Vulnerabilities > CVE-2014-4508 - Numeric Errors vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2334-1.NASL description An flaw was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 77490 published 2014-09-03 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77490 title Ubuntu 12.04 LTS : linux vulnerabilities (USN-2334-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2334-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(77490); script_version("1.15"); script_cvs_date("Date: 2019/09/19 12:54:30"); script_cve_id("CVE-2014-3917", "CVE-2014-4027", "CVE-2014-4171", "CVE-2014-4508", "CVE-2014-4652", "CVE-2014-4653", "CVE-2014-4654", "CVE-2014-4655", "CVE-2014-4656", "CVE-2014-4667", "CVE-2014-5077"); script_bugtraq_id(67699, 67985, 68126, 68157, 68162, 68163, 68164, 68170, 68224, 68881); script_xref(name:"USN", value:"2334-1"); script_name(english:"Ubuntu 12.04 LTS : linux vulnerabilities (USN-2334-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "An flaw was discovered in the Linux kernel's audit subsystem when auditing certain syscalls. A local attacker could exploit this flaw to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS). (CVE-2014-3917) An information leak was discovered in the rd_mcp backend of the iSCSI target subsystem in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator. (CVE-2014-4027) Sasha Levin reported an issue with the Linux kernel's shared memory subsystem when used with range notifications and hole punching. A local user could exploit this flaw to cause a denial of service. (CVE-2014-4171) Toralf Forster reported an error in the Linux kernels syscall auditing on 32 bit x86 platforms. A local user could exploit this flaw to cause a denial of service (OOPS and system crash). (CVE-2014-4508) An information leak was discovered in the control implemenation of the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2014-4652) A use-after-free flaw was discovered in the Advanced Linux Sound Architecture (ALSA) control implementation of the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-4653) A authorization bug was discovered with the snd_ctl_elem_add function of the Advanced Linux Sound Architecture (ALSA) in the Linux kernel. A local user could exploit his bug to cause a denial of service (remove kernel controls). (CVE-2014-4654) A flaw discovered in how the snd_ctl_elem function of the Advanced Linux Sound Architecture (ALSA) handled a reference count. A local user could exploit this flaw to cause a denial of service (integer overflow and limit bypass). (CVE-2014-4655) An integer overflow flaw was discovered in the control implementation of the Advanced Linux Sound Architecture (ALSA). A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-4656) An integer underflow flaw was discovered in the Linux kernel's handling of the backlog value for certain SCTP packets. A remote attacker could exploit this flaw to cause a denial of service (socket outage) via a crafted SCTP packet. (CVE-2014-4667) Jason Gunthorpe reported a flaw with SCTP authentication in the Linux kernel. A remote attacker could exploit this flaw to cause a denial of service (NULL pointer dereference and OOPS). (CVE-2014-5077). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2334-1/" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-generic-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-highbank"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:linux-image-3.2-virtual"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:12.04:-:lts"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/06/05"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/09/03"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("ksplice.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(12\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 12.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2014-3917", "CVE-2014-4027", "CVE-2014-4171", "CVE-2014-4508", "CVE-2014-4652", "CVE-2014-4653", "CVE-2014-4654", "CVE-2014-4655", "CVE-2014-4656", "CVE-2014-4667", "CVE-2014-5077"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for USN-2334-1"); } else { _ubuntu_report = ksplice_reporting_text(); } } flag = 0; if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.2.0-68-generic", pkgver:"3.2.0-68.102")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.2.0-68-generic-pae", pkgver:"3.2.0-68.102")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.2.0-68-highbank", pkgver:"3.2.0-68.102")) flag++; if (ubuntu_check(osver:"12.04", pkgname:"linux-image-3.2.0-68-virtual", pkgver:"3.2.0-68.102")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "linux-image-3.2-generic / linux-image-3.2-generic-pae / etc"); }NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-141202.NASL description The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to fix various bugs and security issues. The following security bugs have been fixed : - The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 did not set a certain killable attribute, which allowed local users to cause a denial of service (memory consumption) via a crafted application. (bnc#779488). (CVE-2012-4398) - drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allowed physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839). (CVE-2013-2889) - The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allowed physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839). (CVE-2013-2893) - Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allowed physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839). (CVE-2013-2897) - drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD is enabled, allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device. (bnc#835839). (CVE-2013-2899) - The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allowed local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#853040, bnc#857643). (CVE-2013-7263) - Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event. (bnc#896382). (CVE-2014-3181) - The report_fixup functions in the HID subsystem in the Linux kernel before 3.16.2 allowed physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c. (bnc#896390). (CVE-2014-3184) - Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel before 3.16.2 allowed physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response. (bnc#896391). (CVE-2014-3185) - Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel through 3.16.3, as used in Android on Nexus 7 devices, allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that sends a large report. (bnc#896392). (CVE-2014-3186) - The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculated the number of pages during the handling of a mapping failure, which allowed guest OS users to (1) cause a denial of service (host OS memory corruption) or possibly have unspecified other impact by triggering a large gfn value or (2) cause a denial of service (host OS memory consumption) by triggering a small gfn value that leads to permanently pinned pages. (bnc#892782). (CVE-2014-3601) - The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 did not properly handle the writing of a non-canonical address to a model-specific register, which allowed guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c. (bnc#899192). (CVE-2014-3610) - arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 did not have an exit handler for the INVVPID instruction, which allowed guest OS users to cause a denial of service (guest OS crash) via a crafted application. (bnc#899192). (CVE-2014-3646) - arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 did not properly perform RIP changes, which allowed guest OS users to cause a denial of service (guest OS crash) via a crafted application. (bnc#899192). (CVE-2014-3647) - The SCTP implementation in the Linux kernel through 3.17.2 allowed remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c. (bnc#902346, bnc#902349). (CVE-2014-3673) - arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. (bnc#883724). (CVE-2014-4508) - * DISPUTED * Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allowed context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says: The Linux kernel is not affected; media hype. (bnc#883948). (CVE-2014-4608) - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 did not properly handle private syscall numbers during use of the ftrace subsystem, which allowed local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application. (bnc#904013). (CVE-2014-7826) - An SCTP server doing ASCONF would panic on malformed INIT ping-of-death. (bnc#905100). (CVE-2014-7841) - The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 did not properly maintain a certain tail pointer, which allowed remote attackers to obtain sensitive cleartext information by reading packets. (bnc#904700). (CVE-2014-8709) - A local user with write access could have used this flaw to crash the kernel or elevate privileges (bnc#905522). The following non-security bugs have been fixed:. (CVE-2014-8884) - Build the KOTD against the SP3 Update project - HID: fix kabi breakage. - NFS: Provide stub nfs_fscache_wait_on_invalidate() for when CONFIG_NFS_FSCACHE=n. - NFS: fix inverted test for delegation in nfs4_reclaim_open_state. (bnc#903331) - NFS: remove incorrect Lock reclaim failed! warning. (bnc#903331) - NFSv4: nfs4_open_done first must check that GETATTR decoded a file type. (bnc#899574) - PCI: pciehp: Clear Data Link Layer State Changed during init. (bnc#898295) - PCI: pciehp: Enable link state change notifications. (bnc#898295) - PCI: pciehp: Handle push button event asynchronously. (bnc#898295) - PCI: pciehp: Make check_link_active() non-static. (bnc#898295) - PCI: pciehp: Use link change notifications for hot-plug and removal. (bnc#898295) - PCI: pciehp: Use per-slot workqueues to avoid deadlock. (bnc#898295) - PCI: pciehp: Use symbolic constants, not hard-coded bitmask. (bnc#898295) - PM / hibernate: Iterate over set bits instead of PFNs in swsusp_free(). (bnc#860441) - be2net: Fix invocation of be_close() after be_clear(). (bnc#895468) - block: Fix bogus partition statistics reports. (bnc#885077 / bnc#891211) - block: Fix computation of merged request priority. - btrfs: Fix wrong device size when we are resizing the device. - btrfs: Return right extent when fiemap gives unaligned offset and len. - btrfs: abtract out range locking in clone ioctl(). - btrfs: always choose work from prio_head first. - btrfs: balance delayed inode updates. - btrfs: cache extent states in defrag code path. - btrfs: check file extent type before anything else. (bnc#897694) - btrfs: clone, do not create invalid hole extent map. - btrfs: correctly determine if blocks are shared in btrfs_compare_trees. - btrfs: do not bug_on if we try to cow a free space cache inode. - btrfs: ensure btrfs_prev_leaf does not miss 1 item. - btrfs: ensure readers see new data after a clone operation. - btrfs: fill_holes: Fix slot number passed to hole_mergeable() call. - btrfs: filter invalid arg for btrfs resize. - btrfs: fix EINVAL checks in btrfs_clone. - btrfs: fix EIO on reading file after ioctl clone works on it. - btrfs: fix a crash of clone with inline extents split. - btrfs: fix crash of compressed writes. (bnc#898375) - btrfs: fix crash when starting transaction. - btrfs: fix deadlock with nested trans handles. - btrfs: fix hang on error (such as ENOSPC) when writing extent pages. - btrfs: fix leaf corruption after __btrfs_drop_extents. - btrfs: fix race between balance recovery and root deletion. - btrfs: fix wrong extent mapping for DirectIO. - btrfs: handle a missing extent for the first file extent. - btrfs: limit delalloc pages outside of find_delalloc_range. (bnc#898375) - btrfs: read lock extent buffer while walking backrefs. - btrfs: remove unused wait queue in struct extent_buffer. - btrfs: replace EINVAL with ERANGE for resize when ULLONG_MAX. - btrfs: replace error code from btrfs_drop_extents. - btrfs: unlock extent and pages on error in cow_file_range. - btrfs: unlock inodes in correct order in clone ioctl. - btrfs_ioctl_clone: Move clone code into its own function. - cifs: delay super block destruction until all cifsFileInfo objects are gone. (bnc#903653) - drm/i915: Flush the PTEs after updating them before suspend. (bnc#901638) - drm/i915: Undo gtt scratch pte unmapping again. (bnc#901638) - ext3: return 32/64-bit dir name hash according to usage type. (bnc#898554) - ext4: return 32/64-bit dir name hash according to usage type. (bnc#898554) - fix: use after free of xfs workqueues. (bnc#894895) - fs: add new FMODE flags: FMODE_32bithash and FMODE_64bithash. (bnc#898554) - futex: Ensure get_futex_key_refs() always implies a barrier (bnc#851603 (futex scalability series)). - futex: Fix a race condition between REQUEUE_PI and task death (bnc#851603 (futex scalability series)). - ipv6: add support of peer address. (bnc#896415) - ipv6: fix a refcnt leak with peer addr. (bnc#896415) - megaraid_sas: Disable fastpath writes for non-RAID0. (bnc#897502) - mm: change __remove_pages() to call release_mem_region_adjustable(). (bnc#891790) - netxen: Fix link event handling. (bnc#873228) - netxen: fix link notification order. (bnc#873228) - nfsd: rename int access to int may_flags in nfsd_open(). (bnc#898554) - nfsd: vfs_llseek() with 32 or 64 bit offsets (hashes). (bnc#898554) - ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page. (bnc#899843) - powerpc: Add smp_mb() to arch_spin_is_locked() (bsc#893758). - powerpc: Add smp_mb()s to arch_spin_unlock_wait() (bsc#893758). - powerpc: Add support for the optimised lockref implementation (bsc#893758). - powerpc: Implement arch_spin_is_locked() using arch_spin_value_unlocked() (bsc#893758). - refresh patches.xen/xen-blkback-multi-page-ring (bnc#897708)). - remove filesize checks for sync I/O journal commit. (bnc#800255) - resource: add __adjust_resource() for internal use. (bnc#891790) - resource: add release_mem_region_adjustable(). (bnc#891790) - revert PM / Hibernate: Iterate over set bits instead of PFNs in swsusp_free(). (bnc#860441) - rpm/mkspec: Generate specfiles according to Factory requirements. - rpm/mkspec: Generate a per-architecture per-package _constraints file - sched: Fix unreleased llc_shared_mask bit during CPU hotplug. (bnc#891368) - scsi_dh_alua: disable ALUA handling for non-disk devices. (bnc#876633) - usb: Do not re-read descriptors for wired devices in usb_authorize_device(). (bnc#904358) - usbback: Do not access request fields in shared ring more than once. - usbhid: add another mouse that needs QUIRK_ALWAYS_POLL. (bnc#888607) - vfs,proc: guarantee unique inodes in /proc. (bnc#868049) - x86, cpu hotplug: Fix