Vulnerabilities > CVE-2014-0155 - Improper Input Validation vulnerability in Linux Kernel

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2239-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(74359);
  script_version("1.19");
  script_cvs_date("Date: 2019/09/19 12:54:30");

  script_cve_id("CVE-2014-0155", "CVE-2014-2568", "CVE-2014-3122", "CVE-2014-3153");
  script_xref(name:"USN", value:"2239-1");

  script_name(english:"Ubuntu 12.04 LTS : linux-lts-saucy vulnerabilities (USN-2239-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An
unprivileged local user could exploit this flaw to cause a denial of
service (system crash) or gain administrative privileges.
(CVE-2014-3153)

A flaw was discovered in the Linux kernel virtual machine's (kvm)
validation of interrupt requests (irq). A guest OS user could exploit
this flaw to cause a denial of service (host OS crash).
(CVE-2014-0155)

An information leak was discovered in the netfilter subsystem of the
Linux kernel. An attacker could exploit this flaw to obtain sensitive
information from kernel memory. (CVE-2014-2568)

Sasha Levin reported a bug in the Linux kernel's virtual memory
management subsystem. An unprivileged local user could exploit this
flaw to cause a denial of service (system crash). (CVE-2014-3122).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2239-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected linux-image-3.11-generic and / or
linux-image-3.11-generic-lpae packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Android "Towelroot" Futex Requeue Kernel Exploit');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.11-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.11-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/06/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2014-0155", "CVE-2014-2568", "CVE-2014-3122", "CVE-2014-3153");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2239-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.11.0-23-generic", pkgver:"3.11.0-23.40~precise1")) flag++;
if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.11.0-23-generic-lpae", pkgver:"3.11.0-23.40~precise1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.11-generic / linux-image-3.11-generic-lpae");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124801);
  script_version("1.5");
  script_cvs_date("Date: 2019/12/03");

  script_cve_id(
    "CVE-2013-7265",
    "CVE-2013-7266",
    "CVE-2013-7267",
    "CVE-2013-7268",
    "CVE-2013-7269",
    "CVE-2013-7270",
    "CVE-2013-7271",
    "CVE-2013-7281",
    "CVE-2013-7339",
    "CVE-2013-7421",
    "CVE-2013-7446",
    "CVE-2014-0038",
    "CVE-2014-0049",
    "CVE-2014-0069",
    "CVE-2014-0077",
    "CVE-2014-0100",
    "CVE-2014-0101",
    "CVE-2014-0102",
    "CVE-2014-0131",
    "CVE-2014-0155",
    "CVE-2014-0181"
  );
  script_bugtraq_id(
    64677,
    64739,
    64741,
    64742,
    64743,
    64744,
    64746,
    64747,
    65255,
    65588,
    65909,
    65943,
    65952,
    65961,
    66101,
    66351,
    66678,
    66688,
    67034,
    72322
  );

  script_name(english:"EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1477)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :

  - The pn_recvmsg function in net/phonet/datagram.c in the
    Linux kernel before 3.12.4 updates a certain length
    value before ensuring that an associated data structure
    has been initialized, which allows local users to
    obtain sensitive information from kernel stack memory
    via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system
    call.(CVE-2013-7265)

  - The mISDN_sock_recvmsg function in
    drivers/isdn/mISDN/socket.c in the Linux kernel before
    3.12.4 does not ensure that a certain length value is
    consistent with the size of an associated data
    structure, which allows local users to obtain sensitive
    information from kernel memory via a (1) recvfrom, (2)
    recvmmsg, or (3) recvmsg system call.(CVE-2013-7266)

  - The atalk_recvmsg function in net/appletalk/ddp.c in
    the Linux kernel before 3.12.4 updates a certain length
    value without ensuring that an associated data
    structure has been initialized, which allows local
    users to obtain sensitive information from kernel
    memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
    system call.(CVE-2013-7267)

  - The ipx_recvmsg function in net/ipx/af_ipx.c in the
    Linux kernel before 3.12.4 updates a certain length
    value without ensuring that an associated data
    structure has been initialized, which allows local
    users to obtain sensitive information from kernel
    memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
    system call.(CVE-2013-7268)

  - The nr_recvmsg function in net/netrom/af_netrom.c in
    the Linux kernel before 3.12.4 updates a certain length
    value without ensuring that an associated data
    structure has been initialized, which allows local
    users to obtain sensitive information from kernel
    memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
    system call.(CVE-2013-7269)

  - The packet_recvmsg function in net/packet/af_packet.c
    in the Linux kernel before 3.12.4 updates a certain
    length value before ensuring that an associated data
    structure has been initialized, which allows local
    users to obtain sensitive information from kernel
    memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
    system call.(CVE-2013-7270)

  - The x25_recvmsg function in net/x25/af_x25.c in the
    Linux kernel before 3.12.4 updates a certain length
    value without ensuring that an associated data
    structure has been initialized, which allows local
    users to obtain sensitive information from kernel
    memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
    system call.(CVE-2013-7271)

  - The dgram_recvmsg function in net/ieee802154/dgram.c in
    the Linux kernel before 3.12.4 updates a certain length
    value without ensuring that an associated data
    structure has been initialized, which allows local
    users to obtain sensitive information from kernel stack
    memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
    system call.(CVE-2013-7281)

  - A NULL pointer dereference flaw was found in the
    rds_ib_laddr_check() function in the Linux kernel's
    implementation of Reliable Datagram Sockets (RDS). A
    local, unprivileged user could use this flaw to crash
    the system.(CVE-2013-7339)

  - A flaw was found in the way the Linux kernel's Crypto
    subsystem handled automatic loading of kernel modules.
    A local user could use this flaw to load any installed
    kernel module, and thus increase the attack surface of
    the running kernel.(CVE-2013-7421)

  - A flaw was found in the Linux kernel's implementation
    of Unix sockets. A server polling for client-socket
    data could put the peer socket on a wait list the peer
    socket could then close the connection, making the
    reference on the wait list no longer valid. This could
    lead to bypassing the permissions on a Unix socket and
    packets being injected into the stream, and could also
    panic the machine (denial of service).(CVE-2013-7446)

  - The compat_sys_recvmmsg function in net/compat.c in the
    Linux kernel before 3.13.2, when CONFIG_X86_X32 is
    enabled, allows local users to gain privileges via a
    recvmmsg system call with a crafted timeout pointer
    parameter.(CVE-2014-0038)

  - Buffer overflow in the complete_emulated_mmio function
    in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6
    allows guest OS users to execute arbitrary code on the
    host OS by leveraging a loop that triggers an invalid
    memory copy affecting certain cancel_work_item
    data.(CVE-2014-0049)

  - The cifs_iovec_write function in fs/cifs/file.c in the
    Linux kernel through 3.13.5 does not properly handle
    uncached write operations that copy fewer than the
    requested number of bytes, which allows local users to
    obtain sensitive information from kernel memory, cause
    a denial of service (memory corruption and system
    crash), or possibly gain privileges via a writev system
    call with a crafted pointer.(CVE-2014-0069)

  - drivers/vhost/net.c in the Linux kernel before 3.13.10,
    when mergeable buffers are disabled, does not properly
    validate packet lengths, which allows guest OS users to
    cause a denial of service (memory corruption and host
    OS crash) or possibly gain privileges on the host OS
    via crafted packets, related to the handle_rx and
    get_rx_bufs functions.(CVE-2014-0077)

  - Race condition in the inet_frag_intern function in
    net/ipv4/inet_fragment.c in the Linux kernel through
    3.13.6 allows remote attackers to cause a denial of
    service (use-after-free error) or possibly have
    unspecified other impact via a large series of
    fragmented ICMP Echo Request packets to a system with a
    heavy CPU load.(CVE-2014-0100)

  - A flaw was found in the way the Linux kernel processed
    an authenticated COOKIE_ECHO chunk during the
    initialization of an SCTP connection. A remote attacker
    could use this flaw to crash the system by initiating a
    specially crafted SCTP handshake in order to trigger a
    NULL pointer dereference on the system.(CVE-2014-0101)

  - The keyring_detect_cycle_iterator function in
    security/keys/keyring.c in the Linux kernel through
    3.13.6 does not properly determine whether keyrings are
    identical, which allows local users to cause a denial
    of service (OOPS) via crafted keyctl
    commands.(CVE-2014-0102)

  - Use-after-free vulnerability in the skb_segment
    function in net/core/skbuff.c in the Linux kernel
    through 3.13.6 allows attackers to obtain sensitive
    information from kernel memory by leveraging the
    absence of a certain orphaning
    operation.(CVE-2014-0131)

  - The ioapic_deliver function in virt/kvm/ioapic.c in the
    Linux kernel through 3.14.1 does not properly validate
    the kvm_irq_delivery_to_apic return value, which allows
    guest OS users to cause a denial of service (host OS
    crash) via a crafted entry in the redirection table of
    an I/O APIC. NOTE: the affected code was moved to the
    ioapic_service function before the vulnerability was
    announced.(CVE-2014-0155)

  - It was found that the permission checks performed by
    the Linux kernel when a netlink message was received
    were not sufficient. A local, unprivileged user could
    potentially bypass these restrictions by passing a
    netlink socket as stdout or stderr to a more privileged
    process and altering the output of this
    process.(CVE-2014-0181)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1477
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a2db0b02");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel recvmmsg Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["kernel-3.10.0-862.14.1.6_42",
        "kernel-devel-3.10.0-862.14.1.6_42",
        "kernel-headers-3.10.0-862.14.1.6_42",
        "kernel-tools-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-3.10.0-862.14.1.6_42",
        "kernel-tools-libs-devel-3.10.0-862.14.1.6_42",
        "perf-3.10.0-862.14.1.6_42",
        "python-perf-3.10.0-862.14.1.6_42"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2337-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(77492);
  script_version("1.19");
  script_cvs_date("Date: 2019/09/19 12:54:30");

  script_cve_id("CVE-2014-0155", "CVE-2014-0181", "CVE-2014-0206", "CVE-2014-4014", "CVE-2014-4027", "CVE-2014-4171", "CVE-2014-4508", "CVE-2014-4652", "CVE-2014-4653", "CVE-2014-4654", "CVE-2014-4655", "CVE-2014-4656", "CVE-2014-4667", "CVE-2014-5045");
  script_bugtraq_id(66688, 67034, 67985, 67988, 68126, 68157, 68162, 68163, 68164, 68170, 68176, 68224, 68862);
  script_xref(name:"USN", value:"2337-1");

  script_name(english:"Ubuntu 14.04 LTS : linux vulnerabilities (USN-2337-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A flaw was discovered in the Linux kernel virtual machine's (kvm)
validation of interrupt requests (irq). A guest OS user could exploit
this flaw to cause a denial of service (host OS crash).
(CVE-2014-0155)

Andy Lutomirski discovered a flaw in the authorization of netlink
socket operations when a socket is passed to a process of more
privilege. A local user could exploit this flaw to bypass access
restrictions by having a privileged executable do something it was not
intended to do. (CVE-2014-0181)

An information leak was discovered in the Linux kernels
aio_read_events_ring function. A local user could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2014-0206)

A flaw was discovered in the Linux kernel's implementation of user
namespaces with respect to inode permissions. A local user could
exploit this flaw by creating a user namespace to gain administrative
privileges. (CVE-2014-4014)

