OPENSUSE-SU-2016:2625-1
Oct 25, 2016 - 7:06 p.m.

Security update for the Linux Kernel (important)

2016-10-25 19:06:08
lists.opensuse.org
EPSS: 0.879 High (Percentile: 98.4%)

The openSUSE 13.2 kernel was updated to receive various security fixes and
bugfixes.

The following security bugs were fixed:

  • CVE-2015-8956: The rfcomm_sock_bind function in
    net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to
    obtain sensitive information or cause a denial of service (NULL pointer
    dereference) via vectors involving a bind system call on a Bluetooth
    RFCOMM socket (bnc#1003925).
  • CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed,
    which is reportedly exploited in the wild (bsc#1004418).
  • CVE-2016-8658: Stack-based buffer overflow in the
    brcmf_cfg80211_start_ap function in
    drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux
    kernel allowed local users to cause a denial of service (system crash)
    or possibly have unspecified other impact via a long SSID Information
    Element in a command to a Netlink socket (bnc#1004462).
  • CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg
    function in net/socket.c in the Linux kernel allowed remote attackers to
    execute arbitrary code via vectors involving a recvmmsg system call that
    is mishandled during error processing (bnc#1003077).
  • CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the
    Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01,
    allowed local users to obtain sensitive physical-address information by
    reading a pagemap file, aka Android internal bug 25739721 (bnc#994759).
  • CVE-2016-7425: The arcmsr_iop_message_xfer function in
    drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a
    certain length field, which allowed local users to gain privileges
    or cause a denial of service (heap-based buffer overflow) via an
    ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).
  • CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel
    allowed local users to cause a denial of service (NULL pointer
    dereference and system crash) by using an ABORT_TASK command to abort a
    device write operation (bnc#994748).
  • CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in
    the Linux kernel did not properly maintain certain SACK state after a
    failed data copy, which allowed local users to cause a denial of service
    (tcp_xmit_retransmit_queue use-after-free and system crash) via a
    crafted SACK option (bnc#994296).
  • CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly
    determine the rate of challenge ACK segments, which made it easier for
    man-in-the-middle attackers to hijack TCP sessions via a blind in-window
    attack (bnc#989152).
  • CVE-2016-6480: Race condition in the ioctl_send_fib function in
    drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users
    to cause a denial of service (out-of-bounds access or system crash) by
    changing a certain size value, aka a "double fetch" vulnerability
    (bnc#991608).
  • CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset the
    PIT counter values during state restoration, which allowed guest OS
    users to cause a denial of service (divide-by-zero error and host OS
    crash) via a zero value, related to the kvm_vm_ioctl_set_pit and
    kvm_vm_ioctl_set_pit2 functions (bnc#960689).
  • CVE-2016-1237: nfsd in the Linux kernel allowed local users to bypass
    intended file-permission restrictions by setting a POSIX ACL, related to
    nfs2acl.c, nfs3acl.c, and nfs4acl.c (bnc#986570).

The following non-security bugs were fixed:

  • AF_VSOCK: Shrink the area influenced by prepare_to_wait (bsc#994520).
  • xen: Fix refcnt regression in xen netback introduced by changes made for
    bug#881008 (bnc#978094).
  • MSI-X: fix an error path (luckily none so far).
  • usb: fix typo in wMaxPacketSize validation (bsc#991665).
  • usb: validate wMaxPacketValue entries in endpoint descriptors
    (bnc#991665).
  • Update patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch
    (bsc#986570 CVE#2016-1237).
  • Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch (bsc#986570
    CVE#2016-1237).
  • apparmor: fix change_hat not finding hat after policy replacement
    (bsc#1000287).
  • arm64: Honor __GFP_ZERO in dma allocations (bsc#1004045).
  • arm64: __clear_user: handle exceptions on strb (bsc#994752).
  • arm64: dma-mapping: always clear allocated buffers (bsc#1004045).
  • arm64: perf: reject groups spanning multiple HW PMUs (bsc#1003931).
  • blkfront: fix an error path memory leak (luckily none so far).
  • blktap2: eliminate deadlock potential from shutdown path (bsc#909994).
  • blktap2: eliminate race from deferred work queue handling (bsc#911687).
  • btrfs: ensure that file descriptor used with subvol ioctls is a dir
    (bsc#999600).
  • cdc-acm: added sanity checking for probe() (bsc#993891).
  • kaweth: fix firmware download (bsc#993890).
  • kaweth: fix oops upon failed memory allocation (bsc#993890).
  • netback: fix flipping mode (bsc#996664).
  • netfront: linearize SKBs requiring too many slots (bsc#991247).
  • nfsd: check permissions when setting ACLs (bsc#986570).
  • posix_acl: Add set_posix_acl (bsc#986570).
  • ppp: defer netns reference release for ppp channel (bsc#980371).
  • tunnels: Do not apply GRO to multiple layers of encapsulation
    (bsc#1001486).
  • usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices
    (bsc#922634).
  • x86: suppress lazy MMU updates during vmalloc fault processing
    (bsc#951155).
  • xen-netback-generalize.patch: Fold back into base patch.
  • xen3-patch-2.6.31.patch: Fold back into base patch.
  • xen3-patch-3.12.patch: Fold back into base patch.
  • xen3-patch-3.15.patch: Fold back into base patch.
  • xen3-patch-3.3.patch: Fold back into base patch.
  • xen3-patch-3.9.patch: Fold back into base patch.
  • xenbus: do not bail early from xenbus_dev_request_and_reply() (luckily
    none so far).
  • xenbus: inspect the correct type in xenbus_dev_request_and_reply().
