Vulnerabilities > CVE-2011-2494 - Information Exposure vulnerability in Linux Kernel
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user's password.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1260-1.NASL description Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. last seen 2020-06-01 modified 2020-06-02 plugin id 56817 published 2011-11-15 reporter Ubuntu Security Notice (C) 2011-2012 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56817 title USN-1260-1 : linux-ti-omap4 vulnerability code # This script was automatically generated from Ubuntu Security # Notice USN-1260-1. It is released under the Nessus Script # Licence. # # Ubuntu Security Notices are (C) Canonical, Inc. # See http://www.ubuntu.com/usn/ # Ubuntu(R) is a registered trademark of Canonical, Inc. if (!defined_func("bn_random")) exit(0); include("compat.inc"); if (description) { script_id(56817); script_version("$Revision: 1.3 $"); script_cvs_date("$Date: 2016/12/01 20:56:51 $"); script_cve_id("CVE-2011-2494"); script_xref(name:"USN", value:"1260-1"); script_name(english:"USN-1260-1 : linux-ti-omap4 vulnerability"); script_summary(english:"Checks dpkg output for updated package(s)"); script_set_attribute(attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches."); script_set_attribute(attribute:"description", value: "Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy."); script_set_attribute(attribute:"see_also", value:"http://www.ubuntu.com/usn/usn-1260-1/"); script_set_attribute(attribute:"solution", value:"Update the affected package(s)."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"patch_publication_date", value:"2011/11/14"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Ubuntu Local Security Checks"); script_copyright("Ubuntu Security Notice (C) 2011-2012 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("ubuntu.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/Ubuntu/release")) exit(0, "The host is not running Ubuntu."); if (!get_kb_item("Host/Debian/dpkg-l")) exit(1, "Could not obtain the list of installed packages."); flag = 0; if (ubuntu_check(osver:"11.10", pkgname:"linux-image-3.0.0-1206-omap4", pkgver:"3.0.0-1206.12")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:ubuntu_report_get()); else security_note(0); exit(0); } else exit(0, "The host is not affected.");NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2011-1479.NASL description Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Using PCI passthrough without interrupt remapping support allowed Xen hypervisor guests to generate MSI interrupts and thus potentially inject traps. A privileged guest user could use this flaw to crash the host or possibly escalate their privileges on the host. The fix for this issue can prevent PCI passthrough working and guests starting. Refer to Red Hat Bugzilla bug 715555 for details. (CVE-2011-1898, Important) * A flaw was found in the way CIFS (Common Internet File System) shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate) * A NULL pointer dereference flaw was found in the way the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 67086 published 2013-06-29 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67086 title CentOS 5 : kernel (CESA-2011:1479) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1244-1.NASL description Dan Rosenberg discovered that the Linux kernel X.25 implementation incorrectly parsed facilities. A remote attacker could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-3873) Andrea Righi discovered a race condition in the KSM memory merging support. If KSM was being used, a local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2183) Vasily Averin discovered that the NFS Lock Manager (NLM) incorrectly handled unlock requests. A local attacker could exploit this to cause a denial of service. (CVE-2011-2491) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) It was discovered that the wireless stack incorrectly verified SSID lengths. A local attacker could exploit this to cause a denial of service or gain root privileges. (CVE-2011-2517) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Vasiliy Kulikov discovered that the Comedi driver did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-2909) Yogesh Sharma discovered that CIFS did not correctly handle UNCs that had no prefixpaths. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-3363) last seen 2020-06-01 modified 2020-06-02 plugin id 56643 published 2011-10-26 reporter Ubuntu Security Notice (C) 2011 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56643 title USN-1244-1 : linux-ti-omap4 vulnerabilities NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-1465.NASL description From Red Hat Security Advisory 2011:1465 : Updated kernel packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system last seen 2020-06-01 modified 2020-06-02 plugin id 68393 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68393 title Oracle Linux 6 : kernel (ELSA-2011-1465) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-8325.NASL description This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. The following security issues have been fixed : - kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack). (CVE-2011-2494) - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. (CVE-2012-2744) - Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. (CVE-2012-3510) - The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key. (CVE-2011-4110) - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. (CVE-2011-1044) - Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. (CVE-2012-3400) - The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. (CVE-2012-2136) - A small denial of service leak in dropping syn+fin messages was fixed. (CVE-2012-2663) The following non-security issues have been fixed : Packaging : - kbuild: Fix gcc -x syntax (bnc#773831). NFS : - knfsd: An assortment of little fixes to the sunrpc cache code. (bnc#767766) - knfsd: Unexport cache_fresh and fix a small race. (bnc#767766) - knfsd: nfsd: do not drop silently on upcall deferral. (bnc#767766) - knfsd: svcrpc: remove another silent drop from deferral code. (bnc#767766) - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked. (bnc#767766) - sunrpc/cache: recheck cache validity after cache_defer_req. (bnc#767766) - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req. (bnc#767766) - sunrpc/cache: avoid variable over-loading in cache_defer_req. (bnc#767766) - sunrpc/cache: allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Another fix for race problem with sunrpc cache deferal. (bnc#767766) - knfsd: nfsd: make all exp_finding functions return -errnos on err. (bnc#767766) - Fix kabi breakage in previous nfsd patch series. (bnc#767766) - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout. (bnc#767766) - nfs: Fix a potential file corruption issue when writing. (bnc#773272) - nfs: Allow sync writes to be multiple pages. (bnc#763526) - nfs: fix reference counting for NFSv4 callback thread. (bnc#767504) - nfs: flush signals before taking down callback thread. (bnc#767504) - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI : - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058) - drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc. (bnc#783058) - block: fail SCSI passthrough ioctls on partition devices. (bnc#738400) - dm: do not forward ioctls from logical volumes to the underlying device. (bnc#738400) - vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 : - lgr: Make lgr_page static (bnc#772409,LTC#83520). - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203). - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546) - mptfusion: fix msgContext in mptctl_hp_hostinfo. (bnc#767939) - PCI: Fix bus resource assignment on 32 bits with 64b resources. . (bnc#762581) - PCI: fix up setup-bus.c #ifdef. (bnc#762581) - x86: powernow-k8: Fix indexing issue. (bnc#758985) - net: Fix race condition about network device name allocation. (bnc#747576) XEN : - smpboot: adjust ordering of operations. - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time. (bnc#738528) - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53. (bnc#760974) - xen/gntdev: fix multi-page slot allocation. (bnc#760974) last seen 2020-06-05 modified 2012-10-24 plugin id 62676 published 2012-10-24 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62676 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8325) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-120418.NASL description The SUSE Linux Enterprise 11 SP2 kernel has been updated to 3.0.26, which fixes a lot of bugs and security issues. The following security issues have been fixed : - A locking problem in transparent hugepage support could be used by local attackers to potentially crash the host, or via kvm a privileged guest user could crash the kvm host system. (CVE-2012-1179) - A potential hypervisor escape by issuing SG_IO commands to partitiondevices was fixed by restricting access to these commands. (CVE-2011-4127) - A local attacker could oops the kernel using memory control groups and eventfds. (CVE-2012-1146) - Limit the path length users can build