An information leak was discovered in the rd_mcp backend of the iSCSI
target subsystem in the Linux kernel. A local user could exploit this
flaw to obtain sensitive information from ramdisk_mcp memory by
leveraging access to a SCSI initiator. (CVE-2014-4027)

Sasha Levin reported an issue with the Linux kernel's shared memory
subsystem when used with range notifications and hole punching. A
local user could exploit this flaw to cause a denial of service.
(CVE-2014-4171)

Toralf Forster reported an error in the Linux kernels syscall
auditing on 32 bit x86 platforms. A local user could exploit this flaw
to cause a denial of service (OOPS and system crash). (CVE-2014-4508)

An information leak was discovered in the control implemenation of the
Advanced Linux Sound Architecture (ALSA) subsystem in the Linux
kernel. A local user could exploit this flaw to obtain sensitive
information from kernel memory. (CVE-2014-4652)

A use-after-free flaw was discovered in the Advanced Linux Sound
Architecture (ALSA) control implementation of the Linux kernel. A
local user could exploit this flaw to cause a denial of service
(system crash). (CVE-2014-4653)

A authorization bug was discovered with the snd_ctl_elem_add function
of the Advanced Linux Sound Architecture (ALSA) in the Linux kernel. A
local user could exploit his bug to cause a denial of service (remove
kernel controls). (CVE-2014-4654)

A flaw discovered in how the snd_ctl_elem function of the Advanced
Linux Sound Architecture (ALSA) handled a reference count. A local
user could exploit this flaw to cause a denial of service (integer
overflow and limit bypass). (CVE-2014-4655)

An integer overflow flaw was discovered in the control implementation
of the Advanced Linux Sound Architecture (ALSA). A local user could
exploit this flaw to cause a denial of service (system crash).
(CVE-2014-4656)

An integer underflow flaw was discovered in the Linux kernel's
handling of the backlog value for certain SCTP packets. A remote
attacker could exploit this flaw to cause a denial of service (socket
outage) via a crafted SCTP packet. (CVE-2014-4667)

Vasily Averin discover a reference count flaw during attempts to
umount in conjunction with a symlink. A local user could exploit this
flaw to cause a denial of service (memory consumption or use after
free) or possibly have other unspecified impact. (CVE-2014-5045).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2337-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected linux-image-3.13-generic,
linux-image-3.13-generic-lpae and / or linux-image-3.13-lowlatency
packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-lowlatency");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/09/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(14\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2014-0155", "CVE-2014-0181", "CVE-2014-0206", "CVE-2014-4014", "CVE-2014-4027", "CVE-2014-4171", "CVE-2014-4508", "CVE-2014-4652", "CVE-2014-4653", "CVE-2014-4654", "CVE-2014-4655", "CVE-2014-4656", "CVE-2014-4667", "CVE-2014-5045");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2337-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-35-generic", pkgver:"3.13.0-35.62")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-35-generic-lpae", pkgver:"3.13.0-35.62")) flag++;
if (ubuntu_check(osver:"14.04", pkgname:"linux-image-3.13.0-35-lowlatency", pkgver:"3.13.0-35.62")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.13-generic / linux-image-3.13-generic-lpae / etc");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2241-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(74361);
  script_version("1.19");
  script_cvs_date("Date: 2019/09/19 12:54:30");

  script_cve_id("CVE-2014-0155", "CVE-2014-2568", "CVE-2014-3122", "CVE-2014-3153");
  script_xref(name:"USN", value:"2241-1");

  script_name(english:"Ubuntu 13.10 : linux vulnerabilities (USN-2241-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Pinkie Pie discovered a flaw in the Linux kernel's futex subsystem. An
unprivileged local user could exploit this flaw to cause a denial of
service (system crash) or gain administrative privileges.
(CVE-2014-3153)

A flaw was discovered in the Linux kernel virtual machine's (kvm)
validation of interrupt requests (irq). A guest OS user could exploit
this flaw to cause a denial of service (host OS crash).
(CVE-2014-0155)

An information leak was discovered in the netfilter subsystem of the
Linux kernel. An attacker could exploit this flaw to obtain sensitive
information from kernel memory. (CVE-2014-2568)

Sasha Levin reported a bug in the Linux kernel's virtual memory
management subsystem. An unprivileged local user could exploit this
flaw to cause a denial of service (system crash). (CVE-2014-3122).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2241-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected linux-image-3.11-generic and / or
linux-image-3.11-generic-lpae packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Android "Towelroot" Futex Requeue Kernel Exploit');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.11-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.11-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:13.10");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/06/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(13\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 13.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2014-0155", "CVE-2014-2568", "CVE-2014-3122", "CVE-2014-3153");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2241-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"13.10", pkgname:"linux-image-3.11.0-23-generic", pkgver:"3.11.0-23.40")) flag++;
if (ubuntu_check(osver:"13.10", pkgname:"linux-image-3.11.0-23-generic-lpae", pkgver:"3.11.0-23.40")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.11-generic / linux-image-3.11-generic-lpae");
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-2336-1. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(77491);
  script_version("1.19");
  script_cvs_date("Date: 2019/09/19 12:54:30");

  script_cve_id("CVE-2014-0155", "CVE-2014-0181", "CVE-2014-0206", "CVE-2014-4014", "CVE-2014-4027", "CVE-2014-4171", "CVE-2014-4508", "CVE-2014-4652", "CVE-2014-4653", "CVE-2014-4654", "CVE-2014-4655", "CVE-2014-4656", "CVE-2014-4667", "CVE-2014-5045");
  script_bugtraq_id(66688, 67034, 67985, 67988, 68126, 68157, 68162, 68163, 68164, 68170, 68176, 68224, 68862);
  script_xref(name:"USN", value:"2336-1");

  script_name(english:"Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2336-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A flaw was discovered in the Linux kernel virtual machine's (kvm)
validation of interrupt requests (irq). A guest OS user could exploit
this flaw to cause a denial of service (host OS crash).
(CVE-2014-0155)

Andy Lutomirski discovered a flaw in the authorization of netlink
socket operations when a socket is passed to a process of more
privilege. A local user could exploit this flaw to bypass access
restrictions by having a privileged executable do something it was not
intended to do. (CVE-2014-0181)

An information leak was discovered in the Linux kernels
aio_read_events_ring function. A local user could exploit this flaw to
obtain potentially sensitive information from kernel memory.
(CVE-2014-0206)

A flaw was discovered in the Linux kernel's implementation of user
namespaces with respect to inode permissions. A local user could
exploit this flaw by creating a user namespace to gain administrative
privileges. (CVE-2014-4014)

An information leak was discovered in the rd_mcp backend of the iSCSI
target subsystem in the Linux kernel. A local user could exploit this
flaw to obtain sensitive information from ramdisk_mcp memory by
leveraging access to a SCSI initiator. (CVE-2014-4027)

Sasha Levin reported an issue with the Linux kernel's shared memory
subsystem when used with range notifications and hole punching. A
local user could exploit this flaw to cause a denial of service.
(CVE-2014-4171)

Toralf Forster reported an error in the Linux kernels syscall
auditing on 32 bit x86 platforms. A local user could exploit this flaw
to cause a denial of service (OOPS and system crash). (CVE-2014-4508)

An information leak was discovered in the control implemenation of the
Advanced Linux Sound Architecture (ALSA) subsystem in the Linux
kernel. A local user could exploit this flaw to obtain sensitive
information from kernel memory. (CVE-2014-4652)

A use-after-free flaw was discovered in the Advanced Linux Sound
Architecture (ALSA) control implementation of the Linux kernel. A
local user could exploit this flaw to cause a denial of service
(system crash). (CVE-2014-4653)

A authorization bug was discovered with the snd_ctl_elem_add function
of the Advanced Linux Sound Architecture (ALSA) in the Linux kernel. A
local user could exploit his bug to cause a denial of service (remove
kernel controls). (CVE-2014-4654)

A flaw discovered in how the snd_ctl_elem function of the Advanced
Linux Sound Architecture (ALSA) handled a reference count. A local
user could exploit this flaw to cause a denial of service (integer
overflow and limit bypass). (CVE-2014-4655)

An integer overflow flaw was discovered in the control implementation
of the Advanced Linux Sound Architecture (ALSA). A local user could
exploit this flaw to cause a denial of service (system crash).
(CVE-2014-4656)

An integer underflow flaw was discovered in the Linux kernel's
handling of the backlog value for certain SCTP packets. A remote
attacker could exploit this flaw to cause a denial of service (socket
outage) via a crafted SCTP packet. (CVE-2014-4667)

Vasily Averin discover a reference count flaw during attempts to
umount in conjunction with a symlink. A local user could exploit this
flaw to cause a denial of service (memory consumption or use after
free) or possibly have other unspecified impact. (CVE-2014-5045).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/2336-1/"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected linux-image-3.13-generic and / or
linux-image-3.13-generic-lpae packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.13-generic-lpae");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/09/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/03");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("ubuntu.inc");
include("ksplice.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

if (get_one_kb_item("Host/ksplice/kernel-cves"))
{
  rm_kb_item(name:"Host/uptrack-uname-r");
  cve_list = make_list("CVE-2014-0155", "CVE-2014-0181", "CVE-2014-0206", "CVE-2014-4014", "CVE-2014-4027", "CVE-2014-4171", "CVE-2014-4508", "CVE-2014-4652", "CVE-2014-4653", "CVE-2014-4654", "CVE-2014-4655", "CVE-2014-4656", "CVE-2014-4667", "CVE-2014-5045");
  if (ksplice_cves_check(cve_list))
  {
    audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2336-1");
  }
  else
  {
    _ubuntu_report = ksplice_reporting_text();
  }
}

flag = 0;

if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.13.0-35-generic", pkgver:"3.13.0-35.62~precise1")) flag++;
if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.13.0-35-generic-lpae", pkgver:"3.13.0-35.62~precise1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.13-generic / linux-image-3.13-generic-lpae");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2014-5235.
#

include("compat.inc");

if (description)
{
  script_id(73628);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2014-0155", "CVE-2014-2851");
  script_bugtraq_id(66688, 66779);
  script_xref(name:"FEDORA", value:"2014-5235");

  script_name(english:"Fedora 20 : kernel-3.13.10-200.fc20 (2014-5235)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The 3.13.10 stable update contains a number of important fixes across
the tree.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1081589"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1086730"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2014-April/131859.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?361199bb"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel package."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC20", reference:"kernel-3.13.10-200.fc20")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2014-5609.
#

include("compat.inc");

if (description)
{
  script_id(73872);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2014-0155", "CVE-2014-2851");
  script_bugtraq_id(66688, 66779);
  script_xref(name:"FEDORA", value:"2014-5609");

  script_name(english:"Fedora 19 : kernel-3.13.11-100.fc19 (2014-5609)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The 3.13.11 stable kernel update contains a number of important fixes
across the tree. The 3.13.10 stable update contains a number of
important fixes across the tree.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1081589"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1086730"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132577.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?04ee5d0c"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected kernel package."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:kernel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:19");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/04/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^19([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 19.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC19", reference:"kernel-3.13.11-100.fc19")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#

# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2019-0004. The text
# itself is copyright (C) ZTE, Inc.

