb_mm_range() more predictable (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm: Remove flush_tlb() and flush_tlb_current_task() (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/vm86/32: Switch to flush_tlb_mm_range() in mark_screen_rdonly() (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/irq: Do not substract irq_tlb_count from irq_call_count (Aaron Lu) [Orabug: 27371653] {CVE-2017-5754}\n- sched/core: Idle_task_exit() shouldnt use switch_mm_irqs_off() (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- ARM: Hide finish_arch_post_lock_switch() from modules (Steven Rostedt) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm, sched/core: Turn off IRQs in switch_mm() (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm, sched/core: Uninline switch_mm() (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm: Build arch/x86/mm/tlb.c even on !SMP (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- sched/core: Add switch_mm_irqs_off() and use it in the scheduler (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- mm/mmu_context, sched/core: Fix mmu_context.h 
assumption (Ingo Molnar) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm: If INVPCID is available, use it to flush global mappings (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm: Add a 'noinvpcid' boot option to turn off INVPCID (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm: Fix INVPCID asm constraint (Borislav Petkov) [Orabug: 27371653] {CVE-2017-5754}\n- x86/mm: Add INVPCID helpers (Andy Lutomirski) [Orabug: 27371653] {CVE-2017-5754}\n- x86/ibrs: Remove 'ibrs_dump' and remove the pr_debug (Konrad Rzeszutek Wilk) [Orabug: 27351388] \n- kABI: Revert kABI: Make the boot_cpu_data look normal (Konrad Rzeszutek Wilk) {CVE-2017-5715}\n[4.1.12-61.60.1]\n- userns: prevent speculative execution (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- udf: prevent speculative execution (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- net: mpls: prevent speculative execution (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- fs: prevent speculative execution (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- ipv6: prevent speculative execution (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- ipv4: prevent speculative execution (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- Thermal/int340x: prevent speculative execution (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- cw1200: prevent speculative execution (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- qla2xxx: prevent speculative execution (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- p54: prevent speculative execution (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- carl9170: prevent speculative execution (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- uvcvideo: prevent speculative execution (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- bpf: prevent speculative execution in eBPF interpreter (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- locking/barriers: introduce new observable speculation barrier (Elena 
Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- x86/cpu/AMD: Remove now unused definition of MFENCE_RDTSC feature (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- x86/cpu/AMD: Make the LFENCE instruction serialized (Elena Reshetova) [Orabug: 27345857] {CVE-2017-5753}\n- kABI: Make the boot_cpu_data look normal. (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- kernel.spec: Require the new microcode_ctl. (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715} {CVE-2017-5715}\n- x86/microcode/AMD: Add support for fam17h microcode loading (Tom Lendacky) [Orabug: 27345850] {CVE-2017-5715}\n- x86/spec_ctrl: Disable if running as Xen PV guest. (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- Set IBPB when running a different VCPU (Dave Hansen) [Orabug: 27345850] {CVE-2017-5715}\n- Clear the host registers after setbe (Jun Nakajima) [Orabug: 27345850] {CVE-2017-5715}\n- Use the ibpb_inuse variable. (Jun Nakajima) [Orabug: 27345850] {CVE-2017-5715}\n- KVM: x86: add SPEC_CTRL to MSR and CPUID lists (Andrea Arcangeli) [Orabug: 27345850] {CVE-2017-5715}\n- kvm: vmx: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Paolo Bonzini) [Orabug: 27345850] {CVE-2017-5715}\n- Use the 'ibrs_inuse' variable. 
(Jun Nakajima) [Orabug: 27345850] {CVE-2017-5715}\n- kvm: svm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD (Andrea Arcangeli) [Orabug: 27345850] {CVE-2017-5715}\n- x86/svm: Set IBPB when running a different VCPU (Paolo Bonzini) [Orabug: 27345850] {CVE-2017-5715}\n- x86/kvm: Pad RSB on VM transition (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n- x86/cpu/AMD: Add speculative control support for AMD (Tom Lendacky) [Orabug: 27345850] {CVE-2017-5715}\n- x86/microcode: Recheck IBRS and IBPB feature on microcode reload (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n- x86: Move IBRS/IBPB feature detection to scattered.c (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n- x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n- x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- x86/kvm: clear registers on VM exit (Tom Lendacky) [Orabug: 27345850] {CVE-2017-5715}\n- x86/kvm: Set IBPB when switching VM (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n- *INCOMPLETE* x86/syscall: Clear unused extra registers on syscall entrance (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- x86/entry: Stuff RSB for entry to kernel for non-SMEP platform (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- x86/mm: Only set IBPB when the new thread cannot ptrace current thread (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- x86/mm: Set IBPB upon context switch (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n- x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n- x86/idle: Disable IBRS entering idle and enable it on wakeup (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n- x86/spec_ctrl: save IBRS MSR value in paranoid_entry (Andrea Arcangeli) [Orabug: 27345850] {CVE-2017-5715}\n- *Scaffolding* x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature (Tim 
Chen) [Orabug: 27345850] {CVE-2017-5715}\n- x86/enter: Use IBRS on syscall and interrupts (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n- x86: Add macro that does not save rax, rcx, rdx on stack to disable IBRS (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n- x86/enter: MACROS to set/clear IBRS and set IBP (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n- x86/feature: Report presence of IBPB and IBRS control (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n- x86: Add STIBP feature enumeration (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- x86/cpufeature: Add X86_FEATURE_IA32_ARCH_CAPS and X86_FEATURE_IBRS_ATT (Konrad Rzeszutek Wilk) [Orabug: 27345850] {CVE-2017-5715}\n- x86/feature: Enable the x86 feature to control (Tim Chen) [Orabug: 27345850] {CVE-2017-5715}\n[4.1.12-61.59.1]\n- nvme: merge probe_work and reset_work (Christoph Hellwig) [Orabug: 26984819] \n- nvme: only ignore hardware errors in nvme_create_io_queues (Christoph Hellwig) [Orabug: 26984819] \n- nvme: add NVME_SC_CANCELLED (Christoph Hellwig) [Orabug: 26984819]\n[4.1.12-61.58.1]\n- netlink: allow to listen 'all' netns (Nicolas Dichtel) [Orabug: 27098331] \n- netlink: rename private flags and states (Nicolas Dichtel) [Orabug: 27098331] \n- netns: use a spin_lock to protect nsid management (Nicolas Dichtel) [Orabug: 27098331] \n- netns: notify new nsid outside __peernet2id() (Nicolas Dichtel) [Orabug: 27098331] \n- netns: rename peernet2id() to peernet2id_alloc() (Nicolas Dichtel) [Orabug: 27098331] \n- netns: always provide the id to rtnl_net_fill() (Nicolas Dichtel) [Orabug: 27098331] \n- netns: returns always an id in __peernet2id() (Nicolas Dichtel) [Orabug: 27098331] \n- mm: fix new crash in unmapped_area_topdown() (Hugh Dickins) [Orabug: 26338222] {CVE-2017-1000364}\n- mm: larger stack guard gap, between vmas (Hugh Dickins) [Orabug: 26338222] {CVE-2017-1000364}\n- Revert 'SUNRPC: Refactor svc_set_num_threads()' (Kirtikar Kashyap) [Orabug: 26981903] \n- Revert 'NFSv4: Fix callback 
server shutdown' (Kirtikar Kashyap) [Orabug: 26981903]\n[4.1.12-61.57.1]\n- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 26681157] {CVE-2017-1000111}\n- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650879] {CVE-2017-9075}\n- x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han) [Orabug: 26643642] {CVE-2017-11473}\n- aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643594] {CVE-2016-10044}\n- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug: 26643552] {CVE-2017-11176}\n- ping: implement proper locking (Eric Dumazet) [Orabug: 26540282] {CVE-2017-2671}\n- nfsd: encoders mustnt use unitialized values in error cases (J. Bruce Fields) [Orabug: 26572912] {CVE-2017-8797}\n- nfsd: fix undefined behavior in nfsd4_layout_verify (Ari Kauppi) [Orabug: 26572912] {CVE-2017-8797}\n- vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman) [Orabug: 26643594] {CVE-2016-10044}\n- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643594] {CVE-2016-10044}\n- fs/exec.c: account for argv/envp pointers (Kees Cook) [Orabug: 26403981] {CVE-2017-1000365} {CVE-2017-1000365}\n- NFSv4: Fix callback server shutdown (Trond Myklebust) [Orabug: 26403981] {CVE-2017-9059}\n- SUNRPC: Refactor svc_set_num_threads() (Trond Myklebust) [Orabug: 26403981] {CVE-2017-9059}\n[4.1.12-61.56.1]\n- mlx4_core: calculate log_num_mtt based on total system memory (Wei Lin Guay) [Orabug: 26867347] \n- xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky) [Orabug: 26867347]\n[4.1.12-61.55.1]\n- Bluetooth: Properly check L2CAP config option output buffer length (Ben Seri) [Orabug: 26796420] {CVE-2017-1000251}\n- blk-mq: avoid re-initialize request which is failed in direct dispatch (Shaohua Li) [Orabug: 26752510] \n- xen-blkfront: fix mq start/stop race (Junxiao Bi) [Orabug: 26739166] [Orabug: 26739166] \n- Added IB diag 
counters from UEK2 (Chris Gray) [Orabug: 26088233]\n[4.1.12-61.54.1]\n- xen: fix bio vec merging (Roger Pau Monne) [Orabug: 26669479] [Orabug: 26645497] {CVE-2017-12134}\n[4.1.12-61.53.1]\n- dentry name snapshots (Al Viro) [Orabug: 26630810] {CVE-2017-7533}\n[4.1.12-61.52.1]\n- KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (David Howells) [Orabug: 26585991] {CVE-2016-9604} {CVE-2016-9604}\n- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume Nault) [Orabug: 26586044] {CVE-2016-10200}\n- mnt: Add a per mount namespace limit on the number of mounts (Eric W. Biederman) [Orabug: 26585947] {CVE-2016-6213} {CVE-2016-6213}\n- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) [Orabug: 26578193] {CVE-2017-9242}", "edition": 74, "modified": "2018-01-27T00:00:00", "published": "2018-01-27T00:00:00", "id": "ELSA-2018-4021", "href": "http://linux.oracle.com/errata/ELSA-2018-4021.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:38:54", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10208", "CVE-2016-2782", "CVE-2017-7895", "CVE-2017-7184", "CVE-2016-7910", "CVE-2016-8399", "CVE-2016-10088", "CVE-2015-6252", "CVE-2015-9731", "CVE-2015-5257", "CVE-2017-2583", "CVE-2017-6214", "CVE-2017-5669", "CVE-2017-2647", "CVE-2017-5986", "CVE-2016-10229", "CVE-2017-7187", "CVE-2016-10142", "CVE-2016-9644"], "description": "kernel-uek\n[3.8.13-118.18.2]\n- nfsd: stricter decoding of write-like NFSv2/v3 ops (J. 
Bruce Fields) [Orabug: 25986990] {CVE-2017-7895}\n[3.8.13-118.18.1]\n- fnic: Update fnic driver version to 1.6.0.24 (John Sobecki) [Orabug: 24448585] \n- xen-netfront: Rework the fix for Rx stall during OOM and network stress (Dongli Zhang) [Orabug: 25450703] \n- xen-netfront: Fix Rx stall during network stress and OOM (Dongli Zhang) [Orabug: 25450703] \n- ipv6: Skip XFRM lookup if dst_entry in socket cache is valid (Jakub Sitnicki) \n- uek-rpm: enable CONFIG_KSPLICE. (Jamie Iles) [Orabug: 25549809] \n- ksplice: add sysctls for determining Ksplice features. (Jamie Iles) [Orabug: 25549809] \n- signal: protect SIGNAL_UNKILLABLE from unintentional clearing. (Jamie Iles) [Orabug: 25549809] \n- VSOCK: Fix lockdep issue. (Dongli Zhang) [Orabug: 25559937] \n- VSOCK: sock_put wasn't safe to call in interrupt context (Dongli Zhang) [Orabug: 25559937] \n- IB/CORE: sync the resouce access in fmr_pool (Wengang Wang) [Orabug: 25677469] \n- KVM: x86: fix emulation of 'MOV SS, null selector' (Paolo Bonzini) [Orabug: 25719675] {CVE-2017-2583} {CVE-2017-2583}\n- ext4: validate s_first_meta_bg at mount time (Eryu Guan) [Orabug: 25719738] {CVE-2016-10208}\n- sctp: avoid BUG_ON on sctp_wait_for_sndbuf (Marcelo Ricardo Leitner) [Orabug: 25719810] {CVE-2017-5986}\n- tcp: avoid infinite loop in tcp_splice_read() (Eric Dumazet) [Orabug: 25720813] {CVE-2017-6214}\n- lpfc cannot establish connection with targets that send PRLI under P2P mode (Joe Jin) [Orabug: 25759083] \n- USB: visor: fix null-deref at probe (Johan Hovold) [Orabug: 25796594] {CVE-2016-2782}\n- ipc/shm: Fix shmat mmap nil-page protection (Davidlohr Bueso) [Orabug: 25797012] {CVE-2017-5669}\n- vhost: actually track log eventfd file (Marc-Andre Lureau) [Orabug: 25797052] {CVE-2015-6252}\n- xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder (Andy Whitcroft) [Orabug: 25814663] {CVE-2017-7184}\n- xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window (Andy Whitcroft) [Orabug: 25814663] {CVE-2017-7184}\n- 
KEYS: Remove key_type::match in favour of overriding default by match_preparse (Aniket Alshi) [Orabug: 25823962] {CVE-2017-2647} {CVE-2017-2647}\n- USB: whiteheat: fix potential null-deref at probe (Johan Hovold) [Orabug: 25825105] {CVE-2015-5257} {CVE-2015-5257}\n- udf: Check path length when reading symlink (Jan Kara) [Orabug: 25871102] {CVE-2015-9731}\n- udp: properly support MSG_PEEK with truncated buffers (Eric Dumazet) [Orabug: 25876655] {CVE-2016-10229}\n- block: fix use-after-free in seq file (Vegard Nossum) [Orabug: 25877530] {CVE-2016-7910}\n- Revert 'fix minor infoleak in get_user_ex()' (Brian Maly) [Orabug: 25790392] {CVE-2016-9644}\n- net: ping: check minimum size on ICMP header length (Kees Cook) [Orabug: 25766911] {CVE-2016-8399}\n- ipv6: stop sending PTB packets for MTU < 1280 (Hagen Paul Pfeifer) [Orabug: 25765776] {CVE-2016-10142}\n- sg_write()/bsg_write() is not fit to be called under KERNEL_DS (Al Viro) [Orabug: 25765445] {CVE-2016-10088}\n- scsi: sg: check length passed to SG_NEXT_CMD_LEN (peter chang) [Orabug: 25751996] {CVE-2017-7187}", "edition": 4, "modified": "2017-05-16T00:00:00", "published": "2017-05-16T00:00:00", "id": "ELSA-2017-3566", "href": "http://linux.oracle.com/errata/ELSA-2017-3566.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-04T17:28:47", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9604", "CVE-2017-11176", "CVE-2016-7097", "CVE-2017-1000380", "CVE-2017-1000111", "CVE-2017-14489", "CVE-2017-7889", "CVE-2017-7645", "CVE-2017-9242", "CVE-2016-10200", "CVE-2017-8831", "CVE-2017-2671", "CVE-2017-11473", "CVE-2017-9075", "CVE-2017-10661", "CVE-2016-9685", "CVE-2017-1000251", "CVE-2017-12134", "CVE-2017-1000363", "CVE-2017-9077", "CVE-2017-7542", "CVE-2017-1000365", "CVE-2016-10044", "CVE-2017-12190"], "description": "kernel-uek\n[3.8.13-118.20.1]\n- tty: Fix race in pty_write() leading to NULL deref 
(Todd Vierling) [Orabug: 25392692] \n- ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei) [Orabug: 26479780] \n- KEYS: fix dereferencing NULL payload with nonzero length (Eric Biggers) [Orabug: 26592025] \n- oracleasm: Copy the integrity descriptor (Martin K. Petersen) [Orabug: 26649818] \n- mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook) [Orabug: 26675925] {CVE-2017-7889}\n- xscore: add dma address check (Zhu Yanjun) [Orabug: 27058468] \n- more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069042] {CVE-2017-12190}\n- fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh) [Orabug: 27069042] {CVE-2017-12190}\n- nvme: Drop nvmeq->q_lock before dma_pool_alloc(), so as to prevent hard lockups (Aruna Ramakrishna) [Orabug: 25409587] \n- nvme: Handle PM1725 HIL reset (Martin K. Petersen) [Orabug: 26277600] \n- char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403940] {CVE-2017-1000363}\n- ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug: 26403956] {CVE-2017-1000380}\n- ALSA: timer: Fix race between read and ioctl (Takashi Iwai) [Orabug: 26403956] {CVE-2017-1000380}\n- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum) [Orabug: 26403956] {CVE-2017-1000380}\n- ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403956] {CVE-2017-1000380}\n- ALSA: timer: Fix race at concurrent reads (Takashi Iwai) [Orabug: 26403956] {CVE-2017-1000380}\n- ALSA: timer: Fix race among timer ioctls (Takashi Iwai) [Orabug: 26403956] {CVE-2017-1000380}\n- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404005] {CVE-2017-9077}\n- ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren) [Orabug: 26427126] \n- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren) [Orabug: 26427126] \n- ping: implement proper locking (Eric Dumazet) [Orabug: 
26540286] {CVE-2017-2671}\n- aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643598] {CVE-2016-10044}\n- vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman) [Orabug: 26643598] {CVE-2016-10044}\n- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643598] {CVE-2016-10044}\n- x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han) [Orabug: 26643645] {CVE-2017-11473}\n- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650883] {CVE-2017-9075}\n- [media] saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675142] {CVE-2017-8831}\n- [media] saa7164: fix sparse warnings (Hans Verkuil) [Orabug: 26675142] {CVE-2017-8831}\n- fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das) [Orabug: 26797306] \n- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899787] {CVE-2017-10661}\n- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long) [Orabug: 26988627] {CVE-2017-14489}\n- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug: 26643556] {CVE-2017-11176}\n- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011273] {CVE-2017-7542}\n- packet: fix tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002450] {CVE-2017-1000111}\n- mlx4_core: calculate log_num_mtt based on total system memory (Wei Lin Guay) [Orabug: 26883934] \n- xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky) [Orabug: 26883934] \n- Bluetooth: Properly check L2CAP config option output buffer length (Ben Seri) [Orabug: 26796364] {CVE-2017-1000251}\n- xen: fix bio vec merging (Roger Pau Monne) [Orabug: 26645550] {CVE-2017-12134}\n- fs/exec.c: account for argv/envp pointers (Kees Cook) [Orabug: 26638921] {CVE-2017-1000365} {CVE-2017-1000365}\n- l2tp: fix racy SOCK_ZAPPED flag check in 
l2tp_ip{,6}_bind() (Guillaume Nault) [Orabug: 26586047] {CVE-2016-10200}\n- xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz Guzik) [Orabug: 26586022] {CVE-2016-9685}\n- KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (David Howells) [Orabug: 26585994] {CVE-2016-9604}\n- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) [Orabug: 26578198] {CVE-2017-9242}\n- posix_acl: Clear SGID bit when setting file permissions (Jan Kara) [Orabug: 25507344] {CVE-2016-7097} {CVE-2016-7097}\n- nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) [Orabug: 26366022] {CVE-2017-7645}", "edition": 6, "modified": "2017-12-07T00:00:00", "published": "2017-12-07T00:00:00", "id": "ELSA-2017-3657", "href": "http://linux.oracle.com/errata/ELSA-2017-3657.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-06-04T17:31:39", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9604", "CVE-2017-11176", "CVE-2017-1000380", "CVE-2017-1000111", "CVE-2017-14489", "CVE-2017-7889", "CVE-2017-9074", "CVE-2017-7645", "CVE-2017-9242", "CVE-2017-7273", "CVE-2016-10200", "CVE-2017-8831", "CVE-2017-2671", "CVE-2015-1465", "CVE-2017-11473", "CVE-2017-9075", "CVE-2017-10661", "CVE-2016-9685", "CVE-2017-1000251", "CVE-2017-1000253", "CVE-2017-1000364", "CVE-2017-7308", "CVE-2017-12134", "CVE-2015-2686", "CVE-2017-1000363", "CVE-2014-9710", "CVE-2015-4167", "CVE-2017-9077", "CVE-2017-7542", "CVE-2017-1000365", "CVE-2016-10044", "CVE-2017-12190"], "description": "[2.6.39-400.298.1]\n- ocfs2/dlm: ignore cleaning the migration mle that is inuse (xuejiufei) [Orabug: 23320090] \n- tty: Fix race in pty_write() leading to NULL deref (Todd Vierling) [Orabug: 24337879] \n- xen-netfront: cast grant table reference first to type int (Dongli Zhang) [Orabug: 25102637] \n- xen-netfront: do not cast grant table reference to signed short (Dongli 
Zhang) [Orabug: 25102637] \n- RDS: Print failed rdma op details if failure is remote access error (Rama Nichanamatlu) [Orabug: 25440316] \n- ping: implement proper locking (Eric Dumazet) [Orabug: 26540288] {CVE-2017-2671}\n- KEYS: fix dereferencing NULL payload with nonzero length (Eric Biggers) [Orabug: 26592013] \n- oracleasm: Copy the integrity descriptor (Martin K. Petersen) [Orabug: 26650039] \n- mm: Tighten x86 /dev/mem with zeroing reads (Kees Cook) [Orabug: 26675934] {CVE-2017-7889}\n- fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE (Abhi Das) [Orabug: 26797307] \n- xscore: add dma address check (Zhu Yanjun) [Orabug: 27058559] \n- more bio_map_user_iov() leak fixes (Al Viro) [Orabug: 27069045] {CVE-2017-12190}\n- fix unbalanced page refcounting in bio_map_user_iov (Vitaly Mayatskikh) [Orabug: 27069045] {CVE-2017-12190}\n- xsigo: [backport] Fix race in freeing aged Forwarding tables (Pradeep Gopanapalli) [Orabug: 24823234] \n- ocfs2: fix deadlock issue when taking inode lock at vfs entry points (Eric Ren) [Orabug: 25671723] \n- ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock (Eric Ren) [Orabug: 25671723] \n- net/packet: fix overflow in check for tp_reserve (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308}\n- net/packet: fix overflow in check for tp_frame_nr (Andrey Konovalov) [Orabug: 26143563] {CVE-2017-7308}\n- char: lp: fix possible integer overflow in lp_setup() (Willy Tarreau) [Orabug: 26403941] {CVE-2017-1000363}\n- ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}\n- ALSA: timer: Fix race between read and ioctl (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}\n- ALSA: timer: fix NULL pointer dereference in read()/ioctl() race (Vegard Nossum) [Orabug: 26403958] {CVE-2017-1000380}\n- ALSA: timer: Fix negative queue usage by racy accesses (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}\n- ALSA: timer: Fix race at concurrent 
reads (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}\n- ALSA: timer: Fix race among timer ioctls (Takashi Iwai) [Orabug: 26403958] {CVE-2017-1000380}\n- ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() (Ben Hutchings) [Orabug: 26403974] {CVE-2017-9074}\n- ipv6: Check ip6_find_1stfragopt() return value properly. (David S. Miller) [Orabug: 26403974] {CVE-2017-9074}\n- ipv6: Prevent overrun when parsing v6 header options (Craig Gallek) [Orabug: 26403974] {CVE-2017-9074}\n- ipv6/dccp: do not inherit ipv6_mc_list from parent (WANG Cong) [Orabug: 26404007] {CVE-2017-9077}\n- aio: mark AIO pseudo-fs noexec (Jann Horn) [Orabug: 26643601] {CVE-2016-10044}\n- vfs: Commit to never having exectuables on proc and sysfs. (Eric W. Biederman) [Orabug: 26643601] {CVE-2016-10044}\n- vfs, writeback: replace FS_CGROUP_WRITEBACK with SB_I_CGROUPWB (Tejun Heo) [Orabug: 26643601] {CVE-2016-10044}\n- x86/acpi: Prevent out of bound access caused by broken ACPI tables (Seunghun Han) [Orabug: 26643652] {CVE-2017-11473}\n- sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (Eric Dumazet) [Orabug: 26650889] {CVE-2017-9075}\n- saa7164: fix double fetch PCIe access condition (Steven Toth) [Orabug: 26675148] {CVE-2017-8831}\n- saa7164: fix sparse warnings (Hans Verkuil) [Orabug: 26675148] {CVE-2017-8831}\n- saa7164: get rid of warning: no previous prototype (Mauro Carvalho Chehab) [Orabug: 26675148] {CVE-2017-8831}\n- [scsi] lpfc 8.3.44: Fix kernel panics from corrupted ndlp (James Smart) [Orabug: 26765341] \n- timerfd: Protect the might cancel mechanism proper (Thomas Gleixner) [Orabug: 26899791] {CVE-2017-10661}\n- scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly (Xin Long) [Orabug: 26988628] {CVE-2017-14489}\n- mqueue: fix a use-after-free in sys_mq_notify() (Cong Wang) [Orabug: 26643562] {CVE-2017-11176}\n- ipv6: avoid overflow of offset in ip6_find_1stfragopt (Sabrina Dubroca) [Orabug: 27011278] {CVE-2017-7542}\n- packet: fix 
tp_reserve race in packet_set_ring (Willem de Bruijn) [Orabug: 27002453] {CVE-2017-1000111}\n- mlx4_core: calculate log_mtt based on total system memory (Wei Lin Guay) [Orabug: 26867355] \n- xen/x86: Add interface for querying amount of host memory (Boris Ostrovsky) [Orabug: 26867355] \n- fs/binfmt_elf.c: fix bug in loading of PIE binaries (Michael Davidson) [Orabug: 26870958] {CVE-2017-1000253}\n- Bluetooth: Properly check L2CAP config option output buffer length (Ben Seri) [Orabug: 26796428] {CVE-2017-1000251}\n- xen: fix bio vec merging (Roger Pau Monne) [Orabug: 26645562] {CVE-2017-12134}\n- fs/exec.c: account for argv/envp pointers (Kees Cook) [Orabug: 26638926] {CVE-2017-1000365} {CVE-2017-1000365}\n- l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() (Guillaume Nault) [Orabug: 26586050] {CVE-2016-10200}\n- xfs: fix two memory leaks in xfs_attr_list.c error paths (Mateusz Guzik) [Orabug: 26586024] {CVE-2016-9685}\n- KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings (David Howells) [Orabug: 26586002] {CVE-2016-9604}\n- ipv6: fix out of bound writes in __ip6_append_data() (Eric Dumazet) [Orabug: 26578202] {CVE-2017-9242}\n- selinux: quiet the filesystem labeling behavior message (Paul Moore) [Orabug: 25721485] \n- RDS/IB: active bonding port state fix for intfs added late (Mukesh Kacker) [Orabug: 25875426] \n- HID: hid-cypress: validate length of report (Greg Kroah-Hartman) [Orabug: 25891914] {CVE-2017-7273}\n- udf: Remove repeated loads blocksize (Jan Kara) [Orabug: 25905722] {CVE-2015-4167}\n- udf: Check length of extended attributes and allocation descriptors (Jan Kara) [Orabug: 25905722] {CVE-2015-4167}\n- udf: Verify i_size when loading inode (Jan Kara) [Orabug: 25905722] {CVE-2015-4167}\n- btrfs: drop unused parameter from btrfs_item_nr (Ross Kirk) [Orabug: 25948102] {CVE-2014-9710}\n- Btrfs: cleanup of function where fixup_low_keys() is called (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710}\n- Btrfs: remove unused 
argument of fixup_low_keys() (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710}\n- Btrfs: remove unused argument of btrfs_extend_item() (Tsutomu Itoh) [Orabug: 25948102] {CVE-2014-9710}\n- Btrfs: add support for asserts (Josef Bacik) [Orabug: 25948102] {CVE-2014-9710}\n- Btrfs: make xattr replace operations atomic (Filipe Manana) [Orabug: 25948102] {CVE-2014-9710}\n- net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom (Al Viro) [Orabug: 25948149] {CVE-2015-2686}\n- xsigo: Compute node crash on FC failover (Joe Jin) [Orabug: 25965445] \n- PCI: Prevent VPD access for QLogic ISP2722 (Ethan Zhao) [Orabug: 25975513] \n- PCI: Prevent VPD access for buggy devices (Babu Moger) [Orabug: 25975513] \n- ipv4: try to cache dst_entries which would cause a redirect (Hannes Frederic Sowa) [Orabug: 26032377] {CVE-2015-1465}\n- mm: larger stack guard gap, between vmas (Hugh Dickins) [Orabug: 26326145] {CVE-2017-1000364}\n- nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields) [Orabug: 26366024] {CVE-2017-7645}\n- dm mpath: allow ioctls to trigger pg init (Mikulas Patocka) [Orabug: 25645229] \n- xen/manage: Always freeze/thaw processes when suspend/resuming (Ross Lagerwall) [Orabug: 25795530] \n- lpfc cannot establish connection with targets that send PRLI under P2P mode (Joe Jin) [Orabug: 25955028]", "edition": 6, "modified": "2017-12-08T00:00:00", "published": "2017-12-08T00:00:00", "id": "ELSA-2017-3658", "href": "http://linux.oracle.com/errata/ELSA-2017-3658.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "avleonov": [{"lastseen": "2017-10-04T21:13:33", "bulletinFamily": "blog", "cvelist": ["CVE-2014-7970", "CVE-2016-10200", "CVE-2016-9604"], "description": "As I already wrote earlier, you can easily [ add third party nasl plugins to OpenVAS](<https://avleonov.com/2017/06/30/adding-third-party-nasl-plugins-to-openvas/>). 
So, my friends from [Vulners.com](<http://vulners.com>) realised generation of NASL plugins for OpenVAS using own security content. I've tested it for scanning CentOS 7 host. And it works =)\n\n[](<https://avleonov.com/wp-content/uploads/2017/10/vulners_openvas_vulnerabilities_logo.png>)\n\nLet's see the whole process.\n\nI assume that we have [installed OpenVAS 9 from sources](<https://avleonov.com/2017/04/10/installing-openvas-9-from-the-sources/>) using [openvas-commander](<https://github.com/leonov-av/openvas-commander>) script.\n\nI am going to the OpenVAS server and run all commands as root:\n\n`ssh vmuser@192.168.56.120 \nsu`\n\n#### Cleaning NVT cache and updating plugins from Greenbone feed\n\nIf you were already experimenting with your own NASL scripts, it may be a good idea to clear the OpenVAS vulnerability base.\n\nDeleting cache and plugins for 2017:\n\n`find /usr/local/var/lib/openvas/plugins/2017/ | grep \"nasl\" | xargs -i rm '{}' \nfind /usr/local/var/cache/openvas/2017/ | grep \".nvti\" | xargs -i rm '{}'`\n\nUpdating Greenbone content:\n\n`wget https://raw.githubusercontent.com/leonov-av/openvas-commander/master/openvas_commander.sh \nchmod +x openvas_commander.sh \n./openvas_commander.sh --update-content-nvt \n./openvas_commander.sh --kill-all \n./openvas_commander.sh --start-all \nps -aux | grep \"openvassd\" # Wait until openvassd 100% reloaded `\n\nRebuilding cache:\n\n`openvasmd --rebuild --progress`\n\nOutput:\n \n \n Rebuilding NVT cache... 
|\n done.\n\nAnd restart once again:\n\n`./openvas_commander.sh --kill-all \n./openvas_commander.sh --start-all \nps -aux | grep \"openvassd\" # Wait until openvassd 100% reloaded `\n\nChecking that there are no third-party plugins in GSM:\n\n[](<https://avleonov.com/wp-content/uploads/2017/10/only_greenbone_nvt.png>)\n\nSeems good.\n\n#### Adding Vulners NASL scripts\n\nYou can get a link to an archive at <https://vulners.com/stats> (icon with gear)\n\n\n\n`curl -k https://vulners.com/api/v3/archive/nasl/?type=centos > vulners_nasl.zip \nunzip vulners_nasl.zip -d vulners_nasl \ncp vulners_nasl/* /usr/local/var/lib/openvas/plugins/2017/`\n\nRestart OpenVAS:\n\n`./openvas_commander.sh --kill-all \n./openvas_commander.sh --start-all \nps -aux | grep \"openvassd\" # Wait until openvassd 100% reloaded `\n\nAnd rebuild NVT cache:\n\n`openvasmd --rebuild --progress`\n\nOutput:\n \n \n Rebuilding NVT cache... |\n done.\n\nChecking Vulners plugins in GSM:\n\n[](<https://avleonov.com/wp-content/uploads/2017/10/vulners_nasl.png>)\n\nBoth Greenbone and [Vulners.com](<http://Vulners.com>) plugins are here. Great!\n\n#### Scanning CentOS host\n\nI created a simple authenticated scanning task and launched it:\n\n[](<https://avleonov.com/wp-content/uploads/2017/10/launched_openvas_scan.png>)\n\nSome minutes later I have the results, that I can easily filter. 
For example, show vulnerabilities detected by Vulners nasl plugins:\n\n`vulnerability~\"VulnersDB\"`\n\n[](<https://avleonov.com/wp-content/uploads/2017/10/vulners_openvas_vulnerabilities.png>)\n\nPlugin data:\n\n[](<https://avleonov.com/wp-content/uploads/2017/10/vulner_description_part1.png>)\u2026[](<https://avleonov.com/wp-content/uploads/2017/10/vulner_description_part2.png>)\n\nPlugin text on Vulners.com website: <https://vulners.com/api/v3/nasl/id/?id=CESA-2017:1842>\n \n \n ###############################################################################\n # OpenVAS centos Vulnerability Test\n #\n # kernel, perf, python security update\n #\n # Authors:\n # Kir Ermakov\n # Igor Bulatenko\n # Ivan Elkin\n # Alex Leonov\n #\n # Copyright:\n # Copyright (C) 2017 Vulners.com, https://vulners.com\n #\n # This program is free software; you can redistribute it and/or modify\n ...\n # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n ###############################################################################\n \n if(description)\n {\n \n script_oid(\"1.3.6.1.4.1.25623.1.1.51337.5133700027808229620542704492639841805966348423\");\n script_version(\"$Revision: 1 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-08-24T01:38:33 $\");\n script_tag(name:\"creation_date\", value:\"$Date: 2017-08-24T01:38:33 $\");\n script_cve_id(\"CVE-2016-9604\",...,\"CVE-2014-7970\");\n \n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n \n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"VulnersDB: CESA-2017:1842 kernel, perf, python security update\");\n script_tag(name: \"summary\", value: \"**CentOS Errata and Security Advisory** CESA-2017:1842\n \n \n The kernel packages contain the Linux kernel, the core of any Linux operating system.\n \n Security Fix(es):\n \n * An use-after-free flaw was found in the Linux kernel which enables a race 
condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important)\n \n ...\n **Affected packages:**\n kernel\n ...\n python-perf\n \n **Upstream details at:**\n \");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"affected\", value: \"\n kernel-tools on CentOS 7 ,\n ...\n kernel-debug-devel on CentOS 7 ,\n kernel-headers on CentOS 7 ,\n perf on CentOS 7 ,\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"URL\" , value: \"http://lists.centos.org/pipermail/centos-cr-announce/2017-August/004249.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Vulners\");\n \n script_xref(name: \"CESA\", value: \"CESA-2017:1842\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:centos:centos\", \"login/SSH/success\", \"ssh/login/release\");\n \n \n exit(0);\n \n }\n \n include(\"revisions-lib.inc\");\n include(\"pkg-lib-rpm.inc\");\n \n release = get_kb_item(\"ssh/login/release\");\n \n res = \"\";\n if(release == NULL){\n exit(0);\n }\n \n \n if(release == \"CentOS7\")\n {\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~693.el7\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n }\n \n ...\n \n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n \n\nI can also filter vulnerabilities detected only by Greenbone plugins.\n\n`vulnerability~\"CentOS Update\"`\n\n[](<https://avleonov.com/wp-content/uploads/2017/10/greenbone_vulners.png>)\n\nAs you can see on dashboards the results are not fully the same. 