using epoll() to avoid local attackers consuming lots of kernel CPU time. (CVE-2011-1083) - The regset common infrastructure assumed that regsets would always have .get and .set methods, but necessarily .active methods. Unfortunately people have since written regsets without .set method, so NULL pointer dereference attacks were possible. (CVE-2012-1097) - Access to the /proc/pid/taskstats file requires root access to avoid side channel (timing keypresses etc.) attacks on other users. (CVE-2011-2494) - Fixed a oops in jbd/jbd2 that could be caused by specific filesystem access patterns. (CVE-2011-4086) - A malicious NFSv4 server could have caused a oops in the nfsv4 acl handling. (CVE-2011-4131) - Fixed a oops in jbd/jbd2 that could be caused by mounting a malicious prepared filesystem. (Also included are all fixes from the 3.0.14 -> 3.0.25 stable kernel updates.). (CVE-2011-4132) The following non-security issues have been fixed : EFI : - efivars: add missing parameter to efi_pstore_read(). BTRFS : - add a few error cleanups. - btrfs: handle errors when excluding super extents (FATE#306586 bnc#751015). - btrfs: Fix missing goto in btrfs_ioctl_clone. - btrfs: Fixed mishandled -EAGAIN error case from btrfs_split_item. (bnc#750459) - btrfs: disallow unequal data/metadata blocksize for mixed block groups (FATE#306586). - btrfs: enhance superblock sanity checks (FATE#306586 bnc#749651). - btrfs: update message levels (FATE#306586). - btrfs 3.3-rc6 updates : - avoid setting ->d_op twice (FATE#306586 bnc#731387). - btrfs: fix wrong information of the directory in the snapshot (FATE#306586). - btrfs: fix race in reada (FATE#306586). - btrfs: do not add both copies of DUP to reada extent tree (FATE#306586). - btrfs: stop silently switching single chunks to raid0 on balance (FATE#306586). - btrfs: fix locking issues in find_parent_nodes() (FATE#306586). - btrfs: fix casting error in scrub reada code (FATE#306586). - btrfs sync with upstream up to 3.3-rc5 (FATE#306586) - btrfs: Sector Size check during Mount - btrfs: avoid positive number with ERR_PTR - btrfs: return the internal error unchanged if btrfs_get_extent_fiemap() call failed for SEEK_DATA/SEEK_HOLE inquiry. - btrfs: fix trim 0 bytes after a device delete - btrfs: do not check DUP chunks twice - btrfs: fix memory leak in load_free_space_cache() - btrfs: delalloc for page dirtied out-of-band in fixup worker - btrfs: fix structs where bitfields and spinlock/atomic share 8B word. - btrfs: silence warning in raid array setup. - btrfs: honor umask when creating subvol root. - btrfs: fix return value check of extent_io_ops. - btrfs: fix deadlock on page lock when doing auto-defragment. - btrfs: check return value of lookup_extent_mapping() correctly. - btrfs: skip states when they does not contain bits to clear. - btrfs: kick out redundant stuff in convert_extent_bit. - btrfs: fix a bug on overcommit stuff. - btrfs: be less strict on finding next node in clear_extent_bit. - btrfs: improve error handling for btrfs_insert_dir_item callers. - btrfs: make sure we update latest_bdev. - btrfs: add extra sanity checks on the path names in btrfs_mksubvol. - btrfs: clear the extent uptodate bits during parent transid failures. - btrfs: increase the global block reserve estimates. - btrfs: fix compiler warnings on 32 bit systems. - Clean up unused code, fix use of error-indicated pointer in transaction teardown. (bnc#748854) - btrfs: fix return value check of extent_io_ops. - btrfs: fix deadlock on page lock when doing auto-defragment. - btrfs: check return value of lookup_extent_mapping() correctly. - btrfs: skip states when they does not contain bits to clear. - btrfs: kick out redundant stuff in convert_extent_bit. - btrfs: fix a bug on overcommit stuff. - btrfs: be less strict on finding next node in clear_extent_bit. - btrfs: do not reserve data with extents locked in btrfs_fallocate. - btrfs: avoid positive number with ERR_PTR. - btrfs: return the internal error unchanged if btrfs_get_extent_fiemap() call failed for SEEK_DATA/SEEK_HOLE inquiry. - btrfs: fix trim 0 bytes after a device delete. - btrfs: do not check DUP chunks twice. - btrfs: fix memory leak in load_free_space_cache(). - btrfs: fix permissions of new subvolume. (bnc#746373) - btrfs: set ioprio of scrub readahead to idle. - fix logic in condition in BTRFS_FEATURE_INCOMPAT_MIXED_GROUPS - fix incorrect exclusion of superblock from blockgroups. (bnc#751743) - patches.suse/btrfs-8059-handle-errors-when-excluding-sup er-extents.patch: fix incorrect default value. - fix aio/dio bio refcounting bnc#718918. - btrfs: fix locking issues in find_parent_nodes() - Btrfs: fix casting error in scrub reada code - patches.suse/btrfs-8059-handle-errors-when-excluding-sup er-extents.patch: Fix uninitialized variable. - btrfs: handle errors from read_tree_block. (bnc#748632) - btrfs: push-up errors from btrfs_num_copies. (bnc#748632) - patches.suse/btrfs-8059-handle-errors-when-excluding-sup er-extents.patch: disable due to potential corruptions (bnc#751743) XFS : - XFS read/write calls do not generate DMAPI events. (bnc#751885) - xfs/dmapi: Remove cached vfsmount. (bnc#749417) - xfs: Fix oops on IO error during xlog_recover_process_iunlinks() (bnc#716850). NFS : - nfs: Do not allow multiple mounts on same mountpoint when using -o noac. (bnc#745422) - lockd: fix arg parsing for grace_period and timeout (bnc#733761). MD : - raid10: Disable recovery when recovery cannot proceed. (bnc#751171) - md/bitmap: ensure to load bitmap when creating via sysfs. - md: do not set md arrays to readonly on shutdown. (bnc#740180, bnc#713148, bnc#734900) - md: allow last device to be forcibly removed from RAID1/RAID10. (bnc#746717) - md: allow re-add to failed arrays. (bnc#746717) - md: Correctly handle read failure from last working device in RAID10. (bnc#746717) - patches.suse/0003-md-raid1-add-failfast-handling-for-wri tes.patch: Refresh to not crash when handling write error on FailFast devices. bnc#747159 - md/raid10: Fix kernel oops during drive failure. (bnc#750995) - patches.suse/md-re-add-to-failed: Update references. (bnc#746717) - md/raid10: handle merge_bvec_fn in member devices. - md/raid10 - support resizing some RAID10 arrays. Hyper-V : - update hyperv drivers to 3.3-rc7 and move them out of staging: hv_timesource -> merged into core kernel hv_vmbus -> drivers/hv/hv_vmbus hv_utils -> drivers/hv/hv_utils hv_storvsc -> drivers/scsi/hv_storvsc hv_netvsc -> drivers/net/hyperv/hv_netvsc hv_mousevsc -> drivers/hid/hid-hyperv add compat modalias for hv_mousevsc update supported.conf rename all 333 patches, use msft-hv- and suse-hv- as prefix - net/hyperv: Use netif_tx_disable() instead of netif_stop_queue() when necessary. - net/hyperv: rx_bytes should account the ether header size. - net/hyperv: fix the issue that large packets be dropped under bridge. - net/hyperv: Fix the page buffer when an RNDIS message goes beyond page boundary. - net/hyperv: fix erroneous NETDEV_TX_BUSY use. SCSI : - sd: mark busy sd majors as allocated (bug#744658). - st: expand tape driver ability to write immediate filemarks. (bnc#688996) - scsi scan: do not fail scans when host is in recovery (bnc#747867). S/390 : - dasd: Implement block timeout handling. (bnc#746717) - callhome: fix broken proc interface and activate compid (bnc#748862,LTC#79115). - ctcmpc: use correct idal word list for ctcmpc (bnc#750173,LTC#79264). - Fix recovery in case of concurrent asynchronous deliveries (bnc#748629,LTC#78309). - kernel: 3215 console deadlock (bnc#748629,LTC#78612). - qeth: synchronize discipline module loading (bnc#748629,LTC#78788). - memory hotplug: prevent memory zone interleave (bnc#748629,LTC#79113). - dasd: fix fixpoint divide exception in define_extent (bnc#748629,LTC#79125). - kernel: incorrect kernel message tags (bnc#744795,LTC#78356). - lcs: lcs offline failure (bnc#752484,LTC#79788). - qeth: add missing wake_up call (bnc#752484,LTC#79899). - dasd: Terminate inactive cqrs correctly. (bnc#750995) - dasd: detailed I/O errors. (bnc#746717) - patches.suse/dasd-blk-timeout.patch: Only activate blk_timeout for failfast requests (bnc#753617). ALSA : - ALSA: hda - Set codec to D3 forcibly even if not used. (bnc#750426) - ALSA: hda - Add Realtek ALC269VC codec support. (bnc#748827) - ALSA: hda/realtek - Apply the coef-setup only to ALC269VB. (bnc#748827) - ALSA: pcm - Export snd_pcm_lib_default_mmap() helper. (bnc#748384,bnc#738597) - ALSA: hda - Add snoop option. (bnc#748384,bnc#738597) - ALSA: HDA: Add support for new AMD products. (bnc#748384,bnc#738597) - ALSA: hda - Fix audio playback support on HP Zephyr system. (bnc#749787) - ALSA: hda - Fix mute-LED VREF value for new HP laptops (bnc#745741). EXT3 : - enable patches.suse/ext3-increase-reservation-window.patch. DRM : - drm/i915: Force explicit bpp selection for intel_dp_link_required. (bnc#749980) - drm/i915/dp: Dither down to 6bpc if it makes the mode fit. (bnc#749980) - drm/i915/dp: Read more DPCD registers on connection probe. (bnc#749980) - drm/i915: fixup interlaced bits clearing in PIPECONF on PCH_SPLIT. (bnc#749980) - drm/i915: read full receiver capability field during DP hot plug. (bnc#749980) - drm/intel: Fix initialization if startup happens in interlaced mode [v2]. (bnc#749980) - drm/i915 IVY/SNB fix patches from upstream 3.3-rc5 & rc6: patches.drivers/drm-i915-Prevent-a-machine-hang-by-check ing-crtc-act, patches.drivers/drm-i915-do-not-enable-RC6p-on-Sandy-Bri dge, patches.drivers/drm-i915-fix-operator-precedence-when-en abling-RC6p, patches.drivers/drm-i915-gen7-Disable-the-RHWO-optimizat ion-as-it-ca, patches.drivers/drm-i915-gen7-Implement-an-L3-caching-wo rkaround, patches.drivers/drm-i915-gen7-implement-rczunit-workarou nd, patches.drivers/drm-i915-gen7-work-around-a-system-hang- on-IVB - drm/i915: Clear the TV sense state bits on cantiga to make TV detection reliable. (bnc#750041) - drm/i915: Do not write DSPSURF for old chips. (bnc#747071) - drm: Do not delete DPLL Multiplier during DAC init. (bnc#728840) - drm: Set depth on low mem Radeon cards to 16 instead of 8. (bnc#746883) - patches.drivers/drm-i915-set-AUD_CONFIG_N_index-for-DP: Refresh. Updated the patch from the upstream. (bnc#722560) - Add a few missing drm/i915 fixes from upstream 3.2 kernel (bnc#744392) : - drm/i915: Sanitize BIOS debugging bits from PIPECONF. (bnc#751916) - drm/i915: Add lvds_channel module option. (bnc#739837) - drm/i915: Check VBIOS value for determining LVDS dual channel mode, too. (bnc#739837) - agp: fix scratch page cleanup. (bnc#738679) - drm/i915: suspend fbdev device around suspend/hibernate (bnc#732908). ACPI : - supported.conf: Add acpi_ipmi as supported (bnc#716971). MM : - cpusets: avoid looping when storing to mems_allowed if one. - cpusets: avoid stall when updating mems_allowed for mempolicy. - cpuset: mm: Reduce large amounts of memory barrier related slowdown. - mm: make swapin readahead skip over holes. - mm: allow PF_MEMALLOC from softirq context. - mm: Ensure processes do not remain throttled under memory pressure. (Swap over NFS (fate#304949, bnc#747944). - mm: Allow sparsemem usemap allocations for very large NUMA nodes. (bnc#749049) - backing-dev: fix wakeup timer races with bdi_unregister(). (bnc#741824) - readahead: fix pipeline break caused by block plug. (bnc#746454) - Fix uninitialised variable warning and obey the [get|put]_mems_allowed API. CIFS : - cifs: fix dentry refcount leak when opening a FIFO on lookup (CVE-2012-1090 / bnc#749569). USB : - xhci: Fix encoding for HS bulk/control NAK rate. (bnc#750402) - USB: Fix handoff when BIOS disables host PCI device. (bnc#747878) - USB: Do not fail USB3 probe on missing legacy PCI IRQ. (bnc#749543) - USB: Adding #define in hub_configure() and hcd.c file. (bnc#714604) - USB: remove BKL comments. (bnc#714604) - xHCI: Adding #define values used for hub descriptor. (bnc#714604) - xHCI: Kick khubd when USB3 resume really completes. (bnc#714604) - xhci: Fix oops caused by more USB2 ports than USB3 ports. (bnc#714604) - USB/xhci: Enable remote wakeup for USB3 devices. (bnc#714604) - USB: Suspend functions before putting dev into U3. (bnc#714604) - USB/xHCI: Enable USB 3.0 hub remote wakeup. (bnc#714604) - USB: Refactor hub remote wake handling. (bnc#714604) - USB/xHCI: Support device-initiated USB 3.0 resume. (bnc#714604) - USB: Set wakeup bits for all children hubs. (bnc#714604) - USB: Turn on auto-suspend for USB 3.0 hubs. (bnc#714604) - USB: Set hub depth after USB3 hub reset. (bnc#749115) - xhci: Fix USB 3.0 device restart on resume. (bnc#745867) - xhci: Remove scary warnings about transfer issues. (bnc#745867) - xhci: Remove warnings about MSI and MSI-X capabilities (bnc#745867). Other : - PCI / PCIe: Introduce command line option to disable ARI. (bnc#742845) - PCI: Set device power state to PCI_D0 for device without native PM support (bnc#752972). X86 : - x86/UV: Lower UV rtc clocksource rating. (bnc#748456) - x86, mce, therm_throt: Do not report power limit and package level thermal throttle events in mcelog. (bnc#745876) - x86: Unlock nmi lock after kdb_ipi call. (bnc#745424) - x86, tsc: Fix SMI induced variation in quick_pit_calibrate(). (bnc#751322) XEN : - Update Xen patches to 3.0.22. - xenbus_dev: add missing error checks to watch handling. - drivers/xen/: use strlcpy() instead of strncpy(). - xenoprof: backward compatibility for changed XENOPROF_ESCAPE_CODE. - blkfront: properly fail packet requests. (bnc#745929) - Refresh other Xen patches. (bnc#732070, bnc#742871) - xenbus: do not free other end details too early. - blkback: also call blkif_disconnect() when frontend switched to closed. - gnttab: add deferred freeing logic. - blkback: failure to write last seen 2020-06-05 modified 2012-04-24 plugin id 58845 published 2012-04-24 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/58845 title SuSE 11.2 Security Update : Linux kernel (SAT Patch Numbers 6163 / 6164 / 6172) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1245-1.NASL description Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service. (CVE-2011-2928) Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188) Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191) Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service. (CVE-2011-3353) Gideon Naim discovered a flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56644 published 2011-10-26 reporter Ubuntu Security Notice (C) 2011-2013 Canonical, Inc. / NASL script (C) 2011-2013 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56644 title Ubuntu 10.10 : linux-mvl-dove vulnerabilities (USN-1245-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-1479.NASL description Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Using PCI passthrough without interrupt remapping support allowed Xen hypervisor guests to generate MSI interrupts and thus potentially inject traps. A privileged guest user could use this flaw to crash the host or possibly escalate their privileges on the host. The fix for this issue can prevent PCI passthrough working and guests starting. Refer to Red Hat Bugzilla bug 715555 for details. (CVE-2011-1898, Important) * A flaw was found in the way CIFS (Common Internet File System) shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate) * A NULL pointer dereference flaw was found in the way the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56974 published 2011-11-30 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56974 title RHEL 5 : kernel (RHSA-2011:1479) NASL family SuSE Local Security Checks NASL id SUSE_KERNEL-8324.NASL description This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. The following security issues have been fixed : - kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack). (CVE-2011-2494) - net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. (CVE-2012-2744) - Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. (CVE-2012-3510) - The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key. (CVE-2011-4110) - The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. (CVE-2011-1044) - Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. (CVE-2012-3400) - The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. (CVE-2012-2136) - A small denial of service leak in dropping syn+fin messages was fixed. (CVE-2012-2663) The following non-security issues have been fixed : Packaging : - kbuild: Fix gcc -x syntax (bnc#773831). NFS : - knfsd: An assortment of little fixes to the sunrpc cache code. (bnc#767766) - knfsd: Unexport cache_fresh and fix a small race. (bnc#767766) - knfsd: nfsd: do not drop silently on upcall deferral. (bnc#767766) - knfsd: svcrpc: remove another silent drop from deferral code. (bnc#767766) - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked. (bnc#767766) - sunrpc/cache: recheck cache validity after cache_defer_req. (bnc#767766) - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req. (bnc#767766) - sunrpc/cache: avoid variable over-loading in cache_defer_req. (bnc#767766) - sunrpc/cache: allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update. (bnc#767766) - sunrpc/cache: Another fix for race problem with sunrpc cache deferal. (bnc#767766) - knfsd: nfsd: make all exp_finding functions return -errnos on err. (bnc#767766) - Fix kabi breakage in previous nfsd patch series. (bnc#767766) - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout. (bnc#767766) - nfs: Fix a potential file corruption issue when writing. (bnc#773272) - nfs: Allow sync writes to be multiple pages. (bnc#763526) - nfs: fix reference counting for NFSv4 callback thread. (bnc#767504) - nfs: flush signals before taking down callback thread. (bnc#767504) - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI : - SCSI/ch: Check NULL for kmalloc() return. (bnc#783058) - drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc. (bnc#783058) - block: fail SCSI passthrough ioctls on partition devices. (bnc#738400) - dm: do not forward ioctls from logical volumes to the underlying device. (bnc#738400) - vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 : - lgr: Make lgr_page static (bnc#772409,LTC#83520). - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). - kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203). - be2net: Fix EEH error reset before a flash dump completes. (bnc#755546) - mptfusion: fix msgContext in mptctl_hp_hostinfo. (bnc#767939) - PCI: Fix bus resource assignment on 32 bits with 64b resources. . (bnc#762581) - PCI: fix up setup-bus.c #ifdef. (bnc#762581) - x86: powernow-k8: Fix indexing issue. (bnc#758985) - net: Fix race condition about network device name allocation. (bnc#747576) XEN : - smpboot: adjust ordering of operations. - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time. (bnc#738528) - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53. (bnc#760974) - xen/gntdev: fix multi-page slot allocation. (bnc#760974) last seen 2020-06-05 modified 2012-10-24 plugin id 62675 published 2012-10-24 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/62675 title SuSE 10 Security Update : Linux kernel (ZYPP Patch Number 8324) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-120130.NASL description The SUSE Linux Enterprise 11 SP1 kernel was updated to 2.6.32.54, fixing lots of bugs and security issues. The following security issues have been fixed : - A potential hypervisor escape by issuing SG_IO commands to partitiondevices was fixed by restricting access to these commands. (CVE-2011-4127) - KEYS: Fix a NULL pointer deref in the user-defined key type, which allowed local attackers to Oops the kernel. (CVE-2011-4110) - Avoid potential NULL pointer deref in ghash, which allowed local attackers to Oops the kernel. (CVE-2011-4081) - Fixed a memory corruption possibility in xfs readlink, which could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image. (CVE-2011-4077) - A overflow in the xfs acl handling was fixed that could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image. (CVE-2012-0038) - A flaw in the ext3/ext4 filesystem allowed a local attacker to crash the kernel by getting a prepared ext3/ext4 filesystem mounted. (CVE-2011-4132) - Access to the taskstats /proc file was restricted to avoid local attackers gaining knowledge of IO of other users (and so effecting side-channel attacks for e.g. guessing passwords by typing speed). (CVE-2011-2494) - When using X.25 communication a malicious sender could corrupt data structures, causing crashes or potential code execution. Please note that X.25 needs to be setup to make this effective, which these days is usually not the case. (CVE-2010-3873) - When using X.25 communication a malicious sender could make the machine leak memory, causing crashes. Please note that X.25 needs to be setup to make this effective, which these days is usually not the case. (CVE-2010-4164) - A remote denial of service due to a NULL pointer dereference by using IPv6 fragments was fixed. The following non-security issues have been fixed:. (CVE-2011-2699) - elousb: Fixed bug in USB core API usage, code cleanup. (bnc#733863) - cifs: overhaul cifs_revalidate and rename to cifs_revalidate_dentry. (bnc#735453) - cifs: set server_eof in cifs_fattr_to_inode. (bnc#735453) - xfs: Fix missing xfs_iunlock() on error recovery path in xfs_readlink(). (bnc#726600) - block: add and use scsi_blk_cmd_ioctl. (bnc#738400 / CVE-2011-4127) - block: fail SCSI passthrough ioctls on partition devices. (bnc#738400 / CVE-2011-4127) - dm: do not forward ioctls from logical volumes to the underlying device. (bnc#738400 / CVE-2011-4127) - Silence some warnings about ioctls on partitions. - netxen: Remove all references to unified firmware file. (bnc#708625) - bonding: send out gratuitous arps even with no address configured. (bnc#742270) - patches.fixes/ocfs2-serialize_unaligned_aio.patch: ocfs2: serialize unaligned aio. (bnc#671479) - patches.fixes/bonding-check-if-clients-MAC-addr-has-chan ged.patch: Update references. (bnc#729854, bnc#731004) - xfs: Fix wait calculations on lock acquisition and use milliseconds instead of jiffies to print the wait time. - ipmi: reduce polling when interrupts are available. (bnc#740867) - ipmi: reduce polling. (bnc#740867) - Linux 2.6.32.54. - export shrink_dcache_for_umount_subtree. - patches.suse/stack-unwind: Fix more 2.6.29 merge problems plus a glue code problem. (bnc#736018) - PM / Sleep: Fix race between CPU hotplug and freezer. (bnc#740535) - jbd: Issue cache flush after checkpointing. (bnc#731770) - lpfc: make sure job exists when processing BSG. (bnc#735635) - Linux 2.6.32.53. - blktap: fix locking (again). (bnc#724734) - xen: Update Xen patches to 2.6.32.52. - Linux 2.6.32.52. - Linux 2.6.32.51. - Linux 2.6.32.50. - reiserfs: Lock buffers unconditionally in reiserfs_write_full_page(). (bnc#716023) - writeback: Include all dirty inodes in background writeback. (bnc#716023) - reiserfs: Fix quota mount option parsing. (bnc#728626) - bonding: check if clients MAC addr has changed. (bnc#729854) - rpc client can not deal with ENOSOCK, so translate it into ENOCONN. (bnc#733146) - st: modify tape driver to allow writing immediate filemarks. (bnc#688996) - xfs: fix for xfssyncd failure to wake. (bnc#722910) - ipmi: Fix deadlock in start_next_msg(). - net: bind() fix error return on wrong address family. (bnc#735216) - net: ipv4: relax AF_INET check in bind(). (bnc#735216) - net/ipv6: check for mistakenly passed in non-AF_INET6 sockaddrs. (bnc#735216) - Bluetooth: Fixed Atheros AR3012 Maryann PID/VID supported. (bnc#732296) - percpu: fix chunk range calculation. (bnc#668872) - x86, UV: Fix kdump reboot. (bnc#735446) - dm: Use done_bytes for io_completion. (bnc#711378) - Bluetooth: Add Atheros AR3012 Maryann PID/VID supported. (bnc#732296) - Bluetooth: Add Atheros AR3012 one PID/VID supported. (bnc#732296) - fix missing hunk in oplock break patch. (bnc#706973) - patches.arch/s390-34-01-pfault-cpu-hotplug.patch: Refresh. Surrounded s390x lowcore change with __GENKSYMS__. (bnc#728339) - patches.xen/xen3-patch-2.6.30: Refresh. - sched, x86: Avoid unnecessary overflow in sched_clock. (bnc#725709) - ACPI thermal: Do not invalidate thermal zone if critical trip point is bad. last seen 2020-06-05 modified 2012-02-07 plugin id 57854 published 2012-02-07 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57854 title SuSE 11.1 Security Update : Linux kernel (SAT Patch Number 5732) NASL family SuSE Local Security Checks NASL id SUSE_SU-2012-1391-1.NASL description This Linux kernel update fixes various security issues and bugs in the SUSE Linux Enterprise 10 SP4 kernel. The following security issues have been fixed : CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password (a side channel attack). CVE-2012-2744: net/ipv6/netfilter/nf_conntrack_reasm.c in the Linux kernel, when the nf_conntrack_ipv6 module is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via certain types of fragmented IPv6 packets. CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and updating a negative key into a fully instantiated key. CVE-2011-1044: The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel did not initialize a certain response buffer, which allowed local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649. CVE-2012-3400: Heap-based buffer overflow in the udf_load_logicalvol function in fs/udf/super.c in the Linux kernel allowed remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted UDF filesystem. CVE-2012-2136: The sock_alloc_send_pskb function in net/core/sock.c in the Linux kernel did not properly validate a certain length value, which allowed local users to cause a denial of service (heap-based buffer overflow and system crash) or possibly gain privileges by leveraging access to a TUN/TAP device. CVE-2012-2663: A small denial of service leak in dropping syn+fin messages was fixed. The following non-security issues have been fixed : Packaging : - kbuild: Fix gcc -x syntax (bnc#773831). NFS : - knfsd: An assortment of little fixes to the sunrpc cache code (bnc#767766). - knfsd: Unexport cache_fresh and fix a small race (bnc#767766). - knfsd: nfsd: do not drop silently on upcall deferral (bnc#767766). - knfsd: svcrpc: remove another silent drop from deferral code (bnc#767766). - sunrpc/cache: simplify cache_fresh_locked and cache_fresh_unlocked (bnc#767766). - sunrpc/cache: recheck cache validity after cache_defer_req (bnc#767766). - sunrpc/cache: use list_del_init for the list_head entries in cache_deferred_req (bnc#767766). - sunrpc/cache: avoid variable over-loading in cache_defer_req (bnc#767766). - sunrpc/cache: allow thread to block while waiting for cache update (bnc#767766). - sunrpc/cache: Fix race in sunrpc/cache introduced by patch to allow thread to block while waiting for cache update (bnc#767766). - sunrpc/cache: Another fix for race problem with sunrpc cache deferal (bnc#767766). - knfsd: nfsd: make all exp_finding functions return -errnos on err (bnc#767766). - Fix kabi breakage in previous nfsd patch series (bnc#767766). - nfsd: Work around incorrect return type for wait_for_completion_interruptible_timeout (bnc#767766). - nfs: Fix a potential file corruption issue when writing (bnc#773272). - nfs: Allow sync writes to be multiple pages (bnc#763526). - nfs: fix reference counting for NFSv4 callback thread (bnc#767504). - nfs: flush signals before taking down callback thread (bnc#767504). - nfsv4: Ensure nfs_callback_down() calls svc_destroy() (bnc#767504). SCSI : - SCSI/ch: Check NULL for kmalloc() return (bnc#783058). drivers/scsi/aic94xx/aic94xx_init.c: correct the size argument to kmalloc (bnc#783058). block: fail SCSI passthrough ioctls on partition devices (bnc#738400). dm: do not forward ioctls from logical volumes to the underlying device (bnc#738400). vmware: Fix VMware hypervisor detection (bnc#777575, bnc#770507). S/390 : - lgr: Make lgr_page static (bnc#772409,LTC#83520). - zfcp: Fix oops in _blk_add_trace() (bnc#772409,LTC#83510). kernel: Add z/VM LGR detection (bnc#767277,LTC#RAS1203). be2net: Fix EEH error reset before a flash dump completes (bnc#755546). - mptfusion: fix msgContext in mptctl_hp_hostinfo (bnc#767939). - PCI: Fix bus resource assignment on 32 bits with 64b resources. (bnc#762581) - PCI: fix up setup-bus.c #ifdef. (bnc#762581) x86: powernow-k8: Fix indexing issue (bnc#758985). net: Fix race condition about network device name allocation (bnc#747576). XEN : - smpboot: adjust ordering of operations. - xen/x86-64: provide a memset() that can deal with 4Gb or above at a time (bnc#738528). - xen: fix VM_FOREIGN users after c/s 878:eba6fe6d8d53 (bnc#760974). - xen/gntdev: fix multi-page slot allocation (bnc#760974). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-20 plugin id 83563 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83563 title SUSE SLED10 / SLES10 Security Update : kernel (SUSE-SU-2012:1391-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1281-1.NASL description Andrea Righi discovered a race condition in the KSM memory merging support. If KSM was being used, a local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2183) It was discovered that an mmap() call with the MAP_PRIVATE flag on last seen 2020-06-01 modified 2020-06-02 plugin id 56949 published 2011-11-26 reporter Ubuntu Security Notice (C) 2011-2012 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56949 title USN-1281-1 : linux-ti-omap4 vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1239-1.NASL description Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service. (CVE-2011-2928) Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188) Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191) Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service. (CVE-2011-3353) Gideon Naim discovered a flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56638 published 2011-10-26 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56638 title Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-1239-1) NASL family Scientific Linux Local Security Checks NASL id SL_20111122_KERNEL_ON_SL6_X.NASL description The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : - IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system last seen 2020-06-01 modified 2020-06-02 plugin id 61179 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61179 title Scientific Linux Security Update : kernel on SL6.x i386/x86_64 NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1279-1.NASL description Andrea Righi discovered a race condition in the KSM memory merging support. If KSM was being used, a local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2183) Vasily Averin discovered that the NFS Lock Manager (NLM) incorrectly handled unlock requests. A local attacker could exploit this to cause a denial of service. (CVE-2011-2491) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) It was discovered that the wireless stack incorrectly verified SSID lengths. A local attacker could exploit this to cause a denial of service or gain root privileges. (CVE-2011-2517) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Vasiliy Kulikov discovered that the Comedi driver did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-2909). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56947 published 2011-11-26 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56947 title Ubuntu 10.04 LTS : linux-lts-backport-natty vulnerabilities (USN-1279-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1275-1.NASL description Peter Huewe discovered an information leak in the handling of reading security-related TPM data. A local, unprivileged user could read the results of a previous TPM command. (CVE-2011-1162) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Mathieu Desnoyers discovered that the kernel sockets implementation incorrectly dereferenced user pointers. A local attacker could possibly exploit this to crash the system. (CVE-2011-4594). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56917 published 2011-11-22 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56917 title Ubuntu 11.10 : linux vulnerability (USN-1275-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2011-1465.NASL description Updated kernel packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system last seen 2020-06-01 modified 2020-06-02 plugin id 56927 published 2011-11-23 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56927 title RHEL 6 : kernel (RHSA-2011:1465) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1256-1.NASL description It was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079) Vasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080) Johan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093) Peter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160) Dan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180) Ryan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478) It was discovered that the security fix for CVE-2010-4250 introduced a regression. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1479) Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493) It was discovered that the Stream Control Transmission Protocol (SCTP) implementation incorrectly calculated lengths. If the net.sctp.addip_enable variable was turned on, a remote attacker could send specially crafted traffic to crash the system. (CVE-2011-1573) Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577) Phil Oester discovered that the network bonding system did not correctly handle large queues. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1581) It was discovered that CIFS incorrectly handled authentication. When a user had a CIFS share mounted that required authentication, a local user could mount the same share without knowing the correct password. (CVE-2011-1585) It was discovered that the GRE protocol incorrectly handled netns initialization. A remote attacker could send a packet while the ip_gre module was loading, and crash the system, leading to a denial of service. (CVE-2011-1767) It was discovered that the IP/IP protocol incorrectly handled netns initialization. A remote attacker could send a packet while the ipip module was loading, and crash the system, leading to a denial of service. (CVE-2011-1768) Ben Greear discovered that CIFS did not correctly handle direct I/O. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-1771) Timo Warns discovered that the EFI GUID partition table was not correctly parsed. A physically local attacker that could insert mountable devices could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1776) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Ben Hutchings reported a flaw in the kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56768 published 2011-11-10 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56768 title Ubuntu 10.04 LTS : linux-lts-backport-natty vulnerabilities (USN-1256-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1241-1.NASL description It was discovered that the Stream Control Transmission Protocol (SCTP) implementation incorrectly calculated lengths. If the net.sctp.addip_enable variable was turned on, a remote attacker could send specially crafted traffic to crash the system. (CVE-2011-1573) Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Timo Warns discovered that the EFI GUID partition table was not correctly parsed. A physically local attacker that could insert mountable devices could exploit this to crash the system or possibly gain root privileges. (CVE-2011-1776) Dan Rosenberg discovered that the IPv4 diagnostic routines did not correctly validate certain requests. A local attacker could exploit this to consume CPU resources, leading to a denial of service. (CVE-2011-2213) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) Robert Swiecki discovered that mapping extensions were incorrectly handled. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2496) Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497) It was discovered that the wireless stack incorrectly verified SSID lengths. A local attacker could exploit this to cause a denial of service or gain root privileges. (CVE-2011-2517) Ben Pfaff discovered that Classless Queuing Disciplines (qdiscs) were being incorrectly handled. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2525) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695) Herbert Xu discovered that certain fields were incorrectly handled when Generic Receive Offload (CVE-2011-2723) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Vasiliy Kulikov discovered that the Comedi driver did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-2909) Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service. (CVE-2011-2928) Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188) Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191) Yogesh Sharma discovered that CIFS did not correctly handle UNCs that had no prefixpaths. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-3363) last seen 2020-06-01 modified 2020-06-02 plugin id 56640 published 2011-10-26 reporter Ubuntu Security Notice (C) 2011 Canonical, Inc. / NASL script (C) 2011-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56640 title USN-1241-1 : linux-fsl-imx51 vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1240-1.NASL description Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service. (CVE-2011-2928) Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188) Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191) Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service. (CVE-2011-3353) Gideon Naim discovered a flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56639 published 2011-10-26 reporter Ubuntu Security Notice (C) 2011-2013 Canonical, Inc. / NASL script (C) 2011-2013 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/56639 title Ubuntu 10.04 LTS : linux-mvl-dove vulnerabilities (USN-1240-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1236-1.NASL description It was discovered that the Auerswald usb driver incorrectly handled lengths of the USB string descriptors. A local attacker with physical access could insert a specially crafted USB device and gain root privileges. (CVE-2009-4067) It was discovered that the Stream Control Transmission Protocol (SCTP) implementation incorrectly calculated lengths. If the net.sctp.addip_enable variable was turned on, a remote attacker could send specially crafted traffic to crash the system. (CVE-2011-1573) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56583 published 2011-10-21 reporter Ubuntu Security Notice (C) 2011-2020 Canonical, Inc. / NASL script (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56583 title Ubuntu 8.04 LTS : linux vulnerabilities (USN-1236-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2013-1832-1.NASL description The SUSE Linux Enterprise Server 10 SP3 LTSS kernel received a roll up update to fix lots of moderate security issues and several bugs. The Following security issues have been fixed : CVE-2012-4530: The load_script function in fs/binfmt_script.c in the Linux kernel did not properly handle recursion, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2011-2494: kernel/taskstats.c in the Linux kernel allowed local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another users password. CVE-2013-2234: The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel did not initialize certain structure members, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket. CVE-2013-2237: The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket. CVE-2013-2147: The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel did not initialize certain data structures, which allowed local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c. CVE-2013-2141: The do_tkill function in kernel/signal.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel memory via a crafted application that makes a (1) tkill or (2) tgkill system call. CVE-2013-0160: The Linux kernel allowed local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device. CVE-2012-6537: net/xfrm/xfrm_user.c in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability. CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3223: The ax25_recvmsg function in net/ax25/af_ax25.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3224: The bt_sock_recvmsg function in net/bluetooth/af_bluetooth.c in the Linux kernel did not properly initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3228: The irda_recvmsg_dgram function in net/irda/af_irda.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3229: The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3231: The llc_ui_recvmsg function in net/llc/af_llc.c in the Linux kernel did not initialize a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3232: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3234: The rose_recvmsg function in net/rose/af_rose.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-3235: net/tipc/socket.c in the Linux kernel did not initialize a certain data structure and a certain length variable, which allowed local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. CVE-2013-1827: net/dccp/ccid.h in the Linux kernel allowed local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by leveraging the CAP_NET_ADMIN capability for a certain (1) sender or (2) receiver getsockopt call. CVE-2012-6549: The isofs_export_encode_fh function in fs/isofs/export.c in the Linux kernel did not initialize a certain structure member, which allowed local users to obtain sensitive information from kernel heap memory via a crafted application. CVE-2012-6547: The __tun_chr_ioctl function in drivers/net/tun.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2012-6546: The ATM implementation in the Linux kernel did not initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2012-6544: The Bluetooth protocol stack in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that targets the (1) L2CAP or (2) HCI implementation. CVE-2012-6545: The Bluetooth RFCOMM implementation in the Linux kernel did not properly initialize certain structures, which allowed local users to obtain sensitive information from kernel memory via a crafted application. CVE-2012-6542: The llc_ui_getname function in net/llc/af_llc.c in the Linux kernel had an incorrect return value in certain circumstances, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application that leverages an uninitialized pointer argument. CVE-2012-6541: The ccid3_hc_tx_getsockopt function in net/dccp/ccids/ccid3.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2012-6540: The do_ip_vs_get_ctl function in net/netfilter/ipvs/ip_vs_ctl.c in the Linux kernel did not initialize a certain structure for IP_VS_SO_GET_TIMEOUT commands, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2013-0914: The flush_signal_handlers function in kernel/signal.c in the Linux kernel preserved the value of the sa_restorer field across an exec operation, which made it easier for local users to bypass the ASLR protection mechanism via a crafted application containing a sigaction system call. CVE-2011-2492: The bluetooth subsystem in the Linux kernel did not properly initialize certain data structures, which allowed local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. CVE-2013-2206: The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel did not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic. CVE-2012-6539: The dev_ifconf function in net/socket.c in the Linux kernel did not initialize a certain structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application. CVE-2013-2232: The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel allowed local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface. CVE-2013-2164: The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. CVE-2012-4444: The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel allowed remote attackers to bypass intended network restrictions via overlapping IPv6 fragments. CVE-2013-1928: The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel on unspecified architectures lacked a certain error check, which might have allowed local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. CVE-2013-0871: Race condition in the ptrace functionality in the Linux kernel allowed local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death. CVE-2013-0268: The msr_open function in arch/x86/kernel/msr.c in the Linux kernel allowed local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c. CVE-2012-3510: Use-after-free vulnerability in the xacct_add_tsk function in kernel/tsacct.c in the Linux kernel allowed local users to obtain potentially sensitive information from kernel memory or cause a denial of service (system crash) via a taskstats TASKSTATS_CMD_ATTR_PID command. CVE-2011-4110: The user_update function in security/keys/user_defined.