include("compat.inc");

if (description)
{
  script_id(127146);
  script_version("1.3");
  script_cvs_date("Date: 2019/09/24 11:01:33");

  script_cve_id(
    "CVE-2013-2888",
    "CVE-2013-2889",
    "CVE-2013-2892",
    "CVE-2013-2930",
    "CVE-2013-4127",
    "CVE-2013-4162",
    "CVE-2013-4163",
    "CVE-2013-4343",
    "CVE-2013-4348",
    "CVE-2013-4350",
    "CVE-2013-4387",
    "CVE-2013-4563",
    "CVE-2013-4579",
    "CVE-2013-4587",
    "CVE-2013-6367",
    "CVE-2013-6368",
    "CVE-2013-6376",
    "CVE-2013-6378",
    "CVE-2013-6380",
    "CVE-2013-6382",
    "CVE-2013-7026",
    "CVE-2013-7266",
    "CVE-2013-7267",
    "CVE-2013-7268",
    "CVE-2013-7269",
    "CVE-2013-7270",
    "CVE-2013-7271",
    "CVE-2014-0049",
    "CVE-2014-0055",
    "CVE-2014-0069",
    "CVE-2014-0077",
    "CVE-2014-0100",
    "CVE-2014-0101",
    "CVE-2014-0102",
    "CVE-2014-0131",
    "CVE-2014-0155",
    "CVE-2014-1438",
    "CVE-2014-1690",
    "CVE-2014-2309",
    "CVE-2014-2523",
    "CVE-2014-3122",
    "CVE-2014-3601",
    "CVE-2014-3610",
    "CVE-2014-4014",
    "CVE-2014-6416",
    "CVE-2014-8480",
    "CVE-2014-8989",
    "CVE-2015-2041",
    "CVE-2015-2042",
    "CVE-2015-7550",
    "CVE-2016-3713",
    "CVE-2016-8399",
    "CVE-2017-6353",
    "CVE-2017-7184",
    "CVE-2017-7541",
    "CVE-2017-7542",
    "CVE-2017-7558",
    "CVE-2017-11176",
    "CVE-2017-14106",
    "CVE-2017-1000111",
    "CVE-2017-1000112"
  );

  script_name(english:"NewStart CGSL MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0004)");

  script_set_attribute(attribute:"synopsis", value:
"The remote machine is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version MAIN 5.04, has kernel packages installed that are affected by multiple
vulnerabilities:

  - Multiple array index errors in drivers/hid/hid-core.c in
    the Human Interface Device (HID) subsystem in the Linux
    kernel through 3.11 allow physically proximate attackers
    to execute arbitrary code or cause a denial of service
    (heap memory corruption) via a crafted device that
    provides an invalid Report ID. (CVE-2013-2888)

  - drivers/hid/hid-zpff.c in the Human Interface Device
    (HID) subsystem in the Linux kernel through 3.11, when
    CONFIG_HID_ZEROPLUS is enabled, allows physically
    proximate attackers to cause a denial of service (heap-
    based out-of-bounds write) via a crafted device.
    (CVE-2013-2889)

  - drivers/hid/hid-pl.c in the Human Interface Device (HID)
    subsystem in the Linux kernel through 3.11, when
    CONFIG_HID_PANTHERLORD is enabled, allows physically
    proximate attackers to cause a denial of service (heap-
    based out-of-bounds write) via a crafted device.
    (CVE-2013-2892)

  - The perf_trace_event_perm function in
    kernel/trace/trace_event_perf.c in the Linux kernel
    before 3.12.2 does not properly restrict access to the
    perf subsystem, which allows local users to enable
    function tracing via a crafted application.
    (CVE-2013-2930)

  - Use-after-free vulnerability in the
    vhost_net_set_backend function in drivers/vhost/net.c in
    the Linux kernel through 3.10.3 allows local users to
    cause a denial of service (OOPS and system crash) via
    vectors involving powering on a virtual machine.
    (CVE-2013-4127)

  - The udp_v6_push_pending_frames function in
    net/ipv6/udp.c in the IPv6 implementation in the Linux
    kernel through 3.10.3 makes an incorrect function call
    for pending data, which allows local users to cause a
    denial of service (BUG and system crash) via a crafted
    application that uses the UDP_CORK option in a
    setsockopt system call. (CVE-2013-4162)

  - The ip6_append_data_mtu function in
    net/ipv6/ip6_output.c in the IPv6 implementation in the
    Linux kernel through 3.10.3 does not properly maintain
    information about whether the IPV6_MTU setsockopt option
    had been specified, which allows local users to cause a
    denial of service (BUG and system crash) via a crafted
    application that uses the UDP_CORK option in a
    setsockopt system call. (CVE-2013-4163)

  - Use-after-free vulnerability in drivers/net/tun.c in the
    Linux kernel through 3.11.1 allows local users to gain
    privileges by leveraging the CAP_NET_ADMIN capability
    and providing an invalid tuntap interface name in a
    TUNSETIFF ioctl call. (CVE-2013-4343)

  - The skb_flow_dissect function in
    net/core/flow_dissector.c in the Linux kernel through
    3.12 allows remote attackers to cause a denial of
    service (infinite loop) via a small value in the IHL
    field of a packet with IPIP encapsulation.
    (CVE-2013-4348)

  - The IPv6 SCTP implementation in net/sctp/ipv6.c in the
    Linux kernel through 3.11.1 uses data structures and
    function calls that do not trigger an intended
    configuration of IPsec encryption, which allows remote
    attackers to obtain sensitive information by sniffing
    the network. (CVE-2013-4350)

  - net/ipv6/ip6_output.c in the Linux kernel through 3.11.4
    does not properly determine the need for UDP
    Fragmentation Offload (UFO) processing of small packets
    after the UFO queueing of a large packet, which allows
    remote attackers to cause a denial of service (memory
    corruption and system crash) or possibly have
    unspecified other impact via network traffic that
    triggers a large response packet. (CVE-2013-4387)

  - The udp6_ufo_fragment function in net/ipv6/udp_offload.c
    in the Linux kernel through 3.12, when UDP Fragmentation
    Offload (UFO) is enabled, does not properly perform a
    certain size comparison before inserting a fragment
    header, which allows remote attackers to cause a denial
    of service (panic) via a large IPv6 UDP packet, as
    demonstrated by use of the Token Bucket Filter (TBF)
    queueing discipline. (CVE-2013-4563)

  - The ath9k_htc_set_bssid_mask function in
    drivers/net/wireless/ath/ath9k/htc_drv_main.c in the
    Linux kernel through 3.12 uses a BSSID masking approach
    to determine the set of MAC addresses on which a Wi-Fi
    device is listening, which allows remote attackers to
    discover the original MAC address after spoofing by
    sending a series of packets to MAC addresses with
    certain bit manipulations. (CVE-2013-4579)

  - Array index error in the kvm_vm_ioctl_create_vcpu
    function in virt/kvm/kvm_main.c in the KVM subsystem in
    the Linux kernel through 3.12.5 allows local users to
    gain privileges via a large id value. (CVE-2013-4587)

  - The apic_get_tmcct function in arch/x86/kvm/lapic.c in
    the KVM subsystem in the Linux kernel through 3.12.5
    allows guest OS users to cause a denial of service
    (divide-by-zero error and host OS crash) via crafted
    modifications of the TMICT value. (CVE-2013-6367)

  - The KVM subsystem in the Linux kernel through 3.12.5
    allows local users to gain privileges or cause a denial
    of service (system crash) via a VAPIC synchronization
    operation involving a page-end address. (CVE-2013-6368)

  - The recalculate_apic_map function in
    arch/x86/kvm/lapic.c in the KVM subsystem in the Linux
    kernel through 3.12.5 allows guest OS users to cause a
    denial of service (host OS crash) via a crafted ICR
    write operation in x2apic mode. (CVE-2013-6376)

  - The lbs_debugfs_write function in
    drivers/net/wireless/libertas/debugfs.c in the Linux
    kernel through 3.12.1 allows local users to cause a
    denial of service (OOPS) by leveraging root privileges
    for a zero-length write operation. (CVE-2013-6378)

  - The aac_send_raw_srb function in
    drivers/scsi/aacraid/commctrl.c in the Linux kernel
    through 3.12.1 does not properly validate a certain size
    value, which allows local users to cause a denial of
    service (invalid pointer dereference) or possibly have
    unspecified other impact via an FSACTL_SEND_RAW_SRB
    ioctl call that triggers a crafted SRB command.
    (CVE-2013-6380)

  - Multiple buffer underflows in the XFS implementation in
    the Linux kernel through 3.12.1 allow local users to
    cause a denial of service (memory corruption) or
    possibly have unspecified other impact by leveraging the
    CAP_SYS_ADMIN capability for a (1)
    XFS_IOC_ATTRLIST_BY_HANDLE or (2)
    XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted
    length value, related to the xfs_attrlist_by_handle
    function in fs/xfs/xfs_ioctl.c and the
    xfs_compat_attrlist_by_handle function in
    fs/xfs/xfs_ioctl32.c. (CVE-2013-6382)

  - Multiple race conditions in ipc/shm.c in the Linux
    kernel before 3.12.2 allow local users to cause a denial
    of service (use-after-free and system crash) or possibly
    have unspecified other impact via a crafted application
    that uses shmctl IPC_RMID operations in conjunction with
    other shm system calls. (CVE-2013-7026)

  - The mISDN_sock_recvmsg function in
    drivers/isdn/mISDN/socket.c in the Linux kernel before
    3.12.4 does not ensure that a certain length value is
    consistent with the size of an associated data
    structure, which allows local users to obtain sensitive
    information from kernel memory via a (1) recvfrom, (2)
    recvmmsg, or (3) recvmsg system call. (CVE-2013-7266)

  - The atalk_recvmsg function in net/appletalk/ddp.c in the
    Linux kernel before 3.12.4 updates a certain length
    value without ensuring that an associated data structure
    has been initialized, which allows local users to obtain
    sensitive information from kernel memory via a (1)
    recvfrom, (2) recvmmsg, or (3) recvmsg system call.
    (CVE-2013-7267)

  - The ipx_recvmsg function in net/ipx/af_ipx.c in the
    Linux kernel before 3.12.4 updates a certain length
    value without ensuring that an associated data structure
    has been initialized, which allows local users to obtain
    sensitive information from kernel memory via a (1)
    recvfrom, (2) recvmmsg, or (3) recvmsg system call.
    (CVE-2013-7268)

  - The nr_recvmsg function in net/netrom/af_netrom.c in the
    Linux kernel before 3.12.4 updates a certain length
    value without ensuring that an associated data structure
    has been initialized, which allows local users to obtain
    sensitive information from kernel memory via a (1)
    recvfrom, (2) recvmmsg, or (3) recvmsg system call.
    (CVE-2013-7269)

  - The packet_recvmsg function in net/packet/af_packet.c in
    the Linux kernel before 3.12.4 updates a certain length
    value before ensuring that an associated data structure
    has been initialized, which allows local users to obtain
    sensitive information from kernel memory via a (1)
    recvfrom, (2) recvmmsg, or (3) recvmsg system call.
    (CVE-2013-7270)