Some vulnerabilities were found by both Greenbone and Vulners.\n\n`vulnerability~\"CESA-2017:1481\"`\n\n[](<https://avleonov.com/wp-content/uploads/2017/10/two_feeds.png>)\n\nBut, for example, CESA-2017:1842 that I have shown above on a screenshot was detected only by Vulners plugins.\n\nThe plugin says that kernel-tools-3.10.0-514.el7 is vulnerable.\n\nAnd it is, according to bulletin <https://vulners.com/centos/CESA-2017:1842>:\n\nCentOS 7 x86_64 kernel-tools < 3.10.0-693.el7 kernel-tools-3.10.0-693.el7.x86_64.rpm\n\nThe answer is that Greenbone feed doesn't contain this plugin (yet):\n\n`# ls /usr/local/var/lib/openvas/plugins/2017/gb_CESA-2017_1842* \nls: cannot access /usr/local/var/lib/openvas/plugins/2017/gb_CESA-2017_1842*: No such file or directory`\n\n", "modified": "2017-10-04T17:57:22", "published": "2017-10-04T17:57:22", "href": "http://feedproxy.google.com/~r/avleonov/~3/Dhh-m0ErpgY/", "id": "AVLEONOV:B1FBE34AF90D9EFE8FB00EA97D833417", "title": "Vulners NASL Plugin Feeds for OpenVAS 9", "type": "avleonov", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2020-08-12T01:10:01", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7472", "CVE-2016-9604", "CVE-2017-7261", "CVE-2017-7184", "CVE-2017-7616", "CVE-2017-7618", "CVE-2017-5967", "CVE-2017-5970", "CVE-2017-7273", "CVE-2016-10200", "CVE-2017-2671", "CVE-2017-7294", "CVE-2017-7308", "CVE-2017-6951", "CVE-2017-2647", "CVE-2016-2188"], "description": "Package : linux\nVersion : 3.2.88-1\nCVE ID : CVE-2016-2188 CVE-2016-9604 CVE-2016-10200 CVE-2017-2647 \n CVE-2017-2671 CVE-2017-5967 CVE-2017-5970 CVE-2017-6951 \n CVE-2017-7184 CVE-2017-7261 CVE-2017-7273 CVE-2017-7294 \n CVE-2017-7308 CVE-2017-7472 CVE-2017-7616 CVE-2017-7618\n\nSeveral vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or have other\nimpacts.\n\nCVE-2016-2188\n\n Ralf Spenneberg of OpenSource Security 
reported that the iowarrior\n device driver did not sufficiently validate USB descriptors. This\n allowed a physically present user with a specially designed USB\n device to cause a denial of service (crash).\n\nCVE-2016-9604\n\n It was discovered that the keyring subsystem allowed a process to\n set a special internal keyring as its session keyring. The\n security impact in this version of the kernel is unknown.\n\nCVE-2016-10200\n\n Baozeng Ding and Andrey Konovalov reported a race condition in the\n L2TP implementation which could corrupt its table of bound\n sockets. A local user could use this to cause a denial of service\n (crash) or possibly for privilege escalation.\n\nCVE-2017-2647 / CVE-2017-6951\n\n idl3r reported that the keyring subsystem would allow a process\n to search for 'dead' keys, causing a null pointer dereference.\n A local user could use this to cause a denial of service (crash).\n\nCVE-2017-2671\n\n Daniel Jiang discovered a race condition in the ping socket\n implementation. A local user with access to ping sockets could\n use this to cause a denial of service (crash) or possibly for\n privilege escalation. This feature is not accessible to any\n users by default.\n\nCVE-2017-5967\n\n Xing Gao reported that the /proc/timer_list file showed\n information about all processes, not considering PID namespaces.\n If timer debugging was enabled by a privileged user, this leaked\n information to processes contained in PID namespaces.\n\nCVE-2017-5970\n\n Andrey Konovalov discovered a denial-of-service flaw in the IPv4\n networking code. This can be triggered by a local or remote\n attacker if a local UDP or raw socket has the IP_RETOPTS option\n enabled.\n\nCVE-2017-7184\n\n Chaitin Security Research Lab discovered that the net xfrm\n subsystem did not sufficiently validate replay state parameters,\n allowing a heap buffer overflow. 
This can be used by a local user\n with the CAP_NET_ADMIN capability for privilege escalation.\n\nCVE-2017-7261\n\n Vladis Dronov and Murray McAllister reported that the vmwgfx\n driver did not sufficiently validate rendering surface parameters.\n In a VMware guest, this can be used by a local user to cause a\n denial of service (crash).\n\nCVE-2017-7273\n\n Benoit Camredon reported that the hid-cypress driver did not\n sufficiently validate HID reports. This possibly allowed a\n physically present user with a specially designed USB device to\n cause a denial of service (crash).\n\nCVE-2017-7294\n\n Li Qiang reported that the vmwgfx driver did not sufficiently\n validate rendering surface parameters. In a VMware guest, this\n can be used by a local user to cause a denial of service (crash)\n or possibly for privilege escalation.\n\nCVE-2017-7308\n\n Andrey Konovalov reported that the packet socket (AF_PACKET)\n implementation did not sufficiently validate buffer parameters.\n This can be used by a local user with the CAP_NET_RAW capability\n for privilege escalation.\n\nCVE-2017-7472\n\n Eric Biggers reported that the keyring subsystem allowed a thread\n to create new thread keyrings repeatedly, causing a memory leak.\n This can be used by a local user to cause a denial of service\n (memory exhaustion).\n\nCVE-2017-7616\n\n Chris Salls reported an information leak in the 32-bit big-endian\n compatibility implementations of set_mempolicy() and mbind().\n This does not affect any architecture supported in Debian 7 LTS.\n\nCVE-2017-7618\n\n Sabrina Dubroca reported that the cryptographic hash subsystem\n does not correctly handle submission of unaligned data to a\n device that is already busy, resulting in infinite recursion.\n On some systems this can be used by local users to cause a\n denial of service (crash).\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n3.2.88-1. 
This version also includes bug fixes from upstream version\n3.2.88, and fixes some older security issues in the keyring, packet\nsocket and cryptographic hash subsystems that do not have CVE IDs.\n\nFor Debian 8 "Jessie", most of these problems have been fixed in\nversion 3.16.43-1 which will be part of the next point release.\n\nWe recommend that you upgrade your linux packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \nBen Hutchings - Debian developer, member of kernel, installer and LTS teams", "edition": 9, "modified": "2017-04-28T12:39:45", "published": "2017-04-28T12:39:45", "id": "DEBIAN:DLA-922-1:854C7", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201704/msg00041.html", "title": "[SECURITY] [DLA 922-1] linux security update", "type": "debian", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "openvas": [{"lastseen": "2020-01-29T20:11:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7472", "CVE-2016-9604", "CVE-2017-7261", "CVE-2017-7184", "CVE-2017-7616", "CVE-2017-7618", "CVE-2017-5967", "CVE-2017-5970", "CVE-2017-7273", "CVE-2016-10200", "CVE-2017-2671", "CVE-2017-7294", "CVE-2017-7308", "CVE-2017-6951", "CVE-2017-2647", "CVE-2016-2188"], "description": "Several vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or have other\nimpacts.\n\nCVE-2016-2188\n\nRalf Spenneberg of OpenSource Security reported that the iowarrior\ndevice driver did not sufficiently validate USB descriptors. This\nallowed a physically present user with a specially designed USB\ndevice to cause a denial of service (crash).\n\nCVE-2016-9604\n\nIt was discovered that the keyring subsystem allowed a process to\nset a special internal keyring as its session keyring. 
The\nsecurity impact in this version of the kernel is unknown.\n\nDescription truncated. Please see the references for more information.\n\nFor Debian 7 ", "modified": "2020-01-29T00:00:00", "published": "2018-01-17T00:00:00", "id": "OPENVAS:1361412562310890922", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890922", "type": "openvas", "title": "Debian LTS: Security Advisory for linux (DLA-922-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890922\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2016-10200\", \"CVE-2016-2188\", \"CVE-2016-9604\", \"CVE-2017-2647\", \"CVE-2017-2671\", \"CVE-2017-5967\", \"CVE-2017-5970\", \"CVE-2017-6951\", \"CVE-2017-7184\", \"CVE-2017-7261\", \"CVE-2017-7273\", \"CVE-2017-7294\", \"CVE-2017-7308\", \"CVE-2017-7472\", \"CVE-2017-7616\", \"CVE-2017-7618\");\n script_name(\"Debian LTS: Security Advisory for linux (DLA-922-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-17 00:00:00 +0100 (Wed, 17 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/04/msg00041.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"linux on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n3.2.88-1. 
This version also includes bug fixes from upstream version\n3.2.88, and fixes some older security issues in the keyring, packet\nsocket and cryptographic hash subsystems that do not have CVE IDs.\n\nFor Debian 8 'Jessie', most of these problems have been fixed in\nversion 3.16.43-1 which will be part of the next point release.\n\nWe recommend that you upgrade your linux packages.\");\n\n script_tag(name:\"summary\", value:\"Several vulnerabilities have been discovered in the Linux kernel that\nmay lead to a privilege escalation, denial of service or have other\nimpacts.\n\nCVE-2016-2188\n\nRalf Spenneberg of OpenSource Security reported that the iowarrior\ndevice driver did not sufficiently validate USB descriptors. This\nallowed a physically present user with a specially designed USB\ndevice to cause a denial of service (crash).\n\nCVE-2016-9604\n\nIt was discovered that the keyring subsystem allowed a process to\nset a special internal keyring as its session keyring. The\nsecurity impact in this version of the kernel is unknown.\n\nDescription truncated. Please see the references for more information.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n3.2.88-1. 
This version also includes bug fixes from upstream version\n3.2.88, and fixes some older security issues in the keyring, packet\nsocket and cryptographic hash subsystems that do not have CVE IDs.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"linux-doc-3.2\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-486\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-686-pae\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-all\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-all-amd64\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-all-armel\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-all-armhf\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-all-i386\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-amd64\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-common\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-common-rt\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-iop32x\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-ixp4xx\", ver:\"3.2.88-1\", 
rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-kirkwood\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-mv78xx0\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-mx5\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-omap\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-orion5x\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-rt-686-pae\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-rt-amd64\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-versatile\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-4-vexpress\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-486\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-686-pae\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-all\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-all-amd64\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-all-armel\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-all-armhf\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-all-i386\", ver:\"3.2.88-1\", rls:\"DEB7\"))) 
{\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-amd64\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-common\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-common-rt\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-iop32x\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-ixp4xx\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-kirkwood\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-mv78xx0\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-mx5\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-omap\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-orion5x\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-rt-686-pae\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-rt-amd64\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-versatile\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-3.2.0-5-vexpress\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-486\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-686-pae\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-686-pae-dbg\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-amd64\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-amd64-dbg\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-iop32x\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-ixp4xx\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-kirkwood\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-mv78xx0\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-mx5\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-omap\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-orion5x\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-rt-686-pae\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-rt-686-pae-dbg\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-rt-amd64\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-rt-amd64-dbg\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-versatile\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-4-vexpress\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"linux-image-3.2.0-5-486\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-686-pae\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-686-pae-dbg\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-amd64\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-amd64-dbg\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-iop32x\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-ixp4xx\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-kirkwood\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-mv78xx0\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-mx5\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-omap\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-orion5x\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-rt-686-pae\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-rt-686-pae-dbg\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-rt-amd64\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-rt-amd64-dbg\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"linux-image-3.2.0-5-versatile\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-3.2.0-5-vexpress\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-libc-dev\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-manual-3.2\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-source-3.2\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-support-3.2.0-4\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-support-3.2.0-5\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xen-linux-system-3.2.0-4-686-pae\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xen-linux-system-3.2.0-4-amd64\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xen-linux-system-3.2.0-5-686-pae\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"xen-linux-system-3.2.0-5-amd64\", ver:\"3.2.88-1\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:34:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9604", "CVE-2016-9806", "CVE-2016-7097", "CVE-2016-6213", "CVE-2017-7616", "CVE-2017-7889", "CVE-2017-9074", "CVE-2016-10088", "CVE-2017-6001", "CVE-2015-8839", "CVE-2017-9242", "CVE-2017-5970", "CVE-2016-10200", "CVE-2017-2671", "CVE-2017-9075", "CVE-2014-7975", "CVE-2016-9685", "CVE-2015-8970", "CVE-2016-10147", "CVE-2016-9576", "CVE-2017-6951", "CVE-2017-2647", "CVE-2017-2596", "CVE-2016-9588", "CVE-2017-9076", "CVE-2017-7187", 
"CVE-2017-9077", "CVE-2017-8890", "CVE-2017-8797", "CVE-2016-7042", "CVE-2016-8645", "CVE-2014-7970"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2017-08-04T00:00:00", "id": "OPENVAS:1361412562310871855", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871855", "type": "openvas", "title": "RedHat Update for kernel RHSA-2017:1842-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_RHSA-2017_1842-01_kernel.nasl 12497 2018-11-23 08:28:21Z cfischer $\n#\n# RedHat Update for kernel RHSA-2017:1842-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871855\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-04 12:47:14 +0530 (Fri, 04 Aug 2017)\");\n script_cve_id(\"CVE-2014-7970\", \"CVE-2014-7975\", \"CVE-2015-8839\", \"CVE-2015-8970\",\n \"CVE-2016-10088\", \"CVE-2016-10147\", \"CVE-2016-10200\", \"CVE-2016-6213\",\n \"CVE-2016-7042\", \"CVE-2016-7097\", \"CVE-2016-8645\", \"CVE-2016-9576\",\n \"CVE-2016-9588\", \"CVE-2016-9604\", \"CVE-2016-9685\", \"CVE-2016-9806\",\n \"CVE-2017-2596\", \"CVE-2017-2647\", \"CVE-2017-2671\", \"CVE-2017-5970\",\n \"CVE-2017-6001\", \"CVE-2017-6951\", \"CVE-2017-7187\", \"CVE-2017-7616\",\n \"CVE-2017-7889\", \"CVE-2017-8797\", \"CVE-2017-8890\", \"CVE-2017-9074\",\n \"CVE-2017-9075\", \"CVE-2017-9076\", \"CVE-2017-9077\", \"CVE-2017-9242\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for kernel RHSA-2017:1842-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The kernel packages contain the Linux\n kernel, the core of any Linux operating system. 
Security Fix(es): * An\n use-after-free flaw was found in the Linux kernel which enables a race condition\n in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to\n escalate their privileges or crash the system. (CVE-2016-10200, Important) * A\n flaw was found that can be triggered in keyring_search_iterator in keyring.c if\n type- match is NULL. A local user could use this flaw to crash the system or,\n potentially, escalate their privileges. (CVE-2017-2647, Important) * It was\n found that the NFSv4 server in the Linux kernel did not properly validate layout\n type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote\n attacker could use this flaw to soft-lockup the system and thus cause denial of\n service. (CVE-2017-8797, Important) This update also fixes multiple Moderate and\n Low impact security issues: * CVE-2015-8839, CVE-2015-8970, CVE-2016-9576,\n CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588,\n CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671,\n CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616,\n CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075,\n CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242,\n CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685\n Documentation for these issues is available from the Release Notes document\n linked from the References section. Red Hat would like to thank Igor Redko\n (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647 Igor\n Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970\n Marco Grassi for reporting CVE-2016-8645 and Dmitry Vyukov (Google Inc.) for\n reporting CVE-2017-2596. 
The CVE-2016-7042 issue was discovered by Ondrej Kozina\n (Red Hat) the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red\n Hat) and Jan Kara (SUSE) the CVE-2016-6213 and CVE-2016-9685 issues were\n discovered by Qian Cai (Red Hat) and the CVE-2016-9604 issue was discovered by\n David Howells (Red Hat). Additional Changes: For detailed information on other\n changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes\n linked from the References section.\");\n script_tag(name:\"affected\", value:\"kernel on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2017:1842-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2017-August/msg00017.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel-abi-whitelists\", rpm:\"kernel-abi-whitelists~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-doc\", rpm:\"kernel-doc~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo\", rpm:\"kernel-debuginfo~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-debuginfo-common-x86_64\", rpm:\"kernel-debuginfo-common-x86_64~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-debuginfo\", rpm:\"kernel-tools-debuginfo~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"perf-debuginfo\", rpm:\"perf-debuginfo~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~693.el7\", 
rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"python-perf-debuginfo\", rpm:\"python-perf-debuginfo~3.10.0~693.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:33:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-18690", "CVE-2018-14734", "CVE-2018-18710", "CVE-2018-16276", "CVE-2017-2647", "CVE-2018-18386", "CVE-2018-10902", "CVE-2018-12896"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-12-21T00:00:00", "id": "OPENVAS:1361412562310843857", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843857", "type": "openvas", "title": "Ubuntu Update for linux USN-3849-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3849_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for linux USN-3849-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843857\");\n script_version(\"$Revision: 14288 $\");\n script_cve_id(\"CVE-2017-2647\", \"CVE-2018-10902\", \"CVE-2018-12896\", \"CVE-2018-14734\",\n \"CVE-2018-16276\", \"CVE-2018-18386\", \"CVE-2018-18690\", \"CVE-2018-18710\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-21 07:23:25 +0100 (Fri, 21 Dec 2018)\");\n script_name(\"Ubuntu Update for linux USN-3849-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n script_xref(name:\"USN\", value:\"3849-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3849-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the USN-3849-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that a NULL pointer dereference existed in the keyring\nsubsystem of the Linux kernel. A local attacker could use this to cause a\ndenial of service (system crash). 
(CVE-2017-2647)\n\nIt was discovered that a race condition existed in the raw MIDI driver for\nthe Linux kernel, leading to a double free vulnerability. A local attacker\ncould use this to cause a denial of service (system crash) or possibly\nexecute arbitrary code. (CVE-2018-10902)\n\nIt was discovered that an integer overrun vulnerability existed in the\nPOSIX timers implementation in the Linux kernel. A local attacker could use\nthis to cause a denial of service. (CVE-2018-12896)\n\nNoam Rathaus discovered that a use-after-free vulnerability existed in the\nInfiniband implementation in the Linux kernel. An attacker could use this\nto cause a denial of service (system crash). (CVE-2018-14734)\n\nIt was discovered that the YUREX USB device driver for the Linux kernel did\nnot properly restrict user space reads or writes. A physically proximate\nattacker could use this to cause a denial of service (system crash) or\npossibly execute arbitrary code. (CVE-2018-16276)\n\nTetsuo Handa discovered a logic error in the TTY subsystem of the Linux\nkernel. A local attacker with access to pseudo terminal devices could use\nthis to cause a denial of service. (CVE-2018-18386)\n\nKanda Motohiro discovered that writing extended attributes to an XFS file\nsystem in the Linux kernel in certain situations could cause an error\ncondition to occur. A local attacker could use this to cause a denial of\nservice. (CVE-2018-18690)\n\nIt was discovered that an integer overflow vulnerability existed in the\nCDROM driver of the Linux kernel. A local attacker could use this to expose\nsensitive information (kernel memory). 
(CVE-2018-18710)\");\n\n script_tag(name:\"affected\", value:\"linux on Ubuntu 14.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-164-generic\", ver:\"3.13.0-164.214\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-164-generic-lpae\", ver:\"3.13.0-164.214\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-164-lowlatency\", ver:\"3.13.0-164.214\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-164-powerpc-e500\", ver:\"3.13.0-164.214\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-164-powerpc-e500mc\", ver:\"3.13.0-164.214\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-164-powerpc-smp\", ver:\"3.13.0-164.214\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-164-powerpc64-emb\", ver:\"3.13.0-164.214\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-164-powerpc64-smp\", ver:\"3.13.0-164.214\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"3.13.0.164.174\", 
rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"3.13.0.164.174\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"3.13.0.164.174\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500\", ver:\"3.13.0.164.174\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"3.13.0.164.174\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"3.13.0.164.174\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"3.13.0.164.174\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"3.13.0.164.174\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:28:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9191", "CVE-2017-7184", "CVE-2016-10200", "CVE-2017-2636", "CVE-2017-6214", "CVE-2017-6345", "CVE-2017-5986", "CVE-2017-6346", "CVE-2017-2596", "CVE-2017-6353", "CVE-2016-2117", "CVE-2017-6347"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-04-02T00:00:00", "id": "OPENVAS:1361412562310851530", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851530", "type": "openvas", "title": "openSUSE: Security Advisory for kernel (openSUSE-SU-2017:0907-1)", 
"sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851530\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-04-02 06:32:15 +0200 (Sun, 02 Apr 2017)\");\n script_cve_id(\"CVE-2016-10200\", \"CVE-2016-2117\", \"CVE-2016-9191\", \"CVE-2017-2596\",\n \"CVE-2017-2636\", \"CVE-2017-6214\", \"CVE-2017-6345\", \"CVE-2017-6346\",\n \"CVE-2017-6347\", \"CVE-2017-6353\", \"CVE-2017-7184\", \"CVE-2017-5986\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for kernel (openSUSE-SU-2017:0907-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable 
package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The openSUSE Leap 42.2 kernel was updated to 4.4.56 fix various security\n issues and bugs.\n\n The following security bugs were fixed:\n\n - CVE-2017-7184: The xfrm_replay_verify_len function in\n net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size\n data after an XFRM_MSG_NEWAE update, which allowed local users to obtain\n root privileges or cause a denial of service (heap-based out-of-bounds\n access) by leveraging the CAP_NET_ADMIN capability, as demonstrated\n during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10\n linux-image-* package 4.8.0.41.52 (bnc#1030573).\n\n - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in\n the Linux kernel allowed local users to gain privileges or cause a\n denial of service (use-after-free) by making multiple bind system calls\n without properly ascertaining whether a socket has the SOCK_ZAPPED\n status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c\n (bnc#1028415).\n\n - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux\n kernel allowed local users to gain privileges or cause a denial of\n service (double free) by setting the HDLC line discipline (bnc#1027565).\n\n - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that\n a certain destructor exists in required circumstances, which allowed\n local users to cause a denial of service (BUG_ON) or possibly have\n unspecified other impact via crafted system calls (bnc#1027190).\n\n - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux\n kernel allowed local users to cause a denial of service (use-after-free)\n or possibly have unspecified other impact via a multithreaded\n application that made PACKET_FANOUT setsockopt system calls\n (bnc#1027189).\n\n - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly\n restrict association peel-off operations during 
certain wait states,\n which allowed local users to cause a denial of service (invalid unlock\n and double free) via a multithreaded application. NOTE: this\n vulnerability exists because of an incorrect fix for CVE-2017-5986\n (bnc#1025235).\n\n - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the\n Linux kernel allowed remote attackers to cause a denial of service\n (infinite loop and soft lockup) via vectors involving a TCP packet with\n the URG flag (bnc#1026722).\n\n - CVE-2016-2117: The atl2_probe function in\n drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly\n enables scatter/gather I/O, which allowed remote attackers to obtain\n sensitive information from kernel memory by reading packet ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"Kernel on openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:0907-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~4.4.57~18.3.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-html\", 
rpm:\"kernel-docs-html~4.4.57~18.3.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-pdf\", rpm:\"kernel-docs-pdf~4.4.57~18.3.2\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", rpm:\"kernel-macros~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", 
rpm:\"kernel-default-base~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build\", rpm:\"kernel-obs-build~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build-debugsource\", rpm:\"kernel-obs-build-debugsource~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-qa\", rpm:\"kernel-obs-qa~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla\", rpm:\"kernel-vanilla~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-base\", rpm:\"kernel-vanilla-base~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-base-debuginfo\", rpm:\"kernel-vanilla-base-debuginfo~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel\", rpm:\"kernel-vanilla-devel~4.4.57~18.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T18:27:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-10208", "CVE-2017-7184", "CVE-2017-2584", "CVE-2016-10200", "CVE-2017-2636", "CVE-2017-6348", "CVE-2017-2583", "CVE-2017-6214", "CVE-2017-6345", "CVE-2017-5669", "CVE-2017-5986", "CVE-2017-6346", "CVE-2017-2596", "CVE-2017-6353", "CVE-2016-2117", "CVE-2017-6347"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-04-02T00:00:00", "id": "OPENVAS:1361412562310851529", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851529", "type": "openvas", "title": "openSUSE: Security Advisory for kernel (openSUSE-SU-2017:0906-1)", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851529\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-04-02 06:31:35 +0200 (Sun, 02 Apr 2017)\");\n script_cve_id(\"CVE-2016-10200\", \"CVE-2016-10208\", \"CVE-2016-2117\", \"CVE-2017-2583\",\n \"CVE-2017-2584\", \"CVE-2017-2596\", \"CVE-2017-2636\", \"CVE-2017-5669\",\n \"CVE-2017-6214\", \"CVE-2017-6345\", \"CVE-2017-6346\", \"CVE-2017-6347\",\n \"CVE-2017-6348\", \"CVE-2017-6353\", \"CVE-2017-7184\", \"CVE-2017-5986\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for kernel (openSUSE-SU-2017:0906-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Still left to do:\n\n - Check CVE descriptions. They need to be written in the past tense. 
They\n are processed automatically, THERE CAN BE ERRORS IN THERE!\n\n - Remove version numbers from the CVE descriptions\n\n - Check the capitalization of the subsystems, then sort again\n\n - For each CVE: Check the corresponding bug if everything is okay\n\n - If you remove CVEs or bugs: Do not forget to change the meta information\n\n - Determine which of the bugs after the CVE lines is the right one\n\n ======================================================================\n\n The openSUSE Leap 42.1 kernel was updated to 4.1.39 to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel\n did not restrict the address calculated by a certain rounding operation,\n which allowed local users to map page zero, and consequently bypass a\n protection mechanism that exists for the mmap system call, by making\n crafted shmget and shmat system calls in a privileged context\n (bnc#1026914).\n\n - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the\n Linux kernel improperly manages lock dropping, which allowed local users\n to cause a denial of service (deadlock) via crafted operations on IrDA\n devices (bnc#1027178).\n\n - CVE-2017-7184: The xfrm_replay_verify_len function in\n net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size\n data after an XFRM_MSG_NEWAE update, which allowed local users to obtain\n root privileges or cause a denial of service (heap-based out-of-bounds\n access) by leveraging the CAP_NET_ADMIN capability, as demonstrated\n during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10\n linux-image-* package 4.8.0.41.52 (bnc#1030573).\n\n - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in\n the Linux kernel allowed local users to gain privileges or cause a\n denial of service (use-after-free) by making multiple bind system calls\n without properly ascertaining whether a socket has 
the SOCK_ZAPPED\n status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c\n (bnc#1028415).\n\n - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux\n kernel allowed local users to gain privileges or cause a denial of\n service (double free) by setting the HDLC line discipline (bnc#1027565).\n\n - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that\n a certain destructor exists in required circumstances, which allowed\n local users to cause a denial ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n\n script_tag(name:\"affected\", value:\"Kernel on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:0906-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default\", rpm:\"kernel-default~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base\", rpm:\"kernel-default-base~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-base-debuginfo\", rpm:\"kernel-default-base-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debuginfo\", rpm:\"kernel-default-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) 
{\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-debugsource\", rpm:\"kernel-default-debugsource~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-default-devel\", rpm:\"kernel-default-devel~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build\", rpm:\"kernel-obs-build~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-build-debugsource\", rpm:\"kernel-obs-build-debugsource~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-obs-qa\", rpm:\"kernel-obs-qa~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-syms\", rpm:\"kernel-syms~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug\", rpm:\"kernel-debug~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base\", rpm:\"kernel-debug-base~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-base-debuginfo\", rpm:\"kernel-debug-base-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debuginfo\", rpm:\"kernel-debug-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-debugsource\", rpm:\"kernel-debug-debugsource~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel\", rpm:\"kernel-debug-devel~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-debug-devel-debuginfo\", rpm:\"kernel-debug-devel-debuginfo~4.1.39~53.1\", 
rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2\", rpm:\"kernel-ec2~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base\", rpm:\"kernel-ec2-base~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-base-debuginfo\", rpm:\"kernel-ec2-base-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debuginfo\", rpm:\"kernel-ec2-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-debugsource\", rpm:\"kernel-ec2-debugsource~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-ec2-devel\", rpm:\"kernel-ec2-devel~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv\", rpm:\"kernel-pv~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-base\", rpm:\"kernel-pv-base~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-base-debuginfo\", rpm:\"kernel-pv-base-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-debuginfo\", rpm:\"kernel-pv-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-debugsource\", rpm:\"kernel-pv-debugsource~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pv-devel\", rpm:\"kernel-pv-devel~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla\", rpm:\"kernel-vanilla~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res 
= isrpmvuln(pkg:\"kernel-vanilla-debuginfo\", rpm:\"kernel-vanilla-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-debugsource\", rpm:\"kernel-vanilla-debugsource~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-vanilla-devel\", rpm:\"kernel-vanilla-devel~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen\", rpm:\"kernel-xen~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base\", rpm:\"kernel-xen-base~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-base-debuginfo\", rpm:\"kernel-xen-base-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debuginfo\", rpm:\"kernel-xen-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-debugsource\", rpm:\"kernel-xen-debugsource~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-xen-devel\", rpm:\"kernel-xen-devel~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs\", rpm:\"kernel-docs~4.1.39~53.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-html\", rpm:\"kernel-docs-html~4.1.39~53.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-docs-pdf\", rpm:\"kernel-docs-pdf~4.1.39~53.2\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-macros\", 
rpm:\"kernel-macros~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source\", rpm:\"kernel-source~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-source-vanilla\", rpm:\"kernel-source-vanilla~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae\", rpm:\"kernel-pae~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base\", rpm:\"kernel-pae-base~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-base-debuginfo\", rpm:\"kernel-pae-base-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debuginfo\", rpm:\"kernel-pae-debuginfo~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-debugsource\", rpm:\"kernel-pae-debugsource~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-pae-devel\", rpm:\"kernel-pae-devel~4.1.39~53.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-05T16:36:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5244", "CVE-2013-6383", "CVE-2017-9074", "CVE-2018-8087", "CVE-2014-3611", "CVE-2017-13693", "CVE-2018-1130", "CVE-2015-8970", "CVE-2017-16536", "CVE-2017-16939", "CVE-2017-15116", "CVE-2015-9004", "CVE-2017-17449", "CVE-2017-16529", "CVE-2017-16650", "CVE-2015-8955", "CVE-2015-8767", "CVE-2018-10323", "CVE-2017-14497", "CVE-2014-4667"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": 
"2020-02-05T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191537", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191537", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1537)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1537\");\n script_version(\"2020-02-05T08:56:28+0000\");\n script_cve_id(\"CVE-2013-6383\", \"CVE-2014-3611\", \"CVE-2014-4667\", \"CVE-2015-8767\", \"CVE-2015-8955\", \"CVE-2015-8970\", \"CVE-2015-9004\", \"CVE-2016-5244\", \"CVE-2017-13693\", \"CVE-2017-14497\", \"CVE-2017-15116\", \"CVE-2017-16529\", \"CVE-2017-16536\", \"CVE-2017-16650\", \"CVE-2017-16939\", \"CVE-2017-17449\", \"CVE-2017-9074\", \"CVE-2018-10323\", \"CVE-2018-1130\", \"CVE-2018-8087\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-02-05 08:56:28 +0000 (Wed, 05 Feb 2020)\");\n 
script_tag(name:\"creation_date\", value:\"2020-01-23 12:08:31 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1537)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1537\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1537\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1537 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A buffer overflow was discovered in tpacket_rcv() function in the Linux kernel since v4.6-rc1 through v4.13. A number of socket-related syscalls can be made to set up a configuration when each packet received by a network interface can cause writing up to 10 bytes to a kernel memory outside of a kernel buffer. This can cause unspecified kernel data corruption effects, including damage of in-memory and on-disk XFS data.(CVE-2017-14497)\n\nThe qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (divide-by-zero error and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16650)\n\nA race condition flaw was found in the way the Linux kernel's SCTP implementation handled sctp_accept() during the processing of heartbeat timeout events. 
A remote attacker could use this flaw to prevent further connections to be accepted by the SCTP server running on the system, resulting in a denial of service.(CVE-2015-8767)\n\nA race condition flaw was found in the way the Linux kernel's KVM subsystem handled PIT (Programmable Interval Timer) emulation. A guest user who has access to the PIT I/O ports could use this flaw to crash the host.(CVE-2014-3611)\n\nThe Linux kernel is vulnerable to a memory leak in the drivers/net/wireless/mac80211_hwsim.c:hwsim_new_radio_nl() function. An attacker could exploit this to cause a potential denial of service.(CVE-2018-8087)\n\nAn integer underflow flaw was found in the way the Linux kernel's Stream Control Transmission Protocol (SCTP) implementation processed certain COOKIE_ECHO packets. By sending a specially crafted SCTP packet, a remote attacker could use this flaw to prevent legitimate connections to a particular SCTP server socket to be made.(CVE-2014-4667)\n\nThe cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-cards.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16536)\n\nThe snd_usb_create_streams function in sound/usb/card.c in the Linux kernel, before 4.13.6, allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16529)\n\nA flaw was found in the Linux kernel's random number generator API. A null pointer dereference in the rngapi_reset function may result in denial of service, crashing the system.(CVE-2017-15116)\n\nThe __netlink_deliver_tap_skb function in net/net ...\n\n Description truncated. 
Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2020-06-09T19:32:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7472", "CVE-2016-9604", "CVE-2016-7097", "CVE-2016-9754", "CVE-2016-9191", "CVE-2016-8650", "CVE-2016-9084", "CVE-2017-5970", "CVE-2016-10200", "CVE-2016-9178", "CVE-2017-1000251", "CVE-2017-6214", "CVE-2016-9083", "CVE-2017-7541", "CVE-2017-6951", "CVE-2017-6346", "CVE-2017-7187", "CVE-2016-10044"], "description": "The remote host is missing an update for the ", "modified": "2020-06-08T00:00:00", "published": "2017-09-19T00:00:00", "id": "OPENVAS:1361412562310843312", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843312", "type": "openvas", "title": "Ubuntu Update for linux USN-3422-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for linux USN-3422-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843312\");\n script_version(\"2020-06-08T06:52:36+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 06:52:36 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-09-19 07:43:00 +0200 (Tue, 19 Sep 2017)\");\n script_cve_id(\"CVE-2017-1000251\", \"CVE-2016-10044\", \"CVE-2016-10200\", \"CVE-2016-7097\",\n \"CVE-2016-8650\", \"CVE-2016-9083\", \"CVE-2016-9084\", \"CVE-2016-9178\",\n \"CVE-2016-9191\", \"CVE-2016-9604\", \"CVE-2016-9754\", \"CVE-2017-5970\",\n \"CVE-2017-6214\", \"CVE-2017-6346\", \"CVE-2017-6951\", \"CVE-2017-7187\",\n \"CVE-2017-7472\", \"CVE-2017-7541\");\n script_tag(name:\"cvss_base\", value:\"7.7\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for linux USN-3422-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that a buffer overflow\n existed in the Bluetooth stack of the Linux kernel when handling L2CAP\n configuration responses. A physically proximate attacker could use this to cause\n a denial of service (system crash). (CVE-2017-1000251) It was discovered that\n the asynchronous I/O (aio) subsystem of the Linux kernel did not properly set\n permissions on aio memory mappings in some situations. 