stack frame warning incheck_irq_vectors_for_cpu_disable(). (bnc#887418) - x86, ioremap: Speed up check for RAM pages (Boot time optimisations (bnc#895387)). - x86: Add check for number of available vectors before CPU down. (bnc#887418) - x86: optimize resource lookups for ioremap (Boot time optimisations (bnc#895387)). - x86: use optimized ioresource lookup in ioremap function (Boot time optimisations (bnc#895387)). - xfs: Do not free EFIs before the EFDs are committed (bsc#755743). - xfs: Do not reference the EFI after it is freed (bsc#755743). - xfs: fix cil push sequence after log recovery (bsc#755743). - zcrypt: support for extended number of ap domains (bnc#894058, LTC#117041). - zcrypt: toleration of new crypto adapter hardware (bnc#894058, LTC#117041). last seen 2020-06-05 modified 2014-12-26 plugin id 80249 published 2014-12-26 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80249 title SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 10037 / 10040) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(80249); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2012-4398", "CVE-2013-2889", "CVE-2013-2893", "CVE-2013-2897", "CVE-2013-2899", "CVE-2013-7263", "CVE-2014-3181", "CVE-2014-3184", "CVE-2014-3185", "CVE-2014-3186", "CVE-2014-3601", "CVE-2014-3610", "CVE-2014-3646", "CVE-2014-3647", "CVE-2014-3673", "CVE-2014-4508", "CVE-2014-4608", "CVE-2014-7826", "CVE-2014-7841", "CVE-2014-8709", "CVE-2014-8884"); script_name(english:"SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 10037 / 10040)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to fix various bugs and security issues. The following security bugs have been fixed : - The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 did not set a certain killable attribute, which allowed local users to cause a denial of service (memory consumption) via a crafted application. (bnc#779488). (CVE-2012-4398) - drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allowed physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839). (CVE-2013-2889) - The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allowed physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839). (CVE-2013-2893) - Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allowed physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839). (CVE-2013-2897) - drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD is enabled, allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device. (bnc#835839). (CVE-2013-2899) - The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allowed local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#853040, bnc#857643). (CVE-2013-7263) - Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event. (bnc#896382). (CVE-2014-3181) - The report_fixup functions in the HID subsystem in the Linux kernel before 3.16.2 allowed physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c. (bnc#896390). (CVE-2014-3184) - Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel before 3.16.2 allowed physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response. (bnc#896391). (CVE-2014-3185) - Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel through 3.16.3, as used in Android on Nexus 7 devices, allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that sends a large report. (bnc#896392). (CVE-2014-3186) - The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculated the number of pages during the handling of a mapping failure, which allowed guest OS users to (1) cause a denial of service (host OS memory corruption) or possibly have unspecified other impact by triggering a large gfn value or (2) cause a denial of service (host OS memory consumption) by triggering a small gfn value that leads to permanently pinned pages. (bnc#892782). (CVE-2014-3601) - The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 did not properly handle the writing of a non-canonical address to a model-specific register, which allowed guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c. (bnc#899192). (CVE-2014-3610) - arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 did not have an exit handler for the INVVPID instruction, which allowed guest OS users to cause a denial of service (guest OS crash) via a crafted application. (bnc#899192). (CVE-2014-3646) - arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 did not properly perform RIP changes, which allowed guest OS users to cause a denial of service (guest OS crash) via a crafted application. (bnc#899192). (CVE-2014-3647) - The SCTP implementation in the Linux kernel through 3.17.2 allowed remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c. (bnc#902346, bnc#902349). (CVE-2014-3673) - arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. (bnc#883724). (CVE-2014-4508) - * DISPUTED * Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allowed context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says: The Linux kernel is not affected; media hype. (bnc#883948). (CVE-2014-4608) - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 did not properly handle private syscall numbers during use of the ftrace subsystem, which allowed local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application. (bnc#904013). (CVE-2014-7826) - An SCTP server doing ASCONF would panic on malformed INIT ping-of-death. (bnc#905100). (CVE-2014-7841) - The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 did not properly maintain a certain tail pointer, which allowed remote attackers to obtain sensitive cleartext information by reading packets. (bnc#904700). (CVE-2014-8709) - A local user with write access could have used this flaw to crash the kernel or elevate privileges (bnc#905522). The following non-security bugs have been fixed:. (CVE-2014-8884) - Build the KOTD against the SP3 Update project - HID: fix kabi breakage. - NFS: Provide stub nfs_fscache_wait_on_invalidate() for when CONFIG_NFS_FSCACHE=n. - NFS: fix inverted test for delegation in nfs4_reclaim_open_state. (bnc#903331) - NFS: remove incorrect Lock reclaim failed! warning. (bnc#903331) - NFSv4: nfs4_open_done first must check that GETATTR decoded a file type. (bnc#899574) - PCI: pciehp: Clear Data Link Layer State Changed during init. (bnc#898295) - PCI: pciehp: Enable link state change notifications. (bnc#898295) - PCI: pciehp: Handle push button event asynchronously. (bnc#898295) - PCI: pciehp: Make check_link_active() non-static. (bnc#898295) - PCI: pciehp: Use link change notifications for hot-plug and removal. (bnc#898295) - PCI: pciehp: Use per-slot workqueues to avoid deadlock. (bnc#898295) - PCI: pciehp: Use symbolic constants, not hard-coded bitmask. (bnc#898295) - PM / hibernate: Iterate over set bits instead of PFNs in swsusp_free(). (bnc#860441) - be2net: Fix invocation of be_close() after be_clear(). (bnc#895468) - block: Fix bogus partition statistics reports. (bnc#885077 / bnc#891211) - block: Fix computation of merged request priority. - btrfs: Fix wrong device size when we are resizing the device. - btrfs: Return right extent when fiemap gives unaligned offset and len. - btrfs: abtract out range locking in clone ioctl(). - btrfs: always choose work from prio_head first. - btrfs: balance delayed inode updates. - btrfs: cache extent states in defrag code path. - btrfs: check file extent type before anything else. (bnc#897694) - btrfs: clone, do not create invalid hole extent map. - btrfs: correctly determine if blocks are shared in btrfs_compare_trees. - btrfs: do not bug_on if we try to cow a free space cache inode. - btrfs: ensure btrfs_prev_leaf does not miss 1 item. - btrfs: ensure readers see new data after a clone operation. - btrfs: fill_holes: Fix slot number passed to hole_mergeable() call. - btrfs: filter invalid arg for btrfs resize. - btrfs: fix EINVAL checks in btrfs_clone. - btrfs: fix EIO on reading file after ioctl clone works on it. - btrfs: fix a crash of clone with inline extents split. - btrfs: fix crash of compressed writes. (bnc#898375) - btrfs: fix crash when starting transaction. - btrfs: fix deadlock with nested trans handles. - btrfs: fix hang on error (such as ENOSPC) when writing extent pages. - btrfs: fix leaf corruption after __btrfs_drop_extents. - btrfs: fix race between balance recovery and root deletion. - btrfs: fix wrong extent mapping for DirectIO. - btrfs: handle a missing extent for the first file extent. - btrfs: limit delalloc pages outside of find_delalloc_range. (bnc#898375) - btrfs: read lock extent buffer while walking backrefs. - btrfs: remove unused wait queue in struct extent_buffer. - btrfs: replace EINVAL with ERANGE for resize when ULLONG_MAX. - btrfs: replace error code from btrfs_drop_extents. - btrfs: unlock extent and pages on error in cow_file_range. - btrfs: unlock inodes in correct order in clone ioctl. - btrfs_ioctl_clone: Move clone code into its own function. - cifs: delay super block destruction until all cifsFileInfo objects are gone. (bnc#903653) - drm/i915: Flush the PTEs after updating them before suspend. (bnc#901638) - drm/i915: Undo gtt scratch pte unmapping again. (bnc#901638) - ext3: return 32/64-bit dir name hash according to usage type. (bnc#898554) - ext4: return 32/64-bit dir name hash according to usage type. (bnc#898554) - fix: use after free of xfs workqueues. (bnc#894895) - fs: add new FMODE flags: FMODE_32bithash and FMODE_64bithash. (bnc#898554) - futex: Ensure get_futex_key_refs() always implies a barrier (bnc#851603 (futex scalability series)). - futex: Fix a race condition between REQUEUE_PI and task death (bnc#851603 (futex scalability series)). - ipv6: add support of peer address. (bnc#896415) - ipv6: fix a refcnt leak with peer addr. (bnc#896415) - megaraid_sas: Disable fastpath writes for non-RAID0. (bnc#897502) - mm: change __remove_pages() to call release_mem_region_adjustable(). (bnc#891790) - netxen: Fix link event handling. (bnc#873228) - netxen: fix link notification order. (bnc#873228) - nfsd: rename int access to int may_flags in nfsd_open(). (bnc#898554) - nfsd: vfs_llseek() with 32 or 64 bit offsets (hashes). (bnc#898554) - ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page. (bnc#899843) - powerpc: Add smp_mb() to arch_spin_is_locked() (bsc#893758). - powerpc: Add smp_mb()s to arch_spin_unlock_wait() (bsc#893758). - powerpc: Add support for the optimised lockref implementation (bsc#893758). - powerpc: Implement arch_spin_is_locked() using arch_spin_value_unlocked() (bsc#893758). - refresh patches.xen/xen-blkback-multi-page-ring (bnc#897708)). - remove filesize checks for sync I/O journal commit. (bnc#800255) - resource: add __adjust_resource() for internal use. (bnc#891790) - resource: add release_mem_region_adjustable(). (bnc#891790) - revert PM / Hibernate: Iterate over set bits instead of PFNs in swsusp_free(). (bnc#860441) - rpm/mkspec: Generate specfiles according to Factory requirements. - rpm/mkspec: Generate a per-architecture per-package _constraints file - sched: Fix unreleased llc_shared_mask bit during CPU hotplug. (bnc#891368) - scsi_dh_alua: disable ALUA handling for non-disk devices. (bnc#876633) - usb: Do not re-read descriptors for wired devices in usb_authorize_device(). (bnc#904358) - usbback: Do not access request fields in shared ring more than once. - usbhid: add another mouse that needs QUIRK_ALWAYS_POLL. (bnc#888607) - vfs,proc: guarantee unique inodes in /proc. (bnc#868049) - x86, cpu hotplug: Fix stack frame warning incheck_irq_vectors_for_cpu_disable(). (bnc#887418) - x86, ioremap: Speed up check for RAM pages (Boot time optimisations (bnc#895387)). - x86: Add check for number of available vectors before CPU down. (bnc#887418) - x86: optimize resource lookups for ioremap (Boot time optimisations (bnc#895387)). - x86: use optimized ioresource lookup in ioremap function (Boot time optimisations (bnc#895387)). - xfs: Do not free EFIs before the EFDs are committed (bsc#755743). - xfs: Do not reference the EFI after it is freed (bsc#755743). - xfs: fix cil push sequence after log recovery (bsc#755743). - zcrypt: support for extended number of ap domains (bnc#894058, LTC#117041). - zcrypt: toleration of new crypto adapter hardware (bnc#894058, LTC#117041)." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=755743" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=779488" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=800255" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=835839" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=851603" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=853040" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=857643" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=860441" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=868049" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=873228" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=876633" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=883724" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=883948" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=885077" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=887418" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=888607" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=891211" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=891368" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=891790" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=892782" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=893758" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=894058" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=894895" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=895387" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=895468" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=896382" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=896390" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=896391" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=896392" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=896415" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=897502" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=897694" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=897708" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=898295" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=898375" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=898554" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=899192" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=899574" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=899843" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=901638" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=902346" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=902349" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=903331" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=903653" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=904013" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=904358" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=904700" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=905100" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=905522" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-4398.