  - The x25_recvmsg function in net/x25/af_x25.c in the
    Linux kernel before 3.12.4 updates a certain length
    value without ensuring that an associated data structure
    has been initialized, which allows local users to obtain
    sensitive information from kernel memory via a (1)
    recvfrom, (2) recvmmsg, or (3) recvmsg system call.
    (CVE-2013-7271)

  - Buffer overflow in the complete_emulated_mmio function
    in arch/x86/kvm/x86.c in the Linux kernel before 3.13.6
    allows guest OS users to execute arbitrary code on the
    host OS by leveraging a loop that triggers an invalid
    memory copy affecting certain cancel_work_item data.
    (CVE-2014-0049)

  - The get_rx_bufs function in drivers/vhost/net.c in the
    vhost-net subsystem in the Linux kernel package before
    2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6
    does not properly handle vhost_get_vq_desc errors, which
    allows guest OS users to cause a denial of service (host
    OS crash) via unspecified vectors. (CVE-2014-0055)

  - The cifs_iovec_write function in fs/cifs/file.c in the
    Linux kernel through 3.13.5 does not properly handle
    uncached write operations that copy fewer than the
    requested number of bytes, which allows local users to
    obtain sensitive information from kernel memory, cause a
    denial of service (memory corruption and system crash),
    or possibly gain privileges via a writev system call
    with a crafted pointer. (CVE-2014-0069)

  - drivers/vhost/net.c in the Linux kernel before 3.13.10,
    when mergeable buffers are disabled, does not properly
    validate packet lengths, which allows guest OS users to
    cause a denial of service (memory corruption and host OS
    crash) or possibly gain privileges on the host OS via
    crafted packets, related to the handle_rx and
    get_rx_bufs functions. (CVE-2014-0077)

  - Race condition in the inet_frag_intern function in
    net/ipv4/inet_fragment.c in the Linux kernel through
    3.13.6 allows remote attackers to cause a denial of
    service (use-after-free error) or possibly have
    unspecified other impact via a large series of
    fragmented ICMP Echo Request packets to a system with a
    heavy CPU load. (CVE-2014-0100)

  - A flaw was found in the way the Linux kernel processed
    an authenticated COOKIE_ECHO chunk during the
    initialization of an SCTP connection. A remote attacker
    could use this flaw to crash the system by initiating a
    specially crafted SCTP handshake in order to trigger a
    NULL pointer dereference on the system. (CVE-2014-0101)

  - The keyring_detect_cycle_iterator function in
    security/keys/keyring.c in the Linux kernel through
    3.13.6 does not properly determine whether keyrings are
    identical, which allows local users to cause a denial of
    service (OOPS) via crafted keyctl commands.
    (CVE-2014-0102)

  - Use-after-free vulnerability in the skb_segment function
    in net/core/skbuff.c in the Linux kernel through 3.13.6
    allows attackers to obtain sensitive information from
    kernel memory by leveraging the absence of a certain
    orphaning operation. (CVE-2014-0131)

  - The ioapic_deliver function in virt/kvm/ioapic.c in the
    Linux kernel through 3.14.1 does not properly validate
    the kvm_irq_delivery_to_apic return value, which allows
    guest OS users to cause a denial of service (host OS
    crash) via a crafted entry in the redirection table of
    an I/O APIC. NOTE: the affected code was moved to the
    ioapic_service function before the vulnerability was
    announced. (CVE-2014-0155)

  - The restore_fpu_checking function in
    arch/x86/include/asm/fpu-internal.h in the Linux kernel
    before 3.12.8 on the AMD K7 and K8 platforms does not
    clear pending exceptions before proceeding to an EMMS
    instruction, which allows local users to cause a denial
    of service (task kill) or possibly gain privileges via a
    crafted application. (CVE-2014-1438)

  - The help function in net/netfilter/nf_nat_irc.c in the
    Linux kernel before 3.12.8 allows remote attackers to
    obtain sensitive information from kernel memory by
    establishing an IRC DCC session in which incorrect
    packet data is transmitted during use of the NAT mangle
    feature. (CVE-2014-1690)

  - The ip6_route_add function in net/ipv6/route.c in the
    Linux kernel through 3.13.6 does not properly count the
    addition of routes, which allows remote attackers to
    cause a denial of service (memory consumption) via a
    flood of ICMPv6 Router Advertisement packets.
    (CVE-2014-2309)

  - net/netfilter/nf_conntrack_proto_dccp.c in the Linux
    kernel through 3.13.6 uses a DCCP header pointer
    incorrectly, which allows remote attackers to cause a
    denial of service (system crash) or possibly execute
    arbitrary code via a DCCP packet that triggers a call to
    the (1) dccp_new, (2) dccp_packet, or (3) dccp_error
    function. (CVE-2014-2523)

  - It was found that the try_to_unmap_cluster() function in
    the Linux kernel's Memory Managment subsystem did not
    properly handle page locking in certain cases, which
    could potentially trigger the BUG_ON() macro in the
    mlock_vma_page() function. A local, unprivileged user
    could use this flaw to crash the system. (CVE-2014-3122)

  - A flaw was found in the way the Linux kernel's
    kvm_iommu_map_pages() function handled IOMMU mapping
    failures. A privileged user in a guest with an assigned
    host device could use this flaw to crash the host.
    (CVE-2014-3601)

  - It was found that KVM's Write to Model Specific Register
    (WRMSR) instruction emulation would write non-canonical
    values passed in by the guest to certain MSRs in the
    host's context. A privileged guest user could use this
    flaw to crash the host. (CVE-2014-3610)

  - The capabilities implementation in the Linux kernel
    before 3.14.8 does not properly consider that namespaces
    are inapplicable to inodes, which allows local users to
    bypass intended chmod restrictions by first creating a
    user namespace, as demonstrated by setting the setgid
    bit on a file with group ownership of root.
    (CVE-2014-4014)

  - Buffer overflow in net/ceph/auth_x.c in Ceph, as used in
    the Linux kernel before 3.16.3, allows remote attackers
    to cause a denial of service (memory corruption and
    panic) or possibly have unspecified other impact via a
    long unencrypted auth ticket. (CVE-2014-6416)

  - The instruction decoder in arch/x86/kvm/emulate.c in the
    KVM subsystem in the Linux kernel before 3.18-rc2 lacks
    intended decoder-table flags for certain RIP-relative
    instructions, which allows guest OS users to cause a
    denial of service (NULL pointer dereference and host OS
    crash) via a crafted application. (CVE-2014-8480)

  - The Linux kernel through 3.17.4 does not properly
    restrict dropping of supplemental group memberships in
    certain namespace scenarios, which allows local users to
    bypass intended file permissions by leveraging a POSIX
    ACL containing an entry for the group category that is
    more restrictive than the entry for the other category,
    aka a negative groups issue, related to
    kernel/groups.c, kernel/uid16.c, and
    kernel/user_namespace.c. (CVE-2014-8989)

  - net/llc/sysctl_net_llc.c in the Linux kernel before 3.19
    uses an incorrect data type in a sysctl table, which
    allows local users to obtain potentially sensitive
    information from kernel memory or possibly have
    unspecified other impact by accessing a sysctl entry.
    (CVE-2015-2041)

  - net/rds/sysctl.c in the Linux kernel before 3.19 uses an
    incorrect data type in a sysctl table, which allows
    local users to obtain potentially sensitive information
    from kernel memory or possibly have unspecified other
    impact by accessing a sysctl entry. (CVE-2015-2042)

  - A NULL-pointer dereference flaw was found in the kernel,
    which is caused by a race between revoking a user-type
    key and reading from it. The issue could be triggered by
    an unprivileged user with a local account, causing the
    kernel to crash (denial of service). (CVE-2015-7550)

  - The msr_mtrr_valid function in arch/x86/kvm/mtrr.c in
    the Linux kernel before 4.6.1 supports MSR 0x2f8, which
    allows guest OS users to read or write to the
    kvm_arch_vcpu data structure, and consequently obtain
    sensitive information or cause a denial of service
    (system crash), via a crafted ioctl call.
    (CVE-2016-3713)

  - A flaw was found in the Linux networking subsystem where
    a local attacker with CAP_NET_ADMIN capabilities could
    cause an out-of-bounds memory access by creating a
    smaller-than-expected ICMP header and sending to its
    destination via sendto(). (CVE-2016-8399)

  - A race condition issue was found in the way the raw
    packet socket implementation in the Linux kernel
    networking subsystem handled synchronization. A local
    user able to open a raw packet socket (requires the
    CAP_NET_RAW capability) could use this to waste
    resources in the kernel's ring buffer or possibly cause
    an out-of-bounds read on the heap leading to a system
    crash. (CVE-2017-1000111)

  - An exploitable memory corruption flaw was found in the
    Linux kernel. The append path can be erroneously
    switched from UFO to non-UFO in ip_ufo_append_data()
    when building an UFO packet with MSG_MORE option. If
    unprivileged user namespaces are available, this flaw
    can be exploited to gain root privileges.
    (CVE-2017-1000112)

  - A use-after-free flaw was found in the Netlink
    functionality of the Linux kernel networking subsystem.
    Due to the insufficient cleanup in the mq_notify
    function, a local attacker could potentially use this
    flaw to escalate their privileges on the system.
    (CVE-2017-11176)

  - A divide-by-zero vulnerability was found in the
    __tcp_select_window function in the Linux kernel. This
    can result in a kernel panic causing a local denial of
    service. (CVE-2017-14106)

  - It was found that the code in net/sctp/socket.c in the
    Linux kernel through 4.10.1 does not properly restrict
    association peel-off operations during certain wait
    states, which allows local users to cause a denial of
    service (invalid unlock and double free) via a
    multithreaded application. This vulnerability was
    introduced by CVE-2017-5986 fix (commit 2dcab5984841).
    (CVE-2017-6353)

  - Out-of-bounds kernel heap access vulnerability was found
    in xfrm, kernel's IP framework for transforming packets.
    An error dealing with netlink messages from an
    unprivileged user leads to arbitrary read/write and
    privilege escalation. (CVE-2017-7184)

  - Kernel memory corruption due to a buffer overflow was
    found in brcmf_cfg80211_mgmt_tx() function in Linux
    kernels from v3.9-rc1 to v4.13-rc1. The vulnerability
    can be triggered by sending a crafted NL80211_CMD_FRAME
    packet via netlink. This flaw is unlikely to be
    triggered remotely as certain userspace code is needed
    for this. An unprivileged local user could use this flaw
    to induce kernel memory corruption on the system,
    leading to a crash. Due to the nature of the flaw,
    privilege escalation cannot be fully ruled out, although
    it is unlikely. (CVE-2017-7541)

  - An integer overflow vulnerability in
    ip6_find_1stfragopt() function was found. A local
    attacker that has privileges (of CAP_NET_RAW) to open
    raw socket can cause an infinite loop inside the
    ip6_find_1stfragopt() function. (CVE-2017-7542)