An attacker could use\n this to more easily exploit other vulnerabilities. (CVE-2016-10044) Baozeng Ding\n and Andrey Konovalov discovered a race condition in the L2TPv3 IP Encapsulation\n implementation in the Linux kernel. A local attacker could use this to cause a\n denial of service (system crash) or possibly execute arbitrary code.\n (CVE-2016-10200) Andreas Gruenbacher and Jan Kara discovered that the filesystem\n implementation in the Linux kernel did not clear the setgid bit during a\n setxattr call. A local attacker could use this to possibly elevate group\n privileges. (CVE-2016-7097) Sergej Schumilo, Ralf Spenneberg, and Hendrik\n Schwartke discovered that the key management subsystem in the Linux kernel did\n not properly allocate memory in some situations. A local attacker could use this\n to cause a denial of service (system crash). (CVE-2016-8650) Vlad Tsyrklevich\n discovered an integer overflow vulnerability in the VFIO PCI driver for the\n Linux kernel. A local attacker with access to a vfio PCI device file could use\n this to cause a denial of service (system crash) or possibly execute arbitrary\n code. (CVE-2016-9083, CVE-2016-9084) It was discovered that an information leak\n existed in __get_user_asm_ex() in the Linux kernel. A local attacker could use\n this to expose sensitive information. (CVE-2016-9178) CAI Qian discovered that\n the sysctl implementation in the Linux kernel did not properly perform reference\n counting in some situations. An unprivileged attacker could use this to cause a\n denial of service (system hang). (CVE-2016-9191) It was discovered that the\n keyring implementation in the Linux kernel in some situations did not prevent\n special internal keyrings from being joined by userspace keyrings. A privileged\n local attacker could use this to bypass module verification. (CVE-2016-9604) It\n was discovered that an integer overflow existed in the trace subsystem of the\n Linux kernel. 
A local privileged attacker could use this to cause a denial of\n service (system crash). (CVE-2016-9754) Andrey Konovalov discovered that the\n IPv4 implementation in the Linux kernel did not properly handle invalid IP\n options in some situations. An attacker could use this to cause a denial of\n service or possibly ex ... Description truncated, for more information please\n check the Reference URL\");\n script_tag(name:\"affected\", value:\"linux on Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3422-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3422-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU14\\.04 LTS\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-132-generic\", ver:\"3.13.0-132.181\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-132-generic-lpae\", ver:\"3.13.0-132.181\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-132-lowlatency\", ver:\"3.13.0-132.181\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-132-powerpc-e500\", ver:\"3.13.0-132.181\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isdpkgvuln(pkg:\"linux-image-3.13.0-132-powerpc-e500mc\", ver:\"3.13.0-132.181\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-132-powerpc-smp\", ver:\"3.13.0-132.181\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-132-powerpc64-emb\", ver:\"3.13.0-132.181\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-3.13.0-132-powerpc64-smp\", ver:\"3.13.0-132.181\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic\", ver:\"3.13.0.132.141\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-generic-lpae\", ver:\"3.13.0.132.141\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-lowlatency\", ver:\"3.13.0.132.141\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500\", ver:\"3.13.0.132.141\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-e500mc\", ver:\"3.13.0.132.141\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc-smp\", ver:\"3.13.0.132.141\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-emb\", ver:\"3.13.0.132.141\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"linux-image-powerpc64-smp\", ver:\"3.13.0.132.141\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n 
{\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-02-05T16:39:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8787", "CVE-2015-8962", "CVE-2015-8964", "CVE-2016-0723", "CVE-2015-8746", "CVE-2015-8812", "CVE-2015-8970", "CVE-2015-8543", "CVE-2015-8963", "CVE-2015-8953", "CVE-2015-8374", "CVE-2015-8539", "CVE-2015-8956", "CVE-2015-9004", "CVE-2015-8944", "CVE-2015-8660", "CVE-2015-8767", "CVE-2015-8816", "CVE-2015-8961", "CVE-2015-8575", "CVE-2015-8569", "CVE-2015-8785"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-05T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191489", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191489", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1489)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1489\");\n script_version(\"2020-02-05T08:56:28+0000\");\n script_cve_id(\"CVE-2015-8374\", \"CVE-2015-8539\", \"CVE-2015-8543\", \"CVE-2015-8569\", \"CVE-2015-8575\", \"CVE-2015-8660\", \"CVE-2015-8746\", \"CVE-2015-8767\", \"CVE-2015-8785\", \"CVE-2015-8787\", \"CVE-2015-8812\", \"CVE-2015-8816\", \"CVE-2015-8944\", \"CVE-2015-8953\", \"CVE-2015-8956\", \"CVE-2015-8961\", \"CVE-2015-8962\", \"CVE-2015-8963\", \"CVE-2015-8964\", \"CVE-2015-8970\", \"CVE-2015-9004\", \"CVE-2016-0723\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-02-05 08:56:28 +0000 (Wed, 05 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:54:59 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1489)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1489\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1489\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1489 advisory.\");\n\n script_tag(name:\"vuldetect\", 
value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An information-leak vulnerability was found in the kernel when it truncated a file to a smaller size which consisted of an inline extent that was compressed. The data between the new file size and the old file size was not discarded and the number of bytes used by the inode were not correctly decremented, which gave the wrong report for callers of the stat(2) syscall. This wasted metadata space and allowed for the truncated data to be leaked, and data corruption or loss to occur. A caller of the clone ioctl could exploit this flaw by using only standard file-system operations without root access to read the truncated data.(CVE-2015-8374)\n\nA flaw was found in the Linux kernel's key management system where it was possible for an attacker to escalate privileges or crash the machine. If a user key gets negatively instantiated, an error code is cached in the payload area. A negatively instantiated key may be then be positively instantiated by updating it with valid data. However, the -update key type method must be aware that the error code may be there.(CVE-2015-8539)\n\nA NULL pointer dereference flaw was found in the way the Linux kernel's network subsystem handled socket creation with an invalid protocol identifier. A local user could use this flaw to crash the system.(CVE-2015-8543)\n\nAn out-of-bounds flaw was found in the kernel, where the length of the sockaddr parameter was not checked in the pptp_bind() and pptp_connect() functions. As a result, more kernel memory was copied out than required, leaking information from the kernel stack (including kernel addresses). A local system user could exploit this flaw to bypass kernel ASLR or leak other information.(CVE-2015-8569)\n\nAn out-of-bounds flaw was found in the kernel, where the sco_sock_bind() function (bluetooth/sco) did not check the length of its sockaddr parameter. 
As a result, more kernel memory was copied out than required, leaking information from the kernel stack (including kernel addresses). A local user could exploit this flaw to bypass kernel ASLR or leak other information.(CVE-2015-8575)\n\nThe ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.(CVE-2015-8660)\n\nA NULL pointer dereference flaw was found in the Linux kernel: the NFSv4.2 migration code improperly initialized the kernel structure. A local, authenticated user could use this flaw to cause a panic of the NFS client (denial of service).(2015-8746) ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS Virtualization 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~3.10.0~862.14.1.6_42\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-05T16:40:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7910", "CVE-2013-2898", "CVE-2018-1066", "CVE-2014-8160", "CVE-2018-11506", "CVE-2017-16532", "CVE-2018-14615", "CVE-2016-10200", "CVE-2015-7872", "CVE-2014-8559", "CVE-2018-8781", "CVE-2014-4656", "CVE-2017-5972", "CVE-2014-9729", "CVE-2013-4514", "CVE-2015-3212", "CVE-2015-7799", "CVE-2016-4580", "CVE-2017-11600", "CVE-2014-1690"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-05T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191474", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191474", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1474)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either 
version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1474\");\n script_version(\"2020-02-05T08:56:28+0000\");\n script_cve_id(\"CVE-2013-2898\", \"CVE-2013-4514\", \"CVE-2014-1690\", \"CVE-2014-4656\", \"CVE-2014-8160\", \"CVE-2014-8559\", \"CVE-2014-9729\", \"CVE-2015-3212\", \"CVE-2015-7799\", \"CVE-2015-7872\", \"CVE-2016-10200\", \"CVE-2016-4580\", \"CVE-2016-7910\", \"CVE-2017-11600\", \"CVE-2017-16532\", \"CVE-2017-5972\", \"CVE-2018-1066\", \"CVE-2018-11506\", \"CVE-2018-14615\", \"CVE-2018-8781\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-02-05 08:56:28 +0000 (Wed, 05 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:49:48 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1474)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1474\");\n script_xref(name:\"URL\", 
value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1474\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1474 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.(CVE-2016-4580)\n\nA flaw was found in the Linux kernel's implementation of seq_file where a local attacker could manipulate memory in the put() function pointer. This could lead to memory corruption and possible privilege escalation.(CVE-2016-7910)\n\nA flaw was found in the way the Linux kernel's netfilter subsystem handled generic protocol tracking. As demonstrated in the Stream Control Transmission Protocol (SCTP) case, a remote attacker could use this flaw to bypass intended iptables rule restrictions when the associated connection tracking module was not loaded on the system.(CVE-2014-8160)\n\nThe get_endpoints function in drivers/usb/misc/usbtest.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16532)\n\nAn integer overflow flaw was found in the way the Linux kernel's Advanced Linux Sound Architecture (ALSA) implementation handled user controls. 
A local, privileged user could use this flaw to crash the system.(CVE-2014-4656)\n\nThe sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer.(CVE-2018-11506)\n\nA race condition flaw was found in the way the Linux kernel's SCTP implementation handled Address Configuration lists when performing Address Configuration Change (ASCONF). A local attacker could use this flaw to crash the system via a race condition triggered by setting certain ASCONF options on a socket.(CVE-2015-3212)\n\nA symlink size validation was missing in Linux kernels built with UDF file system (CONFIG_UDF_FS) support, allowing the corruption of kernel memory. An attacker able to mount a corrupted/malicious UDF file system image could cause the kernel to crash.(CVE-2014-9729)\n\nThe Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery.(CVE-2018-1066)\n\ndriv ...\n\n Description truncated. 
Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2020-02-05T16:38:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-7472", "CVE-2016-5828", "CVE-2017-7645", "CVE-2017-5967", "CVE-2013-4270", "CVE-2017-16537", "CVE-2016-2544", "CVE-2015-0570", "CVE-2016-4558", "CVE-2017-10911", "CVE-2017-16647", "CVE-2015-5697", "CVE-2017-16643", "CVE-2017-2647", "CVE-2018-12233", "CVE-2014-5207", "CVE-2016-6130", "CVE-2015-8845", "CVE-2013-4299", "CVE-2018-15572"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-02-05T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191478", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191478", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1478)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1478\");\n script_version(\"2020-02-05T08:56:28+0000\");\n script_cve_id(\"CVE-2013-4270\", \"CVE-2013-4299\", \"CVE-2014-5207\", \"CVE-2015-0570\", \"CVE-2015-5697\", \"CVE-2015-8845\", \"CVE-2016-2544\", \"CVE-2016-4558\", \"CVE-2016-5828\", \"CVE-2016-6130\", \"CVE-2017-10911\", \"CVE-2017-16537\", \"CVE-2017-16643\", \"CVE-2017-16647\", \"CVE-2017-2647\", \"CVE-2017-5967\", \"CVE-2017-7472\", \"CVE-2017-7645\", \"CVE-2018-12233\", \"CVE-2018-15572\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-02-05 08:56:28 +0000 (Wed, 05 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:51:12 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for kernel (EulerOS-SA-2019-1478)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1478\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1478\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'kernel' package(s) announced via the EulerOS-SA-2019-1478 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable 
package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file. This vulnerability can be triggered by an unprivileged user with the ability to create files and execute programs. A kmalloc call is incorrect, leading to slab-out-of-bounds in jfs_xattr.(CVE-2018-12233)\n\nThe spectre_v2_select_mitigation function in arch/x86/kernel/cpu/bugs.c in the Linux kernel before 4.18.1 does not always fill RSB upon a context switch, which makes it easier for attackers to conduct userspace-userspace spectreRSB attacks.(CVE-2018-15572)\n\nRace condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel before 4.4.1 allows local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time.(CVE-2016-2544)\n\nA flaw was found in the Linux kernel's implementation of BPF in which an application can overflow a 32 bit refcount in both program and map refcount. This refcount can wrap and end up in a use after free.(CVE-2016-4558)\n\nInterpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel through 3.11.6 allows remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device.(CVE-2013-4299)\n\nThe imon_probe function in drivers/media/rc/imon.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16537)\n\nA vulnerability in the handling of Transactional Memory on powerpc systems was found. 
An unprivileged local user can crash the kernel by starting a transaction, suspending it, and then calling any of the exec() class system calls.(CVE-2016-5828)\n\nA cross-boundary flaw was discovered in the Linux kernel software raid driver. The driver accessed a disabled bitmap where only the first byte of the buffer was initialized to zero. This meant that the rest of the request (up to 4095 bytes) was left and copied into user space. An attacker could use this flaw to read private information from user space that would not otherwise have been accessible.(CVE-2015-5697)\n\nThe parse_hid_report_descriptor function in drivers/input/tablet/gtco.c in the Linux kernel before 4.13.11 allows local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16643)\n\nRace condition in the ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'kernel' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-devel\", rpm:\"kernel-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-headers\", rpm:\"kernel-headers~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"kernel-tools\", rpm:\"kernel-tools~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs\", rpm:\"kernel-tools-libs~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"kernel-tools-libs-devel\", rpm:\"kernel-tools-libs-devel~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"perf\", rpm:\"perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"python-perf\", rpm:\"python-perf~4.19.28~1.2.117\", rls:\"EULEROSVIRTARM64-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2017-05-15T21:20:15", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7261", "CVE-2017-7184", "CVE-2017-6074", "CVE-2017-7616", "CVE-2015-3288", "CVE-2017-5970", "CVE-2016-10200", "CVE-2017-2671", "CVE-2017-7294", "CVE-2017-6348", "CVE-2015-8970", "CVE-2016-5243", "CVE-2017-6214", "CVE-2017-7308", "CVE-2017-5669", "CVE-2017-5986", "CVE-2017-6353", "CVE-2017-7187"], "description": "The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various\n security and bugfixes.\n\n Notable new features:\n\n - Toleration of newer crypto hardware for z Systems\n - USB 2.0 Link power management for Haswell-ULT\n\n The following security bugs were fixed:\n\n - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in\n the Linux kernel did not properly validate certain block-size data,\n which allowed local users to cause a denial of service (overflow) or\n possibly have unspecified other impact via crafted system calls\n (bnc#1031579)\n - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux\n 
kernel was too late in obtaining a certain lock and consequently could\n not ensure that disconnect function calls are safe, which allowed local\n users to cause a denial of service (panic) by leveraging access to the\n protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003)\n - CVE-2017-7184: The xfrm_replay_verify_len function in\n net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size\n data after an XFRM_MSG_NEWAE update, which allowed local users to obtain\n root privileges or cause a denial of service (heap-based out-of-bounds\n access) by leveraging the CAP_NET_ADMIN capability (bsc#1030573).\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bsc#1024938).\n - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind\n compat syscalls in mm/mempolicy.c in the Linux kernel allowed local\n users to obtain sensitive information from uninitialized stack data by\n triggering failure of a certain bitmap operation (bsc#1033336).\n - CVE-2017-7294: The vmw_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not\n validate addition of certain levels data, which allowed local users to\n trigger an integer overflow and out-of-bounds write, and cause a denial\n of service (system hang or crash) or possibly gain privileges, via a\n crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440)\n - CVE-2017-7261: The vmw_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not\n check for a zero value of certain levels data, which allowed local users\n to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and\n possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device\n (bnc#1031052)\n - 
CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel allowed local users to cause a denial of service (stack-based\n buffer overflow) or possibly have unspecified other impact via a large\n command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds\n write access in the sg_write function (bnc#1030213)\n - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the\n Linux kernel improperly managed lock dropping, which allowed local users\n to cause a denial of service (deadlock) via crafted operations on IrDA\n devices (bnc#1027178)\n - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel\n did not restrict the address calculated by a certain rounding operation,\n which allowed local users to map page zero, and consequently bypass a\n protection mechanism that exists for the mmap system call, by making\n crafted shmget and shmat system calls in a privileged context\n (bnc#1026914)\n - CVE-2015-3288: mm/memory.c in the Linux kernel mishandled anonymous\n pages, which allowed local users to gain privileges or cause a denial of\n service (page tainting) via a crafted application that triggers writing\n to page zero (bsc#979021).\n - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in\n the Linux kernel allowed local users to gain privileges or cause a\n denial of service (use-after-free) by making multiple bind system calls\n without properly ascertaining whether a socket has the SOCK_ZAPPED\n status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c\n (bnc#1028415)\n - CVE-2016-5243: The tipc_nl_compat_link_dump function in\n net/tipc/netlink_compat.c in the Linux kernel did not properly copy a\n certain string, which allowed local users to obtain sensitive\n information from kernel stack memory by reading a Netlink message\n (bnc#983212)\n - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly\n restrict association peel-off operations during certain wait 
states,\n which allowed local users to cause a denial of service (invalid unlock\n and double free) via a multithreaded application (bnc#1027066)\n - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the\n Linux kernel allowed remote attackers to cause a denial of service\n (infinite loop and soft lockup) via vectors involving a TCP packet with\n the URG flag (bnc#1026722)\n - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c\n in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures\n in the LISTEN state, which allowed local users to obtain root privileges\n or cause a denial of service (double free) via an application that made\n an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024)\n - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in\n net/sctp/socket.c in the Linux kernel allowed local users to cause a\n denial of service (assertion failure and panic) via a multithreaded\n application that peels off an association in a certain buffer-full state\n (bsc#1025235)\n - CVE-2015-8970: crypto/algif_skcipher.c in the Linux kernel did not\n verify that a setkey operation has been performed on an AF_ALG socket before an\n accept system call is processed, which allowed local users to cause a\n denial of service (NULL pointer dereference and system crash) via a\n crafted application that does not supply a key, related to the lrw_crypt\n function in crypto/lrw.c (bsc#1008374).\n\n The following non-security bugs were fixed:\n\n - NFSD: do not risk using duplicate owner/file/delegation ids\n (bsc#1029212).\n - RAID1: avoid unnecessary spin locks in I/O barrier code (bsc#982783,\n bsc#1026260).\n - SUNRPC: Clean up the slot table allocation (bsc#1013862).\n - SUNRPC: Initalise the struct xprt upon allocation (bsc#1013862).\n - USB: cdc-acm: fix broken runtime suspend (bsc#1033771).\n - USB: cdc-acm: fix open and suspend race (bsc#1033771).\n - USB: cdc-acm: fix potential urb leak and PM imbalance in write\n 
(bsc#1033771).\n - USB: cdc-acm: fix runtime PM for control messages (bsc#1033771).\n - USB: cdc-acm: fix runtime PM imbalance at shutdown (bsc#1033771).\n - USB: cdc-acm: fix shutdown and suspend race (bsc#1033771).\n - USB: cdc-acm: fix write and resume race (bsc#1033771).\n - USB: cdc-acm: fix write and suspend race (bsc#1033771).\n - USB: hub: Fix crash after failure to read BOS descriptor\n - USB: serial: iuu_phoenix: fix NULL-deref at open (bsc#1033794).\n - USB: serial: kl5kusb105: fix line-state error handling (bsc#1021256).\n - USB: serial: mos7720: fix NULL-deref at open (bsc#1033816).\n - USB: serial: mos7720: fix parallel probe (bsc#1033816).\n - USB: serial: mos7720: fix parport use-after-free on probe errors\n (bsc#1033816).\n - USB: serial: mos7720: fix use-after-free on probe errors (bsc#1033816).\n - USB: serial: mos7840: fix NULL-deref at open (bsc#1034026).\n - USB: xhci-mem: use passed in GFP flags instead of GFP_KERNEL\n (bsc#1023014).\n - Update metadata for serial fixes (bsc#1013070)\n - Use PF_LESS_THROTTLE in loop device thread (bsc#1027101).\n - clocksource: Remove "weak" from clocksource_default_clock() declaration\n (bnc#1013018).\n - dlm: backport "fix lvb invalidation conditions" (bsc#1005651).\n - drm/mgag200: Add support for G200e rev 4 (bnc#995542, comment #81)\n - enic: set skb->hash type properly (bsc#911105).\n - ext4: fix mballoc breakage with 64k block size (bsc#1013018).\n - ext4: fix stack memory corruption with 64k block size (bsc#1013018).\n - ext4: reject inodes with negative size (bsc#1013018).\n - fuse: initialize fc->release before calling it (bsc#1013018).\n - i40e/i40evf: Break up xmit_descriptor_count from maybe_stop_tx\n (bsc#985561).\n - i40e/i40evf: Fix mixed size frags and linearization (bsc#985561).\n - i40e/i40evf: Limit TSO to 7 descriptors for payload instead of 8 per\n packet (bsc#985561).\n - i40e/i40evf: Rewrite logic for 8 descriptor per packet check\n (bsc#985561).\n - i40e: Fix TSO with more than 8 
frags per segment issue (bsc#985561).\n - i40e: Impose a lower limit on gso size (bsc#985561).\n - i40e: Limit TX descriptor count in cases where frag size is greater than\n 16K (bsc#985561).\n - i40e: avoid null pointer dereference (bsc#909486).\n - jbd: Fix oops in journal_remove_journal_head() (bsc#1017143).\n - jbd: do not wait (forever) for stale tid caused by wraparound\n (bsc#1020229).\n - kABI: mask struct xfs_icdinode change (bsc#1024788).\n - kabi: Protect xfs_mount and xfs_buftarg (bsc#1024508).\n - kabi: fix (bsc#1008893).\n - lockd: use init_utsname for id encoding (bsc#1033804).\n - lockd: use rpc client's cl_nodename for id encoding (bsc#1033804).\n - md linear: fix a race between linear_add() and linear_congested()\n (bsc#1018446).\n - md/linear: shutup lockdep warnning (bsc#1018446).\n - mm/mempolicy.c: do not put mempolicy before using its nodemask\n (bnc#931620).\n - ocfs2: do not write error flag to user structure we cannot copy from/to\n (bsc#1013018).\n - ocfs2: fix crash caused by stale lvb with fsdlm plugin (bsc#1013800).\n - ocfs2: fix error return code in ocfs2_info_handle_freefrag()\n (bsc#1013018).\n - ocfs2: null deref on allocation error (bsc#1013018).\n - pciback: only check PF if actually dealing with a VF (bsc#999245).\n - pciback: use pci_physfn() (bsc#999245).\n - posix-timers: Fix stack info leak in timer_create() (bnc#1013018).\n - powerpc,cpuidle: Dont toggle CPUIDLE_FLAG_IGNORE while setting\n smt_snooze_delay (bsc#1023163).\n - powerpc/fadump: Fix the race in crash_fadump() (bsc#1022971).\n - powerpc/fadump: Reserve memory at an offset closer to bottom of RAM\n (bsc#1032141).\n - powerpc/fadump: Update fadump documentation (bsc#1032141).\n - powerpc/nvram: Fix an incorrect partition merge (bsc#1016489).\n - powerpc/vdso64: Use double word compare on pointers (bsc#1016489).\n - rcu: Call out dangers of expedited RCU primitives (bsc#1008893).\n - rcu: Direct algorithmic SRCU implementation (bsc#1008893).\n - rcu: Flip 
->completed only once per SRCU grace period (bsc#1008893).\n - rcu: Implement a variant of Peter's SRCU algorithm (bsc#1008893).\n - rcu: Increment upper bit only for srcu_read_lock() (bsc#1008893).\n - rcu: Remove fast check path from __synchronize_srcu() (bsc#1008893).\n - s390/kmsg: add missing kmsg descriptions (bnc#1025702).\n - s390/vmlogrdr: fix IUCV buffer allocation (bnc#1025702).\n - s390/zcrypt: Introduce CEX6 toleration\n - sched/core: Fix TASK_DEAD race in finish_task_switch() (bnc#1013018).\n - sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded\n systems (bnc#1013018).\n - scsi: zfcp: do not trace pure benign residual HBA responses at default\n level (bnc#1025702).\n - scsi: zfcp: fix rport unblock race with LUN recovery (bnc#1025702).\n - scsi: zfcp: fix use-after-"free" in FC ingress path after TMF\n (bnc#1025702).\n - scsi: zfcp: fix use-after-free by not tracing WKA port open/close on\n failed send (bnc#1025702).\n - sfc: reduce severity of PIO buffer alloc failures (bsc#1019168).\n - tcp: abort orphan sockets stalling on zero window probes (bsc#1021913).\n - vfs: split generic splice code from i_mutex locking (bsc#1024788).\n - virtio_scsi: fix memory leak on full queue condition (bsc#1028880).\n - vmxnet3: segCnt can be 1 for LRO packets (bsc#988065, bsc#1029770).\n - xen-blkfront: correct maximum segment accounting (bsc#1018263).\n - xen-blkfront: do not call talk_to_blkback when already connected to\n blkback.\n - xen-blkfront: free resources if xlvbd_alloc_gendisk fails.\n - xfs: Fix lock ordering in splice write (bsc#1024788).\n - xfs: Make xfs_icdinode->di_dmstate atomic_t (bsc#1024788).\n - xfs: do not assert fail on non-async buffers on ioacct decrement\n (bsc#1024508).\n - xfs: exclude never-released buffers from buftarg I/O accounting\n (bsc#1024508).\n - xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056).\n - xfs: fix up xfs_swap_extent_forks inline extent handling (bsc#1023888).\n - xfs: kill 
xfs_itruncate_start (bsc#1024788).\n - xfs: remove the i_new_size field in struct xfs_inode (bsc#1024788).\n - xfs: remove the i_size field in struct xfs_inode (bsc#1024788).\n - xfs: remove xfs_itruncate_data (bsc#1024788).\n - xfs: replace global xfslogd wq with per-mount wq (bsc#1024508).\n - xfs: split xfs_itruncate_finish (bsc#1024788).\n - xfs: split xfs_setattr (bsc#1024788).\n - xfs: track and serialize in-flight async buffers against unmount\n (bsc#1024508).\n - xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056).\n\n", "edition": 1, "modified": "2017-05-15T21:33:24", "published": "2017-05-15T21:33:24", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00043.html", "id": "SUSE-SU-2017:1301-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-05T00:36:41", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-7261", "CVE-2017-7184", "CVE-2017-1000380", "CVE-2017-6074", "CVE-2016-7117", "CVE-2017-7616", "CVE-2015-3288", "CVE-2017-9074", "CVE-2017-9242", "CVE-2017-5970", "CVE-2016-10200", "CVE-2017-2636", "CVE-2017-2671", "CVE-2017-11473", "CVE-2017-9075", "CVE-2017-7533", "CVE-2017-7294", "CVE-2017-6348", "CVE-2017-8924", "CVE-2015-8970", "CVE-2016-5243", "CVE-2017-6214", "CVE-2017-1000364", "CVE-2017-7482", "CVE-2014-9922", "CVE-2016-4997", "CVE-2017-7308", "CVE-2017-5669", "CVE-2017-6951", "CVE-2017-2647", "CVE-2017-8925", "CVE-2017-5986", "CVE-2017-6353", "CVE-2017-7487", "CVE-2017-9076", "CVE-2017-1000363", "CVE-2017-7187", "CVE-2017-9077", "CVE-2017-7542", "CVE-2017-1000365", "CVE-2017-8890", "CVE-2016-4998", "CVE-2016-2188"], "description": "The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various\n security and bugfixes.\n\n\n The following security bugs were fixed:\n\n - CVE-2014-9922: The eCryptfs subsystem in the Linux kernel allowed local\n 
users to gain privileges via a large filesystem stack that includes an\n overlayfs layer, related to fs/ecryptfs/main.c and fs/overlayfs/super.c\n (bsc#1032340).\n - CVE-2015-3288: mm/memory.c in the Linux kernel mishandled anonymous\n pages, which allowed local users to gain privileges or cause a denial of\n service (page tainting) via a crafted application that triggers writing\n to page zero (bnc#979021).\n - CVE-2015-8970: crypto/algif_skcipher.c in the Linux kernel did not\n verify that a setkey operation has been performed on an AF_ALG socket\n before an accept system call is processed, which allowed local users to\n cause a denial of service (NULL pointer dereference and system crash)\n via a crafted application that did not supply a key, related to the\n lrw_crypt function in crypto/lrw.c (bnc#1008374 bsc#1008850).\n - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in\n the Linux kernel allowed local users to gain privileges or cause a\n denial of service (use-after-free) by making multiple bind system calls\n without properly ascertaining whether a socket has the SOCK_ZAPPED\n status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c\n (bnc#1028415).\n - CVE-2016-2188: The iowarrior_probe function in\n drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically\n proximate attackers to cause a denial of service (NULL pointer\n dereference and system crash) via a crafted endpoints value in a USB\n device descriptor (bnc#970956).\n - CVE-2016-4997: The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE\n setsockopt implementations in the netfilter subsystem in the Linux\n kernel allow local users to gain privileges or cause a denial of service\n (memory corruption) by leveraging in-container root access to provide a\n crafted offset value that triggers an unintended decrement (bnc#986362).\n - CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the\n netfilter subsystem in the Linux kernel allowed local users 
to cause a\n denial of service (out-of-bounds read) or possibly obtain sensitive\n information from kernel heap memory by leveraging in-container root\n access to provide a crafted offset value that leads to crossing a\n ruleset blob boundary (bnc#986365).\n - CVE-2016-5243: The tipc_nl_compat_link_dump function in\n net/tipc/netlink_compat.c in the Linux kernel did not properly copy a\n certain string, which allowed local users to obtain sensitive\n information from kernel stack memory by reading a Netlink message\n (bnc#983212).\n - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg\n function in net/socket.c in the Linux kernel allowed remote attackers to\n execute arbitrary code via vectors involving a recvmmsg system call that\n is mishandled during error processing (bnc#1003077).\n - CVE-2017-1000363: A buffer overflow in kernel commandline handling of\n the "lp" parameter could be used to bypass certain secure boot settings.\n (bnc#1039456).\n - CVE-2017-1000364: An issue was discovered in the size of the stack guard\n page on Linux, specifically a 4k stack guard page is not sufficiently\n large and can be "jumped" over (the stack guard page is bypassed), this\n affects Linux Kernel versions 4.11.5 and earlier (the stackguard page\n was introduced in 2010) (bnc#1039348).\n - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the\n arguments and environmental strings passed through\n RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the\n argument and environment pointers into account, which allowed attackers\n to bypass this limitation (bnc#1039354).\n - CVE-2017-1000380: sound/core/timer.c in the Linux kernel is vulnerable\n to a data race in the ALSA /dev/snd/timer driver resulting in local\n users being able to read information belonging to other users, i.e.,\n uninitialized memory contents may be disclosed when a read and an ioctl\n happen at the same time (bnc#1044125).\n - CVE-2017-11176: The mq_notify function 
in the Linux kernel did not set\n the sock pointer to NULL upon entry into the retry logic. During a\n user-space close of a Netlink socket, it allowed attackers to cause a\n denial of service (use-after-free) or possibly have unspecified other\n impact (bnc#1048275).\n - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function\n in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users\n to gain privileges via a crafted ACPI table (bsc#1049603).\n - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux\n kernel allowed local users to gain privileges or cause a denial of\n service (double free) by setting the HDLC line discipline (bnc#1027565\n bsc#1028372).\n - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local\n users to gain privileges or cause a denial of service (NULL pointer\n dereference and system crash) via vectors involving a NULL value for a\n certain match field, related to the keyring_search_iterator function in\n keyring.c (bnc#1030593).\n - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux\n kernel is too late in obtaining a certain lock and consequently cannot\n ensure that disconnect function calls are safe, which allowed local\n users to cause a denial of service (panic) by leveraging access to the\n protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003).\n - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel\n did not restrict the address calculated by a certain rounding operation,\n which allowed local users to map page zero, and consequently bypass a\n protection mechanism that exists for the mmap system call, by making\n crafted shmget and shmat system calls in a privileged context\n (bnc#1026914).\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) 
IPv4 traffic with invalid IP\n options (bnc#1024938).\n - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in\n net/sctp/socket.c in the Linux kernel allowed local users to cause a\n denial of service (assertion failure and panic) via a multithreaded\n application that peels off an association in a certain buffer-full state\n (bnc#1025235).\n - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c\n in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures\n in the LISTEN state, which allowed local users to obtain root privileges\n or cause a denial of service (double free) via an application that made\n an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024 bsc#1033287).\n - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the\n Linux kernel allowed remote attackers to cause a denial of service\n (infinite loop and soft lockup) via vectors involving a TCP packet with\n the URG flag (bnc#1026722).\n - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the\n Linux kernel improperly manages lock dropping, which allowed local users\n to cause a denial of service (deadlock) via crafted operations on IrDA\n devices (bnc#1027178).\n - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly\n restrict association peel-off operations during certain wait states,\n which allowed local users to cause a denial of service (invalid unlock\n and double free) via a multithreaded application. 
