Vulnerabilities > CVE-2018-19985 - Out-of-bounds Read vulnerability in multiple products
Attack vector
PHYSICAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2019-4643.NASL description Description of changes: [4.14.35-1844.5.3.el7uek] - x86/mds: Add empty commit for CVE-2019-11091 (Konrad Rzeszutek Wilk) [Orabug: 29721848] {CVE-2019-11091} - x86/speculation/mds: Make mds_mitigation mutable after init (Konrad Rzeszutek Wilk) [Orabug: 29721835] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} [4.14.35-1844.5.2.el7uek] - xen: Fix x86 sched_clock() interface for xen (Juergen Gross) [Orabug: 29464437] - x86/xen/time: Output xen sched_clock time from 0 (Pavel Tatashin) [Orabug: 29464437] - repairing kmodstd to support cross compilation (Mark Nicholson) [Orabug: 29682406] - xfs: don last seen 2020-06-01 modified 2020-06-02 plugin id 125236 published 2019-05-17 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125236 title Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2019-4643) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Oracle Linux Security Advisory ELSA-2019-4643. # include("compat.inc"); if (description) { script_id(125236); script_version("1.5"); script_cvs_date("Date: 2020/01/15"); script_cve_id("CVE-2018-12126", "CVE-2018-12127", "CVE-2018-12130", "CVE-2018-19985", "CVE-2019-10124", "CVE-2019-11091"); script_name(english:"Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2019-4643) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Description of changes: [4.14.35-1844.5.3.el7uek] - x86/mds: Add empty commit for CVE-2019-11091 (Konrad Rzeszutek Wilk) [Orabug: 29721848] {CVE-2019-11091} - x86/speculation/mds: Make mds_mitigation mutable after init (Konrad Rzeszutek Wilk) [Orabug: 29721835] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} [4.14.35-1844.5.2.el7uek] - xen: Fix x86 sched_clock() interface for xen (Juergen Gross) [Orabug: 29464437] - x86/xen/time: Output xen sched_clock time from 0 (Pavel Tatashin) [Orabug: 29464437] - repairing kmodstd to support cross compilation (Mark Nicholson) [Orabug: 29682406] - xfs: don't overflow xattr listent buffer (Darrick J. Wong) [Orabug: 29697225] [4.14.35-1844.5.1.el7uek] - x86/speculation: Support 'mitigations=' cmdline option (Josh Poimboeuf) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - cpu/speculation: Add 'mitigations=' cmdline option (Josh Poimboeuf) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off (Konrad Rzeszutek Wilk) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Fix comment (Boris Ostrovsky) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Add debugfs for controlling MDS (Kanth Ghatraju) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Add boot option to enable MDS protection only while in idle (Boris Ostrovsky) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Add SMT warning message (Josh Poimboeuf) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation: Move arch_smt_update() call to after mitigation decisions (Josh Poimboeuf) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Add mds=full,nosmt cmdline option (Josh Poimboeuf) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - Documentation: Add MDS vulnerability documentation (Thomas Gleixner) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - Documentation: Move L1TF to separate directory (Thomas Gleixner) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Add mitigation mode VMWERV (Thomas Gleixner) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Add sysfs reporting for MDS (Thomas Gleixner) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Add mitigation control for MDS (Thomas Gleixner) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Conditionally clear CPU buffers on idle entry (Thomas Gleixner) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/kvm/vmx: Add MDS protection when L1D Flush is not active (Thomas Gleixner) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Clear CPU buffers on exit to user (Thomas Gleixner) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Add mds_clear_cpu_buffers() (Thomas Gleixner) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests (Andi Kleen) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Add BUG_MSBDS_ONLY (Thomas Gleixner) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation/mds: Add basic bug infrastructure for MDS (Andi Kleen) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation: Consolidate CPU whitelists (Thomas Gleixner) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/msr-index: Cleanup bit defines (Thomas Gleixner) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} file (Will Deacon) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/cpu: Sanitize FAM6_ATOM naming (Peter Zijlstra) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - Documentation/l1tf: Fix small spelling typo (Salvatore Bonaccorso) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - x86/speculation: Simplify the CPU bug detection logic (Dominik Brodowski) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} - tools include: Adopt linux/bits.h (Arnaldo Carvalho de Melo) [Orabug: 29526899] {CVE-2018-12126} {CVE-2018-12130} {CVE-2018-12127} [4.14.35-1844.5.0.el7uek] - swiotlb: save io_tlb_used to local variable before leaving critical section (Dongli Zhang) [Orabug: 29637519] - swiotlb: dump used and total slots when swiotlb buffer is full (Dongli Zhang) [Orabug: 29637519] - bonding: ratelimit no-delay interface up messages (Shamir Rabinovitch) [Orabug: 29016284] - xen/netfront: don't bug in case of too many frags (Juergen Gross) [Orabug: 29462653] - bnxt_en: Drop oversize TX packets to prevent errors. (Michael Chan) [Orabug: 29547792] - xen/netfront: tolerate frags with no data (Juergen Gross) [Orabug: 29632146] - net/mlx5: E-Switch, fix syndrome (0x678139) when turn on vepa (Huy Nguyen) [Orabug: 29455439] - net/mlx5: E-Switch, Fix access to invalid memory when toggling esw modes (Roi Dayan) [Orabug: 29455439] - net/mlx5: Avoid panic when setting vport mac, getting vport config (Tonghao Zhang) [Orabug: 29455439] - net/mlx5: Support ndo bridge_setlink and getlink (Huy Nguyen) [Orabug: 29455439] - net/mlx5: E-Switch, Add support for VEPA in legacy mode. (Huy Nguyen) [Orabug: 29455439] - net/mlx5: Split FDB fast path prio to multiple namespaces (Paul Blakey) [Orabug: 29455439] - net/mlx5: E-Switch, Remove unused argument when creating legacy FDB (Eli Cohen) [Orabug: 29455439] - net/mlx5: E-switch, Create a second level FDB flow table (Chris Mi) [Orabug: 29455439] - net/mlx5: Add cap bits for flow table destination in FDB table (Chris Mi) [Orabug: 29455439] - net/mlx5: E-Switch, Reorganize and rename fdb flow tables (Chris Mi) [Orabug: 29455439] - net/mlx5: Add destination e-switch owner (Shahar Klein) [Orabug: 29455439] - net/mlx5: Properly handle a vport destination when setting FTE (Shahar Klein) [Orabug: 29455439] - net/mlx5: E-Switch, Reload IB interface when switching devlink modes (Mark Bloch) [Orabug: 29455439] - net/mlx5: E-Switch, Optimize HW steering tables in switchdev mode (Mark Bloch) [Orabug: 29455439] - net/mlx5: E-Switch, Increase number of FTEs in FDB in switchdev mode (Mark Bloch) [Orabug: 29455439] - net/mlx5: Separate ingress/egress namespaces for each vport (Gal Pressman) [Orabug: 29455439] - net/mlx5: Fix ingress/egress naming mistake (Gal Pressman) [Orabug: 29455439] - net/mlx5: Initialize destination_flow struct to 0 (Rabie Loulou) [Orabug: 29455439] - USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (Hui Peng) [Orabug: 29613788] {CVE-2018-19985} {CVE-2018-19985} - mm: hwpoison: fix thp split handing in soft_offline_in_use_page() (zhongjiang) [Orabug: 29613794] {CVE-2019-10124} - x86/bugs, kvm: don't miss SSBD when IBRS is in use. (Mihai Carabas) [Orabug: 29642112]" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2019-May/008741.html" ); script_set_attribute( attribute:"solution", value:"Update the affected unbreakable enterprise kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11091"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:kernel-uek-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/21"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/17"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl", "linux_alt_patch_detect.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); include("ksplice.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); if (get_one_kb_item("Host/ksplice/kernel-cves")) { rm_kb_item(name:"Host/uptrack-uname-r"); cve_list = make_list("CVE-2018-12126", "CVE-2018-12127", "CVE-2018-12130", "CVE-2018-19985", "CVE-2019-10124", "CVE-2019-11091"); if (ksplice_cves_check(cve_list)) { audit(AUDIT_PATCH_INSTALLED, "KSplice hotfix for ELSA-2019-4643"); } else { __rpm_report = ksplice_reporting_text(); } } kernel_major_minor = get_kb_item("Host/uname/major_minor"); if (empty_or_null(kernel_major_minor)) exit(1, "Unable to determine kernel major-minor level."); expected_kernel_major_minor = "4.14"; if (kernel_major_minor != expected_kernel_major_minor) audit(AUDIT_OS_NOT, "running kernel level " + expected_kernel_major_minor + ", it is running kernel level " + kernel_major_minor); flag = 0; if (rpm_exists(release:"EL7", rpm:"kernel-uek-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-4.14.35-1844.5.3.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-4.14.35-1844.5.3.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-debug-devel-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-debug-devel-4.14.35-1844.5.3.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-devel-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-devel-4.14.35-1844.5.3.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-doc-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-doc-4.14.35-1844.5.3.el7uek")) flag++; if (rpm_exists(release:"EL7", rpm:"kernel-uek-tools-4.14.35") && rpm_check(release:"EL7", cpu:"x86_64", reference:"kernel-uek-tools-4.14.35-1844.5.3.el7uek")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "affected kernel"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-65.NASL description The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841). - CVE-2018-14625: An attacker might have bene able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients (bnc#1106615). - CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bsc#1120743). - CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946). - CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714). - CVE-2018-18397: The userfaultfd implementation mishandled access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c (bnc#1117656). - CVE-2018-12232: In net/socket.c there was a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat did not increment the file descriptor reference count, which allowed close to set the socket to NULL during fchownat last seen 2020-03-18 modified 2019-01-22 plugin id 121289 published 2019-01-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121289 title openSUSE Security Update : the Linux Kernel (openSUSE-2019-65) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2019-65. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(121289); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24"); script_cve_id("CVE-2013-2547", "CVE-2018-12232", "CVE-2018-14625", "CVE-2018-16862", "CVE-2018-16884", "CVE-2018-18397", "CVE-2018-19407", "CVE-2018-19824", "CVE-2018-19854", "CVE-2018-19985", "CVE-2018-20169", "CVE-2018-9568"); script_name(english:"openSUSE Security Update : the Linux Kernel (openSUSE-2019-65)"); script_summary(english:"Check for the openSUSE-2019-65 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : - CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841). - CVE-2018-14625: An attacker might have bene able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients (bnc#1106615). - CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bsc#1120743). - CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946). - CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714). - CVE-2018-18397: The userfaultfd implementation mishandled access control for certain UFFDIO_ ioctl calls, as demonstrated by allowing local users to write data into holes in a tmpfs file (if the user has read-only access to that file, and that file contains holes), related to fs/userfaultfd.c and mm/userfaultfd.c (bnc#1117656). - CVE-2018-12232: In net/socket.c there was a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat did not increment the file descriptor reference count, which allowed close to set the socket to NULL during fchownat's execution, leading to a NULL pointer dereference and system crash (bnc#1097593). - CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319). - CVE-2018-16862: A security flaw was found in the way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one (bnc#1117186). - CVE-2018-19854: An issue was discovered in the crypto_report_one() and related functions in crypto/crypto_user.c (the crypto user configuration API) do not fully initialize structures that are copied to userspace, potentially leaking sensitive memory to user programs. NOTE: this is a CVE-2013-2547 regression but with easier exploitability because the attacker did not need a capability (however, the system must have the CONFIG_CRYPTO_USER kconfig option) (bnc#1118428). - CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152). The following non-security bugs were fixed : - ACPI / CPPC: Check for valid PCC subspace only if PCC is used (bsc#1117115). - ACPI / CPPC: Update all pr_(debug/err) messages to log the susbspace id (bsc#1117115). - aio: fix spectre gadget in lookup_ioctx (bsc#1120594). - alsa: cs46xx: Potential NULL dereference in probe (bsc#1051510). - alsa: emu10k1: Fix potential Spectre v1 vulnerabilities (bsc#1051510). - alsa: emux: Fix potential Spectre v1 vulnerabilities (bsc#1051510). - alsa: fireface: fix for state to fetch PCM frames (bsc#1051510). - alsa: fireface: fix reference to wrong register for clock configuration (bsc#1051510). - alsa: firewire-lib: fix wrong assignment for 'out_packet_without_header' tracepoint (bsc#1051510). - alsa: firewire-lib: fix wrong handling payload_length as payload_quadlet (bsc#1051510). - alsa: firewire-lib: use the same print format for 'without_header' tracepoints (bsc#1051510). - alsa: hda: add mute LED support for HP EliteBook 840 G4 (bsc#1051510). - alsa: hda: Add support for AMD Stoney Ridge (bsc#1051510). - alsa: hda/ca0132 - make pci_iounmap() call conditional (bsc#1051510). - alsa: hda: fix front speakers on Huawei MBXP (bsc#1051510). - alsa: hda/realtek - Add support for Acer Aspire C24-860 headset mic (bsc#1051510). - alsa: hda/realtek - Add unplug function into unplug state of Headset Mode for ALC225 (bsc#1051510). - alsa: hda/realtek: ALC286 mic and headset-mode fixups for Acer Aspire U27-880 (bsc#1051510). - alsa: hda/realtek: ALC294 mic and headset-mode fixups for ASUS X542UN (bsc#1051510). - alsa: hda/realtek - Disable headset Mic VREF for headset mode of ALC225 (bsc#1051510). - alsa: hda/realtek: Enable audio jacks of ASUS UX391UA with ALC294 (bsc#1051510). - alsa: hda/realtek: Enable audio jacks of ASUS UX433FN/UX333FA with ALC294 (bsc#1051510). - alsa: hda/realtek: Enable audio jacks of ASUS UX533FD with ALC294 (bsc#1051510). - alsa: hda/realtek: Enable the headset mic auto detection for ASUS laptops (bsc#1051510). - alsa: hda/realtek - Fixed headphone issue for ALC700 (bsc#1051510). - alsa: hda/realtek: Fix mic issue on Acer AIO Veriton Z4660G (bsc#1051510). - alsa: hda/realtek: Fix mic issue on Acer AIO Veriton Z4860G/Z6860G (bsc#1051510). - alsa: hda/realtek - Fix speaker output regression on Thinkpad T570 (bsc#1051510). - alsa: hda/realtek - Fix the mute LED regresion on Lenovo X1 Carbon (bsc#1051510). - alsa: hda/realtek - Support Dell headset mode for New AIO platform (bsc#1051510). - alsa: hda/tegra: clear pending irq handlers (bsc#1051510). - alsa: pcm: Call snd_pcm_unlink() conditionally at closing (bsc#1051510). - alsa: pcm: Fix interval evaluation with openmin/max (bsc#1051510). - alsa: pcm: Fix potential Spectre v1 vulnerability (bsc#1051510). - alsa: pcm: Fix starvation on down_write_nonblock() (bsc#1051510). - alsa: rme9652: Fix potential Spectre v1 vulnerability (bsc#1051510). - alsa: trident: Suppress gcc string warning (bsc#1051510). - alsa: usb-audio: Add SMSL D1 to quirks for native DSD support (bsc#1051510). - alsa: usb-audio: Add support for Encore mDSD USB DAC (bsc#1051510). - alsa: usb-audio: Avoid access before bLength check in build_audio_procunit() (bsc#1051510). - alsa: usb-audio: Fix an out-of-bound read in create_composite_quirks (bsc#1051510). - alsa: x86: Fix runtime PM for hdmi-lpe-audio (bsc#1051510). - apparmor: do not try to replace stale label in ptrace access check (git-fixes). - apparmor: do not try to replace stale label in ptraceme check (git-fixes). - apparmor: Fix uninitialized value in aa_split_fqname (git-fixes). - arm64: Add work around for Arm Cortex-A55 Erratum 1024718 (bsc#1120612). - arm64: atomics: Remove '&' from '+&' asm constraint in lse atomics (bsc#1120613). - arm64: cpu_errata: include required headers (bsc#1120615). - arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing (bsc#1120633). - arm64: Fix /proc/iomem for reserved but not memory regions (bsc#1120632). - arm64: lse: Add early clobbers to some input/output asm operands (bsc#1120614). - arm64: lse: remove -fcall-used-x0 flag (bsc#1120618). - arm64: mm: always enable CONFIG_HOLES_IN_ZONE (bsc#1120617). - arm64/numa: Report correct memblock range for the dummy node (bsc#1120620). - arm64/numa: Unify common error path in numa_init() (bsc#1120621). - arm64: remove no-op -p linker flag (bsc#1120616). - ASoC: dapm: Recalculate audio map forcely when card instantiated (bsc#1051510). - ASoC: intel: cht_bsw_max98090_ti: Add pmc_plt_clk_0 quirk for Chromebook Clapper (bsc#1051510). - ASoC: intel: cht_bsw_max98090_ti: Add pmc_plt_clk_0 quirk for Chromebook Gnawty (bsc#1051510). - ASoC: intel: mrfld: fix uninitialized variable access (bsc#1051510). - ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred probing (bsc#1051510). - ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE (bsc#1051510). - ASoC: omap-mcbsp: Fix latency value calculation for pm_qos (bsc#1051510). - ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE (bsc#1051510). - ASoC: rsnd: fixup clock start checker (bsc#1051510). - ASoC: wm_adsp: Fix dma-unsafe read of scratch registers (bsc#1051510). - ath10k: do not assume this is a PCI dev in generic code (bsc#1051510). - ath6kl: Only use match sets when firmware supports it (bsc#1051510). - b43: Fix error in cordic routine (bsc#1051510). - bcache: fix miss key refill->end in writeback (Git-fixes). - bcache: trace missed reading by cache_missed (Git-fixes). - blk-mq: remove synchronize_rcu() from blk_mq_del_queue_tag_set() (Git-fixes). - block: allow max_discard_segments to be stacked (Git-fixes). - block: blk_init_allocated_queue() set q->fq as NULL in the fail case (Git-fixes). - block: really disable runtime-pm for blk-mq (Git-fixes). - block: reset bi_iter.bi_done after splitting bio (Git-fixes). - block/swim: Fix array bounds check (Git-fixes). - bnxt_en: do not try to offload VLAN 'modify' action (bsc#1050242 ). - bnxt_en: Fix enables field in HWRM_QUEUE_COS2BW_CFG request (bsc#1086282). - bnxt_en: Fix VNIC reservations on the PF (bsc#1086282 ). - bnxt_en: get the reduced max_irqs by the ones used by RDMA (bsc#1050242). - bpf: fix check of allowed specifiers in bpf_trace_printk (bsc#1083647). - bpf: use per htab salt for bucket hash (git-fixes). - btrfs: Always try all copies when reading extent buffers (git-fixes). - btrfs: delete dead code in btrfs_orphan_add() (bsc#1111469). - btrfs: delete dead code in btrfs_orphan_commit_root() (bsc#1111469). - btrfs: do not BUG_ON() in btrfs_truncate_inode_items() (bsc#1111469). - btrfs: do not check inode's runtime flags under root->orphan_lock (bsc#1111469). - btrfs: do not return ino to ino cache if inode item removal fails (bsc#1111469). - btrfs: fix ENOSPC caused by orphan items reservations (bsc#1111469). - btrfs: Fix error handling in btrfs_cleanup_ordered_extents (git-fixes). - btrfs: fix error handling in btrfs_truncate() (bsc#1111469). - btrfs: fix error handling in btrfs_truncate_inode_items() (bsc#1111469). - btrfs: fix fsync of files with multiple hard links in new directories (1120173). - btrfs: Fix memory barriers usage with device stats counters (git-fixes). - btrfs: fix use-after-free on root->orphan_block_rsv (bsc#1111469). - btrfs: get rid of BTRFS_INODE_HAS_ORPHAN_ITEM (bsc#1111469). - btrfs: get rid of unused orphan infrastructure (bsc#1111469). - btrfs: move btrfs_truncate_block out of trans handle (bsc#1111469). - btrfs: qgroup: Dirty all qgroups before rescan (bsc#1120036). - btrfs: refactor btrfs_evict_inode() reserve refill dance (bsc#1111469). - btrfs: renumber BTRFS_INODE_ runtime flags and switch to enums (bsc#1111469). - btrfs: reserve space for O_TMPFILE orphan item deletion (bsc#1111469). - btrfs: run delayed items before dropping the snapshot (bsc#1121263, bsc#1111188). - btrfs: stop creating orphan items for truncate (bsc#1111469). - btrfs: tree-checker: Do not check max block group size as current max chunk size limit is unreliable (fixes for bsc#1102882, bsc#1102896, bsc#1102879, bsc#1102877, bsc#1102875). - btrfs: update stale comments referencing vmtruncate() (bsc#1111469). - can: flexcan: flexcan_irq(): fix indention (bsc#1051510). - cdrom: do not attempt to fiddle with cdo->capability (bsc#1051510). - ceph: do not update importing cap's mseq when handing cap export (bsc#1121273). - char_dev: extend dynamic allocation of majors into a higher range (bsc#1121058). - char_dev: Fix off-by-one bugs in find_dynamic_major() (bsc#1121058). - clk: mmp: Off by one in mmp_clk_add() (bsc#1051510). - clk: mvebu: Off by one bugs in cp110_of_clk_get() (bsc#1051510). - compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations (git-fixes). - config: arm64: enable erratum 1024718 - cpufeature: avoid warning when compiling with clang (Git-fixes). - cpufreq / CPPC: Add cpuinfo_cur_freq support for CPPC (bsc#1117115). - cpufreq: CPPC: fix build in absence of v3 support (bsc#1117115). - cpupower: remove stringop-truncation waring (git-fixes). - crypto: bcm - fix normal/non key hash algorithm failure (bsc#1051510). - crypto: ccp - Add DOWNLOAD_FIRMWARE SEV command (). - crypto: ccp - Add GET_ID SEV command (). - crypto: ccp - Add psp enabled message when initialization succeeds (). - crypto: ccp - Add support for new CCP/PSP device ID (). - crypto: ccp - Allow SEV firmware to be chosen based on Family and Model (). - crypto: ccp - Fix static checker warning (). - crypto: ccp - Remove unused #defines (). - crypto: ccp - Support register differences between PSP devices (). - dasd: fix deadlock in dasd_times_out (bsc#1121477, LTC#174111). - dax: Check page->mapping isn't NULL (bsc#1120054). - dax: Do not access a freed inode (bsc#1120055). - device property: Define type of PROPERTY_ENRTY_*() macros (bsc#1051510). - device property: fix fwnode_graph_get_next_endpoint() documentation (bsc#1051510). - disable stringop truncation warnings for now (git-fixes). - dm: allocate struct mapped_device with kvzalloc (Git-fixes). - dm cache: destroy migration_cache if cache target registration failed (Git-fixes). - dm cache: fix resize crash if user does not reload cache table (Git-fixes). - dm cache metadata: ignore hints array being too small during resize (Git-fixes). - dm cache metadata: save in-core policy_hint_size to on-disk superblock (Git-fixes). - dm cache metadata: set dirty on all cache blocks after a crash (Git-fixes). - dm cache: only allow a single io_mode cache feature to be requested (Git-fixes). - dm crypt: do not decrease device limits (Git-fixes). - dm: fix report zone remapping to account for partition offset (Git-fixes). - dm integrity: change 'suspending' variable from bool to int (Git-fixes). - dm ioctl: harden copy_params()'s copy_from_user() from malicious users (Git-fixes). - dm linear: eliminate linear_end_io call if CONFIG_DM_ZONED disabled (Git-fixes). - dm linear: fix linear_end_io conditional definition (Git-fixes). - dm thin: handle running out of data space vs concurrent discard (Git-fixes). - dm thin metadata: remove needless work from __commit_transaction (Git-fixes). - dm thin: stop no_space_timeout worker when switching to write-mode (Git-fixes). - dm writecache: fix a crash due to reading past end of dirty_bitmap (Git-fixes). - dm writecache: report start_sector in status line (Git-fixes). - dm zoned: fix metadata block ref counting (Git-fixes). - dm zoned: fix various dmz_get_mblock() issues (Git-fixes). - doc/README.SUSE: correct GIT url No more gitorious, github we use. - drivers/net/usb: add device id for TP-LINK UE300 USB 3.0 Ethernet (bsc#1119749). - drivers/net/usb/r8152: remove the unneeded variable 'ret' in rtl8152_system_suspend (bsc#1119749). - drm/amdgpu/gmc8: update MC firmware for polaris (bsc#1113722) - drm/amdgpu: update mc firmware image for polaris12 variants (bsc#1113722) - drm/amdgpu: update SMC firmware image for polaris10 variants (bsc#1113722) - drm/i915/execlists: Apply a full mb before execution for Braswell (bsc#1113722) - drm/ioctl: Fix Spectre v1 vulnerabilities (bsc#1113722) - drm/nouveau/kms: Fix memory leak in nv50_mstm_del() (bsc#1113722) - drm: rcar-du: Fix external clock error checks (bsc#1113722) - drm: rcar-du: Fix vblank initialization (bsc#1113722) - drm/rockchip: psr: do not dereference encoder before it is null (bsc#1113722) - drm: set is_master to 0 upon drm_new_set_master() failure (bsc#1113722) - drm/vc4: Set ->is_yuv to false when num_planes == 1 (bsc#1113722) - drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE (bsc#1113722) - dt-bindings: add compatible string for Allwinner V3s SoC (git-fixes). - dt-bindings: arm: Document SoC compatible value for Armadillo-800 EVA (git-fixes). - dt-bindings: clock: add rk3399 DDR3 standard speed bins (git-fixes). - dt-bindings: clock: mediatek: add binding for fixed-factor clock axisel_d4 (git-fixes). - dt-bindings: mfd: axp20x: Add AXP806 to supported list of chips (git-fixes). - dt-bindings: net: Remove duplicate NSP Ethernet MAC binding document (git-fixes). - dt-bindings: panel: lvds: Fix path to display timing bindings (git-fixes). - dt-bindings: phy: sun4i-usb-phy: Add property descriptions for H3 (git-fixes). - dt-bindings: pwm: renesas: tpu: Fix 'compatible' prop description (git-fixes). - dt-bindings: rcar-dmac: Document missing error interrupt (git-fixes). - edac, (i7core,sb,skx)_edac: Fix uncorrected error counting (bsc#1114279). - edac, skx_edac: Fix logical channel intermediate decoding (bsc#1114279). - efi: Move some sysfs files to be read-only by root (bsc#1051510). - ethernet: fman: fix wrong of_node_put() in probe function (bsc#1119017). - exportfs: fix 'passing zero to ERR_PTR()' warning (bsc#1118773). - ext2: fix potential use after free (bsc#1118775). - ext4: avoid possible double brelse() in add_new_gdb() on error path (bsc#1118760). - ext4: fix EXT4_IOC_GROUP_ADD ioctl (bsc#1120604). - ext4: fix possible use after free in ext4_quota_enable (bsc#1120602). - ext4: missing unlock/put_page() in ext4_try_to_write_inline_data() (bsc#1120603). - extable: Consolidate *kernel_text_address() functions (bsc#1120092). - extable: Enable RCU if it is not watching in kernel_text_address() (bsc#1120092). - fbdev: fbcon: Fix unregister crash when more than one framebuffer (bsc#1113722) - fbdev: fbmem: behave better with small rotated displays and many CPUs (bsc#1113722) - firmware: add firmware_request_nowarn() - load firmware without warnings (). - Fix the breakage of KMP build on x86_64 (bsc#1121017) - fscache: Fix race in fscache_op_complete() due to split atomic_sub & read (Git-fixes). - fscache: Pass the correct cancelled indications to fscache_op_complete() (Git-fixes). - fs: fix lost error code in dio_complete (bsc#1118762). - fs/xfs: Use %pS printk format for direct addresses (git-fixes). - fuse: fix blocked_waitq wakeup (git-fixes). - fuse: fix leaked notify reply (git-fixes). - fuse: fix possibly missed wake-up after abort (git-fixes). - fuse: Fix use-after-free in fuse_dev_do_read() (git-fixes). - fuse: Fix use-after-free in fuse_dev_do_write() (git-fixes). - fuse: fix use-after-free in fuse_direct_IO() (git-fixes). - fuse: set FR_SENT while locked (git-fixes). - gcc-plugins: Add include required by GCC release 8 (git-fixes). - gcc-plugins: Use dynamic initializers (git-fixes). - gfs2: Do not leave s_fs_info pointing to freed memory in init_sbd (bsc#1118769). - gfs2: Fix loop in gfs2_rbm_find (bsc#1120601). - gfs2: Get rid of potential double-freeing in gfs2_create_inode (bsc#1120600). - gfs2_meta: ->mount() can get NULL dev_name (bsc#1118768). - gfs2: Put bitmap buffers in put_super (bsc#1118772). - git_sort.py: Remove non-existent remote tj/libata - gpio: davinci: Remove unused member of davinci_gpio_controller (git-fixes). - gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers (bsc#1051510). - gpiolib: Fix return value of gpio_to_desc() stub if !GPIOLIB (bsc#1051510). - gpio: max7301: fix driver for use with CONFIG_VMAP_STACK (bsc#1051510). - gpio: mvebu: only fail on missing clk if pwm is actually to be used (bsc#1051510). - HID: Add quirk for Primax PIXART OEM mice (bsc#1119410). - HID: input: Ignore battery reported by Symbol DS4308 (bsc#1051510). - HID: multitouch: Add pointstick support for Cirque Touchpad (bsc#1051510). - hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined (bnc#1116336). - i2c: axxia: properly handle master timeout (bsc#1051510). - i2c: scmi: Fix probe error on devices with an empty SMB0001 ACPI device node (bsc#1051510). - ib/hfi1: Add mtu check for operational data VLs (bsc#1060463 ). - ibmvnic: Convert reset work item mutex to spin lock (). - ibmvnic: Fix non-atomic memory allocation in IRQ context (). - ib/rxe: support for 802.1q VLAN on the listener (bsc#1082387). - ieee802154: 6lowpan: set IFLA_LINK (bsc#1051510). - ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem (bsc#1051510). - ieee802154: at86rf230: use __func__ macro for debug messages (bsc#1051510). - ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem (bsc#1051510). - Include modules.fips in kernel-binary as well as kernel-binary-base (). - initramfs: fix initramfs rebuilds w/ compression after disabling (git-fixes). - input: add official Raspberry Pi's touchscreen driver (). - input: cros_ec_keyb - fix button/switch capability reports (bsc#1051510). - input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR (bsc#1051510). - input: elan_i2c - add ELAN0620 to the ACPI table (bsc#1051510). - input: elan_i2c - add support for ELAN0621 touchpad (bsc#1051510). - input: hyper-v - fix wakeup from suspend-to-idle (bsc#1051510). - input: matrix_keypad - check for errors from of_get_named_gpio() (bsc#1051510). - input: nomadik-ske-keypad - fix a loop timeout test (bsc#1051510). - input: omap-keypad - fix keyboard debounce configuration (bsc#1051510). - input: synaptics - add PNP ID for ThinkPad P50 to SMBus (bsc#1051510). - input: synaptics - enable SMBus for HP 15-ay000 (bsc#1051510). - input: xpad - quirk all PDP Xbox One gamepads (bsc#1051510). - integrity/security: fix digsig.c build error with header file (bsc#1051510). - intel_th: msu: Fix an off-by-one in attribute store (bsc#1051510). - iommu/amd: Fix amd_iommu=force_isolation (bsc#1106105). - iommu/vt-d: Handle domain agaw being less than iommu agaw (bsc#1106105). - iwlwifi: add new cards for 9560, 9462, 9461 and killer series (bsc#1051510). - iwlwifi: fix LED command capability bit (bsc#1119086). - iwlwifi: nvm: get num of hw addresses from firmware (bsc#1119086). - iwlwifi: pcie: do not reset TXQ write pointer (bsc#1051510). - jffs2: free jffs2_sb_info through jffs2_kill_sb() (bsc#1118767). - jump_label: Split out code under the hotplug lock (bsc#1106913). - kabi: hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined (bnc#1116336). - kabi protect hnae_ae_ops (bsc#1104353). - kbuild: allow to use GCC toolchain not in Clang search path (git-fixes). - kbuild: fix linker feature test macros when cross compiling with Clang (git-fixes). - kbuild: make missing $DEPMOD a Warning instead of an Error (git-fixes). - kbuild: rpm-pkg: keep spec file until make mrproper (git-fixes). - kbuild: suppress packed-not-aligned warning for default setting only (git-fixes). - kbuild: verify that $DEPMOD is installed (git-fixes). - kernfs: Replace strncpy with memcpy (bsc#1120053). - keys: Fix the use of the C++ keyword 'private' in uapi/linux/keyctl.h (Git-fixes). - kobject: Replace strncpy with memcpy (git-fixes). - kprobes: Make list and blacklist root user read only (git-fixes). - kvm: PPC: Book3S PR: Enable use on POWER9 inside HPT-mode guests (bsc#1118484). - kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb (bsc#1114279). - libata: whitelist all SAMSUNG MZ7KM* solid-state disks (bsc#1051510). - libceph: fall back to sendmsg for slab pages (bsc#1118316). - libnvdimm, pfn: Pad pfn namespaces relative to other regions (bsc#1118962). - lib/raid6: Fix arm64 test build (bsc#1051510). - lib/ubsan.c: do not mark __ubsan_handle_builtin_unreachable as noreturn (bsc#1051510). - Limit max FW API version for QCA9377 (bsc#1121714, bsc#1121715). - linux/bitmap.h: fix type of nbits in bitmap_shift_right() (bsc#1051510). - locking/barriers: Convert users of lockless_dereference() to READ_ONCE() (Git-fixes). - locking/static_keys: Improve uninitialized key warning (bsc#1106913). - mac80211: Clear beacon_int in ieee80211_do_stop (bsc#1051510). - mac80211: fix reordering of buffered broadcast packets (bsc#1051510). - mac80211_hwsim: fix module init error paths for netlink (bsc#1051510). - mac80211_hwsim: Timer should be initialized before device registered (bsc#1051510). - mac80211: ignore NullFunc frames in the duplicate detection (bsc#1051510). - mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext (bsc#1051510). - Mark HI and TASKLET softirq synchronous (git-fixes). - media: em28xx: Fix use-after-free when disconnecting (bsc#1051510). - media: em28xx: make v4l2-compliance happier by starting sequence on zero (bsc#1051510). - media: omap3isp: Unregister media device as first (bsc#1051510). - mmc: bcm2835: reset host on timeout (bsc#1051510). - mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support (bsc#1051510). - mmc: core: Reset HPI enabled state during re-init and in case of errors (bsc#1051510). - mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl (bsc#1051510). - mmc: dw_mmc-bluefield: Add driver extension (bsc#1118752). - mmc: dw_mmc-k3: add sd support for hi3660 (bsc#1118752). - MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 (bsc#1051510). - mmc: omap_hsmmc: fix DMA API warning (bsc#1051510). - mmc: sdhci: fix the timeout check window for clock and reset (bsc#1051510). - mm: do not miss the last page because of round-off error (bnc#1118798). - mm: do not warn about large allocations for slab (git fixes (slab)). - mm/huge_memory.c: reorder operations in __split_huge_page_tail() (VM Functionality bsc#1119962). - mm: hugetlb: yield when prepping struct pages (git fixes (memory initialisation)). - mm: lower the printk loglevel for __dump_page messages (generic hotplug debugability). - mm, memory_hotplug: be more verbose for memory offline failures (generic hotplug debugability). - mm, memory_hotplug: drop pointless block alignment checks from __offline_pages (generic hotplug debugability). - mm, memory_hotplug: print reason for the offlining failure (generic hotplug debugability). - mm: migration: fix migration of huge PMD shared pages (bnc#1086423). - mm: only report isolation failures when offlining memory (generic hotplug debugability). - mm: print more information about mapping in __dump_page (generic hotplug debugability). - mm: put_and_wait_on_page_locked() while page is migrated (bnc#1109272). - mm: sections are not offlined during memory hotremove (bnc#1119968). - mm: shmem.c: Correctly annotate new inodes for lockdep (Git fixes: shmem). - mm/vmstat.c: fix NUMA statistics updates (git fixes). - Move dell_rbu fix to sorted section (bsc#1087978). - mtd: cfi: convert inline functions to macros (git-fixes). - mtd: Fix comparison in map_word_andequal() (git-fixes). - namei: allow restricted O_CREAT of FIFOs and regular files (bsc#1118766). - nbd: do not allow invalid blocksize settings (Git-fixes). - net: bgmac: Fix endian access in bgmac_dma_tx_ring_free() (bsc#1051510). - net: dsa: mv88e6xxx: Fix binding documentation for MDIO busses (git-fixes). - net: dsa: qca8k: Add QCA8334 binding documentation (git-fixes). - net: ena: fix crash during ena_remove() (bsc#1111696 bsc#1117561). - net: ena: update driver version from 2.0.1 to 2.0.2 (bsc#1111696 bsc#1117561). - net: hns3: Add nic state check before calling netif_tx_wake_queue (bsc#1104353). - net: hns3: Add support for hns3_nic_netdev_ops.ndo_do_ioctl (bsc#1104353). - net: hns3: bugfix for buffer not free problem during resetting (bsc#1104353). - net: hns3: bugfix for handling mailbox while the command queue reinitialized (bsc#1104353). - net: hns3: bugfix for hclge_mdio_write and hclge_mdio_read (bsc#1104353). - net: hns3: bugfix for is_valid_csq_clean_head() (bsc#1104353 ). - net: hns3: bugfix for reporting unknown vector0 interrupt repeatly problem (bsc#1104353). - net: hns3: bugfix for rtnl_lock's range in the hclgevf_reset() (bsc#1104353). - net: hns3: bugfix for the initialization of command queue's spin lock (bsc#1104353). - net: hns3: Check hdev state when getting link status (bsc#1104353). - net: hns3: Clear client pointer when initialize client failed or unintialize finished (bsc#1104353). - net: hns3: Fix cmdq registers initialization issue for vf (bsc#1104353). - net: hns3: Fix error of checking used vlan id (bsc#1104353 ). - net: hns3: Fix ets validate issue (bsc#1104353). - net: hns3: Fix for netdev not up problem when setting mtu (bsc#1104353). - net: hns3: Fix for out-of-bounds access when setting pfc back pressure (bsc#1104353). - net: hns3: Fix for packet buffer setting bug (bsc#1104353 ). - net: hns3: Fix for rx vlan id handle to support Rev 0x21 hardware (bsc#1104353). - net: hns3: Fix for setting speed for phy failed problem (bsc#1104353). - net: hns3: Fix for vf vlan delete failed problem (bsc#1104353 ). - net: hns3: Fix loss of coal configuration while doing reset (bsc#1104353). - net: hns3: Fix parameter type for q_id in hclge_tm_q_to_qs_map_cfg() (bsc#1104353). - net: hns3: Fix ping exited problem when doing lp selftest (bsc#1104353). - net: hns3: Preserve vlan 0 in hardware table (bsc#1104353 ). - net: hns3: remove unnecessary queue reset in the hns3_uninit_all_ring() (bsc#1104353). - net: hns3: Set STATE_DOWN bit of hdev state when stopping net (bsc#1104353). - net/mlx4_core: Correctly set PFC param if global pause is turned off (bsc#1046299). - net: usb: r8152: constify usb_device_id (bsc#1119749). - net: usb: r8152: use irqsave() in USB's complete callback (bsc#1119749). - nospec: Allow index argument to have const-qualified type (git-fixes) - nospec: Kill array_index_nospec_mask_check() (git-fixes). - nvme-fc: resolve io failures during connect (bsc#1116803). - nvme-multipath: zero out ANA log buffer (bsc#1105168). - nvme: validate controller state before rescheduling keep alive (bsc#1103257). - objtool: Detect RIP-relative switch table references (bsc#1058115). - objtool: Detect RIP-relative switch table references, part 2 (bsc#1058115). - objtool: Fix another switch table detection issue (bsc#1058115). - objtool: Fix double-free in .cold detection error path (bsc#1058115). - objtool: Fix GCC 8 cold subfunction detection for aliased functions (bsc#1058115). - objtool: Fix 'noreturn' detection for recursive sibling calls (bsc#1058115). - objtool: Fix segfault in .cold detection with -ffunction-sections (bsc#1058115). - objtool: Support GCC 8's cold subfunctions (bsc#1058115). - objtool: Support GCC 8 switch tables (bsc#1058115). - panic: avoid deadlocks in re-entrant console drivers (bsc#1088386). - PCI: Add ACS quirk for Ampere root ports (bsc#1120058). - PCI: Add ACS quirk for APM X-Gene devices (bsc#1120058). - PCI: Convert device-specific ACS quirks from NULL termination to ARRAY_SIZE (bsc#1120058). - PCI: Delay after FLR of Intel DC P3700 NVMe (bsc#1120058). - PCI: Disable Samsung SM961/PM961 NVMe before FLR (bsc#1120058). - PCI: Export pcie_has_flr() (bsc#1120058). - PCI: iproc: Activate PAXC bridge quirk for more devices (bsc#1120058). - PCI: Mark Ceton InfiniTV4 INTx masking as broken (bsc#1120058). - PCI: Mark fall-through switch cases before enabling -Wimplicit-fallthrough (bsc#1120058). - PCI: Mark Intel XXV710 NIC INTx masking as broken (bsc#1120058). - perf tools: Fix tracing_path_mount proper path (git-fixes). - platform-msi: Free descriptors in platform_msi_domain_free() (bsc#1051510). - powerpc/64s: consolidate MCE counter increment (bsc#1094244). - powerpc/64s/radix: Fix process table entry cache invalidation (bsc#1055186, git-fixes). - powerpc/boot: Expose Kconfig symbols to wrapper (bsc#1065729). - powerpc/boot: Fix build failures with -j 1 (bsc#1065729). - powerpc/pkeys: Fix handling of pkey state across fork() (bsc#1078248, git-fixes). - powerpc/powernv: Fix save/restore of SPRG3 on entry/exit from stop (idle) (bsc#1055121). - powerpc/pseries: Track LMB nid instead of using device tree (bsc#1108270). - powerpc/traps: restore recoverability of machine_check interrupts (bsc#1094244). - power: supply: olpc_battery: correct the temperature units (bsc#1051510). - ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS (bsc#1106913). - qed: Add driver support for 20G link speed (bsc#1110558). - qed: Add support for virtual link (bsc#1111795). - qede: Add driver support for 20G link speed (bsc#1110558). - r8152: add byte_enable for ocp_read_word function (bsc#1119749). - r8152: add Linksys USB3GIGV1 id (bsc#1119749). - r8152: add r8153_phy_status function (bsc#1119749). - r8152: adjust lpm settings for RTL8153 (bsc#1119749). - r8152: adjust rtl8153_runtime_enable function (bsc#1119749). - r8152: adjust the settings about MAC clock speed down for RTL8153 (bsc#1119749). - r8152: adjust U2P3 for RTL8153 (bsc#1119749). - r8152: avoid rx queue more than 1000 packets (bsc#1119749). - r8152: check if disabling ALDPS is finished (bsc#1119749). - r8152: correct the definition (bsc#1119749). - r8152: disable RX aggregation on Dell TB16 dock (bsc#1119749). - r8152: disable RX aggregation on new Dell TB16 dock (bsc#1119749). - r8152: fix wrong checksum status for received IPv4 packets (bsc#1119749). - r8152: move calling delay_autosuspend function (bsc#1119749). - r8152: move the default coalesce setting for RTL8153 (bsc#1119749). - r8152: move the initialization to reset_resume function (bsc#1119749). - r8152: move the setting of rx aggregation (bsc#1119749). - r8152: replace napi_complete with napi_complete_done (bsc#1119749). - r8152: set rx mode early when linking on (bsc#1119749). - r8152: split rtl8152_resume function (bsc#1119749). - r8152: support new chip 8050 (bsc#1119749). - r8152: support RTL8153B (bsc#1119749). - rbd: whitelist RBD_FEATURE_OPERATIONS feature bit (Git-fixes). - rcu: Allow for page faults in NMI handlers (bsc#1120092). - rdma/bnxt_re: Add missing spin lock initialization (bsc#1050244 ). - rdma/bnxt_re: Avoid accessing the device structure after it is freed (bsc#1050244). - rdma/bnxt_re: Avoid NULL check after accessing the pointer (bsc#1086283). - rdma/bnxt_re: Fix system hang when registration with L2 driver fails (bsc#1086283). - rdma/hns: Bugfix pbl configuration for rereg mr (bsc#1104427 ). - rdma_rxe: make rxe work over 802.1q VLAN devices (bsc#1082387). - reset: remove remaining WARN_ON() in <linux/reset.h> (Git-fixes). - Revert commit ef9209b642f 'staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c' (bsc#1051510). - Revert 'iommu/io-pgtable-arm: Check for v7s-incapable systems' (bsc#1106105). - Revert 'PCI/ASPM: Do not initialize link state when aspm_disabled is set' (bsc#1051510). - Revert 'scsi: lpfc: ls_rjt erroneus FLOGIs' (bsc#1119322). - ring-buffer: Allow for rescheduling when removing pages (bsc#1120238). - ring-buffer: Do no reuse reader page if still in use (bsc#1120096). - ring-buffer: Mask out the info bits when returning buffer page length (bsc#1120094). - rtc: hctosys: Add missing range error reporting (bsc#1051510). - rtc: m41t80: Correct alarm month range with RTC reads (bsc#1051510). - rtc: pcf2127: fix a kmemleak caused in pcf2127_i2c_gather_write (bsc#1051510). - rtc: snvs: Add timeouts to avoid kernel lockups (bsc#1051510). - rtl8xxxu: Fix missing break in switch (bsc#1051510). - s390/dasd: simplify locking in dasd_times_out (bsc#1104967,). - s390/kdump: Fix elfcorehdr size calculation (bsc#1117953, LTC#171112). - s390/kdump: Make elfcorehdr size calculation ABI compliant (bsc#1117953, LTC#171112). - s390/qeth: fix length check in SNMP processing (bsc#1117953, LTC#173657). - s390/qeth: remove outdated portname debug msg (bsc#1117953, LTC#172960). - s390/qeth: sanitize strings in debug messages (bsc#1117953, LTC#172960). - sbitmap: fix race in wait batch accounting (Git-fixes). - sched/core: Fix cpu.max vs. cpuhotplug deadlock (bsc#1106913). - sched/fair: Fix infinite loop in update_blocked_averages() by reverting a9e7f6544b9c (Git fixes (scheduler)). - sched/smt: Expose sched_smt_present static key (bsc#1106913). - sched/smt: Make sched_smt_present track topology (bsc#1106913). - sched, tracing: Fix trace_sched_pi_setprio() for deboosting (bsc#1120228). - scripts/git-pre-commit: make executable. - scripts/git_sort/git_sort.py: change SCSI git repos to make series sorting more failsafe. - scsi: lpfc: Cap NPIV vports to 256 (bsc#1118215). - scsi: lpfc: Correct code setting non existent bits in sli4 ABORT WQE (bsc#1118215). - scsi: lpfc: Correct topology type reporting on G7 adapters (bsc#1118215). - scsi: lpfc: Defer LS_ACC to FLOGI on point to point logins (bsc#1118215). - scsi: lpfc: Enable Management features for IF_TYPE=6 (bsc#1119322). - scsi: lpfc: Fix a duplicate 0711 log message number (bsc#1118215). - scsi: lpfc: fix block guard enablement on SLI3 adapters (bsc#1079935). - scsi: lpfc: Fix dif and first burst use in write commands (bsc#1118215). - scsi: lpfc: Fix discovery failures during port failovers with lots of vports (bsc#1118215). - scsi: lpfc: Fix driver release of fw-logging buffers (bsc#1118215). - scsi: lpfc: Fix kernel Oops due to null pring pointers (bsc#1118215). - scsi: lpfc: Fix panic when FW-log buffsize is not initialized (bsc#1118215). - scsi: lpfc: ls_rjt erroneus FLOGIs (bsc#1118215). - scsi: lpfc: refactor mailbox structure context fields (bsc#1118215). - scsi: lpfc: rport port swap discovery issue (bsc#1118215). - scsi: lpfc: update driver version to 12.0.0.9 (bsc#1118215). - scsi: lpfc: update manufacturer attribute to reflect Broadcom (bsc#1118215). - scsi: target: add emulate_pr backstore attr to toggle PR support (bsc#1091405). - scsi: target: drop unused pi_prot_format attribute storage (bsc#1091405). - scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown (bsc#1121483, LTC#174588). - skd: Avoid that module unloading triggers a use-after-free (Git-fixes). - skd: Submit requests to firmware before triggering the doorbell (Git-fixes). - soc: bcm2835: sync firmware properties with downstream () - spi: bcm2835: Avoid finishing transfer prematurely in IRQ mode (bsc#1051510). - spi: bcm2835: Fix book-keeping of DMA termination (bsc#1051510). - spi: bcm2835: Fix race on DMA termination (bsc#1051510). - spi: bcm2835: Unbreak the build of esoteric configs (bsc#1051510). - splice: do not read more than available pipe space (bsc#1119212). - staging: bcm2835-camera: Abort probe if there is no camera (bsc#1051510). - staging: rtl8712: Fix possible buffer overrun (bsc#1051510). - staging: rtl8723bs: Add missing return for cfg80211_rtw_get_station (bsc#1051510). - staging: rts5208: fix gcc-8 logic error warning (bsc#1051510). - staging: wilc1000: fix missing read_write setting when reading data (bsc#1051510). - Stop building F2FS (boo#1109665) As per the information in the bugzilla issue f2fs is no longer supported on opensuse distributions. - supported.conf: add raspberrypi-ts driver - supported.conf: whitelist bluefield eMMC driver - target/iscsi: avoid NULL dereference in CHAP auth error path (bsc#1117165). - target: se_dev_attrib.emulate_pr ABI stability (bsc#1091405). - team: no need to do team_notify_peers or team_mcast_rejoin when disabling port (bsc#1051510). - termios, tty/tty_baudrate.c: fix buffer overrun (bsc#1051510). - test_hexdump: use memcpy instead of strncpy (bsc#1051510). - tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset (bsc#1051510). - tools: hv: fcopy: set 'error' in case an unknown operation was requested (git-fixes). - tools: hv: include string.h in hv_fcopy_daemon (git-fixes). - tools/power/cpupower: fix compilation with STATIC=true (git-fixes). - tools/power turbostat: fix possible sprintf buffer overflow (git-fixes). - tracing/blktrace: Fix to allow setting same value (Git-fixes). - tracing: Fix bad use of igrab in trace_uprobe.c (bsc#1120046). - tracing: Fix crash when freeing instances with event triggers (bsc#1120230). - tracing: Fix crash when it fails to alloc ring buffer (bsc#1120097). - tracing: Fix double free of event_trigger_data (bsc#1120234). - tracing: Fix missing return symbol in function_graph output (bsc#1120232). - tracing: Fix possible double free in event_enable_trigger_func() (bsc#1120235). - tracing: Fix possible double free on failure of allocating trace buffer (bsc#1120214). - tracing: Fix regex_match_front() to not over compare the test string (bsc#1120223). - tracing: Fix trace_pipe behavior for instance traces (bsc#1120088). - tracing: Remove RCU work arounds from stack tracer (bsc#1120092). - tracing/samples: Fix creation and deletion of simple_thread_fn creation (git-fixes). - tty: Do not return -EAGAIN in blocking read (bsc#1116040). - tty: do not set TTY_IO_ERROR flag if console port (bsc#1051510). - tty: serial: 8250_mtk: always resume the device in probe (bsc#1051510). - ubifs: Handle re-linking of inodes correctly while recovery (bsc#1120598). - udf: Allow mounting volumes with incorrect identification strings (bsc#1118774). - unifdef: use memcpy instead of strncpy (bsc#1051510). - usb: appledisplay: Add 27' Apple Cinema Display (bsc#1051510). - usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series (bsc#1051510). - usb: dwc2: host: use hrtimer for NAK retries (git-fixes). - usb: hso: Fix OOB memory access in hso_probe/hso_get_config_data (bsc#1051510). - usbip: vhci_hcd: check rhport before using in vhci_hub_control() (bsc#1090888). - usb: omap_udc: fix crashes on probe error and module removal (bsc#1051510). - usb: omap_udc: fix omap_udc_start() on 15xx machines (bsc#1051510). - usb: omap_udc: fix USB gadget functionality on Palm Tungsten E (bsc#1051510). - usb: omap_udc: use devm_request_irq() (bsc#1051510). - usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device (bsc#1051510). - usb: serial: option: add Fibocom NL668 series (bsc#1051510). - usb: serial: option: add GosunCn ZTE WeLink ME3630 (bsc#1051510). - usb: serial: option: add HP lt4132 (bsc#1051510). - usb: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) (bsc#1051510). - usb: serial: option: add Telit LN940 series (bsc#1051510). - usb: usbip: Fix BUG: KASAN: slab-out-of-bounds in vhci_hub_control() (bsc#1106110). - usb: usb-storage: Add new IDs to ums-realtek (bsc#1051510). - usb: xhci: fix uninitialized completion when USB3 port got wrong status (bsc#1051510). - usb: xhci: Prevent bus suspend if a port connect change or polling state is detected (bsc#1051510). - userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails (bsc#1118761). - userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails (bsc#1118809). - v9fs_dir_readdir: fix double-free on p9stat_read error (bsc#1118771). - watchdog/core: Add missing prototypes for weak functions (git-fixes). - wireless: airo: potential buffer overflow in sprintf() (bsc#1051510). - wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()' (bsc#1051510). - x86/bugs: Add AMD's SPEC_CTRL MSR usage (bsc#1106913). - x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR (bsc#1106913). - x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features (bsc#1106913). - x86/decoder: Fix and update the opcodes map (bsc#1058115). - x86/kabi: Fix cpu_tlbstate issue (bsc#1106913). - x86/l1tf: Show actual SMT state (bsc#1106913). - x86/MCE/AMD: Fix the thresholding machinery initialization order (bsc#1114279). - x86/mm: Fix decoy address handling vs 32-bit builds (bsc#1120606). - x86/PCI: Add additional VMD device root ports to VMD AER quirk (bsc#1120058). - x86/PCI: Add 'pci=big_root_window' option for AMD 64-bit windows (bsc#1120058). - x86/PCI: Apply VMD's AERSID fixup generically (bsc#1120058). - x86/PCI: Avoid AMD SB7xx EHCI USB wakeup defect (bsc#1120058). - x86/PCI: Enable a 64bit BAR on AMD Family 15h (Models 00-1f, 30-3f, 60-7f) (bsc#1120058). - x86/PCI: Enable AMD 64-bit window on resume (bsc#1120058). - x86/PCI: Fix infinite loop in search for 64bit BAR placement (bsc#1120058). - x86/PCI: Move and shrink AMD 64-bit window to avoid conflict (bsc#1120058). - x86/PCI: Move VMD quirk to x86 fixups (bsc#1120058). - x86/PCI: Only enable a 64bit BAR on single-socket AMD Family 15h (bsc#1120058). - x86/PCI: Use is_vmd() rather than relying on the domain number (bsc#1120058). - x86/process: Consolidate and simplify switch_to_xtra() code (bsc#1106913). - x86/pti: Document fix wrong index (git-fixes). - x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support (bsc#1106913). - x86/retpoline: Remove minimal retpoline support (bsc#1106913). - x86/speculataion: Mark command line parser data __initdata (bsc#1106913). - x86/speculation: Add command line control for indirect branch speculation (bsc#1106913). - x86/speculation: Add prctl() control for indirect branch speculation (bsc#1106913). - x86/speculation: Add seccomp Spectre v2 user space protection mode (bsc#1106913). - x86/speculation: Apply IBPB more strictly to avoid cross-process data leak (bsc#1106913). - x86/speculation: Avoid __switch_to_xtra() calls (bsc#1106913). - x86/speculation: Clean up spectre_v2_parse_cmdline() (bsc#1106913). - x86/speculation: Disable STIBP when enhanced IBRS is in use (bsc#1106913). - x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation (bsc#1106913). - x86/speculation: Enable prctl mode for spectre_v2_user (bsc#1106913). - x86/speculation/l1tf: Drop the swap storage limit restriction when l1tf=off (bnc#1114871). - x86/speculation: Mark string arrays const correctly (bsc#1106913). - x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common() (bsc#1106913). - x86/speculation: Prepare arch_smt_update() for PRCTL mode (bsc#1106913). - x86/speculation: Prepare for conditional IBPB in switch_mm() (bsc#1106913). - x86/speculation: Prepare for per task indirect branch speculation control (bsc#1106913). - x86/speculation: Prevent stale SPEC_CTRL msr content (bsc#1106913). - x86/speculation: Propagate information about RSB filling mitigation to sysfs (bsc#1106913). - x86/speculation: Provide IBPB always command line options (bsc#1106913). - x86/speculation: Remove unnecessary ret variable in cpu_show_common() (bsc#1106913). - x86/speculation: Rename SSBD update functions (bsc#1106913). - x86/speculation: Reorder the spec_v2 code (bsc#1106913). - x86/speculation: Reorganize speculation control MSRs update (bsc#1106913). - x86/speculation: Rework SMT state change (bsc#1106913). - x86/speculation: Split out TIF update (bsc#1106913). - x86/speculation: Unify conditional spectre v2 print functions (bsc#1106913). - x86/speculation: Update the TIF_SSBD comment (bsc#1106913). - xen/netfront: tolerate frags with no data (bnc#1119804). - xen/x86: add diagnostic printout to xen_mc_flush() in case of error (bnc#1116183). - xfs: Align compat attrlist_by_handle with native implementation (git-fixes). - xfs: Fix xqmstats offsets in /proc/fs/xfs/xqmstat (git-fixes). - xfs: xfs_buf: drop useless LIST_HEAD (git-fixes). - xhci: Add quirk to workaround the errata seen on Cavium Thunder-X2 Soc (bsc#1117162). - xhci: Do not prevent USB2 bus suspend in state check intended for USB3 only (bsc#1051510). - xhci: Prevent U1/U2 link pm states if exit latency is too long (bsc#1051510). - xfs: fix quotacheck dquot id overflow infinite loop (bsc#1121621)." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1024718" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1046299" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050242" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1050244" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1051510" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1055121" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1055186" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1058115" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1060463" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1065729" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1078248" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1079935" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1082387" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1083647" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1086282" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1086283" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1086423" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1087978" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1088386" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1090888" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1091405" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1094244" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1097593" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1102875" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1102877" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1102879" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1102882" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1102896" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1103257" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1104353" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1104427" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1104967" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1105168" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1106105" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1106110" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1106615" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1106913" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1108270" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1109272" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1109665" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1110558" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1111188" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1111469" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1111696" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1111795" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1113722" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1114279" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1114871" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1116040" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1116183" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1116336" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1116803" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1116841" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1117115" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1117162" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1117165" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1117186" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1117561" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1117656" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1117953" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118152" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118215" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118316" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118319" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118428" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118484" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118752" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118760" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118761" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118762" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118766" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118767" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118768" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118769" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118771" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118772" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118773" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118774" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118775" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118798" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118809" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1118962" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119017" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119086" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119212" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119322" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119410" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119714" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119749" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119804" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119946" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119962" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1119968" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120036" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120046" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120053" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120054" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120055" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120058" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120088" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120092" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120094" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120096" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120097" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120173" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120214" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120223" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120228" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120230" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120232" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120234" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120235" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120238" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120594" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120598" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120600" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120601" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120602" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120603" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120604" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120606" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120612" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120613" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120614" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120615" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120616" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120617" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120618" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120620" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120621" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120632" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120633" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1120743" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1121017" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1121058" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1121263" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1121273" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1121477" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1121483" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1121621" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1121714" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1121715" ); script_set_attribute( attribute:"solution", value:"Update the affected the Linux Kernel packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9568"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-base-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-debug-devel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-base-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-default-devel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-docs-html"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-kvmsmall"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-kvmsmall-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-kvmsmall-base-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-kvmsmall-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-kvmsmall-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-kvmsmall-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-kvmsmall-devel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-macros"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-obs-build"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-obs-build-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-obs-qa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-source-vanilla"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-syms"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-base"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-base-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:kernel-vanilla-devel-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/03/15"); script_set_attribute(attribute:"patch_publication_date", value:"2019/03/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE15.0", reference:"kernel-debug-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-debug-base-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-debug-base-debuginfo-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-debug-debuginfo-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-debug-debugsource-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-debug-devel-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-debug-devel-debuginfo-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-default-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-default-base-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-default-base-debuginfo-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-default-debuginfo-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-default-debugsource-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-default-devel-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-default-devel-debuginfo-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-devel-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-docs-html-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-kvmsmall-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-kvmsmall-base-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-kvmsmall-base-debuginfo-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-kvmsmall-debuginfo-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-kvmsmall-debugsource-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-kvmsmall-devel-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-kvmsmall-devel-debuginfo-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-macros-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-obs-build-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-obs-build-debugsource-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-obs-qa-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-source-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-source-vanilla-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-syms-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-vanilla-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-vanilla-base-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-vanilla-base-debuginfo-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-vanilla-debuginfo-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-vanilla-debugsource-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-vanilla-devel-4.12.14-lp150.12.45.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"kernel-vanilla-devel-debuginfo-4.12.14-lp150.12.45.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel-debug / kernel-debug-base / kernel-debug-base-debuginfo / etc"); }
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2019-4646.NASL description Description of changes: [2.6.39-400.311.1.el6uek] - USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (Hui Peng) {CVE-2018-19985} {CVE-2018-19985} - binfmt_elf: switch to new creds when switching to new mm (Linus Torvalds) [Orabug: 29677235] {CVE-2019-11190} last seen 2020-06-01 modified 2020-06-02 plugin id 125238 published 2019-05-17 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125238 title Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2019-4646) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0439-1.NASL description The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743). CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946). CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714). CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319). CVE-2018-16862: A security flaw was found in a way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one (bnc#1117186). CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152). CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused. (bnc#1113769). CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751). CVE-2018-18690: A local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by triggering an unchecked error condition during an xfs attribute change, because xfs_attr_shortform_addname in fs/xfs/libxfs/xfs_attr.c mishandled ATTR_REPLACE operations with conversion of an attr from short to long form (bnc#1105025). CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825). CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (bnc#1108498). CVE-2019-3459, CVE-2019-3460: The Blutooth stack suffered from two remote information leak vulnerabilities in the code that handles incoming L2cap configuration packets (bsc#1120758). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 122343 published 2019-02-20 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122343 title SUSE SLES12 Security Update : kernel (SUSE-SU-2019:0439-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1234.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in can_can_gw_rcv() in the net/can/gw.c in the Linux kernel. The CAN driver may write arbitrary content beyond the data registers in the CAN controller last seen 2020-03-19 modified 2019-04-04 plugin id 123702 published 2019-04-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123702 title EulerOS Virtualization 2.5.4 : kernel (EulerOS-SA-2019-1234) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4118-1.NASL description It was discovered that the alarmtimer implementation in the Linux kernel contained an integer overflow vulnerability. A local attacker could use this to cause a denial of service. (CVE-2018-13053) Wen Xu discovered that the XFS filesystem implementation in the Linux kernel did not properly track inode validations. An attacker could use this to construct a malicious XFS image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13093) Wen Xu discovered that the f2fs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious f2fs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-13096, CVE-2018-13097, CVE-2018-13098, CVE-2018-13099, CVE-2018-13100, CVE-2018-14614, CVE-2018-14615, CVE-2018-14616) Wen Xu and Po-Ning Tseng discovered that btrfs file system implementation in the Linux kernel did not properly validate metadata. An attacker could use this to construct a malicious btrfs image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14609, CVE-2018-14610, CVE-2018-14611, CVE-2018-14612, CVE-2018-14613) Wen Xu discovered that the HFS+ filesystem implementation in the Linux kernel did not properly handle malformed catalog data in some situations. An attacker could use this to construct a malicious HFS+ image that, when mounted, could cause a denial of service (system crash). (CVE-2018-14617) Vasily Averin and Pavel Tikhomirov discovered that the cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. (CVE-2018-16862) Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985) Hui Peng and Mathias Payer discovered that the USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169) Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) It was discovered that a use-after-free error existed in the block layer subsystem of the Linux kernel when certain failure conditions occurred. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-20856) Eli Biham and Lior Neumann discovered that the Bluetooth implementation in the Linux kernel did not properly validate elliptic curve parameters during Diffie-Hellman key exchange in some situations. An attacker could use this to expose sensitive information. (CVE-2018-5383) It was discovered that the Intel wifi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (wifi disconnect). (CVE-2019-0136) It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126) It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207) Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638) Amit Klein and Benny Pinkas discovered that the location of kernel addresses could exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel. (CVE-2019-10639) Adam Zabrocki discovered that the Intel i915 kernel mode graphics driver in the Linux kernel did not properly restrict mmap() ranges in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11085) It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487) Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2019-11599) It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-11810) It was discovered that a race condition leading to a use-after-free existed in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11815) It was discovered that the ext4 file system implementation in the Linux kernel did not properly zero out memory in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11833) It was discovered that the Bluetooth Human Interface Device Protocol (HIDP) implementation in the Linux kernel did not properly verify strings were NULL terminated in certain situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2019-11884) It was discovered that a NULL pointer dereference vulnerabilty existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818) It was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819) It was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984) Jann Horn discovered a use-after-free vulnerability in the Linux kernel when accessing LDT entries in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13233) Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272) It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13631) It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14283) It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284) Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-14763) It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090) It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2019-15211) It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212) It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) pro possibly execute arbitrary code. (CVE-2019-15214) It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15220) It was discovered that a use-after-free vulnerability existed in the Appletalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-15292) It was discovered that the Empia EM28xx DVB USB device driver implementation in the Linux kernel contained a use-after-free vulnerability when disconnecting the device. An attacker could use this to cause a denial of service (system