kernel: security and bugfix update (important)

The Linux kernel was updated to fix security issues and bugs:

Security issues fixed: CVE-2014-4699: The Linux kernel on Intel processors
did not properly restrict use of a non-canonical value for the saved RIP
address in the case of a system call that does not use IRET, which allowed
local users to leverage a race condition and gain privileges, or cause a
denial of service (double fault), via a crafted application that makes
ptrace and fork system calls.

CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c
in the Linux kernel did not properly manage a certain backlog value, which
allowed remote attackers to cause a denial of service (socket
outage) via a crafted SCTP packet.

CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly implement
the interaction between range notification and hole punching, which
allowed local users to cause a denial of service (i_mutex hold) by using
the mmap system call to access a hole, as demonstrated by interfering with
intended shmem activity by blocking completion of (1) an MADV_REMOVE
madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call.

CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit
x86 platforms, when syscall auditing is enabled and the sep CPU feature
flag is set, allowed local users to cause a denial of service (OOPS and
system crash) via an invalid syscall number, as demonstrated by number
1000.

CVE-2014-0100: Race condition in the inet_frag_intern function in
net/ipv4/inet_fragment.c in the Linux kernel allowed remote attackers to
cause a denial of service (use-after-free error) or possibly have
unspecified other impact via a large series of fragmented ICMP Echo
Request packets to a system with a heavy CPU load.

CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the
ALSA control implementation in the Linux kernel allowed local users to
cause a denial of service by leveraging /dev/snd/controlCX access, related
to (1) index values in the snd_ctl_add function and (2) numid values in
the snd_ctl_remove_numid_conflict function.

CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in
the ALSA control implementation in the Linux kernel did not properly
maintain the user_ctl_count value, which allowed local users to cause a
denial of service (integer overflow and limit bypass) by leveraging
/dev/snd/controlCX access for a large number of
SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.

CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in
the ALSA control implementation in the Linux kernel did not check
authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed
local users to remove kernel controls and cause a denial of service
(use-after-free and system crash) by leveraging /dev/snd/controlCX access
for an ioctl call.

CVE-2014-4653: sound/core/control.c in the ALSA control implementation in
the Linux kernel did not ensure possession of a read/write lock, which
allowed local users to cause a denial of service (use-after-free) and
obtain sensitive information from kernel memory by leveraging
/dev/snd/controlCX access.

CVE-2014-4652: Race condition in the tlv handler functionality in the
snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control
implementation in the Linux kernel allowed local users to obtain sensitive
information from kernel memory by leveraging /dev/snd/controlCX access.

CVE-2014-4014: The capabilities implementation in the Linux kernel did not
properly consider that namespaces are inapplicable to inodes, which
allowed local users to bypass intended chmod restrictions by first
creating a user namespace, as demonstrated by setting the setgid bit on a
file with group ownership of root.

CVE-2014-2309: The ip6_route_add function in net/ipv6/route.c in the Linux
kernel did not properly count the addition of routes, which allowed remote
attackers to cause a denial of service (memory consumption) via a flood of
ICMPv6 Router Advertisement packets.

CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when
CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed local
users to obtain potentially sensitive single-bit values from kernel memory
or cause a denial of service (OOPS) via a large value of a syscall number.

CVE-2014-0131: Use-after-free vulnerability in the skb_segment function in
net/core/skbuff.c in the Linux kernel allowed attackers to obtain
sensitive information from kernel memory by leveraging the absence of a
certain orphaning operation.

Bugs fixed:

• Don’t trigger congestion wait on dirty-but-not-writeout pages
  (bnc#879071).

• via-velocity: fix netif_receive_skb use in irq disabled section
  (bnc#851686).

• HID: logitech-dj: Fix USB 3.0 issue (bnc#886629).

• tg3: Change nvram command timeout value to 50ms (bnc#768714 bnc#855657).

• tg3: Override clock, link aware and link idle mode during NVRAM dump
  (bnc#768714 bnc#855657).

• tg3: Set the MAC clock to the fastest speed during boot code load
  (bnc#768714 bnc#855657).

• ALSA: usb-audio: Fix deadlocks at resuming (bnc#884840).

• ALSA: usb-audio: Save mixer status only once at suspend (bnc#884840).

• ALSA: usb-audio: Resume mixer values properly (bnc#884840).