NOTE: this\n vulnerability exists because of an incorrect fix for CVE-2017-5986\n (bnc#1027066).\n - CVE-2017-6951: The keyring_search_aux function in\n security/keys/keyring.c in the Linux kernel allowed local users to cause\n a denial of service (NULL pointer dereference and OOPS) via a\n request_key system call for the "dead" type (bnc#1029850).\n - CVE-2017-7184: The xfrm_replay_verify_len function in\n net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size\n data after an XFRM_MSG_NEWAE update, which allowed local users to obtain\n root privileges or cause a denial of service (heap-based out-of-bounds\n access) by leveraging the CAP_NET_ADMIN capability, as demonstrated\n during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10\n linux-image-* package 4.8.0.41.52 (bnc#1030573).\n - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel allowed local users to cause a denial of service (stack-based\n buffer overflow) or possibly have unspecified other impact via a large\n command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds\n write access in the sg_write function (bnc#1030213).\n - CVE-2017-7261: The vmw_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not\n check for a zero value of certain levels data, which allowed local users\n to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and\n possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device\n (bnc#1031052).\n - CVE-2017-7294: The vmw_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not\n validate addition of certain levels data, which allowed local users to\n trigger an integer overflow and out-of-bounds write, and cause a denial\n of service (system hang or crash) or possibly gain privileges, via a\n crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440).\n - CVE-2017-7308: The packet_set_ring function 
in net/packet/af_packet.c in\n the Linux kernel did not properly validate certain block-size data,\n which allowed local users to cause a denial of service (integer\n signedness error and out-of-bounds write), or gain privileges (if the\n CAP_NET_RAW capability is held), via crafted system calls (bnc#1031579).\n - CVE-2017-7482: Fixed a potential overflow in the net/rxprc where a\n padded len isn't checked in ticket decode (bsc#1046107).\n - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the\n Linux kernel mishandled reference counts, which allowed local users to\n cause a denial of service (use-after-free) or possibly have unspecified\n other impact via a failed SIOCGIFADDR ioctl call for an IPX interface\n (bnc#1038879).\n - CVE-2017-7533: Race condition in the fsnotify implementation in the\n Linux kernel allowed local users to gain privileges or cause a denial of\n service (memory corruption) via a crafted application that leverages\n simultaneous execution of the inotify_handle_event and vfs_rename\n functions (bsc#1049483).\n - CVE-2017-7542: The ip6_find_1stfragopt function in\n net/ipv6/output_core.c in the Linux kernel allowed local users to cause\n a denial of service (integer overflow and infinite loop) by leveraging\n the ability to open a raw socket (bsc#1049882).\n - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind\n compat syscalls in mm/mempolicy.c in the Linux kernel allowed local\n users to obtain sensitive information from uninitialized stack data by\n triggering failure of a certain bitmap operation (bnc#1033336).\n - CVE-2017-8890: The inet_csk_clone_lock function in\n net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to\n cause a denial of service (double free) or possibly have unspecified\n other impact by leveraging use of the accept system call (bnc#1038544).\n - CVE-2017-8924: The edge_bulk_in_callback function in\n drivers/usb/serial/io_ti.c in the Linux kernel allowed local users 
to\n obtain sensitive information (in the dmesg ringbuffer and syslog) from\n uninitialized kernel memory by using a crafted USB device (posing as an\n io_ti USB serial device) to trigger an integer underflow (bnc#1037182\n bsc#1038982).\n - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c\n in the Linux kernel allowed local users to cause a denial of service\n (tty exhaustion) by leveraging reference count mishandling (bnc#1037183\n bsc#1038981).\n - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel\n did not consider that the nexthdr field may be associated with an\n invalid option, which allowed local users to cause a denial of service\n (out-of-bounds read and BUG) or possibly have unspecified other impact\n via crafted socket and send system calls (bnc#1039882).\n - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c\n in the Linux kernel mishandled inheritance, which allowed local users to\n cause a denial of service or possibly have unspecified other impact via\n crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883).\n - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c\n in the Linux kernel mishandled inheritance, which allowed local users to\n cause a denial of service or possibly have unspecified other impact via\n crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885).\n - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c\n in the Linux kernel mishandled inheritance, which allowed local users to\n cause a denial of service or possibly have unspecified other impact via\n crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069).\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n in the Linux kernel is too late in checking whether an overwrite of an\n skb data structure may occur, which allowed local users to cause a\n denial of service (system crash) via crafted system calls 
(bnc#1041431).\n\n The following non-security bugs were fixed:\n\n - 8250: use callbacks to access UART_DLL/UART_DLM.\n - acpi: Disable APEI error injection if securelevel is set (bsc#972891,\n bsc#1023051).\n - af_key: Add lock to key dump (bsc#1047653).\n - af_key: Fix slab-out-of-bounds in pfkey_compile_policy (bsc#1047354).\n - alsa: ctxfi: Fallback DMA mask to 32bit (bsc#1045538).\n - alsa: hda - Fix regression of HD-audio controller fallback modes\n (bsc#1045538).\n - alsa: hda/realtek - Correction of fixup codes for PB V7900 laptop\n (bsc#1045538).\n - alsa: hda/realtek - Fix COEF widget NID for ALC260 replacer fixup\n (bsc#1045538).\n - alsa: hda - using uninitialized data (bsc#1045538).\n - alsa: off by one bug in snd_riptide_joystick_probe() (bsc#1045538).\n - alsa: seq: Fix snd_seq_call_port_info_ioctl in compat mode (bsc#1045538).\n - ath9k: fix buffer overrun for ar9287 (bsc#1045538).\n - __bitmap_parselist: fix bug in empty string handling (bnc#1042633).\n - blacklist.conf: Add a few inapplicable items (bsc#1045538).\n - blacklist.conf: blacklisted 1fe89e1b6d27 (bnc#1046122)\n - block: do not allow updates through sysfs until registration completes\n (bsc#1047027).\n - block: fix ext_dev_lock lockdep report (bsc#1050154).\n - btrfs: Don't clear SGID when inheriting ACLs (bsc#1030552).\n - cifs: backport prepath matching fix (bsc#799133).\n - cifs: don't compare uniqueids in cifs_prime_dcache unless server inode\n numbers are in use (bsc#1041975).\n - cifs: small underflow in cnvrtDosUnixTm() (bsc#1043935).\n - cifs: Timeout on SMBNegotiate request (bsc#1044913).\n - clocksource: Remove "weak" from clocksource_default_clock() declaration\n (bnc#1013018).\n - cputime: Avoid multiplication overflow on utime scaling (bnc#938352).\n - crypto: nx - off by one bug in nx_of_update_msc()\n (fate#314588,bnc#792863).\n - decompress_bunzip2: off by one in get_next_block() (git-fixes).\n - devres: fix a for loop bounds check (git-fixes).\n - dlm: backport "fix lvb 
invalidation conditions" (bsc#1005651).\n - dm: fix ioctl retry termination with signal (bsc#1050154).\n - drm/mgag200: Add support for G200eH3 (bnc#1044216, fate#323551)\n - drm/mgag200: Add support for G200e rev 4 (bnc#995542, comment #81)\n - edac, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr()\n (fate#313937).\n - enic: set skb->hash type properly (bsc#911105 FATE#317501).\n - ext2: Don't clear SGID when inheriting ACLs (bsc#1030552).\n - ext3: Don't clear SGID when inheriting ACLs (bsc#1030552).\n - ext4: Don't clear SGID when inheriting ACLs (bsc#1030552).\n - ext4: fix fdatasync(2) after extent manipulation operations\n (bsc#1013018).\n - ext4: fix mballoc breakage with 64k block size (bsc#1013018).\n - ext4: fix stack memory corruption with 64k block size (bsc#1013018).\n - ext4: keep existing extra fields when inode expands (bsc#1013018).\n - ext4: reject inodes with negative size (bsc#1013018).\n - fbdev/efifb: Fix 16 color palette entry calculation (bsc#1041762).\n - firmware: fix directory creation rule matching with make 3.80\n (bsc#1012422).\n - firmware: fix directory creation rule matching with make 3.82\n (bsc#1012422).\n - fixed invalid assignment of 64bit mask to host dma_boundary for scatter\n gather segment boundary limit (bsc#1042045).\n - Fix soft lockup in svc_rdma_send (bsc#1044854).\n - fnic: Return 'DID_IMM_RETRY' if rport is not ready (bsc#1035920).\n - fnic: Using rport->dd_data to check rport online instead of rport_lookup\n (bsc#1035920).\n - fs/block_dev: always invalidate cleancache in invalidate_bdev()\n (git-fixes).\n - fs: fix data invalidation in the cleancache during direct IO (git-fixes).\n - fs/xattr.c: zero out memory copied to userspace in getxattr\n (bsc#1013018).\n - fuse: add missing FR_FORCE (bsc#1013018).\n - fuse: initialize fc->release before calling it (bsc#1013018).\n - genirq: Prevent proc race against freeing of irq descriptors\n (bnc#1044230).\n - hrtimer: Allow concurrent hrtimer_start() for self 
restarting timers\n (bnc#1013018).\n - i40e: avoid null pointer dereference (bsc#909486 FATE#317393).\n - i40e: Fix TSO with more than 8 frags per segment issue (bsc#985561).\n - i40e/i40evf: Break up xmit_descriptor_count from maybe_stop_tx\n (bsc#985561).\n - i40e/i40evf: Fix mixed size frags and linearization (bsc#985561).\n - i40e/i40evf: Limit TSO to 7 descriptors for payload instead of 8 per\n packet (bsc#985561).\n - i40e/i40evf: Rewrite logic for 8 descriptor per packet check\n (bsc#985561).\n - i40e: Impose a lower limit on gso size (bsc#985561).\n - i40e: Limit TX descriptor count in cases where frag size is greater than\n 16K (bsc#985561).\n - ib/mlx4: Demote mcg message from warning to debug (bsc#919382).\n - ib/mlx4: Fix ib device initialization error flow (bsc#919382).\n - ib/mlx4: Fix port query for 56Gb Ethernet links (bsc#919382).\n - ib/mlx4: Handle well-known-gid in mad_demux processing (bsc#919382).\n - ib/mlx4: Reduce SRIOV multicast cleanup warning message to debug level\n (bsc#919382).\n - ib/mlx4: Set traffic class in AH (bsc#919382).\n - Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE\n operation (bsc#1036288).\n - initial cr0 bits (bnc#1036056, LTC#153612).\n - input: cm109 - validate number of endpoints before using them\n (bsc#1037193).\n - input: hanwang - validate number of endpoints before using them\n (bsc#1037232).\n - input: yealink - validate number of endpoints before using them\n (bsc#1037227).\n - ipmr, ip6mr: fix scheduling while atomic and a deadlock with\n ipmr_get_route (git-fixes).\n - irq: Fix race condition (bsc#1042615).\n - isdn/gigaset: fix NULL-deref at probe (bsc#1037356).\n - isofs: Do not return EACCES for unknown filesystems (bsc#1013018).\n - jbd: do not wait (forever) for stale tid caused by wraparound\n (bsc#1020229).\n - jbd: Fix oops in journal_remove_journal_head() (bsc#1017143).\n - jsm: add support for additional Neo cards (bsc#1045615).\n - kabi fix (bsc#1008893).\n - kABI: mask struct 
xfs_icdinode change (bsc#1024788).\n - kabi: Protect xfs_mount and xfs_buftarg (bsc#1024508).\n - kabi:severeties: Add splice_write_to_file PASS This function is part of\n an xfs-specific fix which never went upstream and is not expected to\n have 3rdparty users other than xfs itself.\n - kernel-binary.spec: Propagate MAKE_ARGS to %build (bsc#1012422)\n - keys: Disallow keyrings beginning with '.' to be joined as session\n keyrings (bnc#1035576).\n - kvm: kvm_io_bus_unregister_dev() should never fail.\n - libata: fix sff host state machine locking while polling (bsc#1045525).\n - libceph: NULL deref on crush_decode() error path (bsc#1044015).\n - libceph: potential NULL dereference in ceph_msg_data_create()\n (bsc#1051515).\n - libfc: fixup locking in fc_disc_stop() (bsc#1029140).\n - libfc: move 'pending' and 'requested' setting (bsc#1029140).\n - libfc: only restart discovery after timeout if not already running\n (bsc#1029140).\n - lockd: use init_utsname for id encoding (bsc#1033804).\n - lockd: use rpc client's cl_nodename for id encoding (bsc#1033804).\n - locking/rtmutex: Prevent dequeue vs. 
unlock race (bnc#1013018).\n - math64: New div64_u64_rem helper (bnc#938352).\n - md: ensure md devices are freed before module is unloaded (git-fixes).\n - md: fix a null dereference (bsc#1040351).\n - md: flush ->event_work before stopping array (git-fixes).\n - md linear: fix a race between linear_add() and linear_congested()\n (bsc#1018446).\n - md/linear: shutup lockdep warnning (bsc#1018446).\n - md: make sure GET_ARRAY_INFO ioctl reports correct "clean" status\n (git-fixes).\n - md/raid0: apply base queue limits *before* disk_stack_limits (git-fixes).\n - md/raid1: extend spinlock to protect raid1_end_read_request against\n inconsistencies (git-fixes).\n - md/raid1: fix test for 'was read error from last working device'\n (git-fixes).\n - md/raid5: do not record new size if resize_stripes fails (git-fixes).\n - md/raid5: Fix CPU hotplug callback registration (git-fixes).\n - md: use separate bio_pool for metadata writes (bsc#1040351).\n - megaraid_sas: add missing curly braces in ioctl handler (bsc#1050154).\n - mlx4: reduce OOM risk on arches with large pages (bsc#919382).\n - mmc: core: add missing pm event in mmc_pm_notify to fix hib restore\n (bsc#1045547).\n - mmc: ushc: fix NULL-deref at probe (bsc#1037191).\n - mm: do not collapse stack gap into THP (bnc#1039348)\n - mm: enlarge stack guard gap (bnc#1039348).\n - mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check (VM\n Functionality, bsc#1042832).\n - mm: hugetlb: call huge_pte_alloc() only if ptep is null (VM\n Functionality, bsc#1042832).\n - mm/memory-failure.c: use compound_head() flags for huge pages\n (bnc#971975 VM -- git fixes).\n - mm/mempolicy.c: do not put mempolicy before using its nodemask\n (References: VM Performance, bnc#931620).\n - mm, mmap: do not blow on PROT_NONE MAP_FIXED holes in the stack\n (bnc#1039348, bnc#1045340, bnc#1045406).\n - module: fix memory leak on early load_module() failures (bsc#1043014).\n - Move nr_cpus_allowed into a hole in struct_sched_entity 
instead of the\n one below task_struct.policy. RT fills the hole 29baa7478ba4 used, which\n will screw up kABI for RT instead of curing the space needed problem in\n sched_rt_entity caused by adding ff77e4685359. This leaves\n nr_cpus_allowed in an odd spot, but safely allows the RT entity specific\n data added by ff77e4685359 to reside where it belongs. nr_cpus_allowed\n just moves from one odd spot to another.\n - mwifiex: printk() overflow with 32-byte SSIDs (bsc#1048185).\n - net: avoid reference counter overflows on fib_rules in multicast\n forwarding (git-fixes).\n - net: ip6mr: fix static mfc/dev leaks on table destruction (git-fixes).\n - net: ipmr: fix static mfc/dev leaks on table destruction (git-fixes).\n - net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV\n (bsc#919382).\n - net/mlx4_core: Enhance the MAD_IFC wrapper to convert VF port to\n physical (bsc#919382).\n - net/mlx4_core: Fix VF overwrite of module param which disables DMFS on\n new probed PFs (bsc#919382).\n - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to\n VGT transitions (bsc#919382).\n - net/mlx4_core: Get num_tc using netdev_get_num_tc (bsc#919382).\n - net/mlx4_core: Prevent VF from changing port configuration (bsc#919382).\n - net/mlx4_core: Use-after-free causes a resource leak in flow-steering\n detach (bsc#919382).\n - net/mlx4_core: Use cq quota in SRIOV when creating completion EQs\n (bsc#919382).\n - net/mlx4_en: Avoid adding steering rules with invalid ring (bsc#919382).\n - net/mlx4_en: Change the error print to debug print (bsc#919382).\n - net/mlx4_en: fix overflow in mlx4_en_init_timestamp() (bsc#919382).\n - net/mlx4_en: Fix type mismatch for 32-bit systems (bsc#919382).\n - net/mlx4_en: Resolve dividing by zero in 32-bit system (bsc#919382).\n - net/mlx4_en: Wake TX queues only when there's enough room (bsc#1039258).\n - net/mlx4: Fix the check in attaching steering rules (bsc#919382).\n - net/mlx4: Fix uninitialized fields in 
rule when adding promiscuous mode\n to device managed flow steering (bsc#919382).\n - net: wimax/i2400m: fix NULL-deref at probe (bsc#1037358).\n - netxen_nic: set rcode to the return status from the call to\n netxen_issue_cmd (bnc#784815 FATE#313898).\n - nfs: Avoid getting confused by confused server (bsc#1045416).\n - nfsd4: minor NFSv2/v3 write decoding cleanup (bsc#1034670).\n - nfsd: check for oversized NFSv2/v3 arguments (bsc#1034670).\n - nfsd: do not risk using duplicate owner/file/delegation ids\n (bsc#1029212).\n - nfsd: Don't use state id of 0 - it is reserved (bsc#1049688 bsc#1051770).\n - nfsd: stricter decoding of write-like NFSv2/v3 ops (bsc#1034670).\n - nfs: Fix another OPEN_DOWNGRADE bug (git-next).\n - nfs: fix nfs_size_to_loff_t (git-fixes).\n - nfs: Fix size of NFSACL SETACL operations (git-fixes).\n - nfs: Make nfs_readdir revalidate less often (bsc#1048232).\n - nfs: tidy up nfs_show_mountd_netid (git-fixes).\n - nfsv4: Do not call put_rpccred() under the rcu_read_lock() (git-fixes).\n - nfsv4: Fix another bug in the close/open_downgrade code (git-fixes).\n - nfsv4: fix getacl head length estimation (git-fixes).\n - nfsv4: Fix problems with close in the presence of a delegation\n (git-fixes).\n - nfsv4: Fix the underestimation of delegation XDR space reservation\n (git-fixes).\n - ocfs2: do not write error flag to user structure we cannot copy from/to\n (bsc#1013018).\n - ocfs2: Don't clear SGID when inheriting ACLs (bsc#1030552).\n - ocfs2: fix crash caused by stale lvb with fsdlm plugin (bsc#1013800).\n - ocfs2: fix error return code in ocfs2_info_handle_freefrag()\n (bsc#1013018).\n - ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with\n ocfs2_unblock_lock (bsc#962257).\n - ocfs2: null deref on allocation error (bsc#1013018).\n - pci: Allow access to VPD attributes with size 0 (bsc#1018074).\n - pciback: only check PF if actually dealing with a VF (bsc#999245).\n - pciback: use pci_physfn() (bsc#999245).\n - pci: Fix devfn for VPD 
access through function 0 (bnc#943786 git-fixes).\n - perf/core: Correct event creation with PERF_FORMAT_GROUP (bnc#1013018).\n - perf/core: Fix event inheritance on fork() (bnc#1013018).\n - posix-timers: Fix stack info leak in timer_create() (bnc#1013018).\n - powerpc,cpuidle: Dont toggle CPUIDLE_FLAG_IGNORE while setting\n smt_snooze_delay (bsc#1023163).\n - powerpc: Drop support for pre-POWER4 cpus (fate#322495, bsc#1032471).\n - powerpc/fadump: Fix the race in crash_fadump() (bsc#1022971).\n - powerpc/fadump: Reserve memory at an offset closer to bottom of RAM\n (bsc#1032141).\n - powerpc/fadump: Update fadump documentation (bsc#1032141).\n - powerpc/mm: Do not alias user region to other regions below PAGE_OFFSET\n (bsc#928138,fate#319026).\n - powerpc/mm/hash: Check for non-kernel address in get_kernel_vsid()\n (fate#322495, bsc#1032471).\n - powerpc/mm/hash: Convert mask to unsigned long (fate#322495,\n bsc#1032471).\n - powerpc/mm/hash: Increase VA range to 128TB (fate#322495, bsc#1032471).\n - powerpc/mm/hash: Properly mask the ESID bits when building proto VSID\n (fate#322495, bsc#1032471).\n - powerpc/mm/hash: Support 68 bit VA (fate#322495, bsc#1032471).\n - powerpc/mm/hash: Use context ids 1-4 for the kernel (fate#322495,\n bsc#1032471).\n - powerpc/mm: Remove checks that TASK_SIZE_USER64 is too small\n (fate#322495, bsc#1032471).\n - powerpc/mm/slice: Convert slice_mask high slice to a bitmap\n (fate#322495, bsc#1032471).\n - powerpc/mm/slice: Fix off-by-1 error when computing slice mask\n (fate#322495, bsc#1032471).\n - powerpc/mm/slice: Move slice_mask struct definition to slice.c\n (fate#322495, bsc#1032471).\n - powerpc/mm/slice: Update slice mask printing to use bitmap printing\n (fate#322495, bsc#1032471).\n - powerpc/mm/slice: Update the function prototype (fate#322495,\n bsc#1032471).\n - powerpc/mm: use macro PGTABLE_EADDR_SIZE instead of digital\n (fate#322495, bsc#1032471).\n - powerpc/nvram: Fix an incorrect partition merge 
(bsc#1016489).\n - powerpc/pseries: Release DRC when configure_connector fails\n (bsc#1035777, Pending Base Kernel Fixes).\n - powerpc: Remove STAB code (fate#322495, bsc#1032471).\n - powerpc/vdso64: Use double word compare on pointers (bsc#1016489).\n - raid1: avoid unnecessary spin locks in I/O barrier code\n (bsc#982783,bsc#1026260).\n - random32: fix off-by-one in seeding requirement (git-fixes).\n - rcu: Call out dangers of expedited RCU primitives (bsc#1008893).\n - rcu: Direct algorithmic SRCU implementation (bsc#1008893).\n - rcu: Flip ->completed only once per SRCU grace period (bsc#1008893).\n - rcu: Implement a variant of Peter's SRCU algorithm (bsc#1008893).\n - rcu: Increment upper bit only for srcu_read_lock() (bsc#1008893).\n - rcu: Remove fast check path from __synchronize_srcu() (bsc#1008893).\n - reiserfs: Don't clear SGID when inheriting ACLs (bsc#1030552).\n - reiserfs: don't preallocate blocks for extended attributes (bsc#990682).\n - Remove patches causing regression (bsc#1043234)\n - Remove superfluous make flags (bsc#1012422)\n - Return short read or 0 at end of a raw device, not EIO (bsc#1039594).\n - Revert "kabi:severeties: Add splice_write_to_file PASS" This reverts\n commit 05ecf7ab16b2ea555fadd1ce17d8177394de88f2.\n - Revert "math64: New div64_u64_rem helper" (bnc#938352).\n - Revert "xfs: fix up xfs_swap_extent_forks inline extent handling\n (bsc#1023888)." I was basing my assumption of SLE11-SP4 needing this\n patch on an old kernel build (3.0.101-63). Re-testing with the latest\n one 3.0.101-94 shows that the issue is not present. Furthermore this one\n was causing some crashes. 
This reverts commit\n 16ceeac70f7286b6232861c3170ed32e39dcc68c.\n - rfkill: fix rfkill_fop_read wait_event usage (bsc#1046192).\n - s390/kmsg: add missing kmsg descriptions (bnc#1025702, LTC#151573).\n - s390/qdio: clear DSCI prior to scanning multiple input queues\n (bnc#1046715, LTC#156234).\n - s390/qeth: no ETH header for outbound AF_IUCV (bnc#1046715, LTC#156276).\n - s390/qeth: size calculation outbound buffers (bnc#1046715, LTC#156276).\n - s390/vmlogrdr: fix IUCV buffer allocation (bnc#1025702, LTC#152144).\n - s390/zcrypt: Introduce CEX6 toleration (FATE#321782, LTC#147505).\n - sched: Always initialize cpu-power (bnc#1013018).\n - sched: Avoid cputime scaling overflow (bnc#938352).\n - sched: Avoid prev->stime underflow (bnc#938352).\n - sched/core: Fix TASK_DEAD race in finish_task_switch() (bnc#1013018).\n - sched/core: Remove false-positive warning from wake_up_process()\n (bnc#1044882).\n - sched/cputime: Do not scale when utime == 0 (bnc#938352).\n - sched/debug: Print the scheduler topology group mask (bnc#1013018).\n - sched: Do not account bogus utime (bnc#938352).\n - sched/fair, cpumask: Export for_each_cpu_wrap() (bnc#1013018).\n - sched/fair: Fix min_vruntime tracking (bnc#1013018).\n - sched: Fix domain iteration (bnc#1013018).\n - sched: Fix SD_OVERLAP (bnc#1013018).\n - sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded\n systems (bnc#1013018).\n - sched: Lower chances of cputime scaling overflow (bnc#938352).\n - sched: Move nr_cpus_allowed out of 'struct sched_rt_entity'\n (bnc#1013018). Prep for b60205c7c558 sched/fair: Fix min_vruntime\n tracking\n - sched: Rename a misleading variable in build_overlap_sched_groups()\n (bnc#1013018).\n - sched/rt: Fix PI handling vs. sched_setscheduler() (bnc#1013018). 
Prep\n for b60205c7c558 sched/fair: Fix min_vruntime tracking\n - sched/topology: Fix building of overlapping sched-groups (bnc#1013018).\n - sched/topology: Fix overlapping sched_group_capacity (bnc#1013018).\n - sched/topology: Fix overlapping sched_group_mask (bnc#1013018).\n - sched/topology: Move comment about asymmetric node setups (bnc#1013018).\n - sched/topology: Optimize build_group_mask() (bnc#1013018).\n - sched/topology: Refactor function build_overlap_sched_groups()\n (bnc#1013018).\n - sched/topology: Remove FORCE_SD_OVERLAP (bnc#1013018).\n - sched/topology: Simplify build_overlap_sched_groups() (bnc#1013018).\n - sched/topology: Verify the first group matches the child domain\n (bnc#1013018).\n - sched: Use swap() macro in scale_stime() (bnc#938352).\n - scsi: bnx2i: missing error code in bnx2i_ep_connect() (bsc#1048221).\n - scsi: fix race between simultaneous decrements of ->host_failed\n (bsc#1050154).\n - scsi: fnic: Correcting rport check location in fnic_queuecommand_lck\n (bsc#1035920).\n - scsi: mvsas: fix command_active typo (bsc#1050154).\n - scsi: qla2xxx: Fix scsi scan hang triggered if adapter fails during init\n (bsc#1050154).\n - scsi: virtio_scsi: fix memory leak on full queue condition (bsc#1028880).\n - scsi: zfcp: do not trace pure benign residual HBA responses at default\n level (bnc#1025702, LTC#151317).\n - scsi: zfcp: fix rport unblock race with LUN recovery (bnc#1025702,\n LTC#151319).\n - scsi: zfcp: fix use-after-free by not tracing WKA port open/close on\n failed send (bnc#1025702, LTC#151365).\n - scsi: zfcp: fix use-after-"free" in FC ingress path after TMF\n (bnc#1025702, LTC#151312).\n - sfc: do not device_attach if a reset is pending (bsc#909618 FATE#317521).\n - sfc: reduce severity of PIO buffer alloc failures (bsc#1019168).\n - smsc75xx: use skb_cow_head() to deal with cloned skbs (bsc#1045154).\n - splice: Stub splice_write_to_file (bsc#1043234).\n - sunrpc: Clean up the slot table allocation (bsc#1013862).\n - 
sunrpc: Fix a memory leak in the backchannel code (git-fixes).\n - sunrpc: Initalise the struct xprt upon allocation (bsc#1013862).\n - svcrdma: Fix send_reply() scatter/gather set-up (git-fixes).\n - target/iscsi: Fix double free in lio_target_tiqn_addtpg() (bsc#1050154).\n - tcp: abort orphan sockets stalling on zero window probes (bsc#1021913).\n - tracing: Fix syscall_*regfunc() vs copy_process() race (bnc#1042687).\n - tracing/kprobes: Enforce kprobes teardown after testing (bnc#1013018).\n - udf: Fix deadlock between writeback and udf_setsize() (bsc#1013018).\n - udf: Fix races with i_size changes during readpage (bsc#1013018).\n - Update metadata for serial fixes (bsc#1013070)\n - Update patches.fixes/nfs-svc-rdma.fix (bsc#1044854).\n - usb: cdc-acm: fix broken runtime suspend (bsc#1033771).\n - usb: cdc-acm: fix open and suspend race (bsc#1033771).\n - usb: cdc-acm: fix potential urb leak and PM imbalance in write\n (bsc#1033771).\n - usb: cdc-acm: fix runtime PM for control messages (bsc#1033771).\n - usb: cdc-acm: fix runtime PM imbalance at shutdown (bsc#1033771).\n - usb: cdc-acm: fix shutdown and suspend race (bsc#1033771).\n - usb: cdc-acm: fix write and resume race (bsc#1033771).\n - usb: cdc-acm: fix write and suspend race (bsc#1033771).\n - usb: class: usbtmc.c: Cleaning up uninitialized variables (bsc#1036288).\n - usb: class: usbtmc: do not print error when allocating urb fails\n (bsc#1036288).\n - usb: class: usbtmc: do not print on ENOMEM (bsc#1036288).\n - usb: hub: Fix crash after failure to read BOS descriptor (FATE#317453).\n - usb: iowarrior: fix info ioctl on big-endian hosts (bsc#1037441).\n - usb: iowarrior: fix NULL-deref in write (bsc#1037359).\n - usb: r8a66597-hcd: select a different endpoint on timeout (bsc#1047053).\n - usb: serial: ark3116: fix register-accessor error handling (git-fixes).\n - usb: serial: ch341: fix open error handling (bsc#1037441).\n - usb: serial: cp210x: fix tiocmget error handling (bsc#1037441).\n - usb: 
serial: ftdi_sio: fix line-status over-reporting (bsc#1037441).\n - usb: serial: io_edgeport: fix epic-descriptor handling (bsc#1037441).\n - usb: serial: io_ti: fix information leak in completion handler\n (git-fixes).\n - usb: serial: iuu_phoenix: fix NULL-deref at open (bsc#1033794).\n - usb: serial: kl5kusb105: fix line-state error handling (bsc#1021256).\n - usb: serial: mos7720: fix NULL-deref at open (bsc#1033816).\n - usb: serial: mos7720: fix parallel probe (bsc#1033816).\n - usb: serial: mos7720: fix parport use-after-free on probe errors\n (bsc#1033816).\n - usb: serial: mos7720: fix use-after-free on probe errors (bsc#1033816).\n - usb: serial: mos7840: fix another NULL-deref at open (bsc#1034026).\n - usb: serial: mos7840: fix NULL-deref at open (bsc#1034026).\n - usb: serial: oti6858: fix NULL-deref at open (bsc#1037441).\n - usb: serial: sierra: fix bogus alternate-setting assumption\n (bsc#1037441).\n - usb: serial: spcp8x5: fix NULL-deref at open (bsc#1037441).\n - usbtmc: remove redundant braces (bsc#1036288).\n - usbtmc: remove trailing spaces (bsc#1036288).\n - usb: usbip: fix nonconforming hub descriptor (bsc#1047487).\n - usb: usbtmc: add device quirk for Rigol DS6104 (bsc#1036288).\n - usb: usbtmc: Add flag rigol_quirk to usbtmc_device_data (bsc#1036288).\n - usb: usbtmc: add missing endpoint sanity check (bsc#1036288).\n - usb: usbtmc: Change magic number to constant (bsc#1036288).\n - usb: usbtmc: fix big-endian probe of Rigol devices (bsc#1036288).\n - usb: usbtmc: fix DMA on stack (bsc#1036288).\n - usb: usbtmc: fix probe error path (bsc#1036288).\n - usb: usbtmc: Set rigol_quirk if device is listed (bsc#1036288).\n - usb: usbtmc: TMC request code segregated from usbtmc_read (bsc#1036288).\n - usb: usbtmc: usbtmc_read sends multiple TMC header based on rigol_quirk\n (bsc#1036288).\n - usbvision: fix NULL-deref at probe (bsc#1050431).\n - usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL\n (bsc#1023014).\n - Use make 
--output-sync feature when available (bsc#1012422). The messages\n in make output can interleave making it impossible to extract warnings\n reliably. Since version 4 GNU Make supports --output-sync flag that\n prints output of each sub-command atomically preventing this issue.\n Detect the flag and use it if available. SLE11 has make 3.81 so it is\n required to include make 4 in the kernel OBS projects to take advantage\n of this.\n - Use PF_LESS_THROTTLE in loop device thread (bsc#1027101).\n - uwb: hwa-rc: fix NULL-deref at probe (bsc#1037233).\n - uwb: i1480-dfu: fix NULL-deref at probe (bsc#1036629).\n - vb2: Fix an off by one error in 'vb2_plane_vaddr' (bsc#1050431).\n - vfs: split generic splice code from i_mutex locking (bsc#1024788).\n - vmxnet3: avoid calling pskb_may_pull with interrupts disabled\n (bsc#1045356).\n - vmxnet3: fix checks for dma mapping errors (bsc#1045356).\n - vmxnet3: fix lock imbalance in vmxnet3_tq_xmit() (bsc#1045356).\n - vmxnet3: segCnt can be 1 for LRO packets (bsc#988065, bsc#1029770).\n - x86, mm, paravirt: Fix vmalloc_fault oops during lazy MMU updates\n (bsc#948562).\n - x86/pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0\n (bsc#1051478).\n - xen: avoid deadlock in xenbus (bnc#1047523).\n - xen-blkfront: correct maximum segment accounting (bsc#1018263).\n - xen-blkfront: do not call talk_to_blkback when already connected to\n blkback.\n - xen-blkfront: free resources if xlvbd_alloc_gendisk fails.\n - xen/PCI-MSI: fix sysfs teardown in DomU (bsc#986924).\n - xfrm: dst_entries_init() per-net dst_ops (bsc#1030814).\n - xfrm: NULL dereference on allocation failure (bsc#1047343).\n - xfrm: Oops on error in pfkey_msg2xfrm_state() (bsc#1047653).\n - xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056).\n - xfs: do not assert fail on non-async buffers on ioacct decrement\n (bsc#1024508).\n - xfs: exclude never-released buffers from buftarg I/O accounting\n (bsc#1024508).\n - xfs: fix buffer overflow 
dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056).\n - xfs: Fix lock ordering in splice write (bsc#1024788).\n - xfs: fix up xfs_swap_extent_forks inline extent handling (bsc#1023888).\n - xfs: kill xfs_itruncate_start (bsc#1024788).\n - xfs: Make xfs_icdinode->di_dmstate atomic_t (bsc#1024788).\n - xfs: remove the i_new_size field in struct xfs_inode (bsc#1024788).\n - xfs: remove the i_size field in struct xfs_inode (bsc#1024788).\n - xfs: remove xfs_itruncate_data (bsc#1024788).\n - xfs: replace global xfslogd wq with per-mount wq (bsc#1024508).\n - xfs: split xfs_itruncate_finish (bsc#1024788).\n - xfs: split xfs_setattr (bsc#1024788).\n - xfs: Synchronize xfs_buf disposal routines (bsc#1041160).\n - xfs: track and serialize in-flight async buffers against unmount\n (bsc#1024508).\n - xfs: use ->b_state to fix buffer I/O accounting release race\n (bsc#1041160).\n - xprtrdma: Free the pd if ib_query_qp() fails (git-fixes).\n\n", "edition": 1, "modified": "2017-09-04T21:11:06", "published": "2017-09-04T21:11:06", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00009.html", "id": "SUSE-SU-2017:2342-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-01T13:17:35", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9191", "CVE-2017-7184", "CVE-2016-10200", "CVE-2017-2636", "CVE-2017-6214", "CVE-2017-6345", "CVE-2017-5986", "CVE-2017-6346", "CVE-2017-2596", "CVE-2017-6353", "CVE-2016-2117", "CVE-2017-6347"], "edition": 1, "description": "The openSUSE Leap 42.2 kernel was updated to 4.4.56 fix various security\n issues and bugs.\n\n The following security bugs were fixed:\n\n - CVE-2017-7184: The xfrm_replay_verify_len function in\n net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size\n data after an XFRM_MSG_NEWAE update, which allowed local users to obtain\n root privileges or cause 
a denial of service (heap-based out-of-bounds\n access) by leveraging the CAP_NET_ADMIN capability, as demonstrated\n during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10\n linux-image-* package 4.8.0.41.52 (bnc#1030573).\n - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in\n the Linux kernel allowed local users to gain privileges or cause a\n denial of service (use-after-free) by making multiple bind system calls\n without properly ascertaining whether a socket has the SOCK_ZAPPED\n status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c\n (bnc#1028415).\n - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux\n kernel allowed local users to gain privileges or cause a denial of\n service (double free) by setting the HDLC line discipline (bnc#1027565).\n - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that\n a certain destructor exists in required circumstances, which allowed\n local users to cause a denial of service (BUG_ON) or possibly have\n unspecified other impact via crafted system calls (bnc#1027190).\n - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux\n kernel allowed local users to cause a denial of service (use-after-free)\n or possibly have unspecified other impact via a multithreaded\n application that made PACKET_FANOUT setsockopt system calls\n (bnc#1027189).\n - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly\n restrict association peel-off operations during certain wait states,\n which allowed local users to cause a denial of service (invalid unlock\n and double free) via a multithreaded application. 