  - A kernel data leak due to an out-of-bound read was found
    in the Linux kernel in inet_diag_msg_sctp{,l}addr_fill()
    and sctp_get_sctp_info() functions present since version
    4.7-rc1 through version 4.13. A data leak happens when
    these functions fill in sockaddr data structures used to
    export socket's diagnostic information. As a result, up
    to 100 bytes of the slab data could be leaked to a
    userspace. (CVE-2017-7558)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0004");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL kernel packages. Note that updated packages may not be available yet. Please contact ZTE for
more information.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-2523");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");


  script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/ZTE-CGSL/release");
if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");

if (release !~ "CGSL MAIN 5.04")
  audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 5.04');

if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);

flag = 0;

pkgs = {
  "CGSL MAIN 5.04": [
    "kernel-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-abi-whitelists-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-debug-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-debug-debuginfo-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-debug-devel-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-debuginfo-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-debuginfo-common-x86_64-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-devel-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-doc-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-headers-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-tools-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-tools-debuginfo-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-tools-libs-3.10.0-693.5.2.el7.cgsl2058",
    "kernel-tools-libs-devel-3.10.0-693.5.2.el7.cgsl2058",
    "perf-3.10.0-693.5.2.el7.cgsl2058",
    "perf-debuginfo-3.10.0-693.5.2.el7.cgsl2058",
    "python-perf-3.10.0-693.5.2.el7.cgsl2058",
    "python-perf-debuginfo-3.10.0-693.5.2.el7.cgsl2058"
  ]
};
pkg_list = pkgs[release];

foreach (pkg in pkg_list)
  if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124795);
  script_version("1.24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");

  script_cve_id(
    "CVE-2013-2889",
    "CVE-2013-4345",
    "CVE-2013-7421",
    "CVE-2014-0155",
    "CVE-2014-3122",
    "CVE-2014-4014",
    "CVE-2015-3332",
    "CVE-2015-4176",
    "CVE-2016-2184",
    "CVE-2016-2545",
    "CVE-2016-2546",
    "CVE-2017-14340",
    "CVE-2017-16531",
    "CVE-2017-18218",
    "CVE-2017-18360",
    "CVE-2017-5669",
    "CVE-2018-10675",
    "CVE-2018-11232",
    "CVE-2018-18710",
    "CVE-2018-7480"
  );
  script_bugtraq_id(
    62042,
    62740,
    66688,
    67162,
    67988,
    72322,
    74232
  );

  script_name(english:"EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1471)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization for ARM 64 host is missing multiple security
updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the kernel packages installed, the
EulerOS Virtualization for ARM 64 installation on the remote host is
affected by the following vulnerabilities :

  - drivers/hid/hid-zpff.c in the Human Interface Device
    (HID) subsystem in the Linux kernel through 3.11, when
    CONFIG_HID_ZEROPLUS is enabled, allows physically
    proximate attackers to cause a denial of service
    (heap-based out-of-bounds write) via a crafted
    device.(CVE-2013-2889i1/4%0

  - The capabilities implementation in the Linux kernel
    before 3.14.8 does not properly consider that
    namespaces are inapplicable to inodes, which allows
    local users to bypass intended chmod restrictions by
    first creating a user namespace, as demonstrated by
    setting the setgid bit on a file with group ownership
    of root.(CVE-2014-4014i1/4%0

  - The function drivers/usb/core/config.c in the Linux
    kernel, allows local users to cause a denial of service
    (out-of-bounds read and system crash) or possibly have
    unspecified other impact via a crafted USB device,
    related to the USB_DT_INTERFACE_ASSOCIATION
    descriptor.(CVE-2017-16531i1/4%0

  - The snd_timer_interrupt function in sound/core/timer.c
    in the Linux kernel before 4.4.1 does not properly
    maintain a certain linked list, which allows local
    users to cause a denial of service (race condition and
    system crash) via a crafted ioctl
    call.(CVE-2016-2545i1/4%0

  - A flaw was found in the Linux kernel where the deletion
    of a file or directory could trigger an unmount and
    reveal data under a mount point. This flaw was
    inadvertently introduced with the new feature of being
    able to lazily unmount a mount tree when using file
    system user namespaces.(CVE-2015-4176i1/4%0

  - The do_shmat function in ipc/shm.c in the Linux kernel,
    through 4.9.12, does not restrict the address
    calculated by a certain rounding operation. This allows
    privileged local users to map page zero and,
    consequently, bypass a protection mechanism that exists
    for the mmap system call. This is possible by making
    crafted shmget and shmat system calls in a privileged
    context.(CVE-2017-5669i1/4%0

  - In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the
    Linux kernel, before 4.13, local users can cause a
    denial of service (use-after-free and BUG) or possibly
    have unspecified other impact by leveraging differences
    in skb handling between hns_nic_net_xmit_hw and
    hns_nic_net_xmit.(CVE-2017-18218i1/4%0

  - The ioapic_deliver function in virt/kvm/ioapic.c in the
    Linux kernel through 3.14.1 does not properly validate
    the kvm_irq_delivery_to_apic return value, which allows
    guest OS users to cause a denial of service (host OS
    crash) via a crafted entry in the redirection table of
    an I/O APIC. NOTE: the affected code was moved to the
    ioapic_service function before the vulnerability was
    announced.(CVE-2014-0155i1/4%0

  - A flaw was found in the way the Linux kernel's Crypto
    subsystem handled automatic loading of kernel modules.
    A local user could use this flaw to load any installed
    kernel module, and thus increase the attack surface of
    the running kernel.(CVE-2013-7421i1/4%0

  - Off-by-one error in the get_prng_bytes function in
    crypto/ansi_cprng.c in the Linux kernel through 3.11.4
    makes it easier for context-dependent attackers to
    defeat cryptographic protection mechanisms via multiple
    requests for small amounts of data, leading to improper
    management of the state of the consumed
    data.(CVE-2013-4345i1/4%0

  - sound/core/timer.c in the Linux kernel before 4.4.1
    uses an incorrect type of mutex, which allows local
    users to cause a denial of service (race condition,
    use-after-free, and system crash) via a crafted ioctl
    call.(CVE-2016-2546i1/4%0

  - The do_get_mempolicy function in mm/mempolicy.c in the
    Linux kernel before 4.12.9 allows local users to cause
    a denial of service (use-after-free) or possibly have
    unspecified other impact via crafted system
    calls.(CVE-2018-10675i1/4%0

  - A certain backport in the TCP Fast Open implementation
    for the Linux kernel before 3.18 does not properly
    maintain a count value, which allow local users to
    cause a denial of service (system crash) via the Fast
    Open feature, as demonstrated by visiting the
    chrome://flags/#enable-tcp-fast-open URL when using
    certain 3.10.x through 3.16.x kernel builds, including
    longterm-maintenance releases and ckt (aka Canonical
    Kernel Team) builds.(CVE-2015-3332i1/4%0

  - It was found that the try_to_unmap_cluster() function
    in the Linux kernel's Memory Managment subsystem did
    not properly handle page locking in certain cases,
    which could potentially trigger the BUG_ON() macro in
    the mlock_vma_page() function. A local, unprivileged
    user could use this flaw to crash the
    system.(CVE-2014-3122i1/4%0

  - The blkcg_init_queue function in block/blk-cgroup.c in
    the Linux kernel, before 4.11, allows local users to
    cause a denial of service (double free) or possibly
    have unspecified other impact by triggering a creation
    failure.(CVE-2018-7480i1/4%0

  - The create_fixed_stream_quirk function in
    sound/usb/quirks.c in the snd-usb-audio driver in the
    Linux kernel before 4.5.1 allows physically proximate
    attackers to cause a denial of service (NULL pointer
    dereference or double free, and system crash) via a
    crafted endpoints value in a USB device
    descriptor.(CVE-2016-2184i1/4%0

  - The etm_setup_aux function in
    drivers/hwtracing/coresight/coresight-etm-perf.c in the
    Linux kernel before 4.10.2 allows attackers to cause a
    denial of service (panic) because a parameter is
    incorrectly used as a local variable.(CVE-2018-11232i1/4%0

  - A division-by-zero in set_termios(), when debugging is
    enabled, was found in the Linux kernel. When the
    [io_ti] driver is loaded, a local unprivileged attacker
    can request incorrect high transfer speed in the
    change_port_settings() in the
    drivers/usb/serial/io_ti.c so that the divisor value
    becomes zero and causes a system crash resulting in a
    denial of service.(CVE-2017-18360i1/4%0

  - A flaw was found where the XFS filesystem code
    mishandles a user-settable inode flag in the Linux
    kernel prior to 4.14-rc1. This can cause a local denial
    of service via a kernel panic.(CVE-2017-14340i1/4%0

  - An issue was discovered in the Linux kernel through
    4.19. An information leak in cdrom_ioctl_select_disc in
    drivers/cdrom/cdrom.c could be used by local attackers
    to read kernel memory because a cast from unsigned long
    to int interferes with bounds
    checking.(CVE-2018-18710i1/4%0

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1471
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d86ae156");
  script_set_attribute(attribute:"solution", value:
"Update the affected kernel packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

flag = 0;

pkgs = ["kernel-4.19.28-1.2.117",
        "kernel-devel-4.19.28-1.2.117",
        "kernel-headers-4.19.28-1.2.117",
        "kernel-tools-4.19.28-1.2.117",
        "kernel-tools-libs-4.19.28-1.2.117",
        "kernel-tools-libs-devel-4.19.28-1.2.117",
        "perf-4.19.28-1.2.117",
        "python-perf-4.19.28-1.2.117"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from SuSE 11 update information. The text itself is
# copyright (C) Novell, Inc.
#

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(76557);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2012-2372", "CVE-2013-2929", "CVE-2013-4299", "CVE-2013-4579", "CVE-2013-6382", "CVE-2013-7339", "CVE-2014-0055", "CVE-2014-0077", "CVE-2014-0101", "CVE-2014-0131", "CVE-2014-0155", "CVE-2014-1444", "CVE-2014-1445", "CVE-2014-1446", "CVE-2014-1874", "CVE-2014-2309", "CVE-2014-2523", "CVE-2014-2678", "CVE-2014-2851", "CVE-2014-3122", "CVE-2014-3144", "CVE-2014-3145", "CVE-2014-3917", "CVE-2014-4508", "CVE-2014-4652", "CVE-2014-4653", "CVE-2014-4654", "CVE-2014-4655", "CVE-2014-4656", "CVE-2014-4699");

  script_name(english:"SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 9488 / 9491 / 9493)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SuSE 11 host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to
fix various bugs and security issues.