crash). (CVE-2019-2024) It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101) It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846) Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system. (CVE-2019-3900) Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physicall proximate attacker could use this to expose sensitive information. (CVE-2019-9506) It was discovered that the Appletalk IP encapsulation driver in the Linux kernel did not properly prevent kernel addresses from being copied to user space. A local attacker with the CAP_NET_ADMIN capability could use this to expose sensitive information. (CVE-2018-20511) It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15216) It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218) It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 128478 published 2019-09-03 reporter Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128478 title Ubuntu 16.04 LTS / 18.04 LTS : linux-aws vulnerabilities (USN-4118-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0224-1.NASL description The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes. This update brings following features : Support for Enhanced-IBRS on new Intel CPUs (fate#326564) The following security bugs were fixed: CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319). CVE-2018-12232: In net/socket.c there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat did not increment the file descriptor reference count, which allowed close to set the socket to NULL during fchownat last seen 2020-03-18 modified 2019-02-04 plugin id 121571 published 2019-02-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121571 title SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:0224-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2019-4644.NASL description Description of changes: kernel-uek [3.8.13-118.34.1.el7uek] - Input: wacom - move the USB (now hid) Wacom driver in drivers/hid (Benjamin Tissoires) [Orabug: 25512494] {CVE-2016-3139} - net: qmi_wwan: fix divide by 0 on bad descriptors (Bjø rn Mork) [Orabug: 27215229] {CVE-2017-16650} - USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (Hui Peng) [Orabug: 29605987] {CVE-2018-19985} {CVE-2018-19985} - KEYS: encrypted: fix buffer overread in valid_master_desc() (Eric Biggers) [Orabug: 29605993] {CVE-2017-13305} - ecryptfs: don last seen 2020-06-01 modified 2020-06-02 plugin id 125237 published 2019-05-17 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125237 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4644) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-13979-1.NASL description The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2016-10741: fs/xfs/xfs_aops.c allowed local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure (bnc#1114920 bnc#1124010). CVE-2017-18360: In change_port_settings in drivers/usb/serial/io_ti.c local users could cause a denial of service by division-by-zero in the serial device layer by trying to set very high baud rates (bnc#1123706). CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319). CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841). CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152). CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743). CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714). CVE-2019-7222: A information leak in exception handling in KVM could be used to expose host memory to guests. (bnc#1124735). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 122891 published 2019-03-18 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122891 title SUSE SLES11 Security Update : kernel (SUSE-SU-2019:13979-1) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2019-0022.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - scsi: libfc: sanitize E_D_TOV and R_A_TOV setting (Hannes Reinecke) [Orabug: 25933179] - scsi: libfc: use configured rport E_D_TOV (Hannes Reinecke) [Orabug: 25933179] - scsi: libfc: additional debugging messages (Hannes Reinecke) [Orabug: 25933179] - scsi: libfc: don last seen 2020-06-01 modified 2020-06-02 plugin id 125615 published 2019-05-31 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125615 title OracleVM 3.4 : Unbreakable / etc (OVMSA-2019-0022) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-140.NASL description The openSUSE Leap 42.3 Linux kernel was updated to 4.4.172 to receive various security and bugfixes. The following security bugs were fixed : - CVE-2019-3459,CVE-2019-3460: Two remote information leak vulnerabilities in the Bluetooth stack were fixed that could potentially leak kernel information (bsc#1120758) - CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841). - CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso _get_config_data that could be used by local attackers (bnc#1120743). - CVE-2018-1120: By mmap()ing a FUSE-backed file onto a process last seen 2020-03-18 modified 2019-02-07 plugin id 121633 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121633 title openSUSE Security Update : the Linux Kernel (openSUSE-2019-140) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2019-030-01.NASL description New kernel packages are available for Slackware 14.2 to fix security issues. last seen 2020-03-17 modified 2019-01-31 plugin id 121505 published 2019-01-31 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121505 title Slackware 14.2 : Slackware 14.2 kernel (SSA:2019-030-01) NASL family Scientific Linux Local Security Checks NASL id SL_20200407_KERNEL_ON_SL7_X.NASL description * kernel: out of bound read in DVB connexant driver. * kernel: Missing permissions check for request_key() destination allows local attackers to add keys to keyring without Write permission * kernel: denial of service via ioctl call in network tun handling * kernel: usb: missing size check in the __usb_get_extra_descriptor() * kernel: perf_event_open() and execve() race in setuid programs allows a data leak * kernel: brcmfmac frame validation bypass * kernel: NULL pointer dereference in hci_uart_set_flow_control * kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command * kernel: unchecked kstrdup of fwstr in drm_load_edid_firmware leads to denial of service * kernel: use-after-free in arch/x86/lib/insn-eval.c * kernel: denial of service in arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c via sigreturn() system call * kernel: integer overflow and OOB read in drivers/block/floppy.c * kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service * kernel: buffer-overflow hardening in WiFi beacon validation code. * kernel: (powerpc) incomplete Spectre-RSB mitigation leads to information exposure * kernel: oob memory read in hso_probe in drivers/net/usb/hso.c * Kernel: net: weak IP ID generation leads to remote device tracking * Kernel: net: using kernel space address bits to derive IP ID may potentially break KASLR * kernel: ASLR bypass for setuid binaries due to late install_exec_creds() last seen 2020-04-30 modified 2020-04-21 plugin id 135813 published 2020-04-21 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135813 title Scientific Linux Security Update : kernel on SL7.x x86_64 (20200407) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3517.NASL description An update for kernel is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es) : * kernel: nfs: use-after-free in svc_process_common() (CVE-2018-16884) * Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900) * Kernel: page cache side channel attacks (CVE-2019-5489) * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net /wireless/marvell/mwifiex/ie.c (CVE-2019-10126) * Kernel: KVM: OOB memory access via mmio ring buffer (CVE-2019-14821) * kernel: Information Disclosure in crypto_report_one in crypto/crypto_user.c (CVE-2018-19854) * kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS (CVE-2018-20169) * kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459) * kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460) * kernel: SCTP socket buffer memory leak leading to denial of service (CVE-2019-3874) * kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882) * kernel: NULL pointer dereference in hci_uart_set_flow_control (CVE-2019-10207) * kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599) * kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833) * kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command (CVE-2019-11884) * kernel: use-after-free in arch/x86/lib/insn-eval.c (CVE-2019-13233) * kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service (CVE-2019-15916) * kernel: Linux stack ASLR implementation Integer overflow (CVE-2015-1593) * kernel: oob memory read in hso_probe in drivers/net/usb/hso.c (CVE-2018-19985) * Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222) * Kernel: net: weak IP ID generation leads to remote device tracking (CVE-2019-10638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section. last seen 2020-05-15 modified 2019-11-06 plugin id 130547 published 2019-11-06 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130547 title RHEL 8 : kernel (RHSA-2019:3517) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1771.NASL description Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2018-14625 A use-after-free bug was found in the vhost driver for the Virtual Socket protocol. If this driver is used to communicate with a malicious virtual machine guest, the guest could read sensitive information from the host kernel. CVE-2018-16884 A flaw was found in the NFS 4.1 client implementation. Mounting NFS shares in multiple network namespaces at the same time could lead to a user-after-free. Local users might be able to use this for denial of service (memory corruption or crash) or possibly for privilege escalation. This can be mitigated by disabling unprivileged users from creating user namespaces, which is the default in Debian. CVE-2018-19824 Hui Peng and Mathias Payer discovered a use-after-free bug in the USB audio driver. A physically present attacker able to attach a specially designed USB device could use this for privilege escalation. CVE-2018-19985 Hui Peng and Mathias Payer discovered a missing bounds check in the hso USB serial driver. A physically present user able to attach a specially designed USB device could use this to read sensitive information from the kernel or to cause a denial of service (crash). CVE-2018-20169 Hui Peng and Mathias Payer discovered missing bounds checks in the USB core. A physically present attacker able to attach a specially designed USB device could use this to cause a denial of service (crash) or possibly for privilege escalation. CVE-2018-1000026 It was discovered that Linux could forward aggregated network packets with a segmentation size too large for the output device. In the specific case of Broadcom NetXtremeII 10Gb adapters, this would result in a denial of service (firmware crash). This update adds a mitigation to the bnx2x driver for this hardware. CVE-2019-3459, CVE-2019-3460 Shlomi Oberman, Yuli Shapiro and Karamba Security Ltd. research team discovered missing range checks in the Bluetooth L2CAP implementation. If Bluetooth is enabled, a nearby attacker could use these to read sensitive information from the kernel. CVE-2019-3701 Muyu Yu and Marcus Meissner reported that the CAN gateway implementation allowed the frame length to be modified, typically resulting in out-of-bounds memory-mapped I/O writes. On a system with CAN devices present, a local user with CAP_NET_ADMIN capability in the initial net namespace could use this to cause a crash (oops) or other hardware-dependent impact. CVE-2019-3819 A potential infinite loop was discovered in the HID debugfs interface exposed under /sys/kernel/debug/hid. A user with access to these files could use this for denial of service. This interface is only accessible to root by default, which fully mitigates the issue. CVE-2019-6974 Jann Horn reported a use-after-free bug in KVM. A local user with access to /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. CVE-2019-7221 Jim Mattson and Felix Wilhelm reported a user-after-free bug in KVM last seen 2020-06-01 modified 2020-06-02 plugin id 124595 published 2019-05-06 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124595 title Debian DLA-1771-1 : linux-4.9 security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1587.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A malformed SG_IO ioctl issued for a SCSI device in the Linux kernel leads to a local kernel data leak manifesting in up to approximately 1000 memory pages copied to the userspace. The problem has limited scope as non-privileged users usually have no permissions to access SCSI device files.(CVE-2018-1000204) - A flaw in the load_elf_binary() function in the Linux kernel allows a local attacker to leak the base address of .text and stack sections for setuid binaries and bypass ASLR because install_exec_creds() is called too late in this function.(CVE-2019-11190) - A flaw was found in the Linux kernel in the hid_debug_events_read() function in the drivers/hid/hid-debug.c file. A lack of the certain checks may allow a privileged user ( last seen 2020-05-06 modified 2019-05-29 plugin id 125514 published 2019-05-29 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125514 title EulerOS 2.0 SP3 : kernel (EulerOS-SA-2019-1587) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3910-1.NASL description It was discovered that the f2fs filesystem implementation in the Linux kernel did not handle the noflush_merge mount option correctly. An attacker could use this to cause a denial of service (system crash). (CVE-2017-18241) It was discovered that the procfs filesystem did not properly handle processes mapping some memory elements onto files. A local attacker could use this to block utilities that examine the procfs filesystem to report operating system state, such as ps(1). (CVE-2018-1120) Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985) It was discovered that multiple integer overflows existed in the hugetlbfs implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7740) Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. (CVE-2019-6133). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 122892 published 2019-03-18 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122892 title Ubuntu 16.04 LTS : linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities (USN-3910-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1514.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - The function hso_get_config_data in drivers/net/usb/hso.c in the Linux kernel through 4.19.8 reads if_num from the USB device (as a u8) and uses it to index a small array, resulting in an object out-of-bounds (OOB) read that potentially allows arbitrary read in the kernel address space.(CVE-2018-19985) - An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block. In a combination with the fact that memory accesses may populate the cache even when the block is being dropped and never committed (executed), an unprivileged local attacker could use this flaw to read privileged (kernel space) memory by conducting targeted cache side-channel attacks. Note: CVE-2017-5754 affects Intel x86-64 microprocessors. AMD x86-64 microprocessors are not affected by this issue.(CVE-2017-5754) - A non-privileged user is able to mount a fuse filesystem on RHEL 6 or 7 and crash a system if an application punches a hole in a file that does not end aligned to a page boundary.