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and last seen 2020-06-05 modified 2015-05-20 plugin id 83603 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83603 title SUSE SLES10 Security Update : kernel (SUSE-SU-2013:1832-1) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-120129.NASL description The SUSE Linux Enterprise 11 SP1 kernel has been updated to 2.6.32.54, fixing numerous bugs and security issues. The following security issues have been fixed : - A potential hypervisor escape by issuing SG_IO commands to partitiondevices was fixed by restricting access to these commands. (CVE-2011-4127) - KEYS: Fix a NULL pointer deref in the user-defined key type, which allowed local attackers to Oops the kernel. (CVE-2011-4110) - Avoid potential NULL pointer deref in ghash, which allowed local attackers to Oops the kernel. (CVE-2011-4081) - Fixed a memory corruption possibility in xfs readlink, which could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image. (CVE-2011-4077) - A overflow in the xfs acl handling was fixed that could be used by local attackers to crash the system or potentially execute code by mounting a prepared xfs filesystem image. (CVE-2012-0038) - A flaw in the ext3/ext4 filesystem allowed a local attacker to crash the kernel by getting a prepared ext3/ext4 filesystem mounted. (CVE-2011-4132) - Access to the taskstats /proc file was restricted to avoid local attackers gaining knowledge of IO of other users (and so effecting side-channel attacks for e.g. guessing passwords by typing speed). (CVE-2011-2494) - When using X.25 communication a malicious sender could corrupt data structures, causing crashes or potential code execution. Please note that X.25 needs to be setup to make this effective, which these days is usually not the case. (CVE-2010-3873) - When using X.25 communication a malicious sender could make the machine leak memory, causing crashes. Please note that X.25 needs to be setup to make this effective, which these days is usually not the case. (CVE-2010-4164) - A remote denial of service due to a NULL pointer dereference by using IPv6 fragments was fixed. (CVE-2011-2699) The following non-security issues have been fixed (excerpt from changelog) : - elousb: Fixed bug in USB core API usage, code cleanup. - cifs: overhaul cifs_revalidate and rename to cifs_revalidate_dentry. - cifs: set server_eof in cifs_fattr_to_inode. - xfs: Fix missing xfs_iunlock() on error recovery path in xfs_readlink(). - Silence some warnings about ioctls on partitions. - netxen: Remove all references to unified firmware file. - bonding: send out gratuitous arps even with no address configured. - patches.fixes/ocfs2-serialize_unaligned_aio.patch: ocfs2: serialize unaligned aio. - patches.fixes/bonding-check-if-clients-MAC-addr-has-chan ged.patch: Update references. - xfs: Fix wait calculations on lock acquisition and use milliseconds instead of jiffies to print the wait time. - ipmi: reduce polling when interrupts are available. - ipmi: reduce polling. - export shrink_dcache_for_umount_subtree. - patches.suse/stack-unwind: Fix more 2.6.29 merge problems plus a glue code problem. - PM / Sleep: Fix race between CPU hotplug and freezer. - jbd: Issue cache flush after checkpointing. - lpfc: make sure job exists when processing BSG. - blktap: fix locking (again). - xen: Update Xen patches to 2.6.32.52. - reiserfs: Lock buffers unconditionally in reiserfs_write_full_page(). - writeback: Include all dirty inodes in background writeback. - reiserfs: Fix quota mount option parsing. - bonding: check if clients MAC addr has changed. - rpc client can not deal with ENOSOCK, so translate it into ENOCONN. - st: modify tape driver to allow writing immediate filemarks. - xfs: fix for xfssyncd failure to wake. - ipmi: Fix deadlock in start_next_msg(). - net: bind() fix error return on wrong address family. - net: ipv4: relax AF_INET check in bind(). - net/ipv6: check for mistakenly passed in non-AF_INET6 sockaddrs. - Bluetooth: Fixed Atheros AR3012 Maryann PID/VID supported. - percpu: fix chunk range calculation. - x86, UV: Fix kdump reboot. - dm: Use done_bytes for io_completion. - Bluetooth: Add Atheros AR3012 Maryann PID/VID supported. - Bluetooth: Add Atheros AR3012 one PID/VID supported. - fix missing hunk in oplock break patch. - patches.arch/s390-34-01-pfault-cpu-hotplug.patch: Refresh. - Surrounded s390x lowcore change with __GENKSYMS__ - patches.xen/xen3-patch-2.6.30: Refresh. - sched, x86: Avoid unnecessary overflow in sched_clock. - ACPI thermal: Do not invalidate thermal zone if critical trip point is bad. last seen 2020-06-05 modified 2012-02-07 plugin id 57853 published 2012-02-07 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57853 title SuSE 11.1 Security Update : Linux Kernel (SAT Patch Numbers 5723 / 5725) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1242-1.NASL description It was discovered that the security fix for CVE-2010-4250 introduced a regression. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1479) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Vasiliy Kulikov discovered that the Comedi driver did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-2909) Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188) Yogesh Sharma discovered that CIFS did not correctly handle UNCs that had no prefixpaths. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-3363). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56641 published 2011-10-26 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56641 title Ubuntu 10.04 LTS : linux-lts-backport-maverick vulnerabilities (USN-1242-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-1479.NASL description From Red Hat Security Advisory 2011:1479 : Updated kernel packages that fix multiple security issues, several bugs, and add one enhancement are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * Using PCI passthrough without interrupt remapping support allowed Xen hypervisor guests to generate MSI interrupts and thus potentially inject traps. A privileged guest user could use this flaw to crash the host or possibly escalate their privileges on the host. The fix for this issue can prevent PCI passthrough working and guests starting. Refer to Red Hat Bugzilla bug 715555 for details. (CVE-2011-1898, Important) * A flaw was found in the way CIFS (Common Internet File System) shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate) * A NULL pointer dereference flaw was found in the way the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 68394 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68394 title Oracle Linux 5 : kernel (ELSA-2011-1479) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2011-2033.NASL description Description of changes: * CVE-2011-1161: Information leak in transmission logic of TPM driver. A missing buffer size check in tpm_transmit could allow leaking of potentially sensitive kernel memory. * CVE-2011-1162: Information leak in TPM driver. A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low) * CVE-2011-2494: Information leak in task/process statistics. The I/O statistics from the taskstats subsystem could be read without any restrictions. A local, unprivileged user could use this flaw to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low) * CVE-2011-3188: Weak TCP sequence number generation. The way IPv4 and IPv6 protocol sequence numbers and fragment IDs were generated could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate) * CVE-2011-1577: Missing boundary checks in GPT partition handling. A heap overflow flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 68424 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68424 title Oracle Linux 5 / 6 : Unbreakable Enterprise kernel (ELSA-2011-2033) NASL family SuSE Local Security Checks NASL id SUSE_SU-2014-0536-1.NASL description The SUSE Linux Enterprise Server 10 Service Pack 4 LTSS kernel has been updated to fix various security issues and several bugs. The following security issues have been addressed : CVE-2011-2492: The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. (bnc#702014) CVE-2011-2494: kernel/taskstats.c in the Linux kernel before 3.1 allows local users to obtain sensitive I/O statistics by sending taskstats commands to a netlink socket, as demonstrated by discovering the length of another user last seen 2020-06-05 modified 2015-05-20 plugin id 83618 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83618 title SUSE SLES10 Security Update : kernel (SUSE-SU-2014:0536-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1294-1.NASL description Peter Huewe discovered an information leak in the handling of reading security-related TPM data. A local, unprivileged user could read the results of a previous TPM command. (CVE-2011-1162) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Qianfeng Zhang discovered that the bridge networking interface incorrectly handled certain network packets. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2942) Yasuaki Ishimatsu discovered a flaw in the kernel last seen 2020-06-01 modified 2020-06-02 plugin id 57058 published 2011-12-09 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57058 title Ubuntu 10.04 LTS : linux-lts-backport-oneiric vulnerabilities (USN-1294-1) NASL family Scientific Linux Local Security Checks NASL id SL_20111129_KERNEL_ON_SL5_X.NASL description The kernel packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : - Using PCI passthrough without interrupt remapping support allowed Xen hypervisor guests to generate MSI interrupts and thus potentially inject traps. A privileged guest user could use this flaw to crash the host or possibly escalate their privileges on the host. The fix for this issue can prevent PCI passthrough working and guests starting.(CVE-2011-1898, Important) - A flaw was found in the way CIFS (Common Internet File System) shares with DFS referrals at their root were handled. An attacker on the local network who is able to deploy a malicious CIFS server could create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate) - A NULL pointer dereference flaw was found in the way the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 61181 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61181 title Scientific Linux Security Update : kernel on SL5.x i386/x86_64 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2012-0010.NASL description Updated kernel-rt packages that fix several security issues and two bugs are now available for Red Hat Enterprise MRG 2.0. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. This update fixes the following security issues : * A malicious CIFS (Common Internet File System) server could send a specially crafted response to a directory read request that would result in a denial of service or privilege escalation on a system that has a CIFS share mounted. (CVE-2011-3191, Important) * The way fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on were handled could allow a remote attacker to cause a denial of service. (CVE-2011-4326, Important) * GRO (Generic Receive Offload) fields could be left in an inconsistent state. An attacker on the local network could use this flaw to cause a denial of service. GRO is enabled by default in all network drivers that support it. (CVE-2011-2723, Moderate) * IPv4 and IPv6 protocol sequence number and fragment ID generation could allow a man-in-the-middle attacker to inject packets and possibly hijack connections. Protocol sequence numbers and fragment IDs are now more random. (CVE-2011-3188, Moderate) * A flaw in the FUSE (Filesystem in Userspace) implementation could allow a local user in the fuse group who has access to mount a FUSE file system to cause a denial of service. (CVE-2011-3353, Moderate) * A flaw in the b43 driver. If a system had an active wireless interface that uses the b43 driver, an attacker able to send a specially crafted frame to that interface could cause a denial of service. (CVE-2011-3359, Moderate) * A flaw in the way CIFS shares with DFS referrals at their root were handled could allow an attacker on the local network, who is able to deploy a malicious CIFS server, to create a CIFS network share that, when mounted, would cause the client system to crash. (CVE-2011-3363, Moderate) * A flaw in the m_stop() implementation could allow a local, unprivileged user to trigger a denial of service. (CVE-2011-3637, Moderate) * Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause a denial of service. (CVE-2011-4081, Moderate) * A flaw in the key management facility could allow a local, unprivileged user to cause a denial of service via the keyctl utility. (CVE-2011-4110, Moderate) * A flaw in the Journaling Block Device (JBD) could allow a local attacker to crash the system by mounting a specially crafted ext3 or ext4 disk. (CVE-2011-4132, Moderate) * A flaw in the way memory containing security-related data was handled in tpm_read() could allow a local, unprivileged user to read the results of a previously run TPM command. (CVE-2011-1162, Low) * I/O statistics from the taskstats subsystem could be read without any restrictions, which could allow a local, unprivileged user to gather confidential information, such as the length of a password used in a process. (CVE-2011-2494, Low) * Flaws in tpacket_rcv() and packet_recvmsg() could allow a local, unprivileged user to leak information to user-space. (CVE-2011-2898, Low) Red Hat would like to thank Darren Lavender for reporting CVE-2011-3191; Brent Meshier for reporting CVE-2011-2723; Dan Kaminsky for reporting CVE-2011-3188; Yogesh Sharma for reporting CVE-2011-3363; Nick Bowler for reporting CVE-2011-4081; Peter Huewe for reporting CVE-2011-1162; and Vasiliy Kulikov of Openwall for reporting CVE-2011-2494. This update also fixes the following bugs : * Previously, a mismatch in the build-id of the kernel-rt and the one in the related debuginfo package caused failures in SystemTap and perf. (BZ#768413) * IBM x3650m3 systems were not able to boot the MRG Realtime kernel because they require a pmcraid driver that was not available. The pmcraid driver is included in this update. (BZ#753992) Users should upgrade to these updated packages, which correct these issues. The system must be rebooted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 76635 published 2014-07-22 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76635 title RHEL 6 : MRG (RHSA-2012:0010) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2011-26.NASL description IPv6 fragment identification value generation could allow a remote attacker to disrupt a target system last seen 2020-06-01 modified 2020-06-02 plugin id 69585 published 2013-09-04 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/69585 title Amazon Linux AMI : kernel (ALAS-2011-26) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1253-1.NASL description Ryan Sweat discovered that the kernel incorrectly handled certain VLAN packets. On some systems, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1576) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) Dan Rosenberg discovered that the Bluetooth stack incorrectly handled certain L2CAP requests. If a system was using Bluetooth, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-2497) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Time Warns discovered that long symlinks were incorrectly handled on Be filesystems. A local attacker could exploit this with a malformed Be filesystem and crash the system, leading to a denial of service. (CVE-2011-2928) Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188) Darren Lavender discovered that the CIFS client incorrectly handled certain large values. A remote attacker with a malicious server could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2011-3191) Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user who can mount a FUSE file system could cause a denial of service. (CVE-2011-3353) Gideon Naim discovered a flaw in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 56747 published 2011-11-09 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56747 title Ubuntu 10.04 LTS : linux vulnerabilities (USN-1253-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1285-1.NASL description Andrea Righi discovered a race condition in the KSM memory merging support. If KSM was being used, a local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2183) Vasily Averin discovered that the NFS Lock Manager (NLM) incorrectly handled unlock requests. A local attacker could exploit this to cause a denial of service. (CVE-2011-2491) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) It was discovered that the wireless stack incorrectly verified SSID lengths. A local attacker could exploit this to cause a denial of service or gain root privileges. (CVE-2011-2517) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Vasiliy Kulikov discovered that the Comedi driver did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-2909). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56978 published 2011-11-30 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56978 title Ubuntu 11.04 : linux vulnerabilities (USN-1285-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1243-1.NASL description It was discovered that the security fix for CVE-2010-4250 introduced a regression. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1479) Vasiliy Kulikov discovered that taskstats did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2494) Vasiliy Kulikov discovered that /proc/PID/io did not enforce access restrictions. A local attacker could exploit this to read certain information, leading to a loss of privacy. (CVE-2011-2495) It was discovered that the EXT4 filesystem contained multiple off-by-one flaws. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2695) Christian Ohm discovered that the perf command looks for configuration files in the current directory. If a privileged user were tricked into running perf in a directory containing a malicious configuration file, an attacker could run arbitrary commands and possibly gain privileges. (CVE-2011-2905) Vasiliy Kulikov discovered that the Comedi driver did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-2909) Dan Kaminsky discovered that the kernel incorrectly handled random sequence number generation. An attacker could use this flaw to possibly predict sequence numbers and inject packets. (CVE-2011-3188) Yogesh Sharma discovered that CIFS did not correctly handle UNCs that had no prefixpaths. A local attacker with access to a CIFS partition could exploit this to crash the system, leading to a denial of service. (CVE-2011-3363). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 56642 published 2011-10-26 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56642 title Ubuntu 10.10 : linux vulnerabilities (USN-1243-1)
Redhat
| rpms |
|
References
- http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.1
- https://github.com/torvalds/linux/commit/1a51410abe7d0ee4b1d112780f46df87d3621043
- http://www.openwall.com/lists/oss-security/2011/06/27/1
- https://bugzilla.redhat.com/show_bug.cgi?id=716842
- http://secunia.com/advisories/48898
- http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00021.html
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=1a51410abe7d0ee4b1d112780f46df87d3621043