NOTE: this\n vulnerability exists because of an incorrect fix for CVE-2017-5986\n (bnc#1025235).\n - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the\n Linux kernel allowed remote attackers to cause a denial of service\n (infinite loop and soft lockup) via vectors involving a TCP packet with\n the URG flag (bnc#1026722).\n - CVE-2016-2117: The atl2_probe function in\n drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly\n enables scatter/gather I/O, which allowed remote attackers to obtain\n sensitive information from kernel memory by reading packet data\n (bnc#968697).\n - CVE-2017-6347: The ip_cmsg_recv_checksum function in\n net/ipv4/ip_sockglue.c in the Linux kernel has incorrect expectations\n about skb data layout, which allowed local users to cause a denial of\n service (buffer over-read) or possibly have unspecified other impact via\n crafted system calls, as demonstrated by use of the MSG_MORE flag in\n conjunction with loopback UDP transmission (bnc#1027179).\n - CVE-2016-9191: The cgroup offline implementation in the Linux kernel\n mishandled certain drain operations, which allowed local users to cause\n a denial of service (system hang) by leveraging access to a container\n environment for executing a crafted application, as demonstrated by\n trinity (bnc#1008842).\n - CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c\n in the Linux kernel improperly emulates the VMXON instruction, which\n allowed KVM L1 guest OS users to cause a denial of service (host OS\n memory consumption) by leveraging the mishandling of page references\n (bnc#1022785).\n\n The following non-security bugs were fixed:\n\n - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC (bsc#1028819).\n - ACPI, ioapic: Clear on-stack resource before using it (bsc#1028819).\n - ACPI: Remove platform devices from a bus on removal (bsc#1028819).\n - add mainline tag to one hyperv patch\n - bnx2x: allow adding VLANs while 
interface is down (bsc#1027273).\n - btrfs: backref: Fix soft lockup in __merge_refs function (bsc#1017641).\n - btrfs: incremental send, do not delay rename when parent inode is new\n (bsc#1028325).\n - btrfs: incremental send, do not issue invalid rmdir operations\n (bsc#1028325).\n - btrfs: qgroup: Move half of the qgroup accounting time out of commit\n trans (bsc#1017461).\n - btrfs: send, fix failure to rename top level inode due to name collision\n (bsc#1028325).\n - btrfs: serialize subvolume mounts with potentially mismatching rw flags\n (bsc#951844 bsc#1024015)\n - crypto: algif_hash - avoid zero-sized array (bnc#1007962).\n - cxgb4vf: do not offload Rx checksums for IPv6 fragments (bsc#1026692).\n - drivers: hv: vmbus: Prevent sending data on a rescinded channel\n (fate#320485, bug#1028217).\n - drm/i915: Add intel_uncore_suspend / resume functions (bsc#1011913).\n - drm/i915: Listen for PMIC bus access notifications (bsc#1011913).\n - drm/mgag200: Added support for the new device G200eH3 (bsc#1007959,\n fate#322780)\n - ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986).\n - Fix kABI breakage of dccp in 4.4.56 (stable-4.4.56).\n - futex: Add missing error handling to FUTEX_REQUEUE_PI (bsc#969755).\n - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI (bsc#969755).\n - i2c: designware-baytrail: Acquire P-Unit access on bus acquire\n (bsc#1011913).\n - i2c: designware-baytrail: Call pmic_bus_access_notifier_chain\n (bsc#1011913).\n - i2c: designware-baytrail: Fix race when resetting the semaphore\n (bsc#1011913).\n - i2c: designware-baytrail: Only check iosf_mbi_available() for shared\n hosts (bsc#1011913).\n - i2c: designware: Disable pm for PMIC i2c-bus even if there is no _SEM\n method (bsc#1011913).\n - i2c-designware: increase timeout (bsc#1011913).\n - i2c: designware: Never suspend i2c-busses used for accessing the system\n PMIC (bsc#1011913).\n - i2c: designware: Rename accessor_flags to flags (bsc#1011913).\n - kABI: protect 
struct iscsi_conn (kabi).\n - kABI: protect struct se_node_acl (kabi).\n - kABI: restore can_rx_register parameters (kabi).\n - kgr/module: make a taint flag module-specific (fate#313296).\n - kgr: remove all arch-specific kgraft header files (fate#313296).\n - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).\n - l2tp: fix lookup for sockets not bound to a device in l2tp_ip\n (bsc#1028415).\n - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind()\n (bsc#1028415).\n - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()\n (bsc#1028415).\n - l2tp: lock socket before checking flags in connect() (bsc#1028415).\n - md/raid1: add rcu protection to rdev in fix_read_error (References:\n bsc#998106,bsc#1020048,bsc#982783).\n - md/raid1: fix a use-after-free bug (bsc#998106,bsc#1020048,bsc#982783).\n - md/raid1: handle flush request correctly\n (bsc#998106,bsc#1020048,bsc#982783).\n - md/raid1: Refactor raid1_make_request\n (bsc#998106,bsc#1020048,bsc#982783).\n - mm: fix set pageblock migratetype in deferred struct page init\n (bnc#1027195).\n - mm/page_alloc: Remove useless parameter of __free_pages_boot_core\n (bnc#1027195).\n - module: move add_taint_module() to a header file (fate#313296).\n - net/ena: change condition for host attribute configuration (bsc#1026509).\n - net/ena: change driver's default timeouts (bsc#1026509).\n - net: ena: change the return type of ena_set_push_mode() to be void\n (bsc#1026509).\n - net: ena: Fix error return code in ena_device_init() (bsc#1026509).\n - net/ena: fix ethtool RSS flow configuration (bsc#1026509).\n - net/ena: fix NULL dereference when removing the driver after device\n reset failed (bsc#1026509).\n - net/ena: fix potential access to freed memory during device reset\n (bsc#1026509).\n - net/ena: fix queues number calculation (bsc#1026509).\n - net/ena: fix RSS default hash configuration (bsc#1026509).\n - net/ena: reduce the severity of ena printouts (bsc#1026509).\n - net/ena: refactor 
ena_get_stats64 to be atomic context safe\n (bsc#1026509).\n - net/ena: remove ntuple filter support from device feature list\n (bsc#1026509).\n - net: ena: remove superfluous check in ena_remove() (bsc#1026509).\n - net: ena: Remove unnecessary pci_set_drvdata() (bsc#1026509).\n - net/ena: update driver version to 1.1.2 (bsc#1026509).\n - net/ena: use READ_ONCE to access completion descriptors (bsc#1026509).\n - net: ena: use setup_timer() and mod_timer() (bsc#1026509).\n - net/mlx4_core: Avoid command timeouts during VF driver device shutdown\n (bsc#1028017).\n - net/mlx4_core: Avoid delays during VF driver device shutdown\n (bsc#1028017).\n - net/mlx4_core: Fix racy CQ (Completion Queue) free (bsc#1028017).\n - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to\n VGT transitions (bsc#1028017).\n - net/mlx4_core: Use cq quota in SRIOV when creating completion EQs\n (bsc#1028017).\n - net/mlx4_en: Fix bad WQE issue (bsc#1028017).\n - NFS: do not try to cross a mountpount when there isn't one there\n (bsc#1028041).\n - nvme: Do not suspend admin queue that wasn't created (bsc#1026505).\n - nvme: Suspend all queues before deletion (bsc#1026505).\n - PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal\n (fate#320485, bug#1028217).\n - PCI: hv: Use device serial number as PCI domain (fate#320485,\n bug#1028217).\n - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).\n - RAID1: a new I/O barrier implementation to remove resync window\n (bsc#998106,bsc#1020048,bsc#982783).\n - RAID1: avoid unnecessary spin locks in I/O barrier code\n (bsc#998106,bsc#1020048,bsc#982783).\n - Revert "give up on gcc ilog2() constant optimizations" (kabi).\n - Revert "net: introduce device min_header_len" (kabi).\n - Revert "net/mlx4_en: Avoid unregister_netdev at shutdown flow"\n (bsc#1028017).\n - Revert "nfit, libnvdimm: fix interleave set cookie calculation" (kabi).\n - Revert "RDMA/core: Fix incorrect structure packing for booleans" (kabi).\n - 
Revert "target: Fix NULL dereference during LUN lookup + active I/O\n shutdown" (kabi).\n - rtlwifi: rtl_usb: Fix missing entry in USB driver's private data\n (bsc#1026462).\n - s390/kmsg: add missing kmsg descriptions (bnc#1025683, LTC#151573).\n - s390/mm: fix zone calculation in arch_add_memory() (bnc#1025683,\n LTC#152318).\n - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting\n (bsc#1018419).\n - scsi_dh_alua: Do not modify the interval value for retries (bsc#1012910).\n - scsi: do not print 'reservation conflict' for TEST UNIT READY\n (bsc#1027054).\n - softirq: Let ksoftirqd do its job (bsc#1019618).\n - supported.conf: Add tcp_westwood as supported module (fate#322432)\n - taint/module: Clean up global and module taint flags handling\n (fate#313296).\n - Update mainline reference in\n patches.drivers/drm-ast-Fix-memleaks-in-error-path-in-ast_fb_create.patch\n See (bsc#1028158) for the context in which this was discovered upstream.\n - x86/apic/uv: Silence a shift wrapping warning (bsc#1023866).\n - x86/mce: Do not print MCEs when mcelog is active (bsc#1013994).\n - x86, mm: fix gup_pte_range() vs DAX mappings (bsc#1026405).\n - x86/mm/gup: Simplify get_user_pages() PTE bit handling (bsc#1026405).\n - x86/platform/intel/iosf_mbi: Add a mutex for P-Unit access (bsc#1011913).\n - x86/platform/intel/iosf_mbi: Add a PMIC bus access notifier\n (bsc#1011913).\n - x86/platform: Remove warning message for duplicate NMI handlers\n (bsc#1029220).\n - x86/platform/UV: Add basic CPU NMI health check (bsc#1023866).\n - x86/platform/UV: Add Support for UV4 Hubless NMIs (bsc#1023866).\n - x86/platform/UV: Add Support for UV4 Hubless systems (bsc#1023866).\n - x86/platform/UV: Clean up the NMI code to match current coding style\n (bsc#1023866).\n - x86/platform/UV: Clean up the UV APIC code (bsc#1023866).\n - x86/platform/UV: Ensure uv_system_init is called when necessary\n (bsc#1023866).\n - x86/platform/UV: Fix 2 socket config problem 
(bsc#1023866).\n - x86/platform/UV: Fix panic with missing UVsystab support (bsc#1023866).\n - x86/platform/UV: Initialize PCH GPP_D_0 NMI Pin to be NMI source\n (bsc#1023866).\n - x86/platform/UV: Verify NMI action is valid, default is standard\n (bsc#1023866).\n - xen-blkfront: correct maximum segment accounting (bsc#1018263).\n - xen-blkfront: do not call talk_to_blkback when already connected to\n blkback.\n - xen/blkfront: Fix crash if backend does not follow the right states.\n - xen-blkfront: free resources if xlvbd_alloc_gendisk fails.\n - xen/netback: set default upper limit of tx/rx queues to 8 (bnc#1019163).\n - xen/netfront: set default upper limit of tx/rx queues to 8 (bnc#1019163).\n - xfs: do not take the IOLOCK exclusive for direct I/O page invalidation\n (bsc#1015609).\n\n", "modified": "2017-04-01T15:11:17", "published": "2017-04-01T15:11:17", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-04/msg00001.html", "id": "OPENSUSE-SU-2017:0907-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-05-19T17:20:49", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10208", "CVE-2016-9604", "CVE-2016-9191", "CVE-2017-7261", "CVE-2017-6074", "CVE-2016-7117", "CVE-2017-7616", "CVE-2016-3070", "CVE-2017-7645", "CVE-2016-10200", "CVE-2017-2671", "CVE-2017-7294", "CVE-2017-6348", "CVE-2016-5243", "CVE-2017-6214", "CVE-2015-1350", "CVE-2017-7308", "CVE-2017-6345", "CVE-2017-5669", "CVE-2017-6951", "CVE-2017-2647", "CVE-2017-5986", "CVE-2017-6346", "CVE-2016-9588", "CVE-2017-6353", "CVE-2017-8106", "CVE-2017-7187", "CVE-2016-2117", "CVE-2016-10044", "CVE-2017-5897"], "description": "The SUSE Linux Enterprise 12 SP1 kernel was updated to 3.12.74 to receive\n various security and bugfixes.\n\n Notable new/improved features:\n - Improved support for Hyper-V\n - Support for the tcp_westwood TCP scheduling 
algorithm\n\n The following security bugs were fixed:\n\n - CVE-2017-8106: The handle_invept function in arch/x86/kvm/vmx.c in the\n Linux kernel allowed privileged KVM guest OS users to cause a denial of\n service (NULL pointer dereference and host OS crash) via a\n single-context INVEPT instruction with a NULL EPT pointer (bsc#1035877).\n - CVE-2017-6951: The keyring_search_aux function in\n security/keys/keyring.c in the Linux kernel allowed local users to cause\n a denial of service (NULL pointer dereference and OOPS) via a\n request_key system call for the "dead" type. (bsc#1029850).\n - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local\n users to gain privileges or cause a denial of service (NULL pointer\n dereference and system crash) via vectors involving a NULL value for a\n certain match field, related to the keyring_search_iterator function in\n keyring.c. (bsc#1030593)\n - CVE-2016-9604: This fixes handling of keyrings starting with '.' in\n KEYCTL_JOIN_SESSION_KEYRING, which could have allowed local users to\n manipulate privileged keyrings (bsc#1035576)\n - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind\n compat syscalls in mm/mempolicy.c in the Linux kernel allowed local\n users to obtain sensitive information from uninitialized stack data by\n triggering failure of a certain bitmap operation. (bnc#1033336).\n - CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux\n kernel allowed remote attackers to cause a denial of service (system\n crash) via a long RPC reply, related to net/sunrpc/svc.c,\n fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c. 
(bsc#1034670).\n - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in\n the Linux kernel did not properly validate certain block-size data,\n which allowed local users to cause a denial of service (overflow) or\n possibly have unspecified other impact via crafted system calls\n (bnc#1031579)\n - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux\n kernel was too late in obtaining a certain lock and consequently could\n not ensure that disconnect function calls are safe, which allowed local\n users to cause a denial of service (panic) by leveraging access to the\n protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003)\n - CVE-2017-7294: The vmw_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not\n validate addition of certain levels data, which allowed local users to\n trigger an integer overflow and out-of-bounds write, and cause a denial\n of service (system hang or crash) or possibly gain privileges, via a\n crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440)\n - CVE-2017-7261: The vmw_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not\n check for a zero value of certain levels data, which allowed local users\n to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and\n possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device\n (bnc#1031052)\n - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel allowed local users to cause a denial of service (stack-based\n buffer overflow) or possibly have unspecified other impact via a large\n command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds\n write access in the sg_write function (bnc#1030213)\n - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel mismanaged the #BP\n and #OF exceptions, which allowed guest OS users to cause a denial of\n service (guest OS crash) by declining 
to handle an exception thrown by\n an L2 guest (bsc#1015703).\n - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel\n did not restrict the address calculated by a certain rounding operation,\n which allowed local users to map page zero, and consequently bypass a\n protection mechanism that exists for the mmap system call, by making\n crafted shmget and shmat system calls in a privileged context\n (bnc#1026914).\n - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in\n the Linux kernel allowed local users to gain privileges or cause a\n denial of service (use-after-free) by making multiple bind system calls\n without properly ascertaining whether a socket has the SOCK_ZAPPED\n status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c\n (bnc#1028415)\n - CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the\n Linux kernel did not properly validate meta block groups, which allowed\n physically proximate attackers to cause a denial of service\n (out-of-bounds read and system crash) via a crafted ext4 image\n (bnc#1023377).\n - CVE-2017-5897: The ip6gre_err function in net/ipv6/ip6_gre.c in the\n Linux kernel allowed remote attackers to have unspecified impact via\n vectors involving GRE flags in an IPv6 packet, which trigger an\n out-of-bounds access (bsc#1023762).\n - CVE-2017-5986: A race condition in the sctp_wait_for_sndbuf function in\n net/sctp/socket.c in the Linux kernel allowed local users to cause a\n denial of service (assertion failure and panic) via a multithreaded\n application that peels off an association in a certain buffer-full state\n (bsc#1025235).\n - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c\n in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures\n in the LISTEN state, which allowed local users to obtain root privileges\n or cause a denial of service (double free) via an application that made\n an IPV6_RECVPKTINFO setsockopt system call 
(bnc#1026024)\n - CVE-2016-9191: The cgroup offline implementation in the Linux kernel\n mishandled certain drain operations, which allowed local users to cause\n a denial of service (system hang) by leveraging access to a container\n environment for executing a crafted application (bnc#1008842)\n - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the\n Linux kernel improperly managed lock dropping, which allowed local users\n to cause a denial of service (deadlock) via crafted operations on IrDA\n devices (bnc#1027178).\n - CVE-2016-10044: The aio_mount function in fs/aio.c in the Linux kernel\n did not properly restrict execute access, which made it easier for local\n users to bypass intended SELinux W^X policy restrictions, and\n consequently gain privileges, via an io_setup system call (bnc#1023992).\n - CVE-2016-3070: The trace_writeback_dirty_page implementation in\n include/trace/events/writeback.h in the Linux kernel improperly\n interacts with mm/migrate.c, which allowed local users to cause a denial\n of service (NULL pointer dereference and system crash) or possibly have\n unspecified other impact by triggering a certain page move (bnc#979215).\n - CVE-2016-5243: The tipc_nl_compat_link_dump function in\n net/tipc/netlink_compat.c in the Linux kernel did not properly copy a\n certain string, which allowed local users to obtain sensitive\n information from kernel stack memory by reading a Netlink message\n (bnc#983212).\n - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that\n a certain destructor exists in required circumstances, which allowed\n local users to cause a denial of service (BUG_ON) or possibly have\n unspecified other impact via crafted system calls (bnc#1027190)\n - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux\n kernel allowed local users to cause a denial of service (use-after-free)\n or possibly have unspecified other impact via a multithreaded\n application that made 
PACKET_FANOUT setsockopt system calls (bnc#1027189)\n - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly\n restrict association peel-off operations during certain wait states,\n which allowed local users to cause a denial of service (invalid unlock\n and double free) via a multithreaded application. NOTE: this\n vulnerability exists because of an incorrect fix for CVE-2017-5986\n (bnc#1027066)\n - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in\n net/sctp/socket.c in the Linux kernel allowed local users to cause a\n denial of service (assertion failure and panic) via a multithreaded\n application that peels off an association in a certain buffer-full state\n (bsc#1025235).\n - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the\n Linux kernel allowed remote attackers to cause a denial of service\n (infinite loop and soft lockup) via vectors involving a TCP packet with\n the URG flag (bnc#1026722)\n - CVE-2016-2117: The atl2_probe function in\n drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly\n enables scatter/gather I/O, which allowed remote attackers to obtain\n sensitive information from kernel memory by reading packet data\n (bnc#968697)\n - CVE-2015-1350: The VFS subsystem in the Linux kernel provided an\n incomplete set of requirements for setattr operations that\n underspecifies removing extended privilege attributes, which allowed\n local users to cause a denial of service (capability stripping) via a\n failed invocation of a system call, as demonstrated by using chown to\n remove a capability from the ping or Wireshark dumpcap program\n (bsc#914939).\n - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg\n function in net/socket.c in the Linux kernel allowed remote attackers to\n execute arbitrary code via vectors involving a recvmmsg system call that\n is mishandled during error processing (bsc#1003077).\n\n The following non-security bugs were fixed:\n\n - 
ACPI / APEI: Fix NMI notification handling (bsc#917630).\n - arch: Mass conversion of smp_mb__*() (bsc#1020795).\n - asm-generic: add __smp_xxx wrappers (bsc#1020795).\n - block: remove struct request buffer member (bsc#1020795).\n - block: submit_bio_wait() conversions (bsc#1020795).\n - bonding: Advertize vxlan offload features when supported (bsc#1009682).\n - bonding: handle more gso types (bsc#1009682).\n - bonding: use the correct ether type for alb (bsc#1028595).\n - btrfs: allow unlink to exceed subvolume quota (bsc#1015821).\n - btrfs: Change qgroup_meta_rsv to 64bit (bsc#1015821).\n - btrfs: fix btrfs_compat_ioctl failures on non-compat ioctls\n (bsc#1018100).\n - btrfs: make file clone aware of fatal signals (bsc#1015787).\n - btrfs: qgroups: Retry after commit on getting EDQUOT (bsc#1015821).\n - cancel the setfilesize transation when io error happen (bsc#1028648).\n - cgroup: remove stray references to css_id (bsc#1020795).\n - cpuidle: powernv/pseries: Auto-promotion of snooze to deeper idle state\n (bnc#1023164).\n - dm: add era target (bsc#1020795).\n - dm: allow remove to be deferred (bsc#1020795).\n - dm bitset: only flush the current word if it has been dirtied\n (bsc#1020795).\n - dm btree: add dm_btree_find_lowest_key (bsc#1020795).\n - dm cache: actually resize cache (bsc#1020795).\n - dm cache: add block sizes and total cache blocks to status output\n (bsc#1020795).\n - dm cache: add cache block invalidation support (bsc#1020795).\n - dm cache: add passthrough mode (bsc#1020795).\n - dm cache: add policy name to status output (bsc#1020795).\n - dm cache: add remove_cblock method to policy interface (bsc#1020795).\n - dm cache: be much more aggressive about promoting writes to discarded\n blocks (bsc#1020795).\n - dm cache: cache shrinking support (bsc#1020795).\n - dm cache: do not add migration to completed list before unhooking bio\n (bsc#1020795).\n - dm cache: fix a lock-inversion (bsc#1020795).\n - dm cache: fix truncation bug when 
mapping I/O to more than 2TB fast\n device (bsc#1020795).\n - dm cache: fix writethrough mode quiescing in cache_map (bsc#1020795).\n - dm cache: improve efficiency of quiescing flag management (bsc#1020795).\n - dm cache: io destined for the cache device can now serve as tick bios\n (bsc#1020795).\n - dm cache: log error message if dm_kcopyd_copy() fails (bsc#1020795).\n - dm cache metadata: check the metadata version when reading the\n superblock (bsc#1020795).\n - dm cache metadata: return bool from __superblock_all_zeroes\n (bsc#1020795).\n - dm cache: move hook_info into common portion of per_bio_data structure\n (bsc#1020795).\n - dm cache: optimize commit_if_needed (bsc#1020795).\n - dm cache policy mq: a few small fixes (bsc#1020795).\n - dm cache policy mq: fix promotions to occur as expected (bsc#1020795).\n - dm cache policy mq: implement writeback_work() and\n mq_{set,clear}_dirty() (bsc#1020795).\n - dm cache policy mq: introduce three promotion threshold tunables\n (bsc#1020795).\n - dm cache policy mq: protect residency method with existing mutex\n (bsc#1020795).\n - dm cache policy mq: reduce memory requirements (bsc#1020795).\n - dm cache policy mq: use list_del_init instead of list_del +\n INIT_LIST_HEAD (bsc#1020795).\n - dm cache policy: remove return from void policy_remove_mapping\n (bsc#1020795).\n - dm cache: promotion optimisation for writes (bsc#1020795).\n - dm cache: resolve small nits and improve Documentation (bsc#1020795).\n - dm cache: return -EINVAL if the user specifies unknown cache policy\n (bsc#1020795).\n - dm cache: use cell_defer() boolean argument consistently (bsc#1020795).\n - dm: change sector_count member in clone_info from sector_t to unsigned\n (bsc#1020795).\n - dm crypt: add TCW IV mode for old CBC TCRYPT containers (bsc#1020795).\n - dm crypt: properly handle extra key string in initialization\n (bsc#1020795).\n - dm delay: use per-bio data instead of a mempool and slab cache\n (bsc#1020795).\n - dm: fix Kconfig 
indentation (bsc#1020795).\n - dm: fix Kconfig menu indentation (bsc#1020795).\n - dm: make dm_table_alloc_md_mempools static (bsc#1020795).\n - dm mpath: do not call pg_init when it is already running (bsc#1020795).\n - dm mpath: fix lock order inconsistency in multipath_ioctl (bsc#1020795).\n - dm mpath: print more useful warnings in multipath_message()\n (bsc#1020795).\n - dm mpath: push back requests instead of queueing (bsc#1020795).\n - dm mpath: really fix lockdep warning (bsc#1020795).\n - dm mpath: reduce memory pressure when requeuing (bsc#1020795).\n - dm mpath: remove extra nesting in map function (bsc#1020795).\n - dm mpath: remove map_io() (bsc#1020795).\n - dm mpath: remove process_queued_ios() (bsc#1020795).\n - dm mpath: requeue I/O during pg_init (bsc#1020795).\n - dm persistent data: cleanup dm-thin specific references in text\n (bsc#1020795).\n - dm snapshot: call destroy_work_on_stack() to pair with\n INIT_WORK_ONSTACK() (bsc#1020795).\n - dm snapshot: fix metadata corruption (bsc#1020795).\n - dm snapshot: prepare for switch to using dm-bufio (bsc#1020795).\n - dm snapshot: use dm-bufio (bsc#1020795).\n - dm snapshot: use dm-bufio prefetch (bsc#1020795).\n - dm snapshot: use GFP_KERNEL when initializing exceptions (bsc#1020795).\n - dm space map disk: optimise sm_disk_dec_block (bsc#1020795).\n - dm space map metadata: limit errors in sm_metadata_new_block\n (bsc#1020795).\n - dm: stop using bi_private (bsc#1020795).\n - dm table: add dm_table_run_md_queue_async (bsc#1020795).\n - dm table: print error on preresume failure (bsc#1020795).\n - dm table: remove unused buggy code that extends the targets array\n (bsc#1020795).\n - dm thin: add error_if_no_space feature (bsc#1020795).\n - dm thin: add mappings to end of prepared_* lists (bsc#1020795).\n - dm thin: add 'no_space_timeout' dm-thin-pool module param (bsc#1020795).\n - dm thin: add timeout to stop out-of-data-space mode holding IO forever\n (bsc#1020795).\n - dm thin: allow metadata 
commit if pool is in PM_OUT_OF_DATA_SPACE mode\n (bsc#1020795).\n - dm thin: allow metadata space larger than supported to go unused\n (bsc#1020795).\n - dm thin: cleanup and improve no space handling (bsc#1020795).\n - dm thin: eliminate the no_free_space flag (bsc#1020795).\n - dm thin: ensure user takes action to validate data and metadata\n consistency (bsc#1020795).\n - dm thin: factor out check_low_water_mark and use bools (bsc#1020795).\n - dm thin: fix deadlock in __requeue_bio_list (bsc#1020795).\n - dm thin: fix noflush suspend IO queueing (bsc#1020795).\n - dm thin: fix out of data space handling (bsc#1020795).\n - dm thin: fix pool feature parsing (bsc#1020795).\n - dm thin: fix rcu_read_lock being held in code that can sleep\n (bsc#1020795).\n - dm thin: handle metadata failures more consistently (bsc#1020795).\n - dm thin: irqsave must always be used with the pool->lock spinlock\n (bsc#1020795).\n - dm thin: log info when growing the data or metadata device (bsc#1020795).\n - dm thin: requeue bios to DM core if no_free_space and in read-only mode\n (bsc#1020795).\n - dm thin: return error from alloc_data_block if pool is not in write mode\n (bsc#1020795).\n - dm thin: simplify pool_is_congested (bsc#1020795).\n - dm thin: sort the per thin deferred bios using an rb_tree (bsc#1020795).\n - dm thin: synchronize the pool mode during suspend (bsc#1020795).\n - dm thin: use bool rather than unsigned for flags in structures\n (bsc#1020795).\n - dm thin: use INIT_WORK_ONSTACK in noflush_work to avoid ODEBUG warning\n (bsc#1020795).\n - dm thin: use per thin device deferred bio lists (bsc#1020795).\n - dm: use RCU_INIT_POINTER instead of rcu_assign_pointer in __unbind\n (bsc#1020795).\n - drm/i915: relax uncritical udelay_range() (bsc#1038261).\n - ether: add loopback type ETH_P_LOOPBACK (bsc#1028595).\n - ext4: fix bh leak on error paths in ext4_rename() and\n ext4_cross_rename() (bsc#1012985).\n - ext4: fix fencepost in s_first_meta_bg validation 
(bsc#1029986).\n - ext4: mark inode dirty after converting inline directory (bsc#1012985).\n - ftrace: Make ftrace_location_range() global (FATE#322421).\n - HID: usbhid: improve handling of Clear-Halt and reset (bsc#1031080).\n - hv: util: catch allocation errors\n - hv: utils: use memdup_user in hvt_op_write\n - hwrng: virtio - ensure reads happen after successful probe (bsc#954763\n bsc#1032344).\n - i40e: avoid null pointer dereference (bsc#922853).\n - i40e/i40evf: Break up xmit_descriptor_count from maybe_stop_tx\n (bsc#985561).\n - i40e/i40evf: Limit TSO to 7 descriptors for payload instead of 8 per\n packet (bsc#985561).\n - i40e/i40evf: Rewrite logic for 8 descriptor per packet check\n (bsc#985561).\n - i40e: Impose a lower limit on gso size (bsc#985561).\n - i40e: Limit TX descriptor count in cases where frag size is greater than\n 16K (bsc#985561).\n - iommu/vt-d: Flush old iommu caches for kdump when the device gets\n context mapped (bsc#1023824).\n - iommu/vt-d: Tylersburg isoch identity map check is done too late\n (bsc#1032125).\n - ipv6: make ECMP route replacement less greedy (bsc#930399).\n - kabi: hide changes in struct sk_buff (bsc#1009682).\n - KABI: Hide new include in arch/powerpc/kernel/process.c (fate#322421).\n - kABI: mask struct xfs_icdinode change (bsc#1024788).\n - kABI: protect struct inet6_dev (kabi).\n - kABI: protect struct iscsi_conn (bsc#103470).\n - kABI: protect struct xfs_buftarg and struct xfs_mount (bsc#1024508).\n - kABI: restore can_rx_register parameters (kabi).\n - kernel/watchdog: use nmi registers snapshot in hardlockup handler\n (bsc#940946, bsc#937444).\n - kgr: Mark eeh_event_handler() kthread safe using a timeout (bsc#1031662).\n - kgr/module: make a taint flag module-specific\n - kgr: remove unneeded kgr_needs_lazy_migration() s390x definition\n - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).\n - l2tp: fix lookup for sockets not bound to a device in l2tp_ip\n (bsc#1028415).\n - l2tp: fix racy 
socket lookup in l2tp_ip and l2tp_ip6 bind()\n (bsc#1028415).\n - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()\n (bsc#1028415).\n - l2tp: hold tunnel socket when handling control frames in l2tp_ip and\n l2tp_ip6 (bsc#1028415).\n - l2tp: lock socket before checking flags in connect() (bsc#1028415).\n - livepatch: Allow architectures to specify an alternate ftrace location\n (FATE#322421).\n - locking/semaphore: Add down_interruptible_timeout() (bsc#1031662).\n - md: avoid oops on unload if some process is in poll or select\n (bsc#1020795).\n - md: Convert use of typedef ctl_table to struct ctl_table (bsc#1020795).\n - md: ensure metadata is writen after raid level change (bsc#1020795).\n - md linear: fix a race between linear_add() and linear_congested()\n (bsc#1018446).\n - md: md_clear_badblocks should return an error code on failure\n (bsc#1020795).\n - md: refuse to change shape of array if it is active but read-only\n (bsc#1020795).\n - megaraid_sas: add missing curly braces in ioctl handler (bsc#1023207).\n - megaraid_sas: Fixup tgtid count in megasas_ld_list_query() (bsc#971933).\n - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118).\n - mm, memcg: do not retry precharge charges (bnc#1022559).\n - mm/mempolicy.c: do not put mempolicy before using its nodemask\n (References: VM Performance, bnc#931620).\n - mm/page_alloc: fix nodes for reclaim in fast path (bnc#1031842).\n - module: move add_taint_module() to a header file\n - net: Add skb_gro_postpull_rcsum to udp and vxlan (bsc#1009682).\n - net: add skb_pop_rcv_encapsulation (bsc#1009682).\n - net: Call skb_checksum_init in IPv4 (bsc#1009682).\n - net: Call skb_checksum_init in IPv6 (bsc#1009682).\n - netfilter: allow logging fron non-init netns (bsc#970083).\n - net: Generalize checksum_init functions (bsc#1009682).\n - net: Preserve CHECKSUM_COMPLETE at validation (bsc#1009682).\n - NFS: do not try to cross a mountpount when there isn't one there\n (bsc#1028041).\n - 
NFS: Expedite unmount of NFS auto-mounts (bnc#1025802).\n - NFS: Fix a performance regression in readdir (bsc#857926).\n - NFS: flush out dirty data on file fput() (bsc#1021762).\n - ocfs2: do not write error flag to user structure we cannot copy from/to\n (bsc#1012985).\n - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).\n - powerpc: Create a helper for getting the kernel toc value (FATE#322421).\n - powerpc/fadump: Fix the race in crash_fadump() (bsc#1022971).\n - powerpc/fadump: Reserve memory at an offset closer to bottom of RAM\n (bsc#1032141).\n - powerpc/fadump: Update fadump documentation (bsc#1032141).\n - powerpc/ftrace: Add Kconfig & Make glue for mprofile-kernel\n (FATE#322421).\n - powerpc/ftrace: Add support for -mprofile-kernel ftrace ABI\n (FATE#322421).\n - powerpc/ftrace: Use $(CC_FLAGS_FTRACE) when disabling ftrace\n (FATE#322421).\n - powerpc/ftrace: Use generic ftrace_modify_all_code() (FATE#322421).\n - powerpc: introduce TIF_KGR_IN_PROGRESS thread flag (FATE#322421).\n - powerpc/kgraft: Add kgraft header (FATE#322421).\n - powerpc/kgraft: Add kgraft stack to struct thread_info (FATE#322421).\n - powerpc/kgraft: Add live patching support on ppc64le (FATE#322421).\n - powerpc/module: Create a special stub for ftrace_caller() (FATE#322421).\n - powerpc/module: Mark module stubs with a magic value (FATE#322421).\n - powerpc/module: Only try to generate the ftrace_caller() stub once\n (FATE#322421).\n - powerpc/modules: Never restore r2 for a mprofile-kernel style mcount()\n call (FATE#322421).\n - powerpc/prom: Increase minimum RMA size to 512MB (bsc#984530).\n - powerpc/pseries/cpuidle: Remove MAX_IDLE_STATE macro (bnc#1023164).\n - powerpc/pseries/cpuidle: Use cpuidle_register() for initialisation\n (bnc#1023164).\n - powerpc: Reject binutils 2.24 when building little endian (boo#1028895).\n - RAID1: avoid unnecessary spin locks in I/O barrier code\n (bsc#982783,bsc#1020048).\n - raid1: include bio_end_io_list in nr_queued to prevent 
freeze_array hang\n - remove mpath patches from dmcache backport, for bsc#1035738\n - revert "procfs: mark thread stack correctly in proc/PID/maps"\n (bnc#1030901).\n - Revert "RDMA/core: Fix incorrect structure packing for booleans" (kabi).\n - rtnetlink: allow to register ops without ops->setup set (bsc#1021374).\n - s390/zcrypt: Introduce CEX6 toleration (FATE#321783, LTC#147506,\n bsc#1019514).\n - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting\n (bsc#1018419).\n - scsi_error: count medium access timeout only once per EH run\n (bsc#993832, bsc#1032345).\n - scsi: libiscsi: add lock around task lists to fix list corruption\n regression (bsc#1034700).\n - scsi: storvsc: fix SRB_STATUS_ABORTED handling\n - sfc: reduce severity of PIO buffer alloc failures (bsc#1019168).\n - svcrpc: fix gss-proxy NULL dereference in some error cases (bsc#1024309).\n - taint/module: Clean up global and module taint flags handling\n - tcp: abort orphan sockets stalling on zero window probes (bsc#1021913).\n - thp: fix MADV_DONTNEED vs. 
numa balancing race (bnc#1027974).\n - thp: reduce indentation level in change_huge_pmd() (bnc#1027974).\n - treewide: fix "distingush" typo (bsc#1020795).\n - tree-wide: use reinit_completion instead of INIT_COMPLETION\n (bsc#1020795).\n - usb: dwc3: gadget: Fix incorrect DEPCMD and DGCMD status macros\n (bsc#1035699).\n - usb: host: xhci: print correct command ring address (bnc#1035699).\n - USB: serial: kl5kusb105: fix line-state error handling (bsc#1021256).\n - vfs: Do not exchange "short" filenames unconditionally (bsc#1012985).\n - vfs: split generic splice code from i_mutex locking (bsc#1024788).\n - vmxnet3: segCnt can be 1 for LRO packets (bsc#988065).\n - VSOCK: Detach QP check should filter out non matching QPs (bsc#1036752).\n - vxlan: cancel sock_work in vxlan_dellink() (bsc#1031567).\n - vxlan: Checksum fixes (bsc#1009682).\n - vxlan: GRO support at tunnel layer (bsc#1009682).\n - xen-blkfront: correct maximum segment accounting (bsc#1018263).\n - xen-blkfront: do not call talk_to_blkback when already connected to\n blkback.\n - xen-blkfront: free resources if xlvbd_alloc_gendisk fails.\n - xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056).\n - xfs: do not allow di_size with high bit set (bsc#1024234).\n - xfs: do not assert fail on non-async buffers on ioacct decrement\n (bsc#1024508).\n - xfs: exclude never-released buffers from buftarg I/O accounting\n (bsc#1024508).\n - xfs: fix broken multi-fsb buffer logging (bsc#1024081).\n - xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056).\n - xfs: Fix lock ordering in splice write (bsc#1024788).\n - xfs: fix up xfs_swap_extent_forks inline extent handling (bsc#1023888).\n - xfs: Make xfs_icdinode->di_dmstate atomic_t (bsc#1024788).\n - xfs: pass total block res. 
as total xfs_bmapi_write() parameter\n (bsc#1029470).\n - xfs: replace global xfslogd wq with per-mount wq (bsc#1024508).\n - xfs: track and serialize in-flight async buffers against unmount\n (bsc#1024508).\n\n", "edition": 1, "modified": "2017-05-19T18:10:39", "published": "2017-05-19T18:10:39", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00058.html", "id": "SUSE-SU-2017:1360-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-01T13:17:35", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10208", "CVE-2017-7184", "CVE-2017-2584", "CVE-2016-10200", "CVE-2017-2636", "CVE-2017-6348", "CVE-2017-2583", "CVE-2017-6214", "CVE-2017-6345", "CVE-2017-5669", "CVE-2017-5986", "CVE-2017-6346", "CVE-2017-2596", "CVE-2017-6353", "CVE-2016-2117", "CVE-2017-6347"], "edition": 1,
"description": "The openSUSE Leap 42.1 kernel was updated to 4.1.39 to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel\n did not restrict the address calculated by a certain rounding operation,\n which allowed local users to map page zero, and consequently bypass a\n protection mechanism that exists for the mmap system call, by making\n crafted shmget and shmat system calls in a privileged context\n (bnc#1026914).\n - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the\n Linux kernel improperly manages lock dropping, which allowed local users\n to cause a denial of service (deadlock) via crafted operations on IrDA\n devices (bnc#1027178).\n - CVE-2017-7184: The xfrm_replay_verify_len function in\n net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size\n data after an XFRM_MSG_NEWAE update, which allowed local users to obtain\n root privileges or cause a denial of service (heap-based out-of-bounds\n access) by leveraging the CAP_NET_ADMIN capability, as demonstrated\n during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10\n linux-image-* package 4.8.0.41.52 (bnc#1030573).\n - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in\n the Linux kernel allowed local users to gain privileges or cause a\n denial of service (use-after-free) by making multiple bind system calls\n without properly ascertaining whether a socket has the
SOCK_ZAPPED\n status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c\n (bnc#1028415).\n - CVE-2017-2636: Race condition in drivers/tty/n_hdlc.c in the Linux\n kernel allowed local users to gain privileges or cause a denial of\n service (double free) by setting the HDLC line discipline (bnc#1027565).\n - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that\n a certain destructor exists in required circumstances, which allowed\n local users to cause a denial of service (BUG_ON) or possibly have\n unspecified other impact via crafted system calls (bnc#1027190).\n - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux\n kernel allowed local users to cause a denial of service (use-after-free)\n or possibly have unspecified other impact via a multithreaded\n application that made PACKET_FANOUT setsockopt system calls\n (bnc#1027189).\n - CVE-2017-6347: The ip_cmsg_recv_checksum function in\n net/ipv4/ip_sockglue.c in the Linux kernel has incorrect expectations\n about skb data layout, which allowed local users to cause a denial of\n service (buffer over-read) or possibly have unspecified other impact via\n crafted system calls, as demonstrated by use of the MSG_MORE flag in\n conjunction with loopback UDP transmission (bnc#1027179).\n - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly\n restrict association peel-off operations during certain wait states,\n which allowed local users to cause a denial of service (invalid unlock\n and double free) via a multithreaded application. 