The following security bugs have been fixed :

  - The rds_ib_xmit function in net/rds/ib_send.c in the
    Reliable Datagram Sockets (RDS) protocol implementation
    in the Linux kernel 3.7.4 and earlier allows local users
    to cause a denial of service (BUG_ON and kernel panic)
    by establishing an RDS connection with the source IP
    address equal to the IPoIB interfaces own IP address, as
    demonstrated by rds-ping. (bnc#767610). (CVE-2012-2372)

  - The Linux kernel before 3.12.2 does not properly use the
    get_dumpable function, which allows local users to
    bypass intended ptrace restrictions or obtain sensitive
    information from IA64 scratch registers via a crafted
    application, related to kernel/ptrace.c and
    arch/ia64/include/asm/processor.h. (bnc#847652).
    (CVE-2013-2929)

  - Interpretation conflict in
    drivers/md/dm-snap-persistent.c in the Linux kernel
    through 3.11.6 allows remote authenticated users to
    obtain sensitive information or modify data via a
    crafted mapping to a snapshot block device.
    (bnc#846404). (CVE-2013-4299)

  - The ath9k_htc_set_bssid_mask function in
    drivers/net/wireless/ath/ath9k/htc_drv_main.c in the
    Linux kernel through 3.12 uses a BSSID masking approach
    to determine the set of MAC addresses on which a Wi-Fi
    device is listening, which allows remote attackers to
    discover the original MAC address after spoofing by
    sending a series of packets to MAC addresses with
    certain bit manipulations. (bnc#851426). (CVE-2013-4579)

  - Multiple buffer underflows in the XFS implementation in
    the Linux kernel through 3.12.1 allow local users to
    cause a denial of service (memory corruption) or
    possibly have unspecified other impact by leveraging the
    CAP_SYS_ADMIN capability for a (1)
    XFS_IOC_ATTRLIST_BY_HANDLE or (2)
    XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted
    length value, related to the xfs_attrlist_by_handle
    function in fs/xfs/xfs_ioctl.c and the
    xfs_compat_attrlist_by_handle function in
    fs/xfs/xfs_ioctl32.c. (bnc#852553). (CVE-2013-6382)

  - The rds_ib_laddr_check function in net/rds/ib.c in the
    Linux kernel before 3.12.8 allows local users to cause a
    denial of service (NULL pointer dereference and system
    crash) or possibly have unspecified other impact via a
    bind system call for an RDS socket on a system that
    lacks RDS transports. (bnc#869563). (CVE-2013-7339)

  - The get_rx_bufs function in drivers/vhost/net.c in the
    vhost-net subsystem in the Linux kernel package before
    2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6
    does not properly handle vhost_get_vq_desc errors, which
    allows guest OS users to cause a denial of service (host
    OS crash) via unspecified vectors. (bnc#870173).
    (CVE-2014-0055)

  - drivers/vhost/net.c in the Linux kernel before 3.13.10,
    when mergeable buffers are disabled, does not properly
    validate packet lengths, which allows guest OS users to
    cause a denial of service (memory corruption and host OS
    crash) or possibly gain privileges on the host OS via
    crafted packets, related to the handle_rx and
    get_rx_bufs functions. (bnc#870576). (CVE-2014-0077)

  - The sctp_sf_do_5_1D_ce function in
    net/sctp/sm_statefuns.c in the Linux kernel through
    3.13.6 does not validate certain auth_enable and
    auth_capable fields before making an
    sctp_sf_authenticate call, which allows remote attackers
    to cause a denial of service (NULL pointer dereference
    and system crash) via an SCTP handshake with a modified
    INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO
    chunk. (bnc#866102). (CVE-2014-0101)

  - Use-after-free vulnerability in the skb_segment function
    in net/core/skbuff.c in the Linux kernel through 3.13.6
    allows attackers to obtain sensitive information from
    kernel memory by leveraging the absence of a certain
    orphaning operation. (bnc#867723). (CVE-2014-0131)

  - The ioapic_deliver function in virt/kvm/ioapic.c in the
    Linux kernel through 3.14.1 does not properly validate
    the kvm_irq_delivery_to_apic return value, which allows
    guest OS users to cause a denial of service (host OS
    crash) via a crafted entry in the redirection table of
    an I/O APIC. NOTE: the affected code was moved to the
    ioapic_service function before the vulnerability was
    announced. (bnc#872540). (CVE-2014-0155)

  - The fst_get_iface function in drivers/net/wan/farsync.c
    in the Linux kernel before 3.11.7 does not properly
    initialize a certain data structure, which allows local
    users to obtain sensitive information from kernel memory
    by leveraging the CAP_NET_ADMIN capability for an
    SIOCWANDEV ioctl call. (bnc#858869). (CVE-2014-1444)

  - The wanxl_ioctl function in drivers/net/wan/wanxl.c in
    the Linux kernel before 3.11.7 does not properly
    initialize a certain data structure, which allows local
    users to obtain sensitive information from kernel memory
    via an ioctl call. (bnc#858870). (CVE-2014-1445)

  - The yam_ioctl function in drivers/net/hamradio/yam.c in
    the Linux kernel before 3.12.8 does not initialize a
    certain structure member, which allows local users to
    obtain sensitive information from kernel memory by
    leveraging the CAP_NET_ADMIN capability for an
    SIOCYAMGCFG ioctl call. (bnc#858872). (CVE-2014-1446)

  - The security_context_to_sid_core function in
    security/selinux/ss/services.c in the Linux kernel
    before 3.13.4 allows local users to cause a denial of
    service (system crash) by leveraging the CAP_MAC_ADMIN
    capability to set a zero-length security context.
    (bnc#863335). (CVE-2014-1874)

  - The ip6_route_add function in net/ipv6/route.c in the
    Linux kernel through 3.13.6 does not properly count the
    addition of routes, which allows remote attackers to
    cause a denial of service (memory consumption) via a
    flood of ICMPv6 Router Advertisement packets.
    (bnc#867531). (CVE-2014-2309)

  - net/netfilter/nf_conntrack_proto_dccp.c in the Linux
    kernel through 3.13.6 uses a DCCP header pointer
    incorrectly, which allows remote attackers to cause a
    denial of service (system crash) or possibly execute
    arbitrary code via a DCCP packet that triggers a call to
    the (1) dccp_new, (2) dccp_packet, or (3) dccp_error
    function. (bnc#868653). (CVE-2014-2523)

  - The rds_iw_laddr_check function in net/rds/iw.c in the
    Linux kernel through 3.14 allows local users to cause a
    denial of service (NULL pointer dereference and system
    crash) or possibly have unspecified other impact via a
    bind system call for an RDS socket on a system that
    lacks RDS transports. (bnc#871561). (CVE-2014-2678)

  - Integer overflow in the ping_init_sock function in
    net/ipv4/ping.c in the Linux kernel through 3.14.1
    allows local users to cause a denial of service
    (use-after-free and system crash) or possibly gain
    privileges via a crafted application that leverages an
    improperly managed reference counter. (bnc#873374).
    (CVE-2014-2851)

  - The try_to_unmap_cluster function in mm/rmap.c in the
    Linux kernel before 3.14.3 does not properly consider
    which pages must be locked, which allows local users to
    cause a denial of service (system crash) by triggering a
    memory-usage pattern that requires removal of page-table
    mappings. (bnc#876102). (CVE-2014-3122)

  - The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST
    extension implementations in the sk_run_filter function
    in net/core/filter.c in the Linux kernel through 3.14.3
    do not check whether a certain length value is
    sufficiently large, which allows local users to cause a
    denial of service (integer underflow and system crash)
    via crafted BPF instructions. NOTE: the affected code
    was moved to the __skb_get_nlattr and
    __skb_get_nlattr_nest functions before the vulnerability
    was announced. (bnc#877257). (CVE-2014-3144)

  - The BPF_S_ANC_NLATTR_NEST extension implementation in
    the sk_run_filter function in net/core/filter.c in the
    Linux kernel through 3.14.3 uses the reverse order in a
    certain subtraction, which allows local users to cause a
    denial of service (over-read and system crash) via
    crafted BPF instructions. NOTE: the affected code was
    moved to the __skb_get_nlattr_nest function before the
    vulnerability was announced. (bnc#877257).
    (CVE-2014-3145)

  - kernel/auditsc.c in the Linux kernel through 3.14.5,
    when CONFIG_AUDITSYSCALL is enabled with certain syscall
    rules, allows local users to obtain potentially
    sensitive single-bit values from kernel memory or cause
    a denial of service (OOPS) via a large value of a
    syscall number. (bnc#880484). (CVE-2014-3917)

  - arch/x86/kernel/entry_32.S in the Linux kernel through
    3.15.1 on 32-bit x86 platforms, when syscall auditing is
    enabled and the sep CPU feature flag is set, allows
    local users to cause a denial of service (OOPS and
    system crash) via an invalid syscall number, as
    demonstrated by number. (CVE-2014-4508)

    -. (bnc#883724)

  - Race condition in the tlv handler functionality in the
    snd_ctl_elem_user_tlv function in sound/core/control.c
    in the ALSA control implementation in the Linux kernel
    before 3.15.2 allows local users to obtain sensitive
    information from kernel memory by leveraging
    /dev/snd/controlCX access. (bnc#883795). (CVE-2014-4652)

  - sound/core/control.c in the ALSA control implementation
    in the Linux kernel before 3.15.2 does not ensure
    possession of a read/write lock, which allows local
    users to cause a denial of service (use-after-free) and
    obtain sensitive information from kernel memory by
    leveraging /dev/snd/controlCX access. (bnc#883795).
    (CVE-2014-4653)

  - The snd_ctl_elem_add function in sound/core/control.c in
    the ALSA control implementation in the Linux kernel
    before 3.15.2 does not check authorization for
    SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows
    local users to remove kernel controls and cause a denial
    of service (use-after-free and system crash) by
    leveraging /dev/snd/controlCX access for an ioctl call.
    (bnc#883795). (CVE-2014-4654)

  - The snd_ctl_elem_add function in sound/core/control.c in
    the ALSA control implementation in the Linux kernel
    before 3.15.2 does not properly maintain the
    user_ctl_count value, which allows local users to cause
    a denial of service (integer overflow and limit bypass)
    by leveraging /dev/snd/controlCX access for a large
    number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls.
    (bnc#883795). (CVE-2014-4655)

  - Multiple integer overflows in sound/core/control.c in
    the ALSA control implementation in the Linux kernel
    before 3.15.2 allow local users to cause a denial of
    service by leveraging /dev/snd/controlCX access, related
    to (1) index values in the snd_ctl_add function and (2)
    numid values in the snd_ctl_remove_numid_conflict
    function. (bnc#883795). (CVE-2014-4656)

  - The Linux kernel before 3.15.4 on Intel processors does
    not properly restrict use of a non-canonical value for
    the saved RIP address in the case of a system call that
    does not use IRET, which allows local users to leverage
    a race condition and gain privileges, or cause a denial
    of service (double fault), via a crafted application
    that makes ptrace and fork system calls. (bnc#885725).
    (CVE-2014-4699)

Also the following non-security bugs have been fixed :

  - kernel: avoid page table walk on user space access
    (bnc#878407, LTC#110316).

  - spinlock: fix system hang with spin_retry <= 0
    (bnc#874145, LTC#110189).