(CVE-2017-15121) - A flaw was found in the Linux kernel when attempting to last seen 2020-06-01 modified 2020-06-02 plugin id 124835 published 2019-05-13 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124835 title EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1514) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0541-1.NASL description The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.175 to receive various security and bugfixes. The following security bugs were fixed : CVE-2019-6974: kvm_ioctl_create_device in virt/kvm/kvm_main.c mishandled reference counting because of a race condition, leading to a use-after-free. (bnc#1124728) CVE-2019-7221: Fixed a user-after-free vulnerability in the KVM hypervisor related to the emulation of a preemption timer, allowing an guest user/process to crash the host kernel. (bsc#1124732). CVE-2019-7222: Fixed an information leakage in the KVM hypervisor related to handling page fault exceptions, which allowed a guest user/process to use this flaw to leak the host last seen 2020-06-01 modified 2020-06-02 plugin id 122609 published 2019-03-05 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122609 title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2019:0541-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1304.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An elevation of privilege vulnerability in the kernel scsi driver. Product: Android. Versions: Android kernel. Android ID A-65023233.(CVE-2017-13168) - Non-optimized code for key handling of shared futexes was found in the Linux kernel in the form of unbounded contention time due to the page lock for real-time users. Before the fix, the page lock was an unnecessarily heavy lock for the futex path that protected too much. After the fix, the page lock is only required in a specific corner case.(CVE-2018-9422) - A flaw in the load_elf_binary() function in the Linux kernel allows a local attacker to leak the base address of .text and stack sections for setuid binaries and bypass ASLR because install_exec_creds() is called too late in this function.(CVE-2019-11190) - A flaw was found in the Linux kernel ext4 filesystem. An out-of-bound access is possible in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image.(CVE-2018-10877) - A vulnerability was found in polkit. When authentication is performed by a non-root user to perform an administrative task, the authentication is temporarily cached in such a way that a local attacker could impersonate the authorized process, thus gaining access to elevated privileges.(CVE-2019-6133) - A flaw was found in the Linux kernel in the function hso_probe() which reads if_num value from the USB device (as an u8) and uses it without a length check to index an array, resulting in an OOB memory read in hso_probe() or hso_get_config_data(). An attacker with a forged USB device and physical access to a system (needed to connect such a device) can cause a system crash and a denial of service.(CVE-2018-19985) - A flaw was found in the Linux kernel last seen 2020-05-06 modified 2019-05-01 plugin id 124431 published 2019-05-01 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124431 title EulerOS 2.0 SP5 : kernel (EulerOS-SA-2019-1304) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0196-1.NASL description The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (bnc#1118319). CVE-2018-12232: In net/socket.c in the there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat did not increment the file descriptor reference count, which allowed close to set the socket to NULL during fchownat last seen 2020-03-18 modified 2019-01-30 plugin id 121466 published 2019-01-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121466 title SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2019:0196-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0148-1.NASL description The SUSE Linux Enterprise 12 SP3 kernel for Azure was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic was uninitialized (bnc#1116841). CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743). CVE-2018-3639: Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4 (bnc#1087082). CVE-2018-1120: By mmap()ing a FUSE-backed file onto a process last seen 2020-03-18 modified 2019-01-24 plugin id 121344 published 2019-01-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121344 title SUSE SLES12 Security Update : kernel (SUSE-SU-2019:0148-1) (Spectre) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2019-4642.NASL description Description of changes: [4.1.12-124.27.1.el6uek] - scsi: libfc: sanitize E_D_TOV and R_A_TOV setting (Hannes Reinecke) [Orabug: 25933179] - scsi: libfc: use configured rport E_D_TOV (Hannes Reinecke) [Orabug: 25933179] - scsi: libfc: additional debugging messages (Hannes Reinecke) [Orabug: 25933179] - scsi: libfc: don last seen 2020-06-01 modified 2020-06-02 plugin id 125235 published 2019-05-17 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125235 title Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2019-4642) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-1289-1.NASL description The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. Four new speculative execution information leak issues have been identified in Intel CPUs. (bsc#1111331) CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS) CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS) CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS) CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM) This kernel update contains software mitigations for these issues, which also utilize CPU microcode updates shipped in parallel. For more information on this set of information leaks, check out https://www.suse.com/support/kb/doc/?id=7023736 The following security bugs were fixed: CVE-2016-10741: fs/xfs/xfs_aops.c allowed local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated with a hole) that is handled with BUG_ON instead of an I/O failure (bnc#1114920 bnc#1124010). CVE-2017-1000407: By flooding the diagnostic port 0x80 an exception can be triggered leading to a kernel panic (bnc#1071021). CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674). CVE-2017-7273: The cp_report_fixup function in drivers/hid/hid-cypress.c allowed physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report (bnc#1031240). CVE-2017-7472: The KEYS subsystem allowed local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls (bnc#1034862). CVE-2018-14633: A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The attack requires the iSCSI target to be enabled on the victim host. Depending on how the target last seen 2020-06-01 modified 2020-06-02 plugin id 125283 published 2019-05-20 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125283 title SUSE SLES12 Security Update : kernel (SUSE-SU-2019:1289-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1731.NASL description The linux update issued as DLA-1731-1 caused a regression in the vmxnet3 (VMware virtual network adapter) driver. This update corrects that regression, and an earlier regression in the CIFS network filesystem implementation introduced in DLA-1422-1. For reference the original advisory text follows. Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2016-10741 A race condition was discovered in XFS that would result in a crash (BUG). A local user permitted to write to an XFS volume could use this for denial of service. CVE-2017-5753 Further instances of code that was vulnerable to Spectre variant 1 (bounds-check bypass) have been mitigated. CVE-2017-13305 A memory over-read was discovered in the keys subsystem last seen 2020-06-01 modified 2020-06-02 plugin id 123420 published 2019-03-28 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123420 title Debian DLA-1731-2 : linux regression update (Spectre) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-13937-1.NASL description The SUSE Linux Enterprise 12 SP3 kernel was updated to 3.0.101 to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1108498). CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized (bnc#1116841). CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743). CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714). CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1118319). CVE-2018-19824: A local user could exploit a use-after-free in the ALSA driver by supplying a malicious USB Sound device (with zero interfaces) that is mishandled in usb_audio_probe in sound/usb/card.c (bnc#1118152). CVE-2018-18281: The mremap() syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate() removes entries from the pagetables of a task that is in the middle of mremap(), a stale TLB entry can remain for a short time that permits access to a physical page after it has been released back to the page allocator and reused (bnc#1113769). CVE-2018-18710: An information leak in cdrom_ioctl_select_disc in drivers/cdrom/cdrom.c could be used by local attackers to read kernel memory because a cast from unsigned long to int interferes with bounds checking. This is similar to CVE-2018-10940 and CVE-2018-16658 (bnc#1113751). CVE-2018-18386: drivers/tty/n_tty.c allowed local attackers (who are able to access pseudo terminals) to hang/block further usage of any pseudo terminal devices due to an EXTPROC versus ICANON confusion in TIOCINQ (bnc#1094825). CVE-2017-7273: The cp_report_fixup function in drivers/hid/hid-cypress.c allowed physically proximate attackers to cause a denial of service (integer underflow) or possibly have unspecified other impact via a crafted HID report (bnc#1031240). CVE-2017-16533: The usbhid_parse function in drivers/hid/usbhid/hid-core.c allowed local users to cause a denial of service (out-of-bounds read and system crash) or possibly have unspecified other impact via a crafted USB device (bnc#1066674). CVE-2017-1000407: Fixed a denial of service, which was caused by flooding the diagnostic port 0x80 an exception leading to a kernel panic (bnc#1071021). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 121468 published 2019-01-30 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121468 title SUSE SLES11 Security Update : kernel (SUSE-SU-2019:13937-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1302.NASL description According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the Linux kernel last seen 2020-05-06 modified 2019-04-30 plugin id 124398 published 2019-04-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124398 title EulerOS 2.0 SP2 : kernel (EulerOS-SA-2019-1302) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-0222-1.NASL description The SUSE Linux Enterprise 12 SP4 kernel for Azure was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c allowed local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic was uninitialized (bnc#1116841). CVE-2018-16884: NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious container user can cause a host kernel memory corruption and a system panic. Due to the nature of the flaw, privilege escalation cannot be fully ruled out (bnc#1119946). CVE-2018-20169: The USB subsystem mishandled size checks during the reading of an extra descriptor, related to __usb_get_extra_descriptor in drivers/usb/core/usb.c (bnc#1119714). CVE-2018-9568: In sk_clone_lock of sock.c, there is a possible memory corruption due to type confusion. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1118319). CVE-2018-16862: A security flaw was found in the way that the cleancache subsystem clears an inode after the final file truncation (removal). The new file created with the same inode may contain leftover pages from cleancache and the old file data instead of the new one (bnc#1117186). CVE-2018-14625: A flaw was found where an attacker may be able to have an uncontrolled read to kernel-memory from within a vm guest. A race condition between connect() and close() function may allow an attacker using the AF_VSOCK protocol to gather a 4 byte information leak or possibly intercept or corrupt AF_VSOCK messages destined to other clients (bnc#1106615). CVE-2018-19985: The function hso_probe read if_num from the USB device (as an u8) and used it without a length check to index an array, resulting in an OOB memory read in hso_probe or hso_get_config_data that could be used by local attackers (bnc#1120743). CVE-2018-12232: In net/socket.c there is a race condition between fchownat and close in cases where they target the same socket file descriptor, related to the sock_close and sockfs_setattr functions. fchownat did not increment the file descriptor reference count, which allowed close to set the socket to NULL during fchownat last seen 2020-03-18 modified 2019-02-04 plugin id 121569 published 2019-02-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121569 title SUSE SLES12 Security Update : kernel (SUSE-SU-2019:0222-1) (Spectre) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2020-1016.NASL description The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1016 advisory. - kernel: out of bound read in DVB connexant driver. (CVE-2015-9289) - kernel: Missing permissions check for request_key() destination allows local attackers to add keys to keyring without Write permission (CVE-2017-17807) - kernel: oob memory read in hso_probe in drivers/net/usb/hso.c (CVE-2018-19985) - kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS (CVE-2018-20169) - kernel: denial of service via ioctl call in network tun handling (CVE-2018-7191) - kernel: null-pointer dereference in hci_uart_set_flow_control (CVE-2019-10207) - Kernel: net: weak IP ID generation leads to remote device tracking (CVE-2019-10638) - Kernel: net: using kernel space address bits to derive IP ID may potentially break KASLR (CVE-2019-10639) - kernel: ASLR bypass for setuid binaries due to late install_exec_creds() (CVE-2019-11190) - kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command (CVE-2019-11884) - kernel: unchecked kstrdup of fwstr in drm_load_edid_firmware leads to denial of service (CVE-2019-12382) - kernel: use-after-free in arch/x86/lib/insn-eval.c (CVE-2019-13233) - kernel: denial of service in arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c via sigreturn() system call (CVE-2019-13648) - kernel: integer overflow and OOB read in drivers/block/floppy.c (CVE-2019-14283) - kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service (CVE-2019-15916) - kernel: buffer-overflow hardening in WiFi beacon validation code. (CVE-2019-16746) - kernel: (powerpc) incomplete Spectre-RSB mitigation leads to information exposure (CVE-2019-18660) - kernel: perf_event_open() and execve() race in setuid programs allows a data leak (CVE-2019-3901) - kernel: brcmfmac frame validation bypass (CVE-2019-9503) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-06 modified 2020-04-10 plugin id 135316 published 2020-04-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135316 title CentOS 7 : kernel (CESA-2020:1016) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4115-2.NASL description USN 4115-1 fixed vulnerabilities in the Linux 4.15 kernel for Ubuntu 18.04 LTS and Ubuntu 16.04 LTS. Unfortunately, as part of the update, a regression was introduced that caused a kernel crash when handling fragmented packets in some situations. This update addresses the issue. We apologize for the inconvenience. Original advisory details : Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985) Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) It