NOTE: this\n vulnerability exists because of an incorrect fix for CVE-2017-5986\n (bnc#1025235).\n - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the\n Linux kernel allowed remote attackers to cause a denial of service\n (infinite loop and soft lockup) via vectors involving a TCP packet with\n the URG flag (bnc#1026722).\n - CVE-2016-2117: The atl2_probe function in\n drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly\n enables scatter/gather I/O, which allowed remote attackers to obtain\n sensitive information from kernel memory by reading packet data\n (bnc#968697).\n - CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the\n Linux kernel did not properly validate meta block groups, which allowed\n physically proximate attackers to cause a denial of service\n (out-of-bounds read and system crash) via a crafted ext4 image\n (bnc#1023377).\n - CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c\n in the Linux kernel improperly emulates the VMXON instruction, which\n allowed KVM L1 guest OS users to cause a denial of service (host OS\n memory consumption) by leveraging the mishandling of page references\n (bnc#1022785).\n - CVE-2017-2583: The load_segment_descriptor implementation in\n arch/x86/kvm/emulate.c in the Linux kernel improperly emulates a "MOV\n SS, NULL selector" instruction, which allowed guest OS users to cause a\n denial of service (guest OS crash) or gain guest OS privileges via a\n crafted application (bnc#1020602).\n - CVE-2017-2584: arch/x86/kvm/emulate.c in the Linux kernel allowed local\n users to obtain sensitive information from kernel memory or cause a\n denial of service (use-after-free) via a crafted application that\n leverages instruction emulation for fxrstor, fxsave, sgdt, and sidt\n (bnc#1019851).\n\n The following non-security bugs were fixed:\n\n - Fix kABI breakage of musb struct in 4.1.39 (stable 4.1.39).\n - Revert "ptrace: Capture the ptracer's creds 
not PT_PTRACE_CAP" (stable\n 4.1.39).\n - ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986).\n - ext4: validate s_first_meta_bg at mount time (bsc#1023377).\n - kabi/severities: Ignore x86/kvm kABI changes for 4.1.39\n - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).\n - l2tp: fix lookup for sockets not bound to a device in l2tp_ip\n (bsc#1028415).\n - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind()\n (bsc#1028415).\n - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()\n (bsc#1028415).\n - l2tp: lock socket before checking flags in connect() (bsc#1028415).\n - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bsc#1030118).\n\n", "modified": "2017-04-01T15:07:45", "published": "2017-04-01T15:07:45", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-04/msg00000.html", "id": "OPENSUSE-SU-2017:0906-1", "type": "suse", "title": "Security update for the Linux Kernel (important)", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-05-05T13:19:32", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9191", "CVE-2017-7261", "CVE-2017-6074", "CVE-2016-10200", "CVE-2017-2671", "CVE-2017-7294", "CVE-2017-6214", "CVE-2017-7374", "CVE-2017-7308", "CVE-2017-6345", "CVE-2017-5986", "CVE-2017-6346", "CVE-2017-2596", "CVE-2017-6353", "CVE-2017-7187", "CVE-2016-2117", "CVE-2017-6347"], "description": "The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.58 to receive\n various security and bugfixes.\n\n Notable new/improved features:\n - Improved support for Hyper-V\n - Support for Matrox G200eH3\n - Support for tcp_westwood\n\n The following security bugs were fixed:\n\n - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux\n kernel was too late in obtaining a certain lock and consequently could\n not ensure that disconnect function calls are safe, which allowed local\n users to cause a denial of service (panic) by 
leveraging access to the\n protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003).\n - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in\n the Linux kernel did not properly validate certain block-size data,\n which allowed local users to cause a denial of service (overflow) or\n possibly have unspecified other impact via crafted system calls\n (bnc#1031579).\n - CVE-2017-7294: The vmw_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not\n validate addition of certain levels data, which allowed local users to\n trigger an integer overflow and out-of-bounds write, and cause a denial\n of service (system hang or crash) or possibly gain privileges, via a\n crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440).\n - CVE-2017-7261: The vmw_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not\n check for a zero value of certain levels data, which allowed local users\n to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and\n possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device\n (bnc#1031052).\n - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel allowed local users to cause a denial of service (stack-based\n buffer overflow) or possibly have unspecified other impact via a large\n command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds\n write access in the sg_write function (bnc#1030213).\n - CVE-2017-7374: Use-after-free vulnerability in fs/crypto/ in the Linux\n kernel allowed local users to cause a denial of service (NULL pointer\n dereference) or possibly gain privileges by revoking keyring keys being\n used for ext4, f2fs, or ubifs encryption, causing cryptographic\n transform objects to be freed prematurely (bnc#1032006).\n - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in\n the Linux kernel allowed local users to gain 
privileges or cause a\n denial of service (use-after-free) by making multiple bind system calls\n without properly ascertaining whether a socket has the SOCK_ZAPPED\n status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c\n (bnc#1028415).\n - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that\n a certain destructor exists in required circumstances, which allowed\n local users to cause a denial of service (BUG_ON) or possibly have\n unspecified other impact via crafted system calls (bnc#1027190).\n - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux\n kernel allowed local users to cause a denial of service (use-after-free)\n or possibly have unspecified other impact via a multithreaded\n application that made PACKET_FANOUT setsockopt system calls\n (bnc#1027189).\n - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly\n restrict association peel-off operations during certain wait states,\n which allowed local users to cause a denial of service (invalid unlock\n and double free) via a multithreaded application. 
NOTE: this\n vulnerability exists because of an incorrect fix for CVE-2017-5986\n (bnc#1027066).\n - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the\n Linux kernel allowed remote attackers to cause a denial of service\n (infinite loop and soft lockup) via vectors involving a TCP packet with\n the URG flag (bnc#1026722).\n - CVE-2016-2117: The atl2_probe function in\n drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel incorrectly\n enables scatter/gather I/O, which allowed remote attackers to obtain\n sensitive information from kernel memory by reading packet data\n (bnc#968697).\n - CVE-2017-6347: The ip_cmsg_recv_checksum function in\n net/ipv4/ip_sockglue.c in the Linux kernel had incorrect expectations\n about skb data layout, which allowed local users to cause a denial of\n service (buffer over-read) or possibly have unspecified other impact via\n crafted system calls, as demonstrated by use of the MSG_MORE flag in\n conjunction with loopback UDP transmission (bnc#1027179).\n - CVE-2016-9191: The cgroup offline implementation in the Linux kernel\n mishandled certain drain operations, which allowed local users to cause\n a denial of service (system hang) by leveraging access to a container\n environment for executing a crafted application (bnc#1008842).\n - CVE-2017-2596: The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c\n in the Linux kernel improperly emulated the VMXON instruction, which\n allowed KVM L1 guest OS users to cause a denial of service (host OS\n memory consumption) by leveraging the mishandling of page references\n (bnc#1022785).\n - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c\n in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures\n in the LISTEN state, which allowed local users to obtain root privileges\n or cause a denial of service (double free) via an application that made\n an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024).\n\n The following 
non-security bugs were fixed:\n\n - ACPI, ioapic: Clear on-stack resource before using it (bsc#1028819).\n - ACPI: Do not create a platform_device for IOAPIC/IOxAPIC (bsc#1028819).\n - ACPI: Remove platform devices from a bus on removal (bsc#1028819).\n - HID: usbhid: Quirk a AMI virtual mouse and keyboard with ALWAYS_POLL\n (bsc#1022340).\n - NFS: do not try to cross a mountpount when there isn't one there\n (bsc#1028041).\n - NFS: flush out dirty data on file fput() (bsc#1021762).\n - PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal\n (bug#1028217).\n - PCI: hv: Use device serial number as PCI domain (bug#1028217).\n - RAID1: a new I/O barrier implementation to remove resync window\n (bsc#998106,bsc#1020048,bsc#982783).\n - RAID1: avoid unnecessary spin locks in I/O barrier code\n (bsc#998106,bsc#1020048,bsc#982783).\n - Revert "RDMA/core: Fix incorrect structure packing for booleans" (kabi).\n - Revert "give up on gcc ilog2() constant optimizations" (kabi).\n - Revert "net/mlx4_en: Avoid unregister_netdev at shutdown flow"\n (bsc#1028017).\n - Revert "net: introduce device min_header_len" (kabi).\n - Revert "nfit, libnvdimm: fix interleave set cookie calculation" (kabi).\n - Revert "target: Fix NULL dereference during LUN lookup + active I/O\n shutdown" (kabi).\n - acpi, nfit: fix acpi_nfit_flush_probe() crash (bsc#1031717).\n - acpi, nfit: fix extended status translations for ACPI DSMs (bsc#1031717).\n - arm64: Use full path in KBUILD_IMAGE definition (bsc#1010032).\n - arm64: hugetlb: fix the wrong address for several functions\n (bsc#1032681).\n - arm64: hugetlb: fix the wrong return value for\n huge_ptep_set_access_flags (bsc#1032681).\n - arm64: hugetlb: remove the wrong pmd check in find_num_contig()\n (bsc#1032681).\n - arm: Use full path in KBUILD_IMAGE definition (bsc#1010032).\n - bnx2x: allow adding VLANs while interface is down (bsc#1027273).\n - bonding: fix 802.3ad aggregator reselection (bsc#1029514).\n - btrfs: Change 
qgroup_meta_rsv to 64bit (bsc#1019614).\n - btrfs: allow unlink to exceed subvolume quota (bsc#1019614).\n - btrfs: backref: Fix soft lockup in __merge_refs function (bsc#1017641).\n - btrfs: incremental send, do not delay rename when parent inode is new\n (bsc#1028325).\n - btrfs: incremental send, do not issue invalid rmdir operations\n (bsc#1028325).\n - btrfs: qgroup: Move half of the qgroup accounting time out of commit\n trans (bsc#1017461).\n - btrfs: qgroups: Retry after commit on getting EDQUOT (bsc#1019614).\n - btrfs: send, fix failure to rename top level inode due to name collision\n (bsc#1028325).\n - btrfs: serialize subvolume mounts with potentially mismatching rw flags\n (bsc#951844 bsc#1024015)\n - cgroup/pids: remove spurious suspicious RCU usage warning (bnc#1031831).\n - crypto: algif_hash - avoid zero-sized array (bnc#1007962).\n - cxgb4vf: do not offload Rx checksums for IPv6 fragments (bsc#1026692).\n - device-dax: fix private mapping restriction, permit read-only\n (bsc#1031717).\n - drm/i915: Add intel_uncore_suspend / resume functions (bsc#1011913).\n - drm/i915: Fix crash after S3 resume with DP MST mode change\n (bsc#1029634).\n - drm/i915: Listen for PMIC bus access notifications (bsc#1011913).\n - drm/i915: Only enable hotplug interrupts if the display interrupts are\n enabled (bsc#1031717).\n - drm/mgag200: Added support for the new device G200eH3 (bsc#1007959)\n - ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986).\n - futex: Add missing error handling to FUTEX_REQUEUE_PI (bsc#969755).\n - futex: Fix potential use-after-free in FUTEX_REQUEUE_PI (bsc#969755).\n - hv: export current Hyper-V clocksource (bsc#1031206).\n - hv: util: do not forget to init host_ts.lock (bsc#1031206).\n - hv: vmbus: Prevent sending data on a rescinded channel (bug#1028217).\n - hv_utils: implement Hyper-V PTP source (bsc#1031206).\n - i2c-designware: increase timeout (bsc#1011913).\n - i2c: designware-baytrail: Acquire P-Unit access on bus 
acquire\n (bsc#1011913).\n - i2c: designware-baytrail: Call pmic_bus_access_notifier_chain\n (bsc#1011913).\n - i2c: designware-baytrail: Fix race when resetting the semaphore\n (bsc#1011913).\n - i2c: designware-baytrail: Only check iosf_mbi_available() for shared\n hosts (bsc#1011913).\n - i2c: designware: Disable pm for PMIC i2c-bus even if there is no _SEM\n method (bsc#1011913).\n - i2c: designware: Never suspend i2c-busses used for accessing the system\n PMIC (bsc#1011913).\n - i2c: designware: Rename accessor_flags to flags (bsc#1011913).\n - iommu/vt-d: Make sure IOMMUs are off when intel_iommu=off (bsc#1031208).\n - kABI: protect struct iscsi_conn (kabi).\n - kABI: protect struct se_node_acl (kabi).\n - kABI: restore can_rx_register parameters (kabi).\n - kgr/module: make a taint flag module-specific\n - kgr: Mark eeh_event_handler() kthread safe using a timeout (bsc#1031662).\n - kgr: remove all arch-specific kgraft header files\n - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).\n - l2tp: fix lookup for sockets not bound to a device in l2tp_ip\n (bsc#1028415).\n - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind()\n (bsc#1028415).\n - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()\n (bsc#1028415).\n - l2tp: hold tunnel socket when handling control frames in l2tp_ip and\n l2tp_ip6 (bsc#1028415).\n - l2tp: lock socket before checking flags in connect() (bsc#1028415).\n - libnvdimm, pfn: fix memmap reservation size versus 4K alignment\n (bsc#1031717).\n - locking/semaphore: Add down_interruptible_timeout() (bsc#1031662).\n - md/raid1: Refactor raid1_make_request\n (bsc#998106,bsc#1020048,bsc#982783).\n - md/raid1: add rcu protection to rdev in fix_read_error (References:\n bsc#998106,bsc#1020048,bsc#982783).\n - md/raid1: fix a use-after-free bug (bsc#998106,bsc#1020048,bsc#982783).\n - md/raid1: handle flush request correctly\n (bsc#998106,bsc#1020048,bsc#982783).\n - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW 
for thp (bnc#1030118).\n - mm/memblock.c: fix memblock_next_valid_pfn() (bnc#1031200).\n - mm/page_alloc: Remove useless parameter of __free_pages_boot_core\n (bnc#1027195).\n - mm: fix set pageblock migratetype in deferred struct page init\n (bnc#1027195).\n - mm: page_alloc: skip over regions of invalid pfns where possible\n (bnc#1031200).\n - module: move add_taint_module() to a header file\n - net/ena: change condition for host attribute configuration (bsc#1026509).\n - net/ena: change driver's default timeouts (bsc#1026509).\n - net/ena: fix NULL dereference when removing the driver after device\n reset failed (bsc#1026509).\n - net/ena: fix RSS default hash configuration (bsc#1026509).\n - net/ena: fix ethtool RSS flow configuration (bsc#1026509).\n - net/ena: fix potential access to freed memory during device reset\n (bsc#1026509).\n - net/ena: fix queues number calculation (bsc#1026509).\n - net/ena: reduce the severity of ena printouts (bsc#1026509).\n - net/ena: refactor ena_get_stats64 to be atomic context safe\n (bsc#1026509).\n - net/ena: remove ntuple filter support from device feature list\n (bsc#1026509).\n - net/ena: update driver version to 1.1.2 (bsc#1026509).\n - net/ena: use READ_ONCE to access completion descriptors (bsc#1026509).\n - net/mlx4_core: Avoid command timeouts during VF driver device shutdown\n (bsc#1028017).\n - net/mlx4_core: Avoid delays during VF driver device shutdown\n (bsc#1028017).\n - net/mlx4_core: Fix racy CQ (Completion Queue) free (bsc#1028017).\n - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to\n VGT transitions (bsc#1028017).\n - net/mlx4_core: Use cq quota in SRIOV when creating completion EQs\n (bsc#1028017).\n - net/mlx4_en: Fix bad WQE issue (bsc#1028017).\n - net: ena: Fix error return code in ena_device_init() (bsc#1026509).\n - net: ena: Remove unnecessary pci_set_drvdata() (bsc#1026509).\n - net: ena: change the return type of ena_set_push_mode() to be void\n (bsc#1026509).\n - net: 
ena: remove superfluous check in ena_remove() (bsc#1026509).\n - net: ena: use setup_timer() and mod_timer() (bsc#1026509).\n - netfilter: allow logging from non-init namespaces (bsc#970083).\n - nvme: Do not suspend admin queue that wasn't created (bsc#1026505).\n - nvme: Suspend all queues before deletion (bsc#1026505).\n - ping: implement proper locking (bsc#1031003).\n - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).\n - rtlwifi: rtl_usb: Fix missing entry in USB driver's private data\n (bsc#1026462).\n - s390/kmsg: add missing kmsg descriptions (bnc#1025683).\n - s390/mm: fix zone calculation in arch_add_memory() (bnc#1025683).\n - sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting\n (bsc#1018419).\n - scsi: do not print 'reservation conflict' for TEST UNIT READY\n (bsc#1027054).\n - scsi_dh_alua: Do not modify the interval value for retries (bsc#1012910).\n - softirq: Let ksoftirqd do its job (bsc#1019618).\n - x86, mm: fix gup_pte_range() vs DAX mappings (bsc#1026405).\n - x86/apic/uv: Silence a shift wrapping warning (bsc#1023866).\n - x86/ioapic: Change prototype of acpi_ioapic_add() (bsc#1027153,\n bsc#1027616).\n - x86/ioapic: Fix IOAPIC failing to request resource (bsc#1027153,\n bsc#1027616).\n - x86/ioapic: Fix incorrect pointers in ioapic_setup_resources()\n (bsc#1027153, bsc#1027616).\n - x86/ioapic: Fix lost IOAPIC resource after hot-removal and hotadd\n (bsc#1027153, bsc#1027616).\n - x86/ioapic: Fix setup_res() failing to get resource (bsc#1027153,\n bsc#1027616).\n - x86/ioapic: Ignore root bridges without a companion ACPI device\n (bsc#1027153, bsc#1027616).\n - x86/ioapic: Simplify ioapic_setup_resources() (bsc#1027153, bsc#1027616).\n - x86/ioapic: Support hot-removal of IOAPICs present during boot\n (bsc#1027153, bsc#1027616).\n - x86/ioapic: fix kABI (hide added include) (bsc#1027153, bsc#1027616).\n - x86/mce: Do not print MCEs when mcelog is active (bsc#1013994).\n - x86/mce: Fix copy/paste error in exception 
table entries\n - x86/mm/gup: Simplify get_user_pages() PTE bit handling (bsc#1026405).\n - x86/platform/UV: Add Support for UV4 Hubless NMIs (bsc#1023866).\n - x86/platform/UV: Add Support for UV4 Hubless systems (bsc#1023866).\n - x86/platform/UV: Add basic CPU NMI health check (bsc#1023866).\n - x86/platform/UV: Clean up the NMI code to match current coding style\n (bsc#1023866).\n - x86/platform/UV: Clean up the UV APIC code (bsc#1023866).\n - x86/platform/UV: Ensure uv_system_init is called when necessary\n (bsc#1023866).\n - x86/platform/UV: Fix 2 socket config problem (bsc#1023866).\n - x86/platform/UV: Fix panic with missing UVsystab support (bsc#1023866).\n - x86/platform/UV: Initialize PCH GPP_D_0 NMI Pin to be NMI source\n (bsc#1023866).\n - x86/platform/UV: Verify NMI action is valid, default is standard\n (bsc#1023866).\n - x86/platform/intel/iosf_mbi: Add a PMIC bus access notifier\n (bsc#1011913).\n - x86/platform/intel/iosf_mbi: Add a mutex for P-Unit access (bsc#1011913).\n - x86/platform: Remove warning message for duplicate NMI handlers\n (bsc#1029220).\n - x86/ras/therm_throt: Do not log a fake MCE for thermal events\n (bsc#1028027).\n - xen-blkfront: correct maximum segment accounting (bsc#1018263).\n - xen-blkfront: do not call talk_to_blkback when already connected to\n blkback.\n - xen-blkfront: free resources if xlvbd_alloc_gendisk fails.\n - xen/blkfront: Fix crash if backend does not follow the right states.\n - xen/netback: set default upper limit of tx/rx queues to 8 (bnc#1019163).\n - xen/netfront: set default upper limit of tx/rx queues to 8 (bnc#1019163).\n - xen: Use machine addresses in /sys/kernel/vmcoreinfo when PV\n (bsc#1014136)\n - xfs: do not take the IOLOCK exclusive for direct I/O page invalidation\n (bsc#1015609).\n - xgene_enet: remove bogus forward declarations (bsc#1032673).\n\n", "edition": 1, "modified": "2017-05-05T15:11:30", "published": "2017-05-05T15:11:30", "href": 
"http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00011.html", "id": "SUSE-SU-2017:1183-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-19T18:33:11", "bulletinFamily": "unix", "cvelist": ["CVE-2017-11176", "CVE-2017-14051", "CVE-2017-7261", "CVE-2017-7184", "CVE-2017-1000380", "CVE-2017-6074", "CVE-2017-7616", "CVE-2017-12762", "CVE-2017-9074", "CVE-2017-9242", "CVE-2017-5970", "CVE-2016-10200", "CVE-2017-8831", "CVE-2017-2671", "CVE-2017-11473", "CVE-2017-9075", "CVE-2017-7533", "CVE-2017-7294", "CVE-2017-6348", "CVE-2017-10661", "CVE-2017-8924", "CVE-2017-1000112", "CVE-2016-5243", "CVE-2017-6214", "CVE-2017-7482", "CVE-2017-7308", "CVE-2017-5669", "CVE-2017-6951", "CVE-2017-2647", "CVE-2017-8925", "CVE-2017-5986", "CVE-2017-6353", "CVE-2017-7487", "CVE-2017-9076", "CVE-2017-1000363", "CVE-2017-7187", "CVE-2017-9077", "CVE-2017-7542", "CVE-2017-1000365", "CVE-2017-8890"], "description": "The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2016-5243: The tipc_nl_compat_link_dump function in\n net/tipc/netlink_compat.c in the Linux kernel did not properly copy a\n certain string, which allowed local users to obtain sensitive\n information from kernel stack memory by reading a Netlink message\n (bnc#983212)\n - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in\n the Linux kernel allowed local users to gain privileges or cause a\n denial of service (use-after-free) by making multiple bind system calls\n without properly ascertaining whether a socket has the SOCK_ZAPPED\n status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c\n (bnc#1028415)\n - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local\n users to gain privileges or cause a denial of service (NULL 
pointer\n dereference and system crash) via vectors involving a NULL value for a\n certain match field, related to the keyring_search_iterator function in\n keyring.c (bsc#1030593).\n - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux\n kernel was too late in obtaining a certain lock and consequently could\n not ensure that disconnect function calls are safe, which allowed local\n users to cause a denial of service (panic) by leveraging access to the\n protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003)\n - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel\n did not restrict the address calculated by a certain rounding operation,\n which allowed local users to map page zero, and consequently bypass a\n protection mechanism that exists for the mmap system call, by making\n crafted shmget and shmat system calls in a privileged context\n (bnc#1026914)\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bsc#1024938)\n - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in\n net/sctp/socket.c in the Linux kernel allowed local users to cause a\n denial of service (assertion failure and panic) via a multithreaded\n application that peels off an association in a certain buffer-full state\n (bsc#1025235)\n - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c\n in the Linux kernel mishandled DCCP_PKT_REQUEST packet data structures\n in the LISTEN state, which allowed local users to obtain root privileges\n or cause a denial of service (double free) via an application that made\n an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024)\n - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the\n Linux kernel allowed remote attackers to cause a 
denial of service\n (infinite loop and soft lockup) via vectors involving a TCP packet with\n the URG flag (bnc#1026722)\n - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the\n Linux kernel improperly managed lock dropping, which allowed local users\n to cause a denial of service (deadlock) via crafted operations on IrDA\n devices (bnc#1027178)\n - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly\n restrict association peel-off operations during certain wait states,\n which allowed local users to cause a denial of service (invalid unlock\n and double free) via a multithreaded application. NOTE: this\n vulnerability exists because of an incorrect fix for CVE-2017-5986\n (bnc#1027066)\n - CVE-2017-6951: The keyring_search_aux function in\n security/keys/keyring.c in the Linux kernel allowed local users to cause\n a denial of service (NULL pointer dereference and OOPS) via a\n request_key system call for the "dead" type (bsc#1029850).\n - CVE-2017-7184: The xfrm_replay_verify_len function in\n net/xfrm/xfrm_user.c in the Linux kernel did not validate certain size\n data after an XFRM_MSG_NEWAE update, which allowed local users to obtain\n root privileges or cause a denial of service (heap-based out-of-bounds\n access) by leveraging the CAP_NET_ADMIN capability (bsc#1030573)\n - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel allowed local users to cause a denial of service (stack-based\n buffer overflow) or possibly have unspecified other impact via a large\n command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds\n write access in the sg_write function (bnc#1030213)\n - CVE-2017-7261: The vmw_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not\n check for a zero value of certain levels data, which allowed local users\n to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and\n possibly panic) via a crafted ioctl 
call for a /dev/dri/renderD* device\n (bnc#1031052)\n - CVE-2017-7294: The vmw_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not\n validate addition of certain levels data, which allowed local users to\n trigger an integer overflow and out-of-bounds write, and cause a denial\n of service (system hang or crash) or possibly gain privileges, via a\n crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440)\n - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in\n the Linux kernel did not properly validate certain block-size data,\n which allowed local users to cause a denial of service (overflow) or\n possibly have unspecified other impact via crafted system calls\n (bnc#1031579)\n - CVE-2017-7482: Several missing length checks ticket decode allowing for\n information leak or potentially code execution (bsc#1046107).\n - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the\n Linux kernel mishandled reference counts, which allowed local users to\n cause a denial of service (use-after-free) or possibly have unspecified\n other impact via a failed SIOCGIFADDR ioctl call for an IPX interface\n (bsc#1038879).\n - CVE-2017-7533: Race condition in the fsnotify implementation in the\n Linux kernel allowed local users to gain privileges or cause a denial of\n service (memory corruption) via a crafted application that leverages\n simultaneous execution of the inotify_handle_event and vfs_rename\n functions (bnc#1049483 1050677 ).\n - CVE-2017-7542: The ip6_find_1stfragopt function in\n net/ipv6/output_core.c in the Linux kernel allowed local users to cause\n a denial of service (integer overflow and infinite loop) by leveraging\n the ability to open a raw socket (bnc#1049882).\n - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind\n compat syscalls in mm/mempolicy.c in the Linux kernel allowed local\n users to obtain sensitive information from uninitialized stack 
data by\n triggering failure of a certain bitmap operation (bsc#1033336)\n - CVE-2017-8831: The saa7164_bus_get function in\n drivers/media/pci/saa7164/saa7164-bus.c in the Linux kernel allowed\n local users to cause a denial of service (out-of-bounds array access) or\n possibly have unspecified other impact by changing a certain\n sequence-number value, aka a "double fetch" vulnerability. This requires\n a malicious PCI Card. (bnc#1037994).\n - CVE-2017-8890: The inet_csk_clone_lock function in\n net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to\n cause a denial of service (double free) or possibly have unspecified\n other impact by leveraging use of the accept system call (bsc#1038544).\n - CVE-2017-8924: The edge_bulk_in_callback function in\n drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to\n obtain sensitive information (in the dmesg ringbuffer and syslog) from\n uninitialized kernel memory by using a crafted USB device (posing as an\n io_ti USB serial device) to trigger an integer underflow (bnc#1037182).\n - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c\n in the Linux kernel allowed local users to cause a denial of service\n (tty exhaustion) by leveraging reference count mishandling (bnc#1038981).\n - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel\n did not consider that the nexthdr field may be associated with an\n invalid option, which allowed local users to cause a denial of service\n (out-of-bounds read and BUG) or possibly have unspecified other impact\n via crafted socket and send system calls (bnc#1039882).\n - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c\n in the Linux kernel mishandled inheritance, which allowed local users to\n cause a denial of service or possibly have unspecified other impact via\n crafted system calls, a related issue to CVE-2017-8890 (bsc#1039883).\n - CVE-2017-9076: The dccp_v6_request_recv_sock function 
in net/dccp/ipv6.c\n in the Linux kernel mishandled inheritance, which allowed local users to\n cause a denial of service or possibly have unspecified other impact via\n crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885).\n - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c\n in the Linux kernel mishandled inheritance, which allowed local users to\n cause a denial of service or possibly have unspecified other impact via\n crafted system calls, a related issue to CVE-2017-8890 (bsc#1040069).\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n in the Linux kernel was too late in checking whether an overwrite of an\n skb data structure may occur, which allowed local users to cause a\n denial of service (system crash) via crafted system calls (bnc#1041431).\n - CVE-2017-10661: Race condition in fs/timerfd.c in the Linux kernel\n allowed local users to gain privileges or cause a denial of service\n (list corruption or use-after-free) via simultaneous file-descriptor\n operations that leverage improper might_cancel queueing (bnc#1053152).\n - CVE-2017-11176: The mq_notify function in the Linux kernel did not set\n the sock pointer to NULL upon entry into the retry logic. During a\n user-space close of a Netlink socket, it allowed attackers to cause a\n denial of service (use-after-free) or possibly have unspecified other\n impact (bnc#1048275).\n - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function\n in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users\n to gain privileges via a crafted ACPI table (bnc#1049603).\n - CVE-2017-12762: In /drivers/isdn/i4l/isdn_net.c: A user-controlled\n buffer is copied into a local buffer of constant size using strcpy\n without a length check which can cause a buffer overflow. 