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2013-2889.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2013-2893.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2013-2897.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2013-2899.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2013-7263.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-3181.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-3184.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-3185.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-3186.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-3601.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-3610.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-3646.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-3647.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-3673.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-4508.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-4608.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-7826.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-7841.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-8709.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-8884.html" ); script_set_attribute( attribute:"solution", value:"Apply SAT patch number 10037 / 10040 as appropriate." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-extra"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-default-man"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-ec2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-ec2-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-ec2-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-pae"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-pae-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-pae-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-pae-extra"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-trace-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-xen-extra"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-kmp-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-kmp-pae"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2014/12/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, "SuSE 11.3"); flag = 0; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-default-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-default-base-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-default-devel-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-default-extra-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-pae-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-pae-base-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-pae-devel-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-pae-extra-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-source-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-syms-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-trace-devel-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-xen-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-xen-base-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-xen-devel-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"kernel-xen-extra-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"xen-kmp-default-4.2.5_02_3.0.101_0.42-0.7.2")) flag++; if (rpm_check(release:"SLED11", sp:3, cpu:"i586", reference:"xen-kmp-pae-4.2.5_02_3.0.101_0.42-0.7.2")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-default-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-default-base-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-default-devel-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-ec2-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-ec2-base-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-ec2-devel-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-pae-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-pae-base-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-pae-devel-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-source-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-syms-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-trace-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-trace-base-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-trace-devel-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-xen-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-xen-base-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"kernel-xen-devel-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"xen-kmp-default-4.2.5_02_3.0.101_0.42-0.7.2")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"i586", reference:"xen-kmp-pae-4.2.5_02_3.0.101_0.42-0.7.2")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"kernel-default-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"kernel-default-base-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"kernel-default-devel-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"kernel-default-man-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"kernel-source-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"kernel-syms-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"kernel-trace-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"kernel-trace-base-3.0.101-0.42.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"s390x", reference:"kernel-trace-devel-3.0.101-0.42.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-BIGSMP-201409-140924.NASL description The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to fix various bugs and security issues. The following security bugs have been fixed : - The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call. (bnc#882804). (CVE-2014-1739) - mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call. (bnc#883518). (CVE-2014-4171) - arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. (bnc#883724). (CVE-2014-4508) - The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. (bnc#885422). (CVE-2014-4667) - The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. (bnc#887082). (CVE-2014-4943) - The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction. (bnc#889173). (CVE-2014-5077) - Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry. (bnc#892490). (CVE-2014-5471) - The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry. (bnc#892490). (CVE-2014-5472) - Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c. (bnc#871797). (CVE-2014-2706) - The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator. (bnc#882639). (CVE-2014-4027) - The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification. (bnc#880892). (CVE-2014-3153) - Avoid infinite loop when processing indirect ICBs (bnc#896689) The following non-security bugs have been fixed:. (CVE-2014-6410) - ACPI / PAD: call schedule() when need_resched() is true. (bnc#866911) - ACPI: Fix bug when ACPI reset register is implemented in system memory. (bnc#882900) - ACPI: Limit access to custom_method. (bnc#884333) - ALSA: hda - Enabling Realtek ALC 671 codec. (bnc#891746) - Add option to automatically enforce module signatures when in Secure Boot mode. (bnc#884333) - Add secure_modules() call. (bnc#884333) - Add wait_on_atomic_t() and wake_up_atomic_t(). (bnc#880344) - Backported new patches of Lock down functions for UEFI secure boot Also updated series.conf and removed old patches. - Btrfs: Return EXDEV for cross file system snapshot. - Btrfs: abort the transaction when we does not find our extent ref. - Btrfs: avoid warning bomb of btrfs_invalidate_inodes. - Btrfs: cancel scrub on transaction abortion. - Btrfs: correctly set profile flags on seqlock retry. - Btrfs: does not check nodes for extent items. - Btrfs: fix a possible deadlock between scrub and transaction committing. - Btrfs: fix corruption after write/fsync failure + fsync + log recovery. (bnc#894200) - Btrfs: fix csum tree corruption, duplicate and outdated checksums. (bnc#891619) - Btrfs: fix double free in find_lock_delalloc_range. - Btrfs: fix possible memory leak in btrfs_create_tree(). - Btrfs: fix use of uninit last seen 2020-06-05 modified 2014-10-23 plugin id 78651 published 2014-10-23 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78651 title SuSE 11.3 Security Update : Linux kernel (SAT Patch Number 9750) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(78651); script_version("1.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2013-1979", "CVE-2014-1739", "CVE-2014-2706", "CVE-2014-3153", "CVE-2014-4027", "CVE-2014-4171", "CVE-2014-4508", "CVE-2014-4667", "CVE-2014-4943", "CVE-2014-5077", "CVE-2014-5471", "CVE-2014-5472", "CVE-2014-6410"); script_name(english:"SuSE 11.3 Security Update : Linux kernel (SAT Patch Number 9750)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to fix various bugs and security issues. The following security bugs have been fixed : - The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call. (bnc#882804). (CVE-2014-1739) - mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call. (bnc#883518). (CVE-2014-4171) - arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. (bnc#883724). (CVE-2014-4508) - The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. (bnc#885422). (CVE-2014-4667) - The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. (bnc#887082). (CVE-2014-4943) - The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction. (bnc#889173). (CVE-2014-5077) - Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry. (bnc#892490). (CVE-2014-5471) - The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry. (bnc#892490). (CVE-2014-5472) - Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c. (bnc#871797). (CVE-2014-2706) - The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator. (bnc#882639). (CVE-2014-4027) - The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification. (bnc#880892). (CVE-2014-3153) - Avoid infinite loop when processing indirect ICBs (bnc#896689) The following non-security bugs have been fixed:. (CVE-2014-6410) - ACPI / PAD: call schedule() when need_resched() is true. (bnc#866911) - ACPI: Fix bug when ACPI reset register is implemented in system memory. (bnc#882900) - ACPI: Limit access to custom_method. (bnc#884333) - ALSA: hda - Enabling Realtek ALC 671 codec. (bnc#891746) - Add option to automatically enforce module signatures when in Secure Boot mode. (bnc#884333) - Add secure_modules() call. (bnc#884333) - Add wait_on_atomic_t() and wake_up_atomic_t(). (bnc#880344) - Backported new patches of Lock down functions for UEFI secure boot Also updated series.conf and removed old patches. - Btrfs: Return EXDEV for cross file system snapshot. - Btrfs: abort the transaction when we does not find our extent ref. - Btrfs: avoid warning bomb of btrfs_invalidate_inodes. - Btrfs: cancel scrub on transaction abortion. - Btrfs: correctly set profile flags on seqlock retry. - Btrfs: does not check nodes for extent items. - Btrfs: fix a possible deadlock between scrub and transaction committing. - Btrfs: fix corruption after write/fsync failure + fsync + log recovery. (bnc#894200) - Btrfs: fix csum tree corruption, duplicate and outdated checksums. (bnc#891619) - Btrfs: fix double free in find_lock_delalloc_range. - Btrfs: fix possible memory leak in btrfs_create_tree(). - Btrfs: fix use of uninit 'ret' in end_extent_writepage(). - Btrfs: free delayed node outside of root->inode_lock. (bnc#866864) - Btrfs: make DEV_INFO ioctl available to anyone. - Btrfs: make FS_INFO ioctl available to anyone. - Btrfs: make device scan less noisy. - Btrfs: make sure there are not any read requests before stopping workers. - Btrfs: more efficient io tree navigation on wait_extent_bit. - Btrfs: output warning instead of error when loading free space cache failed. - Btrfs: retrieve more info from FS_INFO ioctl. - Btrfs: return EPERM when deleting a default subvolume. (bnc#869934) - Btrfs: unset DCACHE_DISCONNECTED when mounting default subvol. (bnc#866615) - Btrfs: use right type to get real comparison. - Btrfs: wake up @scrub_pause_wait as much as we can. - Btrfs: wake up transaction thread upon remount. - CacheFiles: Add missing retrieval completions. (bnc#880344) - CacheFiles: Does not try to dump the index key if the cookie has been cleared. (bnc#880344) - CacheFiles: Downgrade the requirements passed to the allocator. (bnc#880344) - CacheFiles: Fix the marking of cached pages. (bnc#880344) - CacheFiles: Implement invalidation. (bnc#880344) - CacheFiles: Make some debugging statements conditional. (bnc#880344) - Drivers: hv: util: Fix a bug in the KVP code. (bnc#886840) - Drivers: hv: vmbus: Fix a bug in the channel callback dispatch code. (bnc#886840) - FS-Cache: Add transition to handle invalidate immediately after lookup. (bnc#880344) - FS-Cache: Check that there are no read ops when cookie relinquished. (bnc#880344) - FS-Cache: Clear remaining page count on retrieval cancellation. (bnc#880344) - FS-Cache: Convert the object event ID #defines into an enum. (bnc#880344) - FS-Cache: Does not sleep in page release if __GFP_FS is not set. (bnc#880344) - FS-Cache: Does not use spin_is_locked() in assertions. (bnc#880344) - FS-Cache: Exclusive op submission can BUG if there is been an I/O error. (bnc#880344) - FS-Cache: Fix __wait_on_atomic_t() to call the action func if the counter != 0. (bnc#880344) - FS-Cache: Fix object state machine to have separate work and wait states. (bnc#880344) - FS-Cache: Fix operation state management and accounting. (bnc#880344) - FS-Cache: Fix signal handling during waits. (bnc#880344) - FS-Cache: Initialise the object event mask with the calculated mask. (bnc#880344) - FS-Cache: Limit the number of I/O error reports for a cache. (bnc#880344) - FS-Cache: Make cookie relinquishment wait for outstanding reads. (bnc#880344) - FS-Cache: Mark cancellation of in-progress operation. (bnc#880344) - FS-Cache: One of the write operation paths doeses not set the object state. (bnc#880344) - FS-Cache: Provide proper invalidation. (bnc#880344) - FS-Cache: Simplify cookie retention for fscache_objects, fixing oops. (bnc#880344) - FS-Cache: The retrieval remaining-pages counter needs to be