  - x86/UV: Set n_lshift based on GAM_GR_CONFIG MMR for UV3.
    (bnc#876176)

  - x86: Enable multiple CPUs in crash kernel. (bnc#846690)

  - x86/mce: Fix CMCI preemption bugs. (bnc#786450)

  - x86, CMCI: Add proper detection of end of CMCI storms.
    (bnc#786450)

  - futex: revert back to the explicit waiter counting code.
    (bnc#851603)

  - futex: avoid race between requeue and wake. (bnc#851603)

  - intel-iommu: fix off-by-one in pagetable freeing.
    (bnc#874577)

  - ia64: Change default PSR.ac from '1' to '0' (Fix erratum
    #237). (bnc#874108)

  - drivers/rtc/interface.c: fix infinite loop in
    initializing the alarm. (bnc#871676)

  - drm/ast: Fix double lock at PM resume. (bnc#883380)

  - drm/ast: add widescreen + rb modes from X.org driver
    (v2). (bnc#883380)

  - drm/ast: deal with bo reserve fail in dirty update path.
    (bnc#883380)

  - drm/ast: do not attempt to acquire a reservation while
    in an interrupt handler. (bnc#883380)

  - drm/ast: fix the ast open key function. (bnc#883380)

  - drm/ast: fix value check in cbr_scan2. (bnc#883380)

  - drm/ast: inline reservations. (bnc#883380)

  - drm/ast: invalidate page tables when pinning a BO.
    (bnc#883380)

  - drm/ast: rename the mindwm/moutdwm and deinline them.
    (bnc#883380)

  - drm/ast: resync the dram post code with upstream.
    (bnc#883380)

  - drm: ast: use drm_can_sleep. (bnc#883380)

  - drm/ast: use drm_modeset_lock_all. (bnc#883380)

  - drm/: Unified handling of unimplemented
    fb->create_handle. (bnc#883380)

  - drm/mgag200,ast,cirrus: fix regression with
    drm_can_sleep conversion. (bnc#883380)

  - drm/mgag200: Consolidate depth/bpp handling.
    (bnc#882324)

  - drm/ast: Initialized data needed to map fbdev memory.
    (bnc#880007)

  - drm/ast: add AST 2400 support. (bnc#880007)

  - drm/ast: Initialized data needed to map fbdev memory.
    (bnc#880007)

  - drm/mgag200: on cards with < 2MB VRAM default to 16-bit.
    (bnc#882324)

  - drm/mgag200: fix typo causing bw limits to be ignored on
    some chips. (bnc#882324)

  - drm/ttm: do not oops if no invalidate_caches().
    (bnc#869414)

  - drm/i915: Break encoder->crtc link separately in
    intel_sanitize_crtc(). (bnc#855126)

  - dlm: keep listening connection alive with sctp mode.
    (bnc#881939)

  - series.conf: Clarify comment about Xen kabi adjustments
    (bnc#876114#c25)

  - btrfs: fix a crash when running balance and defrag
    concurrently.

  - btrfs: unset DCACHE_DISCONNECTED when mounting default
    subvol. (bnc#866615)

  - btrfs: free delayed node outside of root->inode_lock.
    (bnc#866864)

  - btrfs: return EPERM when deleting a default subvolume.
    (bnc#869934)

  - btrfs: do not loop on large offsets in readdir.
    (bnc#863300)

  - sched: Consider pi boosting in setscheduler.

  - sched: Queue RT tasks to head when prio drops.

  - sched: Adjust sched_reset_on_fork when nothing else
    changes.

  - sched: Fix clock_gettime(CLOCK__CPUTIME_ID)
    monotonicity. (bnc#880357)

  - sched: Do not allow scheduler time to go backwards.
    (bnc#880357)

  - sched: Make scale_rt_power() deal with backward clocks.
    (bnc#865310)

  - sched: Use CPUPRI_NR_PRIORITIES instead of MAX_RT_PRIO
    in cpupri check. (bnc#871861)

  - sched: update_rq_clock() must skip ONE update.
    (bnc#869033, bnc#868528)

  - tcp: allow to disable cwnd moderation in TCP_CA_Loss
    state. (bnc#879921)

  - tcp: clear xmit timers in tcp_v4_syn_recv_sock().
    (bnc#862429)

  - net: add missing bh_unlock_sock() calls. (bnc#862429)

  - bonding: fix vlan_features computing. (bnc#872634)

  - vlan: more careful checksum features handling.
    (bnc#872634)

  - xfrm: fix race between netns cleanup and state expire
    notification. (bnc#879957)

  - xfrm: check peer pointer for null before calling
    inet_putpeer(). (bnc#877775)

  - ipv6: do not overwrite inetpeer metrics prematurely.
    (bnc#867362)

  - pagecachelimit: reduce lru_lock contention for heavy
    parallel kabi fixup:. (bnc#878509, bnc#864464)

  - pagecachelimit: reduce lru_lock contention for heavy
    parallel reclaim. (bnc#878509, bnc#864464)

  - TTY: serial, cleanup include file. (bnc#881571)

  - TTY: serial, fix includes in some drivers. (bnc#881571)

  - serial_core: Fix race in uart_handle_dcd_change.
    (bnc#881571)

  - powerpc/perf: Power8 PMU support. (bnc#832710)

  - powerpc/perf: Add support for SIER. (bnc#832710)

  - powerpc/perf: Add regs_no_sipr(). (bnc#832710)

  - powerpc/perf: Add an accessor for regs->result.
    (bnc#832710)

  - powerpc/perf: Convert mmcra_sipr/sihv() to
    regs_sipr/sihv(). (bnc#832710)

  - powerpc/perf: Add an explict flag indicating presence of
    SLOT field. (bnc#832710)

  - swiotlb: do not assume PA 0 is invalid. (bnc#865882)

  - lockref: implement lockless reference count updates
    using cmpxchg() (FATE#317271).

  - af_iucv: wrong mapping of sent and confirmed skbs
    (bnc#878407, LTC#110452).

  - af_iucv: recvmsg problem for SOCK_STREAM sockets
    (bnc#878407, LTC#110452).

  - af_iucv: fix recvmsg by replacing skb_pull() function
    (bnc#878407, LTC#110452).

  - qla2xxx: Poll during initialization for ISP25xx and
    ISP83xx. (bnc#837563)

  - qla2xxx: Fix request queue null dereference.
    (bnc#859840)

  - lpfc 8.3.41: Fixed SLI3 failing FCP write on
    check-condition no-sense with residual zero.
    (bnc#850915)

  - reiserfs: call truncate_setsize under tailpack mutex.
    (bnc#878115)

  - reiserfs: drop vmtruncate. (bnc#878115)

  - ipvs: handle IPv6 fragments with one-packet scheduling.
    (bnc#861980)

  - kabi: hide modifications of struct sk_buff done by
    bnc#861980 fix. (bnc#861980)

  - loop: remove the incorrect write_begin/write_end
    shortcut. (bnc#878123)

  - watchdog: hpwdt patch to display informative string.
    (bnc#862934)

  - watchdog: hpwdt: Patch to ignore auxilary iLO devices.
    (bnc#862934)

  - watchdog: hpwdt: Add check for UEFI bits. (bnc#862934)

  - watchdog: hpwdt.c: Increase version string. (bnc#862934)

  - hpilo: Correct panic when an AUX iLO is detected.
    (bnc#837563)

  - locking/mutexes: Introduce cancelable MCS lock for
    adaptive spinning (FATE#317271).

  - locking/mutexes: Modify the way optimistic spinners are
    queued (FATE#317271).

  - locking/mutexes: Return false if task need_resched() in
    mutex_can_spin_on_owner() (FATE#317271).

  - mutex: Enable the queuing of mutex spinners with MCS
    lock (FATE#317271). config: disabled on all flavors

  - mutex: Queue mutex spinners with MCS lock to reduce
    cacheline contention (FATE#317271).

  - memcg: deprecate memory.force_empty knob. (bnc#878274)

  - kabi: protect struct net from bnc#877013 changes.
    (bnc#877013)

  - netfilter: nfnetlink_queue: add net namespace support
    for nfnetlink_queue. (bnc#877013)

  - netfilter: make /proc/net/netfilter pernet. (bnc#877013)

  - netfilter: xt_hashlimit: fix proc entry leak in netns
    destroy path. (bnc#871634)

  - netfilter: xt_hashlimit: fix namespace destroy path.
    (bnc#871634)

  - netfilter: nf_queue: reject NF_STOLEN verdicts from
    userspace. (bnc#870877)

  - netfilter: avoid double free in nf_reinject.
    (bnc#870877)

  - netfilter: ctnetlink: fix race between delete and
    timeout expiration. (bnc#863410)

  - netfilter: reuse skb->nfct_reasm for ipvs conn
    reference. (bnc#861980)

  - mm: per-thread vma caching (FATE#317271). config: enable
    CONFIG_VMA_CACHE for x86_64/bigsmp

  - mm, hugetlb: improve page-fault scalability
    (FATE#317271).

  - mm: vmscan: Do not throttle based on pfmemalloc reserves
    if node has no ZONE_NORMAL. (bnc#870496)

  - mm: fix off-by-one bug in print_nodes_state().
    (bnc#792271)

  - hugetlb: ensure hugepage access is denied if hugepages
    are not supported (PowerKVM crash when mounting
    hugetlbfs without hugepage support (bnc#870498)).

  - SELinux: Increase ebitmap_node size for 64-bit
    configuration (FATE#317271).

  - SELinux: Reduce overhead of mls_level_isvalid() function
    call (FATE#317271).

  - mutex: Fix debug_mutexes (FATE#317271).

  - mutex: Fix debug checks (FATE#317271).

  - locking/mutexes: Unlock the mutex without the wait_lock
    (FATE#317271).

  - epoll: do not take the nested ep->mtx on EPOLL_CTL_DEL
    (FATE#317271).

  - epoll: do not take global 'epmutex' for simple
    topologies (FATE#317271).

  - epoll: optimize EPOLL_CTL_DEL using rcu (FATE#317271).

  - vfs: Fix missing unlock of vfsmount_lock in unlazy_walk.
    (bnc#880437)

  - dcache: kABI fixes for lockref dentries (FATE#317271).

  - vfs: make sure we do not have a stale root path if
    unlazy_walk() fails (FATE#317271).

  - vfs: fix dentry RCU to refcounting possibly sleeping
    dput() (FATE#317271).

  - vfs: use lockref 'dead' flag to mark unrecoverably dead
    dentries (FATE#317271).

  - vfs: reimplement d_rcu_to_refcount() using
    lockref_get_or_lock() (FATE#317271).

  - vfs: Remove second variable named error in __dentry_path
    (FATE#317271).

  - make prepend_name() work correctly when called with
    negative *buflen (FATE#317271).

  - prepend_path() needs to reinitialize dentry/vfsmount on
    restarts (FATE#317271).

  - dcache: get/release read lock in read_seqbegin_or_lock()
    &amp; friend (FATE#317271).

  - seqlock: Add a new locking reader type (FATE#317271).

  - dcache: Translating dentry into pathname without taking
    rename_lock (FATE#317271).

  - vfs: make the dentry cache use the lockref
    infrastructure (FATE#317271).

  - vfs: Remove dentry->d_lock locking from
    shrink_dcache_for_umount_subtree() (FATE#317271).

  - vfs: use lockref_get_not_zero() for optimistic lockless
    dget_parent() (FATE#317271).

  - vfs: constify dentry parameter in d_count()
    (FATE#317271).

  - helper for reading ->d_count (FATE#317271).

  - lockref: use arch_mutex_cpu_relax() in CMPXCHG_LOOP()
    (FATE#317271).

  - lockref: allow relaxed cmpxchg64 variant for lockless
    updates (FATE#317271).

  - lockref: use cmpxchg64 explicitly for lockless updates
    (FATE#317271).

  - lockref: add ability to mark lockrefs 'dead'
    (FATE#317271).

  - lockref: fix docbook argument names (FATE#317271).

  - lockref: Relax in cmpxchg loop (FATE#317271).

  - lockref: implement lockless reference count updates
    using cmpxchg() (FATE#317271).

  - lockref: uninline lockref helper functions
    (FATE#317271).

  - lockref: add lockref_get_or_lock() helper (FATE#317271).

  - Add new lockref infrastructure reference implementation
    (FATE#317271).