(bnc#1053148).\n - CVE-2017-14051: An integer overflow in the\n qla2x00_sysfs_write_optrom_ctl function in\n drivers/scsi/qla2xxx/qla_attr.c in the Linux kernel allowed local users\n to cause a denial of service (memory corruption and system crash) by\n leveraging root access (bnc#1056588).\n - CVE-2017-1000112: Fixed a race condition in net-packet code that could\n have been exploited by unprivileged users to gain root access.\n (bsc#1052311).\n - CVE-2017-1000363: Linux drivers/char/lp.c Out-of-Bounds Write. Due to a\n missing bounds check, and the fact that parport_ptr integer is static, a\n 'secure boot' kernel command line adversary could have overflowed the\n parport_nr array in the following code (bnc#1039456).\n - CVE-2017-1000365: The Linux Kernel imposes a size restriction on the\n arguments and environmental strings passed through\n RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the\n argument and environment pointers into account, which allowed attackers\n to bypass this limitation (bnc#1039354).\n - CVE-2017-1000380: sound/core/timer.c in the Linux kernel was vulnerable\n to a data race in the ALSA /dev/snd/timer driver resulting in local\n users being able to read information belonging to other users, i.e.,\n uninitialized memory contents may be disclosed when a read and an ioctl\n happen at the same time (bnc#1044125).\n\n The following non-security bugs were fixed:\n\n - acpi: Disable APEI error injection if securelevel is set (bsc#972891,\n bsc#1023051).\n - blkback/blktap: do not leak stack data via response ring (bsc#1042863\n XSA-216).\n - btrfs: cleanup code of btrfs_balance_delayed_items() (bsc#1034838).\n - btrfs: do not run delayed nodes again after all nodes flush\n (bsc#1034838).\n - btrfs: remove btrfs_end_transaction_dmeta() (bsc#1034838).\n - btrfs: remove residual code in delayed inode async helper (bsc#1034838).\n - btrfs: use flags instead of the bool variants in delayed node\n (bsc#1034838).\n - cifs: cifs_get_root 
shouldn't use path with tree name, alternate fix\n (bsc#963655, bsc#979681, bsc#1027406).\n - dentry name snapshots (bsc#1049483).\n - firmware: fix directory creation rule matching with make 3.80\n (bsc#1012422).\n - firmware: fix directory creation rule matching with make 3.82\n (bsc#1012422).\n - Fix vmalloc_fault oops during lazy MMU updates (bsc#948562) (bsc#948562).\n - hv: do not lose pending heartbeat vmbus packets (bnc#1006919,\n bnc#1053760).\n - jbd: do not wait (forever) for stale tid caused by wraparound\n (bsc#1020229).\n - jbd: Fix oops in journal_remove_journal_head() (bsc#1017143).\n - kernel-binary.spec: Propagate MAKE_ARGS to %build (bsc#1012422)\n - keys: Disallow keyrings beginning with '.' to be joined as session\n keyrings (bnc#1035576).\n - nfs: Avoid getting confused by confused server (bsc#1045416).\n - nfsd4: minor NFSv2/v3 write decoding cleanup (bsc#1034670).\n - nfsd: check for oversized NFSv2/v3 arguments (bsc#1034670).\n - nfsd: do not risk using duplicate owner/file/delegation ids\n (bsc#1029212).\n - nfsd: stricter decoding of write-like NFSv2/v3 ops (bsc#1034670).\n - nfs: Make nfs_readdir revalidate less often (bsc#1048232).\n - pciback: check PF instead of VF for PCI_COMMAND_MEMORY (bsc#957990).\n - pciback: only check PF if actually dealing with a VF (bsc#999245).\n - pciback: Save the number of MSI-X entries to be copied later\n (bsc#957988).\n - Remove superfluous make flags (bsc#1012422)\n - Return short read or 0 at end of a raw device, not EIO (bsc#1039594).\n - Revert "fs/cifs: fix wrongly prefixed path to root (bsc#963655,\n bsc#979681)\n - scsi: lpfc: avoid double free of resource identifiers (bsc#989896).\n - scsi: virtio_scsi: fix memory leak on full queue condition (bsc#1028880).\n - sunrpc: Clean up the slot table allocation (bsc#1013862).\n - sunrpc: Initalise the struct xprt upon allocation (bsc#1013862).\n - usb: serial: kl5kusb105: fix line-state error handling (bsc#1021256).\n - usb: wusbcore: fix NULL-deref at 
probe (bsc#1045487).\n - Use make --output-sync feature when available (bsc#1012422).\n - Use PF_LESS_THROTTLE in loop device thread (bsc#1027101).\n - xen/PCI-MSI: fix sysfs teardown in DomU (bsc#986924).\n\n", "edition": 1, "modified": "2017-09-19T15:07:27", "published": "2017-09-19T15:07:27", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00073.html", "id": "SUSE-SU-2017:2525-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-09T09:57:39", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10277", "CVE-2017-11176", "CVE-2017-1000380", "CVE-2017-9074", "CVE-2017-9242", "CVE-2017-11473", "CVE-2017-9075", "CVE-2017-7533", "CVE-2017-8924", "CVE-2017-7482", "CVE-2014-9922", "CVE-2017-6951", "CVE-2017-2647", "CVE-2017-8925", "CVE-2017-7487", "CVE-2017-9076", "CVE-2017-1000363", "CVE-2017-9077", "CVE-2017-7542", "CVE-2017-1000365", "CVE-2017-8890"], "description": "The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2017-7482: Several missing length checks ticket decode allowing for\n information leak or potentially code execution (bsc#1046107).\n - CVE-2016-10277: Potential privilege escalation due to a missing bounds\n check in the lp driver. 
A kernel command-line adversary can overflow the\n parport_nr array to execute code (bsc#1039456).\n - CVE-2017-7542: The ip6_find_1stfragopt function in\n net/ipv6/output_core.c in the Linux kernel allowed local users to cause\n a denial of service (integer overflow and infinite loop) by leveraging\n the ability to open a raw socket (bsc#1049882).\n - CVE-2017-7533: Bug in inotify code allowing privilege escalation\n (bsc#1049483).\n - CVE-2017-11176: The mq_notify function in the Linux kernel did not set\n the sock pointer to NULL upon entry into the retry logic. During a\n user-space close of a Netlink socket, it allowed attackers to cause a\n denial of service (use-after-free) or possibly have unspecified other\n impact (bsc#1048275).\n - CVE-2017-11473: Buffer overflow in the mp_override_legacy_irq() function\n in arch/x86/kernel/acpi/boot.c in the Linux kernel allowed local users\n to gain privileges via a crafted ACPI table (bnc#1049603).\n - CVE-2017-1000365: The Linux Kernel imposed a size restriction on the\n arguments and environmental strings passed through\n RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but did not take the\n argument and environment pointers into account, which allowed attackers\n to bypass this limitation. 
(bnc#1039354)\n - CVE-2014-9922: The eCryptfs subsystem in the Linux kernel allowed local\n users to gain privileges via a large filesystem stack that includes an\n overlayfs layer, related to fs/ecryptfs/main.c and fs/overlayfs/super.c\n (bnc#1032340)\n - CVE-2017-8924: The edge_bulk_in_callback function in\n drivers/usb/serial/io_ti.c in the Linux kernel allowed local users to\n obtain sensitive information (in the dmesg ringbuffer and syslog) from\n uninitialized kernel memory by using a crafted USB device (posing as an\n io_ti USB serial device) to trigger an integer underflow (bnc#1038982).\n - CVE-2017-8925: The omninet_open function in drivers/usb/serial/omninet.c\n in the Linux kernel allowed local users to cause a denial of service\n (tty exhaustion) by leveraging reference count mishandling (bnc#1038981).\n - CVE-2017-1000380: sound/core/timer.c was vulnerable to a data race in\n the ALSA /dev/snd/timer driver resulting in local users being able to\n read information belonging to other users, i.e., uninitialized memory\n contents could have been disclosed when a read and an ioctl happen at\n the same time (bnc#1044125)\n - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c\n was too late in checking whether an overwrite of an skb data structure\n may occur, which allowed local users to cause a denial of service\n (system crash) via crafted system calls (bnc#1041431)\n - CVE-2017-1000363: A buffer overflow in kernel commandline handling of\n the "lp" parameter could be used by local console attackers to bypass\n certain secure boot settings. 
(bnc#1039456)\n - CVE-2017-9076: The dccp_v6_request_recv_sock function in net/dccp/ipv6.c\n in the Linux kernel mishandled inheritance, which allowed local users to\n cause a denial of service or possibly have unspecified other impact via\n crafted system calls, a related issue to CVE-2017-8890 (bnc#1039885)\n - CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c\n in the Linux kernel mishandled inheritance, which allowed local users to\n cause a denial of service or possibly have unspecified other impact via\n crafted system calls, a related issue to CVE-2017-8890 (bnc#1040069)\n - CVE-2017-9075: The sctp_v6_create_accept_sk function in net/sctp/ipv6.c\n in the Linux kernel mishandled inheritance, which allowed local users to\n cause a denial of service or possibly have unspecified other impact via\n crafted system calls, a related issue to CVE-2017-8890 (bnc#1039883)\n - CVE-2017-9074: The IPv6 fragmentation implementation in the Linux kernel\n did not consider that the nexthdr field may be associated with an\n invalid option, which allowed local users to cause a denial of service\n (out-of-bounds read and BUG) or possibly have unspecified other impact\n via crafted socket and send system calls (bnc#1039882)\n - CVE-2017-7487: The ipxitf_ioctl function in net/ipx/af_ipx.c in the\n Linux kernel mishandled reference counts, which allowed local users to\n cause a denial of service (use-after-free) or possibly have unspecified\n other impact via a failed SIOCGIFADDR ioctl call for an IPX interface\n (bnc#1038879)\n - CVE-2017-8890: The inet_csk_clone_lock function in\n net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to\n cause a denial of service (double free) or possibly have unspecified\n other impact by leveraging use of the accept system call (bnc#1038544)\n - CVE-2017-2647: The KEYS subsystem in the Linux kernel allowed local\n users to gain privileges or cause a denial of service (NULL pointer\n dereference and system 
crash) via vectors involving a NULL value for a\n certain match field, related to the keyring_search_iterator function in\n keyring.c (bnc#1030593)\n - CVE-2017-6951: The keyring_search_aux function in\n security/keys/keyring.c in the Linux kernel allowed local users to cause\n a denial of service (NULL pointer dereference and OOPS) via a\n request_key system call for the "dead" type (bnc#1029850)\n\n The following non-security bugs were fixed:\n\n - 8250: use callbacks to access UART_DLL/UART_DLM.\n - ALSA: ctxfi: Fallback DMA mask to 32bit (bsc#1045538).\n - ALSA: hda - Fix regression of HD-audio controller fallback modes\n (bsc#1045538).\n - ALSA: hda - using uninitialized data (bsc#1045538).\n - ALSA: hda/realtek - Correction of fixup codes for PB V7900 laptop\n (bsc#1045538).\n - ALSA: hda/realtek - Fix COEF widget NID for ALC260 replacer fixup\n (bsc#1045538).\n - ALSA: off by one bug in snd_riptide_joystick_probe() (bsc#1045538).\n - ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode (bsc#1045538).\n - Add CVE tag to references\n - CIFS: backport prepath matching fix (bsc#799133).\n - Drop CONFIG_PPC_CELL from bigmem (bsc#1049128).\n - EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr().\n - Fix scripts/bigmem-generate-ifdef-guard to work on all branches\n - Fix soft lockup in svc_rdma_send (bsc#1044854).\n - IB/mlx4: Demote mcg message from warning to debug (bsc#919382).\n - IB/mlx4: Fix ib device initialization error flow (bsc#919382).\n - IB/mlx4: Fix port query for 56Gb Ethernet links (bsc#919382).\n - IB/mlx4: Handle well-known-gid in mad_demux processing (bsc#919382).\n - IB/mlx4: Reduce SRIOV multicast cleanup warning message to debug level\n (bsc#919382).\n - IB/mlx4: Set traffic class in AH (bsc#919382).\n - Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE\n operation (bsc#1036288).\n - Input: cm109 - validate number of endpoints before using them\n (bsc#1037193).\n - Input: hanwang - validate number of 
endpoints before using them\n (bsc#1037232).\n - Input: yealink - validate number of endpoints before using them\n (bsc#1037227).\n - KEYS: Disallow keyrings beginning with '.' to be joined as session\n keyrings (bnc#1035576).\n - NFS: Avoid getting confused by confused server (bsc#1045416).\n - NFS: Fix another OPEN_DOWNGRADE bug (git-next).\n - NFS: Fix size of NFSACL SETACL operations (git-fixes).\n - NFS: Make nfs_readdir revalidate less often (bsc#1048232).\n - NFS: tidy up nfs_show_mountd_netid (git-fixes).\n - NFSD: Do not use state id of 0 - it is reserved (bsc#1049688\n bsc#1051770).\n - NFSv4: Do not call put_rpccred() under the rcu_read_lock() (git-fixes).\n - NFSv4: Fix another bug in the close/open_downgrade code (git-fixes).\n - NFSv4: Fix problems with close in the presence of a delegation\n (git-fixes).\n - NFSv4: Fix the underestimation of delegation XDR space reservation\n (git-fixes).\n - NFSv4: fix getacl head length estimation (git-fixes).\n - PCI: Fix devfn for VPD access through function 0 (bnc#943786 git-fixes).\n - Remove superfluous make flags (bsc#1012422)\n - Return short read or 0 at end of a raw device, not EIO (bsc#1039594).\n - Revert "math64: New div64_u64_rem helper" (bnc#938352).\n - SUNRPC: Fix a memory leak in the backchannel code (git-fixes).\n - Staging: vt6655-6: potential NULL dereference in\n hostap_disable_hostapd() (bsc#1045479).\n - USB: class: usbtmc.c: Cleaning up uninitialized variables (bsc#1036288).\n - USB: class: usbtmc: do not print error when allocating urb fails\n (bsc#1036288).\n - USB: class: usbtmc: do not print on ENOMEM (bsc#1036288).\n - USB: iowarrior: fix NULL-deref in write (bsc#1037359).\n - USB: iowarrior: fix info ioctl on big-endian hosts (bsc#1037441).\n - USB: r8a66597-hcd: select a different endpoint on timeout (bsc#1047053).\n - USB: serial: ark3116: fix register-accessor error handling (git-fixes).\n - USB: serial: ch341: fix open error handling (bsc#1037441).\n - USB: serial: cp210x: fix 
tiocmget error handling (bsc#1037441).\n - USB: serial: ftdi_sio: fix line-status over-reporting (bsc#1037441).\n - USB: serial: io_edgeport: fix epic-descriptor handling (bsc#1037441).\n - USB: serial: io_ti: fix information leak in completion handler\n (git-fixes).\n - USB: serial: mos7840: fix another NULL-deref at open (bsc#1034026).\n - USB: serial: oti6858: fix NULL-deref at open (bsc#1037441).\n - USB: serial: sierra: fix bogus alternate-setting assumption\n (bsc#1037441).\n - USB: serial: spcp8x5: fix NULL-deref at open (bsc#1037441).\n - USB: usbip: fix nonconforming hub descriptor (bsc#1047487).\n - USB: usbtmc: Add flag rigol_quirk to usbtmc_device_data (bsc#1036288).\n - USB: usbtmc: Change magic number to constant (bsc#1036288).\n - USB: usbtmc: Set rigol_quirk if device is listed (bsc#1036288).\n - USB: usbtmc: TMC request code segregated from usbtmc_read (bsc#1036288).\n - USB: usbtmc: add device quirk for Rigol DS6104 (bsc#1036288).\n - USB: usbtmc: add missing endpoint sanity check (bsc#1036288).\n - USB: usbtmc: fix DMA on stack (bsc#1036288).\n - USB: usbtmc: fix big-endian probe of Rigol devices (bsc#1036288).\n - USB: usbtmc: fix probe error path (bsc#1036288).\n - USB: usbtmc: usbtmc_read sends multiple TMC header based on rigol_quirk\n (bsc#1036288).\n - USB: wusbcore: fix NULL-deref at probe (bsc#1045487).\n - Update patches.fixes/nfs-svc-rdma.fix (bsc#1044854).\n - Use make --output-sync feature when available (bsc#1012422).\n - Xen/PCI-MSI: fix sysfs teardown in DomU (bsc#986924).\n - __bitmap_parselist: fix bug in empty string handling (bnc#1042633).\n - acpi: Disable APEI error injection if securelevel is set (bsc#972891,\n bsc#1023051).\n - af_key: Add lock to key dump (bsc#1047653).\n - af_key: Fix slab-out-of-bounds in pfkey_compile_policy (bsc#1047354).\n - ath9k: fix buffer overrun for ar9287 (bsc#1045538).\n - blacklist b50a6c584bb4 powerpc/perf: Clear MMCR2 when enabling PMU\n (bsc#1035721).\n - blacklist.conf: Add a few 
inapplicable items (bsc#1045538).\n - blacklist.conf: Blacklist 847fa1a6d3d0 ('ftrace/x86_32: Set ftrace_stub\n to weak to prevent gcc from using short jumps to it') The released\n kernels are not built with a gas new enough to optimize the jmps so that\n this patch would be required. (bsc#1051478)\n - blkback/blktap: do not leak stack data via response ring (bsc#1042863\n XSA-216).\n - block: do not allow updates through sysfs until registration completes\n (bsc#1047027).\n - block: fix ext_dev_lock lockdep report (bsc#1050154).\n - btrfs: Do not clear SGID when inheriting ACLs (bsc#1030552).\n - cifs: Timeout on SMBNegotiate request (bsc#1044913).\n - cifs: do not compare uniqueids in cifs_prime_dcache unless server inode\n numbers are in use (bsc#1041975). backporting upstream commit\n 2f2591a34db6c9361faa316c91a6e320cb4e6aee\n - cifs: small underflow in cnvrtDosUnixTm() (bsc#1043935).\n - cputime: Avoid multiplication overflow on utime scaling (bnc#938352).\n - crypto: nx - off by one bug in nx_of_update_msc() (bnc#792863).\n - decompress_bunzip2: off by one in get_next_block() (git-fixes).\n - dentry name snapshots (bsc#1049483).\n - devres: fix a for loop bounds check (git-fixes).\n - dm: fix ioctl retry termination with signal (bsc#1050154).\n - drm/mgag200: Add support for G200eH3 (bnc#1044216)\n - drm/mgag200: Fix to always set HiPri for G200e4 (bsc#1015452,\n bsc#995542).\n - ext2: Do not clear SGID when inheriting ACLs (bsc#1030552).\n - ext3: Do not clear SGID when inheriting ACLs (bsc#1030552).\n - ext4: Do not clear SGID when inheriting ACLs (bsc#1030552).\n - ext4: fix fdatasync(2) after extent manipulation operations\n (bsc#1013018).\n - ext4: keep existing extra fields when inode expands (bsc#1013018).\n - fbdev/efifb: Fix 16 color palette entry calculation (bsc#1041762).\n - firmware: fix directory creation rule matching with make 3.80\n (bsc#1012422).\n - firmware: fix directory creation rule matching with make 3.82\n (bsc#1012422).\n - fixed 
invalid assignment of 64bit mask to host dma_boundary for scatter\n gather segment boundary limit (bsc#1042045).\n - fnic: Return 'DID_IMM_RETRY' if rport is not ready (bsc#1035920).\n - fnic: Using rport->dd_data to check rport online instead of rport_lookup\n (bsc#1035920).\n - fs/block_dev: always invalidate cleancache in invalidate_bdev()\n (git-fixes).\n - fs/xattr.c: zero out memory copied to userspace in getxattr\n (bsc#1013018).\n - fs: fix data invalidation in the cleancache during direct IO (git-fixes).\n - fuse: add missing FR_FORCE (bsc#1013018).\n - genirq: Prevent proc race against freeing of irq descriptors\n (bnc#1044230).\n - hrtimer: Allow concurrent hrtimer_start() for self restarting timers\n (bnc#1013018).\n - initial cr0 bits (bnc#1036056, LTC#153612).\n - ipmr, ip6mr: fix scheduling while atomic and a deadlock with\n ipmr_get_route (git-fixes).\n - irq: Fix race condition (bsc#1042615).\n - isdn/gigaset: fix NULL-deref at probe (bsc#1037356).\n - isofs: Do not return EACCES for unknown filesystems (bsc#1013018).\n - jsm: add support for additional Neo cards (bsc#1045615).\n - kernel-binary.spec: Propagate MAKE_ARGS to %build (bsc#1012422)\n - libata: fix sff host state machine locking while polling (bsc#1045525).\n - libceph: NULL deref on crush_decode() error path (bsc#1044015).\n - libceph: potential NULL dereference in ceph_msg_data_create()\n (bsc#1051515).\n - libfc: fixup locking in fc_disc_stop() (bsc#1029140).\n - libfc: move 'pending' and 'requested' setting (bsc#1029140).\n - libfc: only restart discovery after timeout if not already running\n (bsc#1029140).\n - locking/rtmutex: Prevent dequeue vs. 
unlock race (bnc#1013018).\n - math64: New div64_u64_rem helper (bnc#938352).\n - md/raid0: apply base queue limits *before* disk_stack_limits (git-fixes).\n - md/raid1: extend spinlock to protect raid1_end_read_request against\n inconsistencies (git-fixes).\n - md/raid1: fix test for 'was read error from last working device'\n (git-fixes).\n - md/raid5: Fix CPU hotplug callback registration (git-fixes).\n - md/raid5: do not record new size if resize_stripes fails (git-fixes).\n - md: ensure md devices are freed before module is unloaded (git-fixes).\n - md: fix a null dereference (bsc#1040351).\n - md: flush ->event_work before stopping array (git-fixes).\n - md: make sure GET_ARRAY_INFO ioctl reports correct "clean" status\n (git-fixes).\n - md: use separate bio_pool for metadata writes (bsc#1040351).\n - megaraid_sas: add missing curly braces in ioctl handler (bsc#1050154).\n - mlx4: reduce OOM risk on arches with large pages (bsc#919382).\n - mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check (VM\n Functionality, bsc#1042832).\n - mm/memory-failure.c: use compound_head() flags for huge pages\n (bnc#971975 VM -- git fixes).\n - mm: hugetlb: call huge_pte_alloc() only if ptep is null (VM\n Functionality, bsc#1042832).\n - mmc: core: add missing pm event in mmc_pm_notify to fix hib restore\n (bsc#1045547).\n - mmc: ushc: fix NULL-deref at probe (bsc#1037191).\n - module: fix memory leak on early load_module() failures (bsc#1043014).\n - mwifiex: printk() overflow with 32-byte SSIDs (bsc#1048185).\n - net/mlx4: Fix the check in attaching steering rules (bsc#919382).\n - net/mlx4: Fix uninitialized fields in rule when adding promiscuous mode\n to device managed flow steering (bsc#919382).\n - net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV\n (bsc#919382).\n - net/mlx4_core: Enhance the MAD_IFC wrapper to convert VF port to\n physical (bsc#919382).\n - net/mlx4_core: Fix VF overwrite of module param which disables DMFS on\n new 
probed PFs (bsc#919382).\n - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to\n VGT transitions (bsc#919382).\n - net/mlx4_core: Get num_tc using netdev_get_num_tc (bsc#919382).\n - net/mlx4_core: Prevent VF from changing port configuration (bsc#919382).\n - net/mlx4_core: Use cq quota in SRIOV when creating completion EQs\n (bsc#919382).\n - net/mlx4_core: Use-after-free causes a resource leak in flow-steering\n detach (bsc#919382).\n - net/mlx4_en: Avoid adding steering rules with invalid ring (bsc#919382).\n - net/mlx4_en: Change the error print to debug print (bsc#919382).\n - net/mlx4_en: Fix type mismatch for 32-bit systems (bsc#919382).\n - net/mlx4_en: Resolve dividing by zero in 32-bit system (bsc#919382).\n - net/mlx4_en: Wake TX queues only when there's enough room (bsc#1039258).\n - net/mlx4_en: fix overflow in mlx4_en_init_timestamp() (bsc#919382).\n - net: avoid reference counter overflows on fib_rules in multicast\n forwarding (git-fixes).\n - net: ip6mr: fix static mfc/dev leaks on table destruction (git-fixes).\n - net: ipmr: fix static mfc/dev leaks on table destruction (git-fixes).\n - net: wimax/i2400m: fix NULL-deref at probe (bsc#1037358).\n - netxen_nic: set rcode to the return status from the call to\n netxen_issue_cmd (bnc#784815).\n - nfs: fix nfs_size_to_loff_t (git-fixes).\n - nfsd4: minor NFSv2/v3 write decoding cleanup (bsc#1034670).\n - nfsd: check for oversized NFSv2/v3 arguments (bsc#1034670).\n - nfsd: stricter decoding of write-like NFSv2/v3 ops (bsc#1034670).\n - ocfs2: Do not clear SGID when inheriting ACLs (bsc#1030552).\n - ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with\n ocfs2_unblock_lock (bsc#962257).\n - perf/core: Correct event creation with PERF_FORMAT_GROUP (bnc#1013018).\n - perf/core: Fix event inheritance on fork() (bnc#1013018).\n - powerpc/ibmebus: Fix device reference leaks in sysfs interface\n (bsc#1035777 [2017-04-24] Pending Base Kernel Fixes).\n - powerpc/ibmebus: Fix further 
device reference leaks (bsc#1035777\n [2017-04-24] Pending Base Kernel Fixes).\n - powerpc/mm/hash: Check for non-kernel address in get_kernel_vsid()\n (bsc#1032471).\n - powerpc/mm/hash: Convert mask to unsigned long (bsc#1032471).\n - powerpc/mm/hash: Increase VA range to 128TB (bsc#1032471).\n - powerpc/mm/hash: Properly mask the ESID bits when building proto VSID\n (bsc#1032471).\n - powerpc/mm/hash: Support 68 bit VA (bsc#1032471).\n - powerpc/mm/hash: Use context ids 1-4 for the kernel (bsc#1032471).\n - powerpc/mm/slice: Convert slice_mask high slice to a bitmap\n (bsc#1032471).\n - powerpc/mm/slice: Fix off-by-1 error when computing slice mask\n (bsc#1032471).\n - powerpc/mm/slice: Move slice_mask struct definition to slice.c\n (bsc#1032471).\n - powerpc/mm/slice: Update slice mask printing to use bitmap printing\n (bsc#1032471).\n - powerpc/mm/slice: Update the function prototype (bsc#1032471).\n - powerpc/mm: Do not alias user region to other regions below PAGE_OFFSET\n (bsc#928138).\n - powerpc/mm: Remove checks that TASK_SIZE_USER64 is too small\n (bsc#1032471).\n - powerpc/mm: use macro PGTABLE_EADDR_SIZE instead of digital\n (bsc#1032471).\n - powerpc/pci/rpadlpar: Fix device reference leaks (bsc#1035777\n [2017-04-24] Pending Base Kernel Fixes).\n - powerpc/pseries: Release DRC when configure_connector fails\n (bsc#1035777, Pending Base Kernel Fixes).\n - powerpc: Drop support for pre-POWER4 cpus (bsc#1032471).\n - powerpc: Remove STAB code (bsc#1032471).\n - random32: fix off-by-one in seeding requirement (git-fixes).\n - reiserfs: Do not clear SGID when inheriting ACLs (bsc#1030552).\n - reiserfs: do not preallocate blocks for extended attributes (bsc#990682).\n - rfkill: fix rfkill_fop_read wait_event usage (bsc#1046192).\n - s390/qdio: clear DSCI prior to scanning multiple input queues\n (bnc#1046715, LTC#156234).\n - s390/qeth: no ETH header for outbound AF_IUCV (bnc#1046715, LTC#156276).\n - s390/qeth: size calculation outbound buffers 
(bnc#1046715, LTC#156276).\n - sched/core: Remove false-positive warning from wake_up_process()\n (bnc#1044882).\n - sched/cputime: Do not scale when utime == 0 (bnc#938352).\n - sched/debug: Print the scheduler topology group mask (bnc#1013018).\n - sched/fair, cpumask: Export for_each_cpu_wrap() (bnc#1013018).\n - sched/fair: Fix min_vruntime tracking (bnc#1013018).\n - sched/rt: Fix PI handling vs. sched_setscheduler() (bnc#1013018). Prep\n for b60205c7c558 sched/fair: Fix min_vruntime tracking\n - sched/topology: Fix building of overlapping sched-groups (bnc#1013018).\n - sched/topology: Fix overlapping sched_group_capacity (bnc#1013018).\n - sched/topology: Fix overlapping sched_group_mask (bnc#1013018).\n - sched/topology: Move comment about asymmetric node setups (bnc#1013018).\n - sched/topology: Optimize build_group_mask() (bnc#1013018).\n - sched/topology: Refactor function build_overlap_sched_groups()\n (bnc#1013018).\n - sched/topology: Remove FORCE_SD_OVERLAP (bnc#1013018).\n - sched/topology: Simplify build_overlap_sched_groups() (bnc#1013018).\n - sched/topology: Verify the first group matches the child domain\n (bnc#1013018).\n - sched: Always initialize cpu-power (bnc#1013018).\n - sched: Avoid cputime scaling overflow (bnc#938352).\n - sched: Avoid prev->stime underflow (bnc#938352).\n - sched: Do not account bogus utime (bnc#938352).\n - sched: Fix SD_OVERLAP (bnc#1013018).\n - sched: Fix domain iteration (bnc#1013018).\n - sched: Lower chances of cputime scaling overflow (bnc#938352).\n - sched: Move nr_cpus_allowed out of 'struct sched_rt_entity'\n (bnc#1013018). 
Prep for b60205c7c558 sched/fair: Fix min_vruntime\n tracking\n - sched: Rename a misleading variable in build_overlap_sched_groups()\n (bnc#1013018).\n - sched: Use swap() macro in scale_stime() (bnc#938352).\n - scsi: bnx2i: missing error code in bnx2i_ep_connect() (bsc#1048221).\n - scsi: fix race between simultaneous decrements of ->host_failed\n (bsc#1050154).\n - scsi: fnic: Correcting rport check location in fnic_queuecommand_lck\n (bsc#1035920).\n - scsi: mvsas: fix command_active typo (bsc#1050154).\n - scsi: qla2xxx: Fix scsi scan hang triggered if adapter fails during init\n (bsc#1050154).\n - sfc: do not device_attach if a reset is pending (bsc#909618).\n - smsc75xx: use skb_cow_head() to deal with cloned skbs (bsc#1045154).\n - splice: Stub splice_write_to_file (bsc#1043234).\n - svcrdma: Fix send_reply() scatter/gather set-up (git-fixes).\n - target/iscsi: Fix double free in lio_target_tiqn_addtpg() (bsc#1050154).\n - tracing/kprobes: Enforce kprobes teardown after testing (bnc#1013018).\n - tracing: Fix syscall_*regfunc() vs copy_process() race (bnc#1042687).\n - udf: Fix deadlock between writeback and udf_setsize() (bsc#1013018).\n - udf: Fix races with i_size changes during readpage (bsc#1013018).\n - usbtmc: remove redundant braces (bsc#1036288).\n - usbtmc: remove trailing spaces (bsc#1036288).\n - usbvision: fix NULL-deref at probe (bsc#1050431).\n - uwb: hwa-rc: fix NULL-deref at probe (bsc#1037233).\n - uwb: i1480-dfu: fix NULL-deref at probe (bsc#1036629).\n - vb2: Fix an off by one error in 'vb2_plane_vaddr' (bsc#1050431).\n - vmxnet3: avoid calling pskb_may_pull with interrupts disabled\n (bsc#1045356).\n - vmxnet3: fix checks for dma mapping errors (bsc#1045356).\n - vmxnet3: fix lock imbalance in vmxnet3_tq_xmit() (bsc#1045356).\n - x86, mm, paravirt: Fix vmalloc_fault oops during lazy MMU updates\n (bsc#948562).\n - x86/pci-calgary: Fix iommu_free() comparison of unsigned expression\n greater than 0 (bsc#1051478).\n - xen: avoid deadlock 
in xenbus (bnc#1047523).\n - xfrm: NULL dereference on allocation failure (bsc#1047343).\n - xfrm: Oops on error in pfkey_msg2xfrm_state() (bsc#1047653).\n - xfrm: dst_entries_init() per-net dst_ops (bsc#1030814).\n - xfs: Synchronize xfs_buf disposal routines (bsc#1041160).\n - xfs: use ->b_state to fix buffer I/O accounting release race\n (bsc#1041160).\n - xprtrdma: Free the pd if ib_query_qp() fails (git-fixes).\n\n", "edition": 1, "modified": "2017-09-08T18:09:08", "published": "2017-09-08T18:09:08", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-09/msg00017.html", "id": "SUSE-SU-2017:2389-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-05-11T19:19:57", "bulletinFamily": "unix", "cvelist": ["CVE-2016-10208", "CVE-2017-7261", "CVE-2017-6074", "CVE-2016-7117", "CVE-2017-7616", "CVE-2016-3070", "CVE-2017-5970", "CVE-2016-10200", "CVE-2017-2671", "CVE-2017-7294", "CVE-2017-6348", "CVE-2016-5243", "CVE-2017-6214", "CVE-2015-1350", "CVE-2017-7308", "CVE-2017-6345", "CVE-2017-5669", "CVE-2017-5986", "CVE-2017-6346", "CVE-2016-9588", "CVE-2017-6353", "CVE-2017-7187", "CVE-2016-2117", "CVE-2016-10044", "CVE-2017-5897"], "description": "The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2015-1350: The VFS subsystem in the Linux kernel provided an\n incomplete set of requirements for setattr operations that\n underspecifies removing extended privilege attributes, which allowed\n local users to cause a denial of service (capability stripping) via a\n failed invocation of a system call, as demonstrated by using chown to\n remove a capability from the ping or Wireshark dumpcap program\n (bnc#914939).\n - CVE-2016-2117: The atl2_probe function in\n drivers/net/ethernet/atheros/atlx/atl2.c in the Linux 
kernel incorrectly\n enabled scatter/gather I/O, which allowed remote attackers to obtain\n sensitive information from kernel memory by reading packet data\n (bnc#968697).\n - CVE-2016-3070: The trace_writeback_dirty_page implementation in\n include/trace/events/writeback.h in the Linux kernel improperly\n interacted with mm/migrate.c, which allowed local users to cause a\n denial of service (NULL pointer dereference and system crash) or\n possibly have unspecified other impact by triggering a certain page move\n (bnc#979215).\n - CVE-2016-5243: The tipc_nl_compat_link_dump function in\n net/tipc/netlink_compat.c in the Linux kernel did not properly copy a\n certain string, which allowed local users to obtain sensitive\n information from kernel stack memory by reading a Netlink message\n (bnc#983212).\n - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg\n function in net/socket.c in the Linux kernel allowed remote attackers to\n execute arbitrary code via vectors involving a recvmmsg system call that\n is mishandled during error processing (bnc#1003077).\n - CVE-2016-9588: arch/x86/kvm/vmx.c in the Linux kernel mismanages the #BP\n and #OF exceptions, which allowed guest OS users to cause a denial of\n service (guest OS crash) by declining to handle an exception thrown by\n an L2 guest (bnc#1015703).\n - CVE-2016-10044: The aio_mount function in fs/aio.c in the Linux kernel\n did not properly restrict execute access, which made it easier for local\n users to bypass intended SELinux W^X policy restrictions, and\n consequently gain privileges, via an io_setup system call (bnc#1023992).\n - CVE-2016-10200: Race condition in the L2TPv3 IP Encapsulation feature in\n the Linux kernel allowed local users to gain privileges or cause a\n denial of service (use-after-free) by making multiple bind system calls\n without properly ascertaining whether a socket has the SOCK_ZAPPED\n status, related to net/l2tp/l2tp_ip.c and net/l2tp/l2tp_ip6.c\n (bnc#1028415).\n 
- CVE-2016-10208: The ext4_fill_super function in fs/ext4/super.c in the\n Linux kernel did not properly validate meta block groups, which allowed\n physically proximate attackers to cause a denial of service\n (out-of-bounds read and system crash) via a crafted ext4 image\n (bnc#1023377).\n - CVE-2017-2671: The ping_unhash function in net/ipv4/ping.c in the Linux\n kernel is too late in obtaining a certain lock and consequently cannot\n ensure that disconnect function calls are safe, which allowed local\n users to cause a denial of service (panic) by leveraging access to the\n protocol value of IPPROTO_ICMP in a socket system call (bnc#1031003).\n - CVE-2017-5669: The do_shmat function in ipc/shm.c in the Linux kernel\n did not restrict the address calculated by a certain rounding operation,\n which allowed local users to map page zero, and consequently bypass a\n protection mechanism that exists for the mmap system call, by making\n crafted shmget and shmat system calls in a privileged context\n (bnc#1026914).\n - CVE-2017-5897: The ip6gre_err function in net/ipv6/ip6_gre.c in the\n Linux kernel allowed remote attackers to have unspecified impact via\n vectors involving GRE flags in an IPv6 packet, which trigger an\n out-of-bounds access (bnc#1023762).\n - CVE-2017-5970: The ipv4_pktinfo_prepare function in\n net/ipv4/ip_sockglue.c in the Linux kernel allowed attackers to cause a\n denial of service (system crash) via (1) an application that made\n crafted system calls or possibly (2) IPv4 traffic with invalid IP\n options (bnc#1024938).\n - CVE-2017-5986: Race condition in the sctp_wait_for_sndbuf function in\n net/sctp/socket.c in the Linux kernel allowed local users to cause a\n denial of service (assertion failure and panic) via a multithreaded\n application that peels off an association in a certain buffer-full state\n (bnc#1025235).\n - CVE-2017-6074: The dccp_rcv_state_process function in net/dccp/input.c\n in the Linux kernel mishandled DCCP_PKT_REQUEST 
packet data structures\n in the LISTEN state, which allowed local users to obtain root privileges\n or cause a denial of service (double free) via an application that made\n an IPV6_RECVPKTINFO setsockopt system call (bnc#1026024).\n - CVE-2017-6214: The tcp_splice_read function in net/ipv4/tcp.c in the\n Linux kernel allowed remote attackers to cause a denial of service\n (infinite loop and soft lockup) via vectors involving a TCP packet with\n the URG flag (bnc#1026722).\n - CVE-2017-6345: The LLC subsystem in the Linux kernel did not ensure that\n a certain destructor exists in required circumstances, which allowed\n local users to cause a denial of service (BUG_ON) or possibly have\n unspecified other impact via crafted system calls (bnc#1027190).\n - CVE-2017-6346: Race condition in net/packet/af_packet.c in the Linux\n kernel allowed local users to cause a denial of service (use-after-free)\n or possibly have unspecified other impact via a multithreaded\n application that made PACKET_FANOUT setsockopt system calls\n (bnc#1027189).\n - CVE-2017-6348: The hashbin_delete function in net/irda/irqueue.c in the\n Linux kernel improperly managed lock dropping, which allowed local users\n to cause a denial of service (deadlock) via crafted operations on IrDA\n devices (bnc#1027178).\n - CVE-2017-6353: net/sctp/socket.c in the Linux kernel did not properly\n restrict association peel-off operations during certain wait states,\n which allowed local users to cause a denial of service (invalid unlock\n and double free) via a multithreaded application. 