atomic_t. (bnc#880344) - FS-Cache: Uninline fscache_object_init(). (bnc#880344) - FS-Cache: Wrap checks on object state. (bnc#880344) - HID: usbhid: add always-poll quirk. (bnc#888607) - HID: usbhid: enable always-poll quirk for Elan Touchscreen. (bnc#888607) - IB/iser: Add TIMEWAIT_EXIT event handling. (bnc#890297) - Ignore 'flags' change to event_constraint. (bnc#876114) - Ignore data_src/weight changes to perf_sample_data. (bnc#876114) - NFS: Allow more operations in an NFSv4.1 request. (bnc#890513) - NFS: Clean up helper function nfs4_select_rw_stateid(). (bnc#888968) - NFS: Does not copy read delegation stateids in setattr. (bnc#888968) - NFS: Does not use a delegation to open a file when returning that delegation. (bnc#888968, bnc#892200, bnc#893596, bnc#893496) - NFS: Fixes for NFS RCU-walk support in line with code going upstream - NFS: Use FS-Cache invalidation. (bnc#880344) - NFS: allow lockless access to access_cache. (bnc#866130) - NFS: avoid mountpoint being displayed as ' (deleted)' in /proc/mounts. (bnc#888591) - NFS: nfs4_do_open should add negative results to the dcache. (bnc#866130) - NFS: nfs_migrate_page() does not wait for FS-Cache to finish with a page. (bnc#880344) - NFS: nfs_open_revalidate: only evaluate parent if it will be used. (bnc#866130) - NFS: prepare for RCU-walk support but pushing tests later in code. (bnc#866130) - NFS: support RCU_WALK in nfs_permission(). (bnc#866130) - NFS: teach nfs_lookup_verify_inode to handle LOOKUP_RCU. (bnc#866130) - NFS: teach nfs_neg_need_reval to understand LOOKUP_RCU. (bnc#866130) - NFSD: Does not hand out delegations for 30 seconds after recalling them. (bnc#880370) - NFSv4 set open access operation call flag in nfs4_init_opendata_res. (bnc#888968, bnc#892200, bnc#893596, bnc#893496) - NFSv4: Add a helper for encoding opaque data. (bnc#888968) - NFSv4: Add a helper for encoding stateids. (bnc#888968) - NFSv4: Add helpers for basic copying of stateids. (bnc#888968) - NFSv4: Clean up nfs4_select_rw_stateid(). (bnc#888968) - NFSv4: Fix the return value of nfs4_select_rw_stateid. (bnc#888968) - NFSv4: Rename nfs4_copy_stateid(). (bnc#888968) - NFSv4: Resend the READ/WRITE RPC call if a stateid change causes an error. (bnc#888968) - NFSv4: Simplify the struct nfs4_stateid. (bnc#888968) - NFSv4: The stateid must remain the same for replayed RPC calls. (bnc#888968) - NFSv4: nfs4_stateid_is_current should return 'true' for an invalid stateid. (bnc#888968) - One more fix for kABI breakage. - PCI: Lock down BAR access when module security is enabled. (bnc#884333) - PCI: enable MPS 'performance' setting to properly handle bridge MPS. (bnc#883376) - PM / Hibernate: Add memory_rtree_find_bit function. (bnc#860441) - PM / Hibernate: Create a Radix-Tree to store memory bitmap. (bnc#860441) - PM / Hibernate: Implement position keeping in radix tree. (bnc#860441) - PM / Hibernate: Iterate over set bits instead of PFNs in swsusp_free(). (bnc#860441) - PM / Hibernate: Remove the old memory-bitmap implementation. (bnc#860441) - PM / Hibernate: Touch Soft Lockup Watchdog in rtree_next_node. (bnc#860441) - Restrict /dev/mem and /dev/kmem when module loading is restricted. (bnc#884333) - Reuse existing 'state' field to indicate PERF_X86_EVENT_PEBS_LDLAT. (bnc#876114) - USB: handle LPM errors during device suspend correctly. (bnc#849123) - Update kabi files to reflect fscache change. (bnc#880344) - Update x86_64 config files: re-enable SENSORS_W83627EHF. (bnc#891281) - VFS: Make more complete truncate operation available to CacheFiles. (bnc#880344) - [FEAT NET1222] ib_uverbs: Allow explicit mmio trigger (FATE#83366, ltc#83367). - acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted. (bnc#884333) - af_iucv: correct cleanup if listen backlog is full (bnc#885262, LTC#111728). - asus-wmi: Restrict debugfs interface when module loading is restricted. (bnc#884333) - autofs4: allow RCU-walk to walk through autofs4. (bnc#866130) - autofs4: avoid taking fs_lock during rcu-walk. (bnc#866130) - autofs4: does not take spinlock when not needed in autofs4_lookup_expiring. (bnc#866130) - autofs4: factor should_expire() out of autofs4_expire_indirect. (bnc#866130) - autofs4: make 'autofs4_can_expire' idempotent. (bnc#866130) - autofs4: remove a redundant assignment. (bnc#866130) - autofs: fix lockref lookup. (bnc#888591) - be2net: add dma_mapping_error() check for dma_map_page(). (bnc#881759) - block: add cond_resched() to potentially long running ioctl discard loop. (bnc#884725) - block: fix race between request completion and timeout handling. (bnc#881051) - cdc-ether: clean packet filter upon probe. (bnc#876017) - cpuset: Fix memory allocator deadlock. (bnc#876590) - crypto: Allow CRYPTO_FIPS without MODULE_SIGNATURES. Not all archs have them, but some are FIPS certified, with some kernel support. - crypto: fips - only panic on bad/missing crypto mod signatures. (bnc#887503) - crypto: testmgr - allow aesni-intel and ghash_clmulni-intel in fips mode. (bnc#889451) - dasd: validate request size before building CCW/TCW (bnc#891087, LTC#114068). - dm mpath: fix race condition between multipath_dtr and pg_init_done. (bnc#826486) - dm-mpath: fix panic on deleting sg device. (bnc#870161) - drm/ast: AST2000 cannot be detected correctly. (bnc#895983) - drm/ast: Actually load DP501 firmware when required. (bnc#895608 / bnc#871134) - drm/ast: Add missing entry to dclk_table[]. - drm/ast: Add reduced non reduced mode parsing for wide screen mode. (bnc#892723) - drm/ast: initial DP501 support (v0.2). (bnc#871134) - drm/ast: open key before detect chips. (bnc#895983) - drm/i915: Fix up cpt pixel multiplier enable sequence. (bnc#879304) - drm/i915: Only apply DPMS to the encoder if enabled. (bnc#893064) - drm/i915: clear the FPGA_DBG_RM_NOCLAIM bit at driver init. (bnc#869055) - drm/i915: create functions for the 'unclaimed register' checks. (bnc#869055) - drm/i915: use FPGA_DBG for the 'unclaimed register' checks. (bnc#869055) - drm/mgag200: Initialize data needed to map fbdev memory. (bnc#806990) - e1000e: enable support for new device IDs. (bnc#885509) - fs/fscache: remove spin_lock() from the condition in while(). (bnc#880344) - hibernate: Disable in a signed modules environment. (bnc#884333) - hugetlb: does not use ERR_PTR with VM_FAULT* values - ibmvscsi: Abort init sequence during error recovery. (bnc#885382) - ibmvscsi: Add memory barriers for send / receive. (bnc#885382) - inet: add a redirect generation id in inetpeer. (bnc#860593) - inetpeer: initialize ->redirect_genid in inet_getpeer(). (bnc#860593) - ipv6: tcp: fix tcp_v6_conn_request(). (bnc#887645) - kabi: hide bnc#860593 changes of struct inetpeer_addr_base. (bnc#860593) - kernel: 3215 tty hang (bnc#891087, LTC#114562). - kernel: fix data corruption when reading /proc/sysinfo (bnc#891087, LTC#114480). - kernel: fix kernel oops with load of fpc register (bnc#889061, LTC#113596). - kernel: sclp console tty reference counting (bnc#891087, LTC#115466). - kexec: Disable at runtime if the kernel enforces module loading restrictions. (bnc#884333) - md/raid6: avoid data corruption during recovery of double-degraded RAID6. - memcg, vmscan: Fix forced scan of anonymous pages (memory reclaim fix). - memcg: do not expose uninitialized mem_cgroup_per_node to world. (bnc#883096) - mm, hugetlb: add VM_NORESERVE check in vma_has_reserves() - mm, hugetlb: change variable name reservations to resv - mm, hugetlb: decrement reserve count if VM_NORESERVE alloc page cache - mm, hugetlb: defer freeing pages when gathering surplus pages - mm, hugetlb: do not use a page in page cache for cow optimization - mm, hugetlb: fix and clean-up node iteration code to alloc or free - mm, hugetlb: fix race in region tracking - mm, hugetlb: fix subpool accounting handling - mm, hugetlb: improve page-fault scalability - mm, hugetlb: improve, cleanup resv_map parameters - mm, hugetlb: move up the code which check availability of free huge page - mm, hugetlb: protect reserved pages when soft offlining a hugepage - mm, hugetlb: remove decrement_hugepage_resv_vma() - mm, hugetlb: remove redundant list_empty check in gather_surplus_pages() - mm, hugetlb: remove resv_map_put - mm, hugetlb: remove useless check about mapping type - mm, hugetlb: return a reserved page to a reserved pool if failed - mm, hugetlb: trivial commenting fix - mm, hugetlb: unify region structure handling - mm, hugetlb: unify region structure handling kabi - mm, hugetlb: use long vars instead of int in region_count() (Hugetlb Fault Scalability). - mm, hugetlb: use vma_resv_map() map types - mm, oom: fix badness score underflow. (bnc#884582, bnc#884767) - mm, oom: normalize oom scores to oom_score_adj scale only for userspace. (bnc#884582, bnc#884767) - mm, thp: do not allow thp faults to avoid cpuset restrictions. (bnc#888849) - net/mlx4_core: Load higher level modules according to ports type. (bnc#887680) - net/mlx4_core: Load the IB driver when the device supports IBoE. (bnc#887680) - net/mlx4_en: Fix a race between napi poll function and RX ring cleanup. (bnc#863586) - net/mlx4_en: Fix selftest failing on non 10G link speed. (bnc#888058) - net: fix checksumming features handling in output path. (bnc#891259) - pagecache_limit: batch large nr_to_scan targets. (bnc#895221) - pagecachelimit: reduce lru_lock congestion for heavy parallel reclaim fix. (bnc#895680) - perf/core: Add weighted samples. (bnc#876114) - perf/x86: Add flags to event constraints. (bnc#876114) - perf/x86: Add memory profiling via PEBS Load Latency. (bnc#876114) - perf: Add generic memory sampling interface. (bnc#876114) - qla2xxx: Avoid escalating the SCSI error handler if the command is not found in firmware. (bnc#859840) - qla2xxx: Clear loop_id for ports that are marked lost during fabric scanning. (bnc#859840) - qla2xxx: Does not check for firmware hung during the reset context for ISP82XX. (bnc#859840) - qla2xxx: Issue abort command for outstanding commands during cleanup when only firmware is alive. (bnc#859840) - qla2xxx: Reduce the time we wait for a command to complete during SCSI error handling. (bnc#859840) - qla2xxx: Set host can_queue value based on available resources. (bnc#859840) - restore smp_mb() in unlock_new_inode(). (bnc#890526) - s390/pci: introduce lazy IOTLB flushing for DMA unmap (bnc#889061, LTC#113725). - sched: fix the theoretical signal_wake_up() vs schedule() race. (bnc#876055) - sclp_vt220: Enable integrated ASCII console per default (bnc#885262, LTC#112035). - scsi_dh: use missing accessor 'scsi_device_from_queue'. (bnc#889614) - scsi_transport_fc: Cap dev_loss_tmo by fast_io_fail. (bnc#887608) - scsiback: correct grant page unmapping. - scsiback: fix retry handling in __report_luns(). - scsiback: free resources after error. - sunrpc/auth: allow lockless (rcu) lookup of credential cache. (bnc#866130) - supported.conf: remove external from drivers/net/veth. (bnc#889727) - supported.conf: support net/sched/act_police.ko. (bnc#890426) - tcp: adapt selected parts of RFC 5682 and PRR logic. (bnc#879921) - tg3: Change nvram command timeout value to 50ms. (bnc#855657) - tg3: Override clock, link aware and link idle mode during NVRAM dump. (bnc#855657) - tg3: Set the MAC clock to the fastest speed during boot code load. (bnc#855657) - usb: Does not enable LPM if the exit latency is zero. (bnc#832309) - usbcore: Does not log on consecutive debounce failures of the same port. (bnc#888105) - usbhid: fix PIXART optical mouse. (bnc#888607) - uswsusp: Disable when module loading is restricted. (bnc#884333) - vscsi: support larger transfer sizes. (bnc#774818) - writeback: Do not sync data dirtied after sync start. (bnc#833820) - x86 thermal: Delete power-limit-notification console messages. (bnc#882317) - x86 thermal: Disable power limit notification interrupt by default. (bnc#882317) - x86 thermal: Re-enable power limit notification interrupt by default. (bnc#882317) - x86, cpu hotplug: Fix stack frame warning in check_irq_vectors_for_cpu_disable(). (bnc#887418) - x86/UV: Add call to KGDB/KDB from NMI handler. (bnc#888847) - x86/UV: Add kdump to UV NMI handler. (bnc#888847) - x86/UV: Add summary of cpu activity to UV NMI handler. (bnc#888847) - x86/UV: Move NMI support. (bnc#888847) - x86/UV: Update UV support for external NMI signals. (bnc#888847) - x86/uv/nmi: Fix Sparse warnings. (bnc#888847) - x86: Add check for number of available vectors before CPU down. (bnc#887418) - x86: Lock down IO port access when module security is enabled. (bnc#884333) - x86: Restrict MSR access when module loading is