  - vfs: make lremovexattr retry once on ESTALE error.
    (bnc#876463)

  - vfs: make removexattr retry once on ESTALE. (bnc#876463)

  - vfs: make llistxattr retry once on ESTALE error.
    (bnc#876463)

  - vfs: make listxattr retry once on ESTALE error.
    (bnc#876463)

  - vfs: make lgetxattr retry once on ESTALE. (bnc#876463)

  - vfs: make getxattr retry once on an ESTALE error.
    (bnc#876463)

  - vfs: allow lsetxattr() to retry once on ESTALE errors.
    (bnc#876463)

  - vfs: allow setxattr to retry once on ESTALE errors.
    (bnc#876463)

  - vfs: allow utimensat() calls to retry once on an ESTALE
    error. (bnc#876463)

  - vfs: fix user_statfs to retry once on ESTALE errors.
    (bnc#876463)

  - vfs: make fchownat retry once on ESTALE errors.
    (bnc#876463)

  - vfs: make fchmodat retry once on ESTALE errors.
    (bnc#876463)

  - vfs: have chroot retry once on ESTALE error.
    (bnc#876463)

  - vfs: have chdir retry lookup and call once on ESTALE
    error. (bnc#876463)

  - vfs: have faccessat retry once on an ESTALE error.
    (bnc#876463)

  - vfs: have do_sys_truncate retry once on an ESTALE error.
    (bnc#876463)

  - vfs: fix renameat to retry on ESTALE errors.
    (bnc#876463)

  - vfs: make do_unlinkat retry once on ESTALE errors.
    (bnc#876463)

  - vfs: make do_rmdir retry once on ESTALE errors.
    (bnc#876463)

  - vfs: fix linkat to retry once on ESTALE errors.
    (bnc#876463)

  - vfs: fix symlinkat to retry on ESTALE errors.
    (bnc#876463)

  - vfs: fix mkdirat to retry once on an ESTALE error.
    (bnc#876463)

  - vfs: fix mknodat to retry on ESTALE errors. (bnc#876463)

  - vfs: add a flags argument to user_path_parent.
    (bnc#876463)

  - vfs: fix readlinkat to retry on ESTALE. (bnc#876463)

  - vfs: make fstatat retry on ESTALE errors from getattr
    call. (bnc#876463)

  - vfs: add a retry_estale helper function to handle
    retries on ESTALE. (bnc#876463)

  - crypto: s390 - fix aes,des ctr mode concurrency finding
    (bnc#874145, LTC#110078).

  - s390/cio: fix unlocked access of global bitmap
    (bnc#874145, LTC#109378).

  - s390/css: stop stsch loop after cc 3 (bnc#874145,
    LTC#109378).

  - s390/pci: add kmsg man page (bnc#874145, LTC#109224).

  - s390/pci/dma: use correct segment boundary size
    (bnc#866081, LTC#104566).

  - cio: Fix missing subchannels after CHPID configure on
    (bnc#866081, LTC#104808).

  - cio: Fix process hangs during subchannel scan
    (bnc#866081, LTC#104805).

  - cio: fix unusable device (bnc#866081, LTC#104168).

  - qeth: postpone freeing of qdio memory (bnc#874145,
    LTC#107873).

  - Fix race between starved list and device removal.
    (bnc#861636)

  - namei.h: include errno.h. (bnc#876463)

  - ALSA: hda - Implement bind mixer ctls for Conexant.
    (bnc#872188)

  - ALSA: hda - Fix invalid Auto-Mute Mode enum from cxt
    codecs. (bnc#872188)

  - ALSA: hda - Fix conflicting Capture Source on cxt
    codecs. (bnc#872188)

  - ALSA: usb-audio: Fix NULL dereference while quick
    replugging. (bnc#870335)

  - powerpc: Bring all threads online prior to
    migration/hibernation. (bnc#870591)

  - powerpc/pseries: Update dynamic cache nodes for
    suspend/resume operation. (bnc#873463)

  - powerpc/pseries: Device tree should only be updated once
    after suspend/migrate. (bnc#873463)

  - powerpc/pseries: Expose in kernel device tree update to
    drmgr. (bnc#873463)

  - powerpc: Add second POWER8 PVR entry. (bnc#874440)

  - libata/ahci: accommodate tag ordered controllers.
    (bnc#871728)

  - md: try to remove cause of a spinning md thread.
    (bnc#875386)

  - md: fix up plugging (again). (bnc#866800)

  - NFSv4: Fix a reboot recovery race when opening a file.
    (bnc#864404)

  - NFSv4: Ensure delegation recall and byte range lock
    removal do not conflict. (bnc#864404)

  - NFSv4: Fix up the return values of
    nfs4_open_delegation_recall. (bnc#864404)

  - NFSv4.1: Do not lose locks when a server reboots during
    delegation return. (bnc#864404)

  - NFSv4.1: Prevent deadlocks between state recovery and
    file locking. (bnc#864404)

  - NFSv4: Allow the state manager to mark an open_owner as
    being recovered. (bnc#864404)

  - NFS: nfs_inode_return_delegation() should always flush
    dirty data. (bnc#864404)

  - NFSv4: nfs_client_return_marked_delegations cannot flush
    data. (bnc#864404)

  - NFS: avoid excessive GETATTR request when attributes
    expired but cached directory is valid. (bnc#857926)

  - seqlock: add 'raw_seqcount_begin()' function.
    (bnc#864404)

  - Allow nfsdv4 to work when fips=1. (bnc#868488)

  - NFSv4: Add ACCESS operation to OPEN compound.
    (bnc#870958)

  - NFSv4: Fix unnecessary delegation returns in
    nfs4_do_open. (bnc#870958)

  - NFSv4: The NFSv4.0 client must send RENEW calls if it
    holds a delegation. (bnc#863873)

  - NFSv4: nfs4_proc_renew should be declared static.
    (bnc#863873)

  - NFSv4: do not put ACCESS in OPEN compound if O_EXCL.
    (bnc#870958)

  - NFS: revalidate on open if dcache is negative.
    (bnc#876463)

  - NFSD add module parameter to disable delegations.
    (bnc#876463)

  - Do not lose sockets when nfsd shutdown races with
    connection timeout. (bnc#871854)

  - timer: Prevent overflow in apply_slack. (bnc#873061)

  - mei: me: do not load the driver if the FW does not
    support MEI interface. (bnc#821619)

  - ipmi: Reset the KCS timeout when starting error
    recovery. (bnc#870618)

  - ipmi: Fix a race restarting the timer. (bnc#870618)

  - ipmi: increase KCS timeouts. (bnc#870618)

  - bnx2x: Fix kernel crash and data miscompare after EEH
    recovery. (bnc#881761)

  - bnx2x: Adapter not recovery from EEH error injection.
    (bnc#881761)

  - kabi: hide modifications of struct inet_peer done by
    bnc#867953 fix. (bnc#867953)

  - inetpeer: prevent unlinking from unused list twice.
    (bnc#867953)

  - Ignore selected taints for tracepoint modules
    (bnc#870450, FATE#317134).

  - Use 'E' instead of 'X' for unsigned module taint flag
    (bnc#870450,FATE#317134).

  - Fix: module signature vs tracepoints: add new
    TAINT_UNSIGNED_MODULE (bnc#870450,FATE#317134).

  - xhci: extend quirk for Renesas cards. (bnc#877497)

  - scsi: return target failure on EMC inactive snapshot.
    (bnc#840524)

  - virtio_balloon: do not softlockup on huge balloon
    changes. (bnc#871899)

  - ch: add refcounting. (bnc#867517)

  - storvsc: NULL pointer dereference fix. (bnc#865330)

  - Unlock the rename_lock in dentry_path() in the case when
    path is too long. (bnc#868748)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=767610"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=786450"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=792271"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=821619"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=832710"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=837563"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=840524"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=846404"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=846690"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=847652"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=850915"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=851426"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=851603"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=852553"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=855126"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=857926"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=858869"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=858870"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=858872"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=859840"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=861636"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=861980"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=862429"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=862934"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=863300"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=863335"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=863410"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=863873"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=864404"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=864464"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=865310"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=865330"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=865882"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=866081"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=866102"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=866615"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=866800"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=866864"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=867362"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=867517"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=867531"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=867723"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=867953"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=868488"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=868528"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=868653"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=868748"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=869033"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=869414"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=869563"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=869934"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=870173"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=870335"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=870450"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=870496"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=870498"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=870576"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=870591"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=870618"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=870877"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=870958"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=871561"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=871634"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=871676"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=871728"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=871854"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=871861"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=871899"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=872188"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=872540"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=872634"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=873061"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=873374"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=873463"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=874108"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=874145"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=874440"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=874577"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=875386"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=876102"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=876114"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=876176"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=876463"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=877013"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=877257"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=877497"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=877775"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=878115"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=878123"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=878274"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=878407"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=878509"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=879921"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=879957"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=880007"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=880357"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=880437"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=880484"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=881571"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=881761"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=881939"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=882324"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=883380"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=883795"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=885725"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2012-2372.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2929.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-4299.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-4579.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-6382.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-7339.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-0055.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-0077.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-0101.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-0131.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-0155.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-1444.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-1445.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-1446.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-1874.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-2309.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-2523.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-2678.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-2851.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-3122.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-3144.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-3145.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-3917.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-4508.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-4652.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-4653.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-4654.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-4655.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-4656.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2014-4699.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Apply SAT patch number 9488 / 9491 / 9493 as appropriate."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-man");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-ec2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-ec2-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-ec2-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-pae");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-pae-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-pae-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-pae-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-source");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-syms");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-kmp-default");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-kmp-pae");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/07/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/17");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);

pl = get_kb_item("Host/SuSE/patchlevel");
if (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, "SuSE 11.3");


flag = 0;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-default-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-default-base-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-default-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-default-extra-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-pae-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-pae-base-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-pae-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-pae-extra-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-source-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-syms-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-trace-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-xen-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-xen-base-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-xen-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-xen-extra-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"xen-kmp-default-4.2.4_02_3.0.101_0.35-0.7.45")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"xen-kmp-pae-4.2.4_02_3.0.101_0.35-0.7.45")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"kernel-default-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"kernel-default-base-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"kernel-default-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"kernel-default-extra-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"kernel-source-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"kernel-syms-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"kernel-trace-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"kernel-xen-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"kernel-xen-base-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"kernel-xen-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"kernel-xen-extra-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"xen-kmp-default-4.2.4_02_3.0.101_0.35-0.7.45")) flag++;
if (rpm_check(release:"SLES11", sp:3, reference:"kernel-default-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, reference:"kernel-default-base-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, reference:"kernel-default-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, reference:"kernel-source-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, reference:"kernel-syms-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, reference:"kernel-trace-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, reference:"kernel-trace-base-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, reference:"kernel-trace-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-ec2-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-ec2-base-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-ec2-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-pae-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-pae-base-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-pae-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-xen-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-xen-base-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-xen-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"xen-kmp-default-4.2.4_02_3.0.101_0.35-0.7.45")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"xen-kmp-pae-4.2.4_02_3.0.101_0.35-0.7.45")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"kernel-default-man-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"kernel-ec2-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"kernel-ec2-base-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"kernel-ec2-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"kernel-xen-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"kernel-xen-base-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"kernel-xen-devel-3.0.101-0.35.1")) flag++;
if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"xen-kmp-default-4.2.4_02_3.0.101_0.35-0.7.45")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");