NOTE: this\n vulnerability exists because of an incorrect fix for CVE-2017-5986\n (bnc#1027066).\n - CVE-2017-7187: The sg_ioctl function in drivers/scsi/sg.c in the Linux\n kernel allowed local users to cause a denial of service (stack-based\n buffer overflow) or possibly have unspecified other impact via a large\n command size in an SG_NEXT_CMD_LEN ioctl call, leading to out-of-bounds\n write access in the sg_write function (bnc#1030213).\n - CVE-2017-7261: The vmw_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not\n check for a zero value of certain levels data, which allowed local users\n to cause a denial of service (ZERO_SIZE_PTR dereference, and GPF and\n possibly panic) via a crafted ioctl call for a /dev/dri/renderD* device\n (bnc#1031052).\n - CVE-2017-7294: The vmw_surface_define_ioctl function in\n drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel did not\n validate addition of certain levels data, which allowed local users to\n trigger an integer overflow and out-of-bounds write, and cause a denial\n of service (system hang or crash) or possibly gain privileges, via a\n crafted ioctl call for a /dev/dri/renderD* device (bnc#1031440).\n - CVE-2017-7308: The packet_set_ring function in net/packet/af_packet.c in\n the Linux kernel did not properly validate certain block-size data,\n which allowed local users to cause a denial of service (overflow) or\n possibly have unspecified other impact via crafted system calls\n (bnc#1031579).\n - CVE-2017-7616: Incorrect error handling in the set_mempolicy and mbind\n compat syscalls in mm/mempolicy.c in the Linux kernel allowed local\n users to obtain sensitive information from uninitialized stack data by\n triggering failure of a certain bitmap operation (bnc#1033336).\n\n The following non-security bugs were fixed:\n\n - ext4: fix fencepost in s_first_meta_bg validation (bsc#1029986).\n - hwrng: virtio - ensure reads happen after successful probe 
(bsc#954763\n bsc#1032344).\n - kgr/module: make a taint flag module-specific (fate#313296).\n - l2tp: fix address test in __l2tp_ip6_bind_lookup() (bsc#1028415).\n - l2tp: fix lookup for sockets not bound to a device in l2tp_ip\n (bsc#1028415).\n - l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind()\n (bsc#1028415).\n - l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()\n (bsc#1028415).\n - l2tp: hold tunnel socket when handling control frames in l2tp_ip and\n l2tp_ip6 (bsc#1028415).\n - l2tp: lock socket before checking flags in connect() (bsc#1028415).\n - mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp (bnc#1030118).\n - module: move add_taint_module() to a header file (fate#313296).\n - netfilter: bridge: Fix the build when IPV6 is disabled (bsc#1027149).\n - nfs: flush out dirty data on file fput() (bsc#1021762).\n - powerpc: Blacklist GCC 5.4 6.1 and 6.2 (boo#1028895).\n - powerpc: Reject binutils 2.24 when building little endian (boo#1028895).\n - revert "procfs: mark thread stack correctly in proc/<pid>/maps"\n (bnc#1030901).\n - taint/module: Clean up global and module taint flags handling\n (fate#313296).\n - usb: serial: kl5kusb105: fix line-state error handling (bsc#1021256).\n - xfs_dmapi: fix the debug compilation of xfs_dmapi (bsc#989056).\n - xfs: fix buffer overflow dm_get_dirattrs/dm_get_dirattrs2 (bsc#989056).\n\n", "edition": 1, "modified": "2017-05-11T21:09:07", "published": "2017-05-11T21:09:07", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00022.html", "id": "SUSE-SU-2017:1247-1", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-02-17T19:00:05", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7097", "CVE-2016-7910", "CVE-2016-8633", "CVE-2016-8399", "CVE-2016-7117", "CVE-2016-9793", "CVE-2016-7911", "CVE-2016-10088", "CVE-2015-8962", 
"CVE-2015-8964", "CVE-2016-7916", "CVE-2016-9555", "CVE-2017-5551", "CVE-2016-8632", "CVE-2004-0230", "CVE-2016-9685", "CVE-2016-7425", "CVE-2015-8970", "CVE-2016-6828", "CVE-2015-1350", "CVE-2015-8956", "CVE-2012-6704", "CVE-2016-9576", "CVE-2016-9756", "CVE-2016-8646", "CVE-2016-3841", "CVE-2016-0823", "CVE-2016-7042"], "edition": 1, "description": "The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive\n various security and bugfixes.\n\n The following security bugs were fixed:\n\n - CVE-2015-8970: crypto/algif_skcipher.c in the Linux kernel did not\n verify that a setkey operation has been performed on an AF_ALG socket\n before an accept system call is processed, which allowed local users to\n cause a denial of service (NULL pointer dereference and system crash)\n via a crafted application that did not supply a key, related to the\n lrw_crypt function in crypto/lrw.c (bnc#1008374).\n - CVE-2017-5551: Clear S_ISGID on tmpfs when setting posix ACLs\n (bsc#1021258).\n - CVE-2016-7097: The filesystem implementation in the Linux kernel\n preserves the setgid bit during a setxattr call, which allowed local\n users to gain group privileges by leveraging the existence of a setgid\n program with restrictions on execute permissions (bnc#995968).\n - CVE-2016-10088: The sg implementation in the Linux kernel did not\n properly restrict write operations in situations where the KERNEL_DS\n option is set, which allowed local users to read or write to arbitrary\n kernel memory locations or cause a denial of service (use-after-free) by\n leveraging access to a /dev/sg device, related to block/bsg.c and\n drivers/scsi/sg.c. 
NOTE: this vulnerability exists because of an\n incomplete fix for CVE-2016-9576 (bnc#1017710).\n - CVE-2004-0230: TCP, when using a large Window Size, made it easier for\n remote attackers to guess sequence numbers and cause a denial of service\n (connection loss) to persistent TCP connections by repeatedly injecting\n a TCP RST packet, especially in protocols that use long-lived\n connections, such as BGP (bnc#969340).\n - CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in the\n Linux kernel did not validate the relationship between the minimum\n fragment length and the maximum packet size, which allowed local users\n to gain privileges or cause a denial of service (heap-based buffer\n overflow) by leveraging the CAP_NET_ADMIN capability (bnc#1008831).\n - CVE-2016-8399: An elevation of privilege vulnerability in the kernel\n networking subsystem could have enabled a local malicious application to\n execute arbitrary code within the context of the kernel (bnc#1014746).\n - CVE-2016-9793: The sock_setsockopt function in net/core/sock.c in the\n Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf,\n which allowed local users to cause a denial of service (memory\n corruption and system crash) or possibly have unspecified other impact\n by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt\n system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option\n (bnc#1013531).\n - CVE-2012-6704: The sock_setsockopt function in net/core/sock.c in the\n Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf,\n which allowed local users to cause a denial of service (memory\n corruption and system crash) or possibly have unspecified other impact\n by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt\n system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option (bnc#1013542).\n - CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux kernel did not\n properly initialize Code Segment (CS) in certain error cases, 
which\n allowed local users to obtain sensitive information from kernel stack\n memory via a crafted application (bnc#1013038).\n - CVE-2016-3841: The IPv6 stack in the Linux kernel mishandled options\n data, which allowed local users to gain privileges or cause a denial of\n service (use-after-free and system crash) via a crafted sendmsg system\n call (bnc#992566).\n - CVE-2016-9685: Multiple memory leaks in error paths in\n fs/xfs/xfs_attr_list.c in the Linux kernel allowed local users to cause\n a denial of service (memory consumption) via crafted XFS filesystem\n operations (bnc#1012832).\n - CVE-2015-1350: The VFS subsystem in the Linux kernel provided an\n incomplete set of requirements for setattr operations that\n underspecifies removing extended privilege attributes, which allowed\n local users to cause a denial of service (capability stripping) via a\n failed invocation of a system call, as demonstrated by using chown to\n remove a capability from the ping or Wireshark dumpcap program\n (bnc#914939).\n - CVE-2015-8962: Double free vulnerability in the sg_common_write function\n in drivers/scsi/sg.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (memory corruption and system\n crash) by detaching a device during an SG_IO ioctl call (bnc#1010501).\n - CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in\n the Linux kernel lacked chunk-length checking for the first chunk, which\n allowed remote attackers to cause a denial of service (out-of-bounds\n slab access) or possibly have unspecified other impact via crafted SCTP\n data (bnc#1011685).\n - CVE-2016-7910: Use-after-free vulnerability in the disk_seqf_stop\n function in block/genhd.c in the Linux kernel allowed local users to\n gain privileges by leveraging the execution of a certain stop operation\n even if the corresponding start operation had failed (bnc#1010716).\n - CVE-2016-7911: Race condition in the get_task_ioprio function in\n 
block/ioprio.c in the Linux kernel allowed local users to gain\n privileges or cause a denial of service (use-after-free) via a crafted\n ioprio_get system call (bnc#1010711).\n - CVE-2015-8964: The tty_set_termios_ldisc function in\n drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to\n obtain sensitive information from kernel memory by reading a tty data\n structure (bnc#1010507).\n - CVE-2016-7916: Race condition in the environ_read function in\n fs/proc/base.c in the Linux kernel allowed local users to obtain\n sensitive information from kernel memory by reading a /proc/*/environ\n file during a process-setup time interval in which environment-variable\n copying is incomplete (bnc#1010467).\n - CVE-2016-8646: The hash_accept function in crypto/algif_hash.c in the\n Linux kernel allowed local users to cause a denial of service (OOPS) by\n attempting to trigger use of in-kernel hash algorithms for a socket that\n has received zero bytes of data (bnc#1010150).\n - CVE-2016-8633: drivers/firewire/net.c in the Linux kernel in certain\n unusual hardware configurations allowed remote attackers to execute\n arbitrary code via crafted fragmented packets (bnc#1008833).\n - CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in\n the Linux kernel, when the GNU Compiler Collection (gcc) stack protector is\n enabled, used an incorrect buffer size for certain timeout data, which\n allowed local users to cause a denial of service (stack memory\n corruption and panic) by reading the /proc/keys file (bnc#1004517).\n - CVE-2015-8956: The rfcomm_sock_bind function in\n net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to\n obtain sensitive information or cause a denial of service (NULL pointer\n dereference) via vectors involving a bind system call on a Bluetooth\n RFCOMM socket (bnc#1003925).\n - CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg\n function in net/socket.c in the Linux kernel allowed remote attackers to\n 
execute arbitrary code via vectors involving a recvmmsg system call that\n is mishandled during error processing (bnc#1003077).\n - CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the\n Linux kernel allowed local users to obtain sensitive physical-address\n information by reading a pagemap file (bnc#994759).\n - CVE-2016-7425: The arcmsr_iop_message_xfer function in\n drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a\n certain length field, which allowed local users to gain privileges or\n cause a denial of service (heap-based buffer overflow) via an\n ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).\n - CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in\n the Linux kernel did not properly maintain certain SACK state after a\n failed data copy, which allowed local users to cause a denial of service\n (tcp_xmit_retransmit_queue use-after-free and system crash) via a\n crafted SACK option (bnc#994296).\n\n The following non-security bugs were fixed:\n\n - Always include the git commit in KOTD builds. 
This allows us not to set\n it explicitly in builds submitted to the official distribution\n (bnc#821612, bnc#824171).\n - KVM: x86: SYSENTER emulation is broken (bsc#994618).\n - NFS: Do not disconnect open-owner on NFS4ERR_BAD_SEQID (bsc#989261).\n - NFS: Refresh open-owner id when server says SEQID is bad (bsc#989261).\n - NFSv4: Ensure that we do not drop a state owner more than once\n (bsc#979595).\n - NFSv4: add flock_owner to open context (bnc#998689).\n - NFSv4: change nfs4_do_setattr to take an open_context instead of a\n nfs4_state (bnc#998689).\n - NFSv4: change nfs4_select_rw_stateid to take a lock_context inplace of\n lock_owner (bnc#998689).\n - NFSv4: enhance nfs4_copy_lock_stateid to use a flock stateid if there is\n one (bnc#998689).\n - NFSv4: fix broken patch relating to v4 read delegations (bsc#956514,\n bsc#989261, bsc#979595).\n - SELinux: Fix possible NULL pointer dereference in\n selinux_inode_permission() (bsc#1012895).\n - USB: fix typo in wMaxPacketSize validation (bsc#991665).\n - USB: validate wMaxPacketValue entries in endpoint descriptors\n (bnc#991665).\n - Update patches.xen/xen3-auto-arch-x86.diff (bsc#929141, among others).\n - __ptrace_may_access() should not deny sub-threads (bsc#1012851).\n - apparmor: fix IRQ stack overflow during free_profile (bsc#1009875).\n - arch/powerpc: Remove duplicate/redundant Altivec entries (bsc#967716).\n - cdc-acm: added sanity checking for probe() (bsc#993891).\n - include/linux/math64.h: add div64_ul() (bsc#996329).\n - kabi-fix for flock_owner addition (bsc#998689).\n - kabi: get back scsi_device.current_cmnd (bsc#935436).\n - kaweth: fix firmware download (bsc#993890).\n - kaweth: fix oops upon failed memory allocation (bsc#993890).\n - kexec: add a kexec_crash_loaded() function (bsc#973691).\n - md linear: fix a race between linear_add() and linear_congested()\n (bsc#1018446).\n - mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (bsc#1011820).\n - mpt3sas: Fix panic when aer correct error 
occurred (bsc#997708,\n bsc#999943).\n - mremap: enforce rmap src/dst vma ordering in case of vma_merge()\n succeeding in copy_vma() (VM Functionality, bsc#1008645).\n - nfs4: reset states to use open_stateid when returning delegation\n voluntarily (bsc#1007944).\n - ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed() (bnc#1019783).\n - posix-timers: Remove remaining uses of tasklist_lock (bnc#997401).\n - posix-timers: Use sighand lock instead of tasklist_lock for task clock\n sample (bnc#997401).\n - posix-timers: Use sighand lock instead of tasklist_lock on timer\n deletion (bnc#997401).\n - powerpc: Add ability to build little endian kernels (bsc#967716).\n - powerpc: Avoid load of static chain register when calling nested\n functions through a pointer on 64bit (bsc#967716).\n - powerpc: Do not build assembly files with ABIv2 (bsc#967716).\n - powerpc: Do not use ELFv2 ABI to build the kernel (bsc#967716).\n - powerpc: Fix 64 bit builds with binutils 2.24 (bsc#967716).\n - powerpc: Fix error when cross building TAGS and cscope (bsc#967716).\n - powerpc: Make the vdso32 also build big-endian (bsc#967716).\n - powerpc: Remove altivec fix for gcc versions before 4.0 (bsc#967716).\n - powerpc: Remove buggy 9-year-old test for binutils lower than 2.12.1\n (bsc#967716).\n - powerpc: Require gcc 4.0 on 64-bit (bsc#967716).\n - powerpc: dtc is required to build dtb files (bsc#967716).\n - printk/sched: Introduce special printk_sched() for those awkward\n (bsc#1013042, bsc#996541, bsc#1015878).\n - qlcnic: Schedule napi directly in netpoll (bsc#966826).\n - reiserfs: fix race in prealloc discard (bsc#987576).\n - rpm/config.sh: Set a fitting release string (bsc#997059)\n - rpm/kernel-binary.spec.in: Export a make-stderr.log file (bsc#1012422)\n - rpm/mkspec: Read a default release string from rpm/config.sh (bsc#997059)\n - s390/dasd: fix failfast for disconnected devices (bnc#961923,\n LTC#135138).\n - sched/core: Fix a race between try_to_wake_up() and a woken up task\n 
(bnc#1002165).\n - sched/core: Fix an SMP ordering race in try_to_wake_up() vs. schedule()\n (bnc#1001419).\n - sched: Fix possible divide by zero in avg_atom() calculation\n (bsc#996329).\n - scsi: lpfc: Set elsiocb contexts to NULL after freeing it (bsc#996557).\n - scsi: remove current_cmnd field from struct scsi_device (bsc#935436).\n - x86/MCE/intel: Cleanup CMCI storm logic (bsc#929141).\n - xfs: remove the deprecated nodelaylog option (bsc#992906).\n\n", "modified": "2017-02-17T18:08:18", "published": "2017-02-17T18:08:18", "id": "SUSE-SU-2017:0494-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00029.html", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "centos": [{"lastseen": "2019-12-20T18:29:17", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9604", "CVE-2016-9806", "CVE-2016-7097", "CVE-2017-2584", "CVE-2016-6213", "CVE-2017-7616", "CVE-2017-7889", "CVE-2017-9074", "CVE-2016-10088", "CVE-2017-6001", "CVE-2015-8839", "CVE-2017-9242", "CVE-2016-10741", "CVE-2017-5970", "CVE-2016-10200", "CVE-2017-5551", "CVE-2017-2671", "CVE-2017-9075", "CVE-2014-7975", "CVE-2016-9685", "CVE-2017-7495", "CVE-2017-1000379", "CVE-2015-8970", "CVE-2016-10147", "CVE-2016-9576", "CVE-2017-6951", "CVE-2017-2647", "CVE-2017-2596", "CVE-2016-9588", "CVE-2017-9076", "CVE-2017-7187", "CVE-2017-9077", "CVE-2017-8890", "CVE-2017-8797", "CVE-2016-7042", "CVE-2016-8645", "CVE-2014-7970"], "description": "**CentOS Errata and Security Advisory** CESA-2017:1842\n\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* A use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. 
(CVE-2016-10200, Important)\n\n* A flaw was found that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL. A local user could use this flaw to crash the system or, potentially, escalate their privileges. (CVE-2017-2647, Important)\n\n* It was found that the NFSv4 server in the Linux kernel did not properly validate layout type when processing NFSv4 pNFS LAYOUTGET and GETDEVICEINFO operands. A remote attacker could use this flaw to soft-lockup the system and thus cause denial of service. (CVE-2017-8797, Important)\n\nThis update also fixes multiple Moderate and Low impact security issues:\n\n* CVE-2015-8839, CVE-2015-8970, CVE-2016-9576, CVE-2016-7042, CVE-2016-7097, CVE-2016-8645, CVE-2016-9576, CVE-2016-9588, CVE-2016-9806, CVE-2016-10088, CVE-2016-10147, CVE-2017-2596, CVE-2017-2671, CVE-2017-5970, CVE-2017-6001, CVE-2017-6951, CVE-2017-7187, CVE-2017-7616, CVE-2017-7889, CVE-2017-8890, CVE-2017-9074, CVE-2017-8890, CVE-2017-9075, CVE-2017-8890, CVE-2017-9076, CVE-2017-8890, CVE-2017-9077, CVE-2017-9242, CVE-2014-7970, CVE-2014-7975, CVE-2016-6213, CVE-2016-9604, CVE-2016-9685\n\nDocumentation for these issues is available from the Release Notes document linked from the References section.\n\nRed Hat would like to thank Igor Redko (Virtuozzo) and Andrey Ryabinin (Virtuozzo) for reporting CVE-2017-2647; Igor Redko (Virtuozzo) and Vasily Averin (Virtuozzo) for reporting CVE-2015-8970; Marco Grassi for reporting CVE-2016-8645; and Dmitry Vyukov (Google Inc.) for reporting CVE-2017-2596. 
The CVE-2016-7042 issue was discovered by Ondrej Kozina (Red Hat); the CVE-2016-7097 issue was discovered by Andreas Gruenbacher (Red Hat) and Jan Kara (SUSE); the CVE-2016-6213 and CVE-2016-9685 issues were discovered by Qian Cai (Red Hat); and the CVE-2016-9604 issue was discovered by David Howells (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on other changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2017-August/004249.html\n\n**Affected packages:**\nkernel\nkernel-debug\nkernel-debug-devel\nkernel-devel\nkernel-headers\nkernel-tools\nkernel-tools-libs\nkernel-tools-libs-devel\nperf\npython-perf\n\n**Upstream details at:**\n", "edition": 6, "modified": "2017-08-24T01:38:33", "published": "2017-08-24T01:38:33", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2017-August/004249.html", "id": "CESA-2017:1842", "title": "kernel, perf, python security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:40:10", "bulletinFamily": "unix", "cvelist": ["CVE-2018-18690", "CVE-2018-14734", "CVE-2018-18710", "CVE-2018-16276", "CVE-2017-2647", "CVE-2018-18386", "CVE-2018-10902", "CVE-2018-12896"], "description": "USN-3849-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu \n12.04 ESM.\n\nIt was discovered that a NULL pointer dereference existed in the keyring \nsubsystem of the Linux kernel. A local attacker could use this to cause a \ndenial of service (system crash). (CVE-2017-2647)\n\nIt was discovered that a race condition existed in the raw MIDI driver for \nthe Linux kernel, leading to a double free vulnerability. 
A local attacker \ncould use this to cause a denial of service (system crash) or possibly \nexecute arbitrary code. (CVE-2018-10902)\n\nIt was discovered that an integer overrun vulnerability existed in the \nPOSIX timers implementation in the Linux kernel. A local attacker could use \nthis to cause a denial of service. (CVE-2018-12896)\n\nNoam Rathaus discovered that a use-after-free vulnerability existed in the \nInfiniband implementation in the Linux kernel. An attacker could use this \nto cause a denial of service (system crash). (CVE-2018-14734)\n\nIt was discovered that the YUREX USB device driver for the Linux kernel did \nnot properly restrict user space reads or writes. A physically proximate \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2018-16276)\n\nTetsuo Handa discovered a logic error in the TTY subsystem of the Linux \nkernel. A local attacker with access to pseudo terminal devices could use \nthis to cause a denial of service. (CVE-2018-18386)\n\nKanda Motohiro discovered that writing extended attributes to an XFS file \nsystem in the Linux kernel in certain situations could cause an error \ncondition to occur. A local attacker could use this to cause a denial of \nservice. (CVE-2018-18690)\n\nIt was discovered that an integer overflow vulnerability existed in the \nCDROM driver of the Linux kernel. A local attacker could use this to expose \nsensitive information (kernel memory). 
(CVE-2018-18710)", "edition": 4, "modified": "2018-12-20T00:00:00", "published": "2018-12-20T00:00:00", "id": "USN-3849-2", "href": "https://ubuntu.com/security/notices/USN-3849-2", "title": "Linux kernel (Trusty HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:40:59", "bulletinFamily": "unix", "cvelist": ["CVE-2018-18690", "CVE-2018-14734", "CVE-2018-18710", "CVE-2018-16276", "CVE-2017-2647", "CVE-2018-18386", "CVE-2018-10902", "CVE-2018-12896"], "description": "It was discovered that a NULL pointer dereference existed in the keyring \nsubsystem of the Linux kernel. A local attacker could use this to cause a \ndenial of service (system crash). (CVE-2017-2647)\n\nIt was discovered that a race condition existed in the raw MIDI driver for \nthe Linux kernel, leading to a double free vulnerability. A local attacker \ncould use this to cause a denial of service (system crash) or possibly \nexecute arbitrary code. (CVE-2018-10902)\n\nIt was discovered that an integer overrun vulnerability existed in the \nPOSIX timers implementation in the Linux kernel. A local attacker could use \nthis to cause a denial of service. (CVE-2018-12896)\n\nNoam Rathaus discovered that a use-after-free vulnerability existed in the \nInfiniband implementation in the Linux kernel. An attacker could use this \nto cause a denial of service (system crash). (CVE-2018-14734)\n\nIt was discovered that the YUREX USB device driver for the Linux kernel did \nnot properly restrict user space reads or writes. A physically proximate \nattacker could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2018-16276)\n\nTetsuo Handa discovered a logic error in the TTY subsystem of the Linux \nkernel. A local attacker with access to pseudo terminal devices could use \nthis to cause a denial of service. 
(CVE-2018-18386)\n\nKanda Motohiro discovered that writing extended attributes to an XFS file \nsystem in the Linux kernel in certain situations could cause an error \ncondition to occur. A local attacker could use this to cause a denial of \nservice. (CVE-2018-18690)\n\nIt was discovered that an integer overflow vulnerability existed in the \nCDROM driver of the Linux kernel. A local attacker could use this to expose \nsensitive information (kernel memory). (CVE-2018-18710)", "edition": 3, "modified": "2018-12-20T00:00:00", "published": "2018-12-20T00:00:00", "id": "USN-3849-1", "href": "https://ubuntu.com/security/notices/USN-3849-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:33:59", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7472", "CVE-2016-9604", "CVE-2016-7097", "CVE-2016-9754", "CVE-2016-9191", "CVE-2016-8650", "CVE-2016-9084", "CVE-2017-5970", "CVE-2016-10200", "CVE-2016-9178", "CVE-2017-1000251", "CVE-2017-6214", "CVE-2016-9083", "CVE-2017-7541", "CVE-2017-6951", "CVE-2017-6346", "CVE-2017-7187", "CVE-2016-10044"], "description": "USN-3422-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 \nLTS. This update provides the corresponding updates for the Linux \nHardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu \n12.04 LTS.\n\nIt was discovered that a buffer overflow existed in the Bluetooth stack of \nthe Linux kernel when handling L2CAP configuration responses. A physically \nproximate attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-1000251)\n\nIt was discovered that the asynchronous I/O (aio) subsystem of the Linux \nkernel did not properly set permissions on aio memory mappings in some \nsituations. An attacker could use this to more easily exploit other \nvulnerabilities. 
(CVE-2016-10044)\n\nBaozeng Ding and Andrey Konovalov discovered a race condition in the L2TPv3 \nIP Encapsulation implementation in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2016-10200)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem \nimplementation in the Linux kernel did not clear the setgid bit during a \nsetxattr call. A local attacker could use this to possibly elevate group \nprivileges. (CVE-2016-7097)\n\nSergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke discovered that the \nkey management subsystem in the Linux kernel did not properly allocate \nmemory in some situations. A local attacker could use this to cause a \ndenial of service (system crash). (CVE-2016-8650)\n\nVlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO \nPCI driver for the Linux kernel. A local attacker with access to a vfio PCI \ndevice file could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)\n\nIt was discovered that an information leak existed in __get_user_asm_ex() \nin the Linux kernel. A local attacker could use this to expose sensitive \ninformation. (CVE-2016-9178)\n\nCAI Qian discovered that the sysctl implementation in the Linux kernel did \nnot properly perform reference counting in some situations. An unprivileged \nattacker could use this to cause a denial of service (system hang). \n(CVE-2016-9191)\n\nIt was discovered that the keyring implementation in the Linux kernel in \nsome situations did not prevent special internal keyrings from being joined \nby userspace keyrings. A privileged local attacker could use this to bypass \nmodule verification. (CVE-2016-9604)\n\nIt was discovered that an integer overflow existed in the trace subsystem \nof the Linux kernel. A local privileged attacker could use this to cause a \ndenial of service (system crash). 
(CVE-2016-9754)\n\nAndrey Konovalov discovered that the IPv4 implementation in the Linux \nkernel did not properly handle invalid IP options in some situations. An \nattacker could use this to cause a denial of service or possibly execute \narbitrary code. (CVE-2017-5970)\n\nDmitry Vyukov discovered that the Linux kernel did not properly handle TCP \npackets with the URG flag. A remote attacker could use this to cause a \ndenial of service. (CVE-2017-6214)\n\nIt was discovered that a race condition existed in the AF_PACKET handling \ncode in the Linux kernel. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. \n(CVE-2017-6346)\n\nIt was discovered that the keyring implementation in the Linux kernel did \nnot properly restrict searches for dead keys. A local attacker could use \nthis to cause a denial of service (system crash). (CVE-2017-6951)\n\nDmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux \nkernel contained a stack-based buffer overflow. A local attacker with \naccess to an sg device could use this to cause a denial of service (system \ncrash) or possibly execute arbitrary code. (CVE-2017-7187)\n\nEric Biggers discovered a memory leak in the keyring implementation in the \nLinux kernel. A local attacker could use this to cause a denial of service \n(memory consumption). (CVE-2017-7472)\n\nIt was discovered that a buffer overflow existed in the Broadcom FullMAC \nWLAN driver in the Linux kernel. A local attacker could use this to cause a \ndenial of service (system crash) or possibly execute arbitrary code. 
\n(CVE-2017-7541)", "edition": 7, "modified": "2017-09-18T00:00:00", "published": "2017-09-18T00:00:00", "id": "USN-3422-2", "href": "https://ubuntu.com/security/notices/USN-3422-2", "title": "Linux kernel (Trusty HWE) vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:40:12", "bulletinFamily": "unix", "cvelist": ["CVE-2017-7472", "CVE-2016-9604", "CVE-2016-7097", "CVE-2016-9754", "CVE-2016-9191", "CVE-2016-8650", "CVE-2016-9084", "CVE-2017-5970", "CVE-2016-10200", "CVE-2016-9178", "CVE-2017-1000251", "CVE-2017-6214", "CVE-2016-9083", "CVE-2017-7541", "CVE-2017-6951", "CVE-2017-6346", "CVE-2017-7187", "CVE-2016-10044"], "description": "It was discovered that a buffer overflow existed in the Bluetooth stack of \nthe Linux kernel when handling L2CAP configuration responses. A physically \nproximate attacker could use this to cause a denial of service (system \ncrash). (CVE-2017-1000251)\n\nIt was discovered that the asynchronous I/O (aio) subsystem of the Linux \nkernel did not properly set permissions on aio memory mappings in some \nsituations. An attacker could use this to more easily exploit other \nvulnerabilities. (CVE-2016-10044)\n\nBaozeng Ding and Andrey Konovalov discovered a race condition in the L2TPv3 \nIP Encapsulation implementation in the Linux kernel. A local attacker could \nuse this to cause a denial of service (system crash) or possibly execute \narbitrary code. (CVE-2016-10200)\n\nAndreas Gruenbacher and Jan Kara discovered that the filesystem \nimplementation in the Linux kernel did not clear the setgid bit during a \nsetxattr call. A local attacker could use this to possibly elevate group \nprivileges. (CVE-2016-7097)\n\nSergej Schumilo, Ralf Spenneberg, and Hendrik Schwartke discovered that the \nkey management subsystem in the Linux kernel did not properly allocate \nmemory in some situations. 
A local attacker could use this to cause a \ndenial of service (system crash). (CVE-2016-8650)\n\nVlad Tsyrklevich discovered an integer overflow vulnerability in the VFIO \nPCI driver for the Linux kernel. A local attacker with access to a vfio PCI \ndevice file could use this to cause a denial of service (system crash) or \npossibly execute arbitrary code. (CVE-2016-9083, CVE-2016-9084)\n\nIt was discovered that an information leak existed in __get_user_asm_ex() \nin the Linux kernel. A local attacker could use this to expose sensitive \ninformation. (CVE-2016-9178)\n\nCAI Qian discovered that the sysctl implementation in the Linux kernel did \nnot properly perform reference counting in some situations. An unprivileged \nattacker could use this to cause a denial of service (system hang). \n(CVE-2016-9191)\n\nIt was discovered that the keyring implementation in the Linux kernel in \nsome situations did not prevent special internal keyrings from being joined \nby userspace keyrings. A privileged local attacker could use this to bypass \nmodule verification. (CVE-2016-9604)\n\nIt was discovered that an integer overflow existed in the trace subsystem \nof the Linux kernel. A local privileged attacker could use this to cause a \ndenial of service (system crash). (CVE-2016-9754)\n\nAndrey Konovalov discovered that the IPv4 implementation in the Linux \nkernel did not properly handle invalid IP options in some situations. An \nattacker could use this to cause a denial of service or possibly execute \narbitrary code. (CVE-2017-5970)\n\nDmitry Vyukov discovered that the Linux kernel did not properly handle TCP \npackets with the URG flag. A remote attacker could use this to cause a \ndenial of service. (CVE-2017-6214)\n\nIt was discovered that a race condition existed in the AF_PACKET handling \ncode in the Linux kernel. A local attacker could use this to cause a denial \nof service (system crash) or possibly execute arbitrary code. 
\n(CVE-2017-6346)\n\nIt was discovered that the keyring implementation in the Linux kernel did \nnot properly restrict searches for dead keys. A local attacker could use \nthis to cause a denial of service (system crash). (CVE-2017-6951)\n\nDmitry Vyukov discovered that the generic SCSI (sg) subsystem in the Linux \nkernel contained a stack-based buffer overflow. A local attacker with \naccess to an sg device could use this to cause a denial of service (system \ncrash) or possibly execute arbitrary code. (CVE-2017-7187)\n\nEric Biggers discovered a memory leak in the keyring implementation in the \nLinux kernel. A local attacker could use this to cause a denial of service \n(memory consumption). (CVE-2017-7472)\n\nIt was discovered that a buffer overflow existed in the Broadcom FullMAC \nWLAN driver in the Linux kernel. A local attacker could use this to cause a \ndenial of service (system crash) or possibly execute arbitrary code. \n(CVE-2017-7541)", "edition": 6, "modified": "2017-09-18T00:00:00", "published": "2017-09-18T00:00:00", "id": "USN-3422-1", "href": "https://ubuntu.com/security/notices/USN-3422-1", "title": "Linux kernel vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.7, "vector": "AV:A/AC:L/Au:S/C:C/I:C/A:C"}}]}