restricted. (bnc#884333)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=774818" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=806990" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=816708" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=826486" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=832309" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=849123" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=855657" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=859840" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=860441" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=860593" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=863586" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=866130" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=866615" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=866864" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=866911" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=869055" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=869934" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=870161" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=871797" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=876017" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=876055" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=876114" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=876590" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=879921" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=880344" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=880370" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=881051" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=881759" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=882317" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=882639" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=882804" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=882900" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=883376" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=883518" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=883724" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=884333" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=884582" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=884725" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=884767" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=885262" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=885382" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=885422" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=885509" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=886840" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=887082" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=887503" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=887608" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=887645" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=887680" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=888058" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=888105" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=888591" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=888607" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=888847" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=888849" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=888968" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=889061" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=889173" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=889451" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=889614" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=889727" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=890297" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=890426" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=890513" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=890526" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=891087" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=891259" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=891619" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=892200" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=892490" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=892723" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=893064" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=893496" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=893596" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=894200" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2013-1979.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-1739.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-2706.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-3153.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-4027.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-4171.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-4508.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-4667.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-4943.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-5077.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-5471.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-5472.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2014-6410.html" ); script_set_attribute(attribute:"solution", value:"Apply SAT patch number 9750."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Android "Towelroot" Futex Requeue Kernel Exploit'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:iscsitarget-kmp-bigsmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-bigsmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-bigsmp-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kernel-bigsmp-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:ofed-kmp-bigsmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:oracleasm-kmp-bigsmp"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) || int(pl) != 3) audit(AUDIT_OS_NOT, "SuSE 11.3"); flag = 0; if (rpm_check(release:"SLED11", sp:3, cpu:"x86_64", reference:"kernel-bigsmp-devel-3.0.101-0.40.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"iscsitarget-kmp-bigsmp-1.4.20_3.0.101_0.40-0.38.83")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"kernel-bigsmp-3.0.101-0.40.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"kernel-bigsmp-base-3.0.101-0.40.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"kernel-bigsmp-devel-3.0.101-0.40.1")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"ofed-kmp-bigsmp-1.5.4.1_3.0.101_0.40-0.13.89")) flag++; if (rpm_check(release:"SLES11", sp:3, cpu:"x86_64", reference:"oracleasm-kmp-bigsmp-2.0.5_3.0.101_0.40-7.39.89")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2332-1.NASL description A bug was discovered in the handling of pathname components when used with an autofs direct mount. A local user could exploit this flaw to cause a denial of service (system crash) via an open system call. (CVE-2014-0203) Toralf Forster reported an error in the Linux kernels syscall auditing on 32 bit x86 platforms. A local user could exploit this flaw to cause a denial of service (OOPS and system crash). (CVE-2014-4508) An information leak was discovered in the control implemenation of the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2014-4652) A use-after-free flaw was discovered in the Advanced Linux Sound Architecture (ALSA) control implementation of the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-4653) A authorization bug was discovered with the snd_ctl_elem_add function of the Advanced Linux Sound Architecture (ALSA) in the Linux kernel. A local user could exploit his bug to cause a denial of service (remove kernel controls). (CVE-2014-4654) A flaw discovered in how the snd_ctl_elem function of the Advanced Linux Sound Architecture (ALSA) handled a reference count. A local user could exploit this flaw to cause a denial of service (integer overflow and limit bypass). (CVE-2014-4655) An integer overflow flaw was discovered in the control implementation of the Advanced Linux Sound Architecture (ALSA). A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-4656) An integer underflow flaw was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 77488 published 2014-09-03 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77488 title Ubuntu 10.04 LTS : linux vulnerabilities (USN-2332-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-791.NASL description The openSUSE 12.3 kernel was updated to fix security issues : This will be the final kernel update for openSUSE 13.2 during its lifetime, which ends January 4th 2015. CVE-2014-9322: A local privilege escalation in the x86_64 32bit compatibility signal handling was fixed, which could be used by local attackers to crash the machine or execute code. CVE-2014-9090: The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel did not properly handle faults associated with the Stack Segment (SS) segment register, which allowed local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite. CVE-2014-8133: Insufficient validation of TLS register usage could leak information from the kernel stack to userspace. CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. CVE-2014-8884: Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel allowed local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call. CVE-2014-3186: Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel, as used in Android on Nexus 7 devices, allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that sends a large report. CVE-2014-7841: The sctp_process_param function in net/sctp/sm_make_chunk.c in the SCTP implementation in the Linux kernel, when ASCONF is used, allowed remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a malformed INIT chunk. CVE-2014-4608: Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel allowed context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. CVE-2014-8709: The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel did not properly maintain a certain tail pointer, which allowed remote attackers to obtain sensitive cleartext information by reading packets. CVE-2014-3185: Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel allowed physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response. CVE-2014-3184: The report_fixup functions in the HID subsystem in the Linux kernel might have allowed physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c. CVE-2014-3182: Array index error in the logi_dj_raw_event function in drivers/hid/hid-logitech-dj.c in the Linux kernel allowed physically proximate attackers to execute arbitrary code or cause a denial of service (invalid kfree) via a crafted device that provides a malformed REPORT_TYPE_NOTIF_DEVICE_UNPAIRED value. CVE-2014-3181: Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event. CVE-2014-7826: kernel/trace/trace_syscalls.c in the Linux kernel did not properly handle private syscall numbers during use of the ftrace subsystem, which allowed local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application. CVE-2013-7263: The Linux kernel updated certain length values before ensuring that associated data structures have been initialized, which allowed local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. This update fixes the leak of the port number when using ipv6 sockets. (bsc#853040). CVE-2014-6410: The __udf_read_inode function in fs/udf/inode.c in the Linux kernel did not restrict the amount of ICB indirection, which allowed physically proximate attackers to cause a denial of service (infinite loop or stack consumption) via a UDF filesystem with a crafted inode. CVE-2014-5471: Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel allowed local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry. CVE-2014-5472: The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel allowed local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry. CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. CVE-2014-4943: The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel allowed local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. CVE-2014-5077: The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel, when SCTP authentication is enabled, allowed remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction. CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly implement the interaction between range notification and hole punching, which allowed local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call. CVE-2013-2888, CVE-2013-2889, CVE-2013-2890, CVE-2013-2891, CVE-2013-2892, CVE-2013-2893, CVE-2013-2894, CVE-2013-2895, CVE-2013-2896, CVE-2013-2897, CVE-2013-2898, CVE-2013-2899: Multiple issues in the Human Interface Device (HID) subsystem in the Linux kernel allowed physically proximate attackers to cause a denial of service or system crash via (heap-based out-of-bounds write) via a crafted device. (Not separately listed.) Other bugfixes : - xfs: mark all internal workqueues as freezable (bnc#899785). - target/rd: Refactor rd_build_device_space + rd_release_device_space (bnc#882639) - Enable CONFIG_ATH9K_HTC for armv7hl/omap2plus config (bnc#890624) - swiotlb: don last seen 2020-06-05 modified 2014-12-22 plugin id 80150 published 2014-12-22 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/80150 title openSUSE Security Update : the Linux Kernel (openSUSE-SU-2014:1669-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-793.NASL description The openSUSE 13.1 kernel was updated to fix security issues and bugs : Security issues fixed: CVE-2014-9322: A local privilege escalation in the x86_64 32bit compatibility signal handling was fixed, which could be used by local attackers to crash the machine or execute code. CVE-2014-9090: The do_double_fault function in arch/x86/kernel/traps.c in the Linux kernel did not properly handle faults associated with the Stack Segment (SS) segment register, which allowed local users to cause a denial of service (panic) via a modify_ldt system call, as demonstrated by sigreturn_32 in the linux-clock-tests test suite. CVE-2014-8133: Insufficient validation of TLS register usage could leak information from the kernel stack to userspace. CVE-2014-0181: The Netlink implementation in the Linux kernel through 3.14.1 did not provide a mechanism for authorizing socket operations based on the opener of a socket, which allowed local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program. (bsc#875051) CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. CVE-2014-3688: The SCTP implementation in the Linux kernel allowed remote attackers to cause a denial of service (memory consumption) by triggering a large number of chunks in an association last seen 2020-06-05 modified 2014-12-22 plugin id 80152 published 2014-12-22 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/80152 title openSUSE Security Update : the Linux Kernel (openSUSE-SU-2014:1677-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2337-1.NASL description A flaw was discovered in the Linux kernel virtual machine last seen 2020-06-01 modified 2020-06-02 plugin id 77492 published 2014-09-03 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77492 title Ubuntu 14.04 LTS : linux vulnerabilities (USN-2337-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-478.NASL description The Linux Kernel was updated to fix various bugs and security issues. CVE-2014-4699: The Linux kernel on Intel processors did not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allowed local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c in the Linux kernel did not properly manage a certain backlog value, which allowed remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly implement the interaction between range notification and hole punching, which allowed local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call. CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel allowed local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel did not properly maintain the user_ctl_count value, which allowed local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel did not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. CVE-2014-4653: sound/core/control.c in the ALSA control implementation in the Linux kernel did not ensure possession of a read/write lock, which allowed local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. CVE-2014-4652: Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel allowed local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. CVE-2014-4014: The capabilities implementation in the Linux kernel did not properly consider that namespaces are inapplicable to inodes, which allowed local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root. CVE-2014-2309: The ip6_route_add function in net/ipv6/route.c in the Linux kernel did not properly count the addition of routes, which allowed remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. CVE-2014-0131: Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel allowed attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. CVE-2014-3144: The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel did not check whether a certain length value is sufficiently large, which allowed local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. CVE-2014-3145: The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel used the reverse order in a certain subtraction, which allowed local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced. Additional Bug fixed : - HID: logitech-dj: Fix USB 3.0 issue (bnc#788080). last seen 2020-06-05 modified 2014-08-04 plugin id 76988 published 2014-08-04 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76988 title openSUSE Security Update : kernel (openSUSE-SU-2014:0957-1) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-103.NASL description This security upload has been prepared in cooperation of the Debian Kernel, Security and LTS Teams and features the upstream stable release 2.6.32.64 (see https://lkml.org/lkml/2014/11/23/181 for more information for that). It fixes the CVEs described below. Note: if you are using the openvz flavors, please consider three things: a.) we haven last seen 2020-03-17 modified 2015-03-26 plugin id 82087 published 2015-03-26 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82087 title Debian DLA-103-1 : linux-2.6 security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1528.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - An out-of-bounds memory access flaw was found in the Linux kernel last seen 2020-03-17 modified 2019-05-14 plugin id 124981 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124981 title EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1528) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2336-1.NASL description A flaw was discovered in the Linux kernel virtual machine last seen 2020-06-01 modified 2020-06-02 plugin id 77491 published 2014-09-03 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77491 title Ubuntu 12.04 LTS : linux-lts-trusty vulnerabilities (USN-2336-1) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-140924.NASL description The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to fix various bugs and security issues. The following security bugs have been fixed : - The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call. (bnc#882804). (CVE-2014-1739) - mm/shmem.c in the Linux kernel through 3.15.1 does not properly implement the interaction between range notification and hole punching, which allows local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call. (bnc#883518). (CVE-2014-4171) - arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. (bnc#883724). (CVE-2014-4508) - The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. (bnc#885422). (CVE-2014-4667) - The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. (bnc#887082). (CVE-2014-4943) - The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction. (bnc#889173). (CVE-2014-5077) - Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry. (bnc#892490). (CVE-2014-5471) - The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry. (bnc#892490). (CVE-2014-5472) - Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c. (bnc#871797). (CVE-2014-2706) - The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator. (bnc#882639). (CVE-2014-4027) - The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification. (bnc#880892). (CVE-2014-3153) - Avoid infinite loop when processing indirect ICBs (bnc#896689) The following non-security bugs have been fixed:. (CVE-2014-6410) - ACPI / PAD: call schedule() when need_resched() is true. (bnc#866911) - ACPI: Fix bug when ACPI reset register is implemented in system memory. (bnc#882900) - ACPI: Limit access to custom_method. (bnc#884333) - ALSA: hda - Enabling Realtek ALC 671 codec. (bnc#891746) - Add option to automatically enforce module signatures when in Secure Boot mode. (bnc#884333) - Add secure_modules() call. (bnc#884333) - Add wait_on_atomic_t() and wake_up_atomic_t(). (bnc#880344) - Backported new patches of Lock down functions for UEFI secure boot Also updated series.conf and removed old patches. - Btrfs: Return EXDEV for cross file system snapshot. - Btrfs: abort the transaction when we does not find our extent ref. - Btrfs: avoid warning bomb of btrfs_invalidate_inodes. - Btrfs: cancel scrub on transaction abortion. - Btrfs: correctly set profile flags on seqlock retry. - Btrfs: does not check nodes for extent items. - Btrfs: fix a possible deadlock between scrub and transaction committing. - Btrfs: fix corruption after write/fsync failure + fsync + log recovery. (bnc#894200) - Btrfs: fix csum tree corruption, duplicate and outdated checksums. (bnc#891619) - Btrfs: fix double free in find_lock_delalloc_range. - Btrfs: fix possible memory leak in btrfs_create_tree(). - Btrfs: fix use of uninit last seen 2020-06-05 modified 2014-10-23 plugin id 78650 published 2014-10-23 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/78650 title SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 9746 / 9749 / 9751) NASL family Fedora Local Security Checks NASL id FEDORA_2014-7863.NASL description The 3.14.9 stable update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-07-01 plugin id 76329 published 2014-07-01 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/76329 title Fedora 20 : kernel-3.14.9-200.fc20 (2014-7863) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-493.NASL description The Linux kernel was updated to fix security issues and bugs : Security issues fixed: CVE-2014-4699: The Linux kernel on Intel processors did not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allowed local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c in the Linux kernel did not properly manage a certain backlog value, which allowed remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. CVE-2014-4171: mm/shmem.c in the Linux kernel did not properly implement the interaction between range notification and hole punching, which allowed local users to cause a denial of service (i_mutex hold) by using the mmap system call to access a hole, as demonstrated by interfering with intended shmem activity by blocking completion of (1) an MADV_REMOVE madvise call or (2) an FALLOC_FL_PUNCH_HOLE fallocate call. CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. CVE-2014-0100: Race condition in the inet_frag_intern function in net/ipv4/inet_fragment.c in the Linux kernel allowed remote attackers to cause a denial of service (use-after-free error) or possibly have unspecified other impact via a large series of fragmented ICMP Echo Request packets to a system with a heavy CPU load. CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel allowed local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel did not properly maintain the user_ctl_count value, which allowed local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel did not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allowed local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. CVE-2014-4653: sound/core/control.c in the ALSA control implementation in the Linux kernel did not ensure possession of a read/write lock, which allowed local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. CVE-2014-4652: Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel allowed local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. CVE-2014-4014: The capabilities implementation in the Linux kernel did not properly consider that namespaces are inapplicable to inodes, which allowed local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root. CVE-2014-2309: The ip6_route_add function in net/ipv6/route.c in the Linux kernel did not properly count the addition of routes, which allowed remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. CVE-2014-3917: kernel/auditsc.c in the Linux kernel, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allowed local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. CVE-2014-0131: Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel allowed attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. Bugs fixed : - Don last seen 2020-06-05 modified 2014-08-13 plugin id 77177 published 2014-08-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77177 title openSUSE Security Update : kernel (openSUSE-SU-2014:0985-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2014-1105-1.NASL description The SUSE Linux Enterprise Server 11 SP2 LTSS received a roll up update to fix several security and non-security issues. The following security issues have been fixed : - CVE-2014-0055: The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors. (bnc#870173) - CVE-2014-0077: drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions. (bnc#870576) - CVE-2014-1739: The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call. (bnc#882804) - CVE-2014-2706: Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c. (bnc#871797) - CVE-2014-2851: Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter. (bnc#873374) - CVE-2014-3144: The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced. (bnc#877257) - CVE-2014-3145: The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced. (bnc#877257) - CVE-2014-3917: kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. (bnc#880484) - CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. (bnc#883724) - CVE-2014-4652: Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (bnc#883795) - CVE-2014-4653: sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (bnc#883795) - CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. (bnc#883795) - CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. (bnc#883795) - CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. (bnc#883795) - CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. (bnc#885422) - CVE-2014-4699: The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. (bnc#885725) - CVE-2014-5077: The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction. (bnc#889173) - CVE-2013-4299: Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel through 3.11.6 allows remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device. (bnc#846404) The following bugs have been fixed : - pagecachelimit: reduce lru_lock contention for heavy parallel reclaim (bnc#878509, bnc#864464). - pagecachelimit: reduce lru_lock contention for heavy parallel reclaim kabi fixup (bnc#878509, bnc#864464). - ACPI / PAD: call schedule() when need_resched() is true (bnc#866911). - kabi: Fix breakage due to addition of user_ctl_lock (bnc#883795). - cpuset: Fix memory allocator deadlock (bnc#876590). - tcp: allow to disable cwnd moderation in TCP_CA_Loss state (bnc#879921). - tcp: adapt selected parts of RFC 5682 and PRR logic (bnc#879921). - vlan: more careful checksum features handling (bnc#872634). - bonding: fix vlan_features computing (bnc#872634). - NFSv4: Minor cleanups for nfs4_handle_exception and nfs4_async_handle_error (bnc#889324). - NFS: Do not lose sockets when nfsd shutdown races with connection timeout (bnc#871854). - reiserfs: call truncate_setsize under tailpack mutex (bnc#878115). - reiserfs: drop vmtruncate (bnc#878115). - megaraid_sas: mask off flags in ioctl path (bnc#886474). - block: fix race between request completion and timeout handling (bnc#881051). - drivers/rtc/interface.c: fix infinite loop in initializing the alarm (bnc#871676). - xfrm: check peer pointer for null before calling inet_putpeer() (bnc#877775). - supported.conf: Add firewire/nosy as supported. This driver is the replacement for the ieee1394/pcilynx driver, which was supported. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-20 plugin id 83633 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83633 title SUSE SLES11 Security Update : kernel (SUSE-SU-2014:1105-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2531.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel before 4.5.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor.(CVE-2016-2186) - The snd_compr_tstamp function in sound/core/compress_offload.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices, does not properly initialize a timestamp data structure, which allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28770164 and Qualcomm internal bug CR568717.(CVE-2014-9892) - A memory leak in the cx23888_ir_probe() function in drivers/media/pci/cx23885/cx23888-ir.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering kfifo_alloc() failures, aka CID-a7b2df76b42b.(CVE-2019-19054) - A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.(CVE-2019-19060) - A memory leak in the adis_update_scan_mode_burst() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-9c0530e898f3.(CVE-2019-19061) - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042.(CVE-2019-19062) - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.(CVE-2019-18808) - In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to insufficient locking when accessing asma. This could lead to a local elevation of privilege enabling code execution as a privileged process with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-66954097.(CVE-2017-13216) - A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.(CVE-2015-3332) - The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory by reading a Netlink message.(CVE-2016-4486) - The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allows remote attackers to have unspecified impact via vectors involving GRE flags in an IPv6 packet, which trigger an out-of-bounds access.(CVE-2017-5897) - In the Linux kernel before version 4.12, Kerberos 5 tickets decoded when using the RXRPC keys incorrectly assumes the size of a field. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. This could possibly lead to memory corruption and possible privilege escalation.(CVE-2017-7482) - A flaw was found in the Linux Kernel where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients.(CVE-2018-14625) - drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted USB device.(CVE-2017-16647) - A memory leak in the ql_alloc_large_buffers() function in drivers/net/ethernet/qlogic/qla3xxx.c in the Linux kernel before 5.3.5 allows local users to cause a denial of service (memory consumption) by triggering pci_dma_mapping_error() failures, aka CID-1acb8f2a7a9f.(CVE-2019-18806) - An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR.(CVE-2018-7755) - The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor.(CVE-2015-7833) - A flaw that allowed an attacker to corrupt memory and possibly escalate privileges was found in the mwifiex kernel module while connecting to a malicious wireless network.(CVE-2019-3846) - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16232) - drivers/net/wireless/intel/iwlwifi/pcie/trans.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16234) - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16231) - Insufficient access control in the Intel(R) PROSet/Wireless WiFi Software driver before version 21.10 may allow an unauthenticated user to potentially enable denial of service via adjacent access.(CVE-2019-0136) - A flaw was found in the Linux kernel. A heap based buffer overflow in mwifiex_uap_parse_tail_ies function in drivers/net/wireless/marvell/mwifiex/ie.c might lead to memory corruption and possibly other consequences.(CVE-2019-10126) - The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka last seen 2020-05-08 modified 2019-12-09 plugin id 131805 published 2019-12-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131805 title EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-2531) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-141217.NASL description The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to fix various bugs and security issues. The following security bugs have been fixed : - The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 did not set a certain killable attribute, which allowed local users to cause a denial of service (memory consumption) via a crafted application. (bnc#779488). (CVE-2012-4398) - drivers/hid/hid-zpff.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_ZEROPLUS is enabled, allowed physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device. (bnc#835839). (CVE-2013-2889) - The Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_LOGITECH_FF, CONFIG_LOGIG940_FF, or CONFIG_LOGIWHEELS_FF is enabled, allowed physically proximate attackers to cause a denial of service (heap-based out-of-bounds write) via a crafted device, related to (1) drivers/hid/hid-lgff.c, (2) drivers/hid/hid-lg3ff.c, and (3) drivers/hid/hid-lg4ff.c. (bnc#835839). (CVE-2013-2893) - Multiple array index errors in drivers/hid/hid-multitouch.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_MULTITOUCH is enabled, allowed physically proximate attackers to cause a denial of service (heap memory corruption, or NULL pointer dereference and OOPS) via a crafted device. (bnc#835839). (CVE-2013-2897) - drivers/hid/hid-picolcd_core.c in the Human Interface Device (HID) subsystem in the Linux kernel through 3.11, when CONFIG_HID_PICOLCD is enabled, allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted device. (bnc#835839). (CVE-2013-2899) - The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allowed local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#853040, bnc#857643). (CVE-2013-7263) - Multiple stack-based buffer overflows in the magicmouse_raw_event function in drivers/hid/hid-magicmouse.c in the Magic Mouse HID driver in the Linux kernel through 3.16.3 allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with an event. (bnc#896382). (CVE-2014-3181) - The report_fixup functions in the HID subsystem in the Linux kernel before 3.16.2 allowed physically proximate attackers to cause a denial of service (out-of-bounds write) via a crafted device that provides a small report descriptor, related to (1) drivers/hid/hid-cherry.c, (2) drivers/hid/hid-kye.c, (3) drivers/hid/hid-lg.c, (4) drivers/hid/hid-monterey.c, (5) drivers/hid/hid-petalynx.c, and (6) drivers/hid/hid-sunplus.c. (bnc#896390). (CVE-2014-3184) - Multiple buffer overflows in the command_port_read_callback function in drivers/usb/serial/whiteheat.c in the Whiteheat USB Serial Driver in the Linux kernel before 3.16.2 allowed physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) via a crafted device that provides a large amount of (1) EHCI or (2) XHCI data associated with a bulk response. (bnc#896391). (CVE-2014-3185) - Buffer overflow in the picolcd_raw_event function in devices/hid/hid-picolcd_core.c in the PicoLCD HID device driver in the Linux kernel through 3.16.3, as used in Android on Nexus 7 devices, allowed physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted device that sends a large report. (bnc#896392). (CVE-2014-3186) - The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculated the number of pages during the handling of a mapping failure, which allowed guest OS users to (1) cause a denial of service (host OS memory corruption) or possibly have unspecified other impact by triggering a large gfn value or (2) cause a denial of service (host OS memory consumption) by triggering a small gfn value that leads to permanently pinned pages. (bnc#892782). (CVE-2014-3601) - The WRMSR processing functionality in the KVM subsystem in the Linux kernel through 3.17.2 did not properly handle the writing of a non-canonical address to a model-specific register, which allowed guest OS users to cause a denial of service (host OS crash) by leveraging guest OS privileges, related to the wrmsr_interception function in arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c. (bnc#899192). (CVE-2014-3610) - arch/x86/kvm/vmx.c in the KVM subsystem in the Linux kernel through 3.17.2 did not have an exit handler for the INVVPID instruction, which allowed guest OS users to cause a denial of service (guest OS crash) via a crafted application. (bnc#899192). (CVE-2014-3646) - arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 did not properly perform RIP changes, which allowed guest OS users to cause a denial of service (guest OS crash) via a crafted application. (bnc#899192). (CVE-2014-3647) - The SCTP implementation in the Linux kernel through 3.17.2 allowed remote attackers to cause a denial of service (system crash) via a malformed ASCONF chunk, related to net/sctp/sm_make_chunk.c and net/sctp/sm_statefuns.c. (bnc#902346, bnc#902349). (CVE-2014-3673) - arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allowed local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. (bnc#883724). (CVE-2014-4508) - * DISPUTED * Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allowed context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says: The Linux kernel is not affected; media hype. (bnc#883948). (CVE-2014-4608) - kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 did not properly handle private syscall numbers during use of the ftrace subsystem, which allowed local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application. (bnc#904013). (CVE-2014-7826) - An SCTP server doing ASCONF would panic on malformed INIT ping-of-death. (bnc#905100). (CVE-2014-7841) - The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 did not properly maintain a certain tail pointer, which allowed remote attackers to obtain sensitive cleartext information by reading packets. (bnc#904700). (CVE-2014-8709) - A local user with write access could have used this flaw to crash the kernel or elevate privileges (bnc#905522). The following non-security bugs have been fixed:. (CVE-2014-8884) - Build the KOTD against the SP3 Update project - HID: fix kabi breakage. - NFS: Provide stub nfs_fscache_wait_on_invalidate() for when CONFIG_NFS_FSCACHE=n. - NFS: fix inverted test for delegation in nfs4_reclaim_open_state. (bnc#903331) - NFS: remove incorrect Lock reclaim failed! warning. (bnc#903331) - NFSv4: nfs4_open_done first must check that GETATTR decoded a file type. (bnc#899574) - PCI: pciehp: Clear Data Link Layer State Changed during init. (bnc#898295) - PCI: pciehp: Enable link state change notifications. (bnc#898295) - PCI: pciehp: Handle push button event asynchronously. (bnc#898295) - PCI: pciehp: Make check_link_active() non-static. (bnc#898295) - PCI: pciehp: Use link change notifications for hot-plug and removal. (bnc#898295) - PCI: pciehp: Use per-slot workqueues to avoid deadlock. (bnc#898295) - PCI: pciehp: Use symbolic constants, not hard-coded bitmask. (bnc#898295) - PM / hibernate: Iterate over set bits instead of PFNs in swsusp_free(). (bnc#860441) - be2net: Fix invocation of be_close() after be_clear(). (bnc#895468) - block: Fix bogus partition statistics reports. (bnc#885077 / bnc#891211) - block: Fix computation of merged request priority. - btrfs: Fix wrong device size when we are resizing the device. - btrfs: Return right extent when fiemap gives unaligned offset and len. - btrfs: abtract out range locking in clone ioctl(). - btrfs: always choose work from prio_head first. - btrfs: balance delayed inode updates. - btrfs: cache extent states in defrag code path. - btrfs: check file extent type before anything else. (bnc#897694) - btrfs: clone, do not create invalid hole extent map. - btrfs: correctly determine if blocks are shared in btrfs_compare_trees. - btrfs: do not bug_on if we try to cow a free space cache inode. - btrfs: ensure btrfs_prev_leaf does not miss 1 item. - btrfs: ensure readers see new data after a clone operation. - btrfs: fill_holes: Fix slot number passed to hole_mergeable() call. - btrfs: filter invalid arg for btrfs resize. - btrfs: fix EINVAL checks in btrfs_clone. - btrfs: fix EIO on reading file after ioctl clone works on it. - btrfs: fix a crash of clone with inline extents split. - btrfs: fix crash of compressed writes. (bnc#898375) - btrfs: fix crash when starting transaction. - btrfs: fix deadlock with nested trans handles. - btrfs: fix hang on error (such as ENOSPC) when writing extent pages. - btrfs: fix leaf corruption after __btrfs_drop_extents. - btrfs: fix race between balance recovery and root deletion. - btrfs: fix wrong extent mapping for DirectIO. - btrfs: handle a missing extent for the first file extent. - btrfs: limit delalloc pages outside of find_delalloc_range. (bnc#898375) - btrfs: read lock extent buffer while walking backrefs. - btrfs: remove unused wait queue in struct extent_buffer. - btrfs: replace EINVAL with ERANGE for resize when ULLONG_MAX. - btrfs: replace error code from btrfs_drop_extents. - btrfs: unlock extent and pages on error in cow_file_range. - btrfs: unlock inodes in correct order in clone ioctl. - btrfs_ioctl_clone: Move clone code into its own function. - cifs: delay super block destruction until all cifsFileInfo objects are gone. (bnc#903653) - drm/i915: Flush the PTEs after updating them before suspend. (bnc#901638) - drm/i915: Undo gtt scratch pte unmapping again. (bnc#901638) - ext3: return 32/64-bit dir name hash according to usage type. (bnc#898554) - ext4: return 32/64-bit dir name hash according to usage type. (bnc#898554) - fix: use after free of xfs workqueues. (bnc#894895) - fs: add new FMODE flags: FMODE_32bithash and FMODE_64bithash. (bnc#898554) - futex: Ensure get_futex_key_refs() always implies a barrier (bnc#851603 (futex scalability series)). - futex: Fix a race condition between REQUEUE_PI and task death (bnc#851603 (futex scalability series)). - ipv6: add support of peer address. (bnc#896415) - ipv6: fix a refcnt leak with peer addr. (bnc#896415) - megaraid_sas: Disable fastpath writes for non-RAID0. (bnc#897502) - mm: change __remove_pages() to call release_mem_region_adjustable(). (bnc#891790) - netxen: Fix link event handling. (bnc#873228) - netxen: fix link notification order. (bnc#873228) - nfsd: rename int access to int may_flags in nfsd_open(). (bnc#898554) - nfsd: vfs_llseek() with 32 or 64 bit offsets (hashes). (bnc#898554) - ocfs2: fix NULL pointer dereference in ocfs2_duplicate_clusters_by_page. (bnc#899843) - powerpc: Add smp_mb() to arch_spin_is_locked() (bsc#893758). - powerpc: Add smp_mb()s to arch_spin_unlock_wait() (bsc#893758). - powerpc: Add support for the optimised lockref implementation (bsc#893758). - powerpc: Implement arch_spin_is_locked() using arch_spin_value_unlocked() (bsc#893758). - refresh patches.xen/xen-blkback-multi-page-ring (bnc#897708)). - remove filesize checks for sync I/O journal commit. (bnc#800255) - resource: add __adjust_resource() for internal use. (bnc#891790) - resource: add release_mem_region_adjustable(). (bnc#891790) - revert PM / Hibernate: Iterate over set bits instead of PFNs in swsusp_free(). (bnc#860441) - rpm/mkspec: Generate specfiles according to Factory requirements. - rpm/mkspec: Generate a per-architecture per-package _constraints file - sched: Fix unreleased llc_shared_mask bit during CPU hotplug. (bnc#891368) - scsi_dh_alua: disable ALUA handling for non-disk devices. (bnc#876633) - usb: Do not re-read descriptors for wired devices in usb_authorize_device(). (bnc#904358) - usbback: Do not access request fields in shared ring more than once. - usbhid: add another mouse that needs QUIRK_ALWAYS_POLL. (bnc#888607) - vfs,proc: guarantee unique inodes in /proc. (bnc#868049) - x86, cpu hotplug: Fix stack frame warning incheck_irq_vectors_for_cpu_disable(). (bnc#887418) - x86, ioremap: Speed up check for RAM pages (Boot time optimisations (bnc#895387)). - x86: Add check for number of available vectors before CPU down. (bnc#887418) - x86: optimize resource lookups for ioremap (Boot time optimisations (bnc#895387)). - x86: use optimized ioresource lookup in ioremap function (Boot time optimisations (bnc#895387)). - xfs: Do not free EFIs before the EFDs are committed (bsc#755743). - xfs: Do not reference the EFI after it is freed (bsc#755743). - xfs: fix cil push sequence after log recovery (bsc#755743). - zcrypt: support for extended number of ap domains (bnc#894058, LTC#117041). - zcrypt: toleration of new crypto adapter hardware (bnc#894058, LTC#117041). last seen 2020-06-05 modified 2014-12-26 plugin id 80250 published 2014-12-26 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80250 title SuSE 11.3 Security Update : Linux kernel (SAT Patch Number 10103) NASL family Fedora Local Security Checks NASL id FEDORA_2014-8487.NASL description Update to latest upstream stable release, Linux v3.14.13. Fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-07-26 plugin id 76851 published 2014-07-26 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76851 title Fedora 19 : kernel-3.14.13-100.fc19 (2014-8487) NASL family SuSE Local Security Checks NASL id SUSE_SU-2014-1138-1.NASL description The SUSE Linux Enterprise Server 11 SP1 LTSS received a roll up update to fix several security and non-security issues. The following security issues have been fixed : - CVE-2013-1860: Heap-based buffer overflow in the wdm_in_callback function in drivers/usb/class/cdc-wdm.c in the Linux kernel before 3.8.4 allows physically proximate attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a crafted cdc-wdm USB device. (bnc#806431) - CVE-2013-4162: The udp_v6_push_pending_frames function in net/ipv6/udp.c in the IPv6 implementation in the Linux kernel through 3.10.3 makes an incorrect function call for pending data, which allows local users to cause a denial of service (BUG and system crash) via a crafted application that uses the UDP_CORK option in a setsockopt system call. (bnc#831058) - CVE-2014-0203: The __do_follow_link function in fs/namei.c in the Linux kernel before 2.6.33 does not properly handle the last pathname component during use of certain filesystems, which allows local users to cause a denial of service (incorrect free operations and system crash) via an open system call. (bnc#883526) - CVE-2014-3144: The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced. (bnc#877257) - CVE-2014-3145: The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced. (bnc#877257) - CVE-2014-3917: kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. (bnc#880484) - CVE-2014-4508: arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. (bnc#883724) - CVE-2014-4652: Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (bnc#883795) - CVE-2014-4653: sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (bnc#883795) - CVE-2014-4654: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. (bnc#883795) - CVE-2014-4655: The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. (bnc#883795) - CVE-2014-4656: Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. (bnc#883795) - CVE-2014-4667: The sctp_association_free function in net/sctp/associola.c in the Linux kernel before 3.15.2 does not properly manage a certain backlog value, which allows remote attackers to cause a denial of service (socket outage) via a crafted SCTP packet. (bnc#885422) - CVE-2014-4699: The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. (bnc#885725) - CVE-2014-4943: The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. (bnc#887082) - CVE-2014-5077: The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction. (bnc#889173) - CVE-2013-7266: The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in the Linux kernel before 3.12.4 does not ensure that a certain length value is consistent with the size of an associated data structure, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#854722) - CVE-2013-7267: The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#854722) - CVE-2013-7268: The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#854722) - CVE-2013-7269: The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#854722) - CVE-2013-7270: The packet_recvmsg function in net/packet/af_packet.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#854722) - CVE-2013-7271: The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel before 3.12.4 updates a certain length value without ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#854722) The following bugs have been fixed : - mac80211: Fix AP powersave TX vs. wakeup race (bnc#871797). - tcp: Allow to disable cwnd moderation in TCP_CA_Loss state (bnc#879921). - tcp: Adapt selected parts of RFC 5682 and PRR logic (bnc#879921). - flock: Fix allocation and BKL (bnc#882809). - sunrpc: Close a rare race in xs_tcp_setup_socket (bnc#794824, bnc#884530). - isofs: Fix unbounded recursion when processing relocated directories (bnc#892490). - bonding: Fix a race condition on cleanup in bond_send_unsolicited_na() (bnc#856756). - block: Fix race between request completion and timeout handling (bnc#881051). - Fix kABI breakage due to addition of user_ctl_lock (bnc#883795). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-05-20 plugin id 83640 published 2015-05-20 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83640 title SUSE SLES11 Security Update : kernel (SUSE-SU-2014:1138-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2333-1.NASL description A bug was discovered in the handling of pathname components when used with an autofs direct mount. A local user could exploit this flaw to cause a denial of service (system crash) via an open system call. (CVE-2014-0203) Toralf Forster reported an error in the Linux kernels syscall auditing on 32 bit x86 platforms. A local user could exploit this flaw to cause a denial of service (OOPS and system crash). (CVE-2014-4508) An information leak was discovered in the control implemenation of the Advanced Linux Sound Architecture (ALSA) subsystem in the Linux kernel. A local user could exploit this flaw to obtain sensitive information from kernel memory. (CVE-2014-4652) A use-after-free flaw was discovered in the Advanced Linux Sound Architecture (ALSA) control implementation of the Linux kernel. A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-4653) A authorization bug was discovered with the snd_ctl_elem_add function of the Advanced Linux Sound Architecture (ALSA) in the Linux kernel. A local user could exploit his bug to cause a denial of service (remove kernel controls). (CVE-2014-4654) A flaw discovered in how the snd_ctl_elem function of the Advanced Linux Sound Architecture (ALSA) handled a reference count. A local user could exploit this flaw to cause a denial of service (integer overflow and limit bypass). (CVE-2014-4655) An integer overflow flaw was discovered in the control implementation of the Advanced Linux Sound Architecture (ALSA). A local user could exploit this flaw to cause a denial of service (system crash). (CVE-2014-4656) An integer underflow flaw was discovered in the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 77489 published 2014-09-03 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77489 title Ubuntu 10.04 LTS : linux-ec2 vulnerabilities (USN-2333-1) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2014-368.NASL description arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number 1000. Array index error in the aio_read_events_ring function in fs/aio.c in the Linux kernel through 3.15.1 allows local users to obtain sensitive information from kernel memory via a large head value. The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root. ** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says last seen 2020-06-01 modified 2020-06-02 plugin id 78311 published 2014-10-12 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78311 title Amazon Linux AMI : kernel (ALAS-2014-368) NASL family SuSE Local Security Checks NASL id SUSE_11_KERNEL-140709.NASL description The SUSE Linux Enterprise 11 Service Pack 3 kernel has been updated to fix various bugs and security issues. The following security bugs have been fixed : - The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interfaces own IP address, as demonstrated by rds-ping. (bnc#767610). (CVE-2012-2372) - The Linux kernel before 3.12.2 does not properly use the get_dumpable function, which allows local users to bypass intended ptrace restrictions or obtain sensitive information from IA64 scratch registers via a crafted application, related to kernel/ptrace.c and arch/ia64/include/asm/processor.h. (bnc#847652). (CVE-2013-2929) - Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel through 3.11.6 allows remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device. (bnc#846404). (CVE-2013-4299) - The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (bnc#851426). (CVE-2013-4579) - Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (bnc#852553). (CVE-2013-6382) - The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel before 3.12.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports. (bnc#869563). (CVE-2013-7339) - The get_rx_bufs function in drivers/vhost/net.c in the vhost-net subsystem in the Linux kernel package before 2.6.32-431.11.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle vhost_get_vq_desc errors, which allows guest OS users to cause a denial of service (host OS crash) via unspecified vectors. (bnc#870173). (CVE-2014-0055) - drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions. (bnc#870576). (CVE-2014-0077) - The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk. (bnc#866102). (CVE-2014-0101) - Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers to obtain sensitive information from kernel memory by leveraging the absence of a certain orphaning operation. (bnc#867723). (CVE-2014-0131) - The ioapic_deliver function in virt/kvm/ioapic.c in the Linux kernel through 3.14.1 does not properly validate the kvm_irq_delivery_to_apic return value, which allows guest OS users to cause a denial of service (host OS crash) via a crafted entry in the redirection table of an I/O APIC. NOTE: the affected code was moved to the ioapic_service function before the vulnerability was announced. (bnc#872540). (CVE-2014-0155) - The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869). (CVE-2014-1444) - The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870). (CVE-2014-1445) - The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872). (CVE-2014-1446) - The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context. (bnc#863335). (CVE-2014-1874) - The ip6_route_add function in net/ipv6/route.c in the Linux kernel through 3.13.6 does not properly count the addition of routes, which allows remote attackers to cause a denial of service (memory consumption) via a flood of ICMPv6 Router Advertisement packets. (bnc#867531). (CVE-2014-2309) - net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function. (bnc#868653). (CVE-2014-2523) - The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports. (bnc#871561). (CVE-2014-2678) - Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter. (bnc#873374). (CVE-2014-2851) - The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel before 3.14.3 does not properly consider which pages must be locked, which allows local users to cause a denial of service (system crash) by triggering a memory-usage pattern that requires removal of page-table mappings. (bnc#876102). (CVE-2014-3122) - The (1) BPF_S_ANC_NLATTR and (2) BPF_S_ANC_NLATTR_NEST extension implementations in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 do not check whether a certain length value is sufficiently large, which allows local users to cause a denial of service (integer underflow and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr and __skb_get_nlattr_nest functions before the vulnerability was announced. (bnc#877257). (CVE-2014-3144) - The BPF_S_ANC_NLATTR_NEST extension implementation in the sk_run_filter function in net/core/filter.c in the Linux kernel through 3.14.3 uses the reverse order in a certain subtraction, which allows local users to cause a denial of service (over-read and system crash) via crafted BPF instructions. NOTE: the affected code was moved to the __skb_get_nlattr_nest function before the vulnerability was announced. (bnc#877257). (CVE-2014-3145) - kernel/auditsc.c in the Linux kernel through 3.14.5, when CONFIG_AUDITSYSCALL is enabled with certain syscall rules, allows local users to obtain potentially sensitive single-bit values from kernel memory or cause a denial of service (OOPS) via a large value of a syscall number. (bnc#880484). (CVE-2014-3917) - arch/x86/kernel/entry_32.S in the Linux kernel through 3.15.1 on 32-bit x86 platforms, when syscall auditing is enabled and the sep CPU feature flag is set, allows local users to cause a denial of service (OOPS and system crash) via an invalid syscall number, as demonstrated by number. (CVE-2014-4508) -. (bnc#883724) - Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users to obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (bnc#883795). (CVE-2014-4652) - sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. (bnc#883795). (CVE-2014-4653) - The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not check authorization for SNDRV_CTL_IOCTL_ELEM_REPLACE commands, which allows local users to remove kernel controls and cause a denial of service (use-after-free and system crash) by leveraging /dev/snd/controlCX access for an ioctl call. (bnc#883795). (CVE-2014-4654) - The snd_ctl_elem_add function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not properly maintain the user_ctl_count value, which allows local users to cause a denial of service (integer overflow and limit bypass) by leveraging /dev/snd/controlCX access for a large number of SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl calls. (bnc#883795). (CVE-2014-4655) - Multiple integer overflows in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allow local users to cause a denial of service by leveraging /dev/snd/controlCX access, related to (1) index values in the snd_ctl_add function and (2) numid values in the snd_ctl_remove_numid_conflict function. (bnc#883795). (CVE-2014-4656) - The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls. (bnc#885725). (CVE-2014-4699) Also the following non-security bugs have been fixed : - kernel: avoid page table walk on user space access (bnc#878407, LTC#110316). - spinlock: fix system hang with spin_retry <= 0 (bnc#874145, LTC#110189). - x86/UV: Set n_lshift based on GAM_GR_CONFIG MMR for UV3. (bnc#876176) - x86: Enable multiple CPUs in crash kernel. (bnc#846690) - x86/mce: Fix CMCI preemption bugs. (bnc#786450) - x86, CMCI: Add proper detection of end of CMCI storms. (bnc#786450) - futex: revert back to the explicit waiter counting code. (bnc#851603) - futex: avoid race between requeue and wake. (bnc#851603) - intel-iommu: fix off-by-one in pagetable freeing. (bnc#874577) - ia64: Change default PSR.ac from last seen 2020-06-05 modified 2014-07-17 plugin id 76557 published 2014-07-17 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/76557 title SuSE 11.3 Security Update : Linux kernel (SAT Patch Numbers 9488 / 9491 / 9493)
References
- http://article.gmane.org/gmane.linux.kernel/1726110
- http://article.gmane.org/gmane.linux.kernel/1726110
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html
- http://openwall.com/lists/oss-security/2014/06/20/1
- http://openwall.com/lists/oss-security/2014/06/20/1
- http://secunia.com/advisories/58964
- http://secunia.com/advisories/58964
- http://secunia.com/advisories/60564
- http://secunia.com/advisories/60564
- http://www.openwall.com/lists/oss-security/2014/06/20/10
- http://www.openwall.com/lists/oss-security/2014/06/20/10
- http://www.openwall.com/lists/oss-security/2020/11/12/3
- http://www.openwall.com/lists/oss-security/2020/11/12/3
- http://www.securityfocus.com/bid/68126
- http://www.securityfocus.com/bid/68126
- http://www.ubuntu.com/usn/USN-2334-1
- http://www.ubuntu.com/usn/USN-2334-1
- https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.61
- https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.61