was discovered that the Intel Wi-Fi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (Wi-Fi disconnect). (CVE-2019-0136) It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207) Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638) Amit Klein and Benny Pinkas discovered that the location of kernel addresses could be exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel. (CVE-2019-10639) It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487) Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2019-11599) It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-11810) It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13631) Praveen Pandey discovered that the Linux kernel did not properly validate sent signals in some situations on PowerPC systems with transactional memory disabled. A local attacker could use this to cause a denial of service. (CVE-2019-13648) It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14283) It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284) Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-14763) It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090) It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2019-15211) It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212) It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15214) It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15220) It was discovered that a use-after-free vulnerability existed in the AppleTalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-15292) Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system. (CVE-2019-3900) Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physically proximate attacker could use this to expose sensitive information. (CVE-2019-9506) It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15216) It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218) It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 128680 published 2019-09-11 reporter Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128680 title Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, (USN-4115-2) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1636.NASL description According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The kernel package contains the Linux kernel (vmlinuz), the core of any Linux operating system. The kernel handles the basic functions of the operating system: memory allocation, process allocation, device input and output, etc.Security Fix(es):An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.(CVE-2019-11815)A flaw was found in the Linux kernel last seen 2020-04-16 modified 2019-05-30 plugin id 125588 published 2019-05-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125588 title EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2019-1636) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3309.NASL description An update for kernel-rt is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fix(es) : * kernel: nfs: use-after-free in svc_process_common() (CVE-2018-16884) * Kernel: vhost_net: infinite loop while receiving packets leads to DoS (CVE-2019-3900) * Kernel: page cache side channel attacks (CVE-2019-5489) * hardware: bluetooth: BR/EDR encryption key negotiation attacks (KNOB) (CVE-2019-9506) * kernel: Heap overflow in mwifiex_uap_parse_tail_ies function in drivers/net /wireless/marvell/mwifiex/ie.c (CVE-2019-10126) * Kernel: KVM: OOB memory access via mmio ring buffer (CVE-2019-14821) * kernel: Information Disclosure in crypto_report_one in crypto/crypto_user.c (CVE-2018-19854) * kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS (CVE-2018-20169) * kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459) * kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460) * kernel: SCTP socket buffer memory leak leading to denial of service (CVE-2019-3874) * kernel: denial of service vector through vfio DMA mappings (CVE-2019-3882) * kernel: NULL pointer dereference in hci_uart_set_flow_control (CVE-2019-10207) * kernel: fix race condition between mmget_not_zero()/get_task_mm() and core dumping (CVE-2019-11599) * kernel: fs/ext4/extents.c leads to information disclosure (CVE-2019-11833) * kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command (CVE-2019-11884) * kernel: use-after-free in arch/x86/lib/insn-eval.c (CVE-2019-13233) * kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service (CVE-2019-15916) * kernel: oob memory read in hso_probe in drivers/net/usb/hso.c (CVE-2018-19985) * Kernel: KVM: leak of uninitialized stack contents to guest (CVE-2019-7222) * Kernel: net: weak IP ID generation leads to remote device tracking (CVE-2019-10638) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section. last seen 2020-05-08 modified 2019-11-06 plugin id 130526 published 2019-11-06 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130526 title RHEL 8 : kernel-rt (RHSA-2019:3309) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3910-2.NASL description USN-3910-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that the f2fs filesystem implementation in the Linux kernel did not handle the noflush_merge mount option correctly. An attacker could use this to cause a denial of service (system crash). (CVE-2017-18241) It was discovered that the procfs filesystem did not properly handle processes mapping some memory elements onto files. A local attacker could use this to block utilities that examine the procfs filesystem to report operating system state, such as ps(1). (CVE-2018-1120) Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985) It was discovered that multiple integer overflows existed in the hugetlbfs implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2018-7740) Jann Horn discovered a race condition in the fork() system call in the Linux kernel. A local attacker could use this to gain access to services that cache authorizations. (CVE-2019-6133). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 122893 published 2019-03-18 reporter Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122893 title Ubuntu 14.04 LTS : linux-lts-xenial, linux-aws vulnerabilities (USN-3910-2) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4115-1.NASL description Hui Peng and Mathias Payer discovered that the Option USB High Speed driver in the Linux kernel did not properly validate metadata received from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-19985) Zhipeng Xie discovered that an infinite loop could triggered in the CFS Linux kernel process scheduler. A local attacker could possibly use this to cause a denial of service. (CVE-2018-20784) It was discovered that the Intel wifi device driver in the Linux kernel did not properly validate certain Tunneled Direct Link Setup (TDLS). A physically proximate attacker could use this to cause a denial of service (wifi disconnect). (CVE-2019-0136) It was discovered that the Bluetooth UART implementation in the Linux kernel did not properly check for missing tty operations. A local attacker could use this to cause a denial of service. (CVE-2019-10207) Amit Klein and Benny Pinkas discovered that the Linux kernel did not sufficiently randomize IP ID values generated for connectionless networking protocols. A remote attacker could use this to track particular Linux devices. (CVE-2019-10638) Amit Klein and Benny Pinkas discovered that the location of kernel addresses could exposed by the implementation of connection-less network protocols in the Linux kernel. A remote attacker could possibly use this to assist in the exploitation of another vulnerability in the Linux kernel. (CVE-2019-10639) It was discovered that an integer overflow existed in the Linux kernel when reference counting pages, leading to potential use-after-free issues. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11487) Jann Horn discovered that a race condition existed in the Linux kernel when performing core dumps. A local attacker could use this to cause a denial of service (system crash) or expose sensitive information. (CVE-2019-11599) It was discovered that a NULL pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-11810) It was discovered that the GTCO tablet input driver in the Linux kernel did not properly bounds check the initial HID report sent by the device. A physically proximate attacker could use to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-13631) Praveen Pandey discovered that the Linux kernel did not properly validate sent signals in some situations on PowerPC systems with transactional memory disabled. A local attacker could use this to cause a denial of service. (CVE-2019-13648) It was discovered that the floppy driver in the Linux kernel did not properly validate meta data, leading to a buffer overread. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14283) It was discovered that the floppy driver in the Linux kernel did not properly validate ioctl() calls, leading to a division-by-zero. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-14284) Tuba Yavuz discovered that a race condition existed in the DesignWare USB3 DRD Controller device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-14763) It was discovered that an out-of-bounds read existed in the QLogic QEDI iSCSI Initiator Driver in the Linux kernel. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-15090) It was discovered that the Raremono AM/FM/SW radio device driver in the Linux kernel did not properly allocate memory, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2019-15211) It was discovered at a double-free error existed in the USB Rio 500 device driver for the Linux kernel. A physically proximate attacker could use this to cause a denial of service. (CVE-2019-15212) It was discovered that a race condition existed in the Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel, leading to a potential use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) pro possibly execute arbitrary code. (CVE-2019-15214) It was discovered that a race condition existed in the CPiA2 video4linux device driver for the Linux kernel, leading to a use-after-free. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-15215) It was discovered that a race condition existed in the Softmac USB Prism54 device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15220) It was discovered that a use-after-free vulnerability existed in the Appletalk implementation in the Linux kernel if an error occurs during initialization. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-15292) Jason Wang discovered that an infinite loop vulnerability existed in the virtio net driver in the Linux kernel. A local attacker in a guest VM could possibly use this to cause a denial of service in the host system. (CVE-2019-3900) Daniele Antonioli, Nils Ole Tippenhauer, and Kasper B. Rasmussen discovered that the Bluetooth protocol BR/EDR specification did not properly require sufficiently strong encryption key lengths. A physicall proximate attacker could use this to expose sensitive information. (CVE-2019-9506) It was discovered that a race condition existed in the USB YUREX device driver in the Linux kernel. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15216) It was discovered that the Siano USB MDTV receiver device driver in the Linux kernel made improper assumptions about the device characteristics. A physically proximate attacker could use this cause a denial of service (system crash). (CVE-2019-15218) It was discovered that the Line 6 POD USB device driver in the Linux kernel did not properly validate data size information from the device. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2019-15221) Muyu Yu discovered that the CAN implementation in the Linux kernel in some situations did not properly restrict the field size when processing outgoing frames. A local attacker with CAP_NET_ADMIN privileges could use this to execute arbitrary code. (CVE-2019-3701) Vladis Dronov discovered that the debug interface for the Linux kernel last seen 2020-06-01 modified 2020-06-02 plugin id 128475 published 2019-09-03 reporter Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128475 title Ubuntu 16.04 LTS / 18.04 LTS : linux, linux-azure, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, (USN-4115-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1016.NASL description The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1016 advisory. - kernel: out of bound read in DVB connexant driver. (CVE-2015-9289) - kernel: Missing permissions check for request_key() destination allows local attackers to add keys to keyring without Write permission (CVE-2017-17807) - kernel: oob memory read in hso_probe in drivers/net/usb/hso.c (CVE-2018-19985) - kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS (CVE-2018-20169) - kernel: denial of service via ioctl call in network tun handling (CVE-2018-7191) - kernel: null-pointer dereference in hci_uart_set_flow_control (CVE-2019-10207) - Kernel: net: weak IP ID generation leads to remote device tracking (CVE-2019-10638) - Kernel: net: using kernel space address bits to derive IP ID may potentially break KASLR (CVE-2019-10639) - kernel: ASLR bypass for setuid binaries due to late install_exec_creds() (CVE-2019-11190) - kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command (CVE-2019-11884) - kernel: unchecked kstrdup of fwstr in drm_load_edid_firmware leads to denial of service (CVE-2019-12382) - kernel: use-after-free in arch/x86/lib/insn-eval.c (CVE-2019-13233) - kernel: denial of service in arch/powerpc/kernel/signal_32.c and arch/powerpc/kernel/signal_64.c via sigreturn() system call (CVE-2019-13648) - kernel: integer overflow and OOB read in drivers/block/floppy.c (CVE-2019-14283) - kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service (CVE-2019-15916) - kernel: buffer-overflow hardening in WiFi beacon validation code. (CVE-2019-16746) - kernel: (powerpc) incomplete Spectre-RSB mitigation leads to information exposure (CVE-2019-18660) - kernel: perf_event_open() and execve() race in setuid programs allows a data leak (CVE-2019-3901) - kernel: brcmfmac frame validation bypass (CVE-2019-9503) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-04-23 modified 2020-04-01 plugin id 135080 published 2020-04-01 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135080 title RHEL 7 : kernel (RHSA-2020:1016) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1070.NASL description The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1070 advisory. - kernel: out of bound read in DVB connexant driver. (CVE-2015-9289) - kernel: Missing permissions check for request_key() destination allows local attackers to add keys to keyring without Write permission (CVE-2017-17807) - kernel: oob memory read in hso_probe in drivers/net/usb/hso.c (CVE-2018-19985) - kernel: usb: missing size check in the __usb_get_extra_descriptor() leading to DoS (CVE-2018-20169) - kernel: denial of service via ioctl call in network tun handling (CVE-2018-7191) - kernel: null-pointer dereference in hci_uart_set_flow_control (CVE-2019-10207) - Kernel: net: weak IP ID generation leads to remote device tracking (CVE-2019-10638) - Kernel: net: using kernel space address bits to derive IP ID may potentially break KASLR (CVE-2019-10639) - kernel: ASLR bypass for setuid binaries due to late install_exec_creds() (CVE-2019-11190) - kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command (CVE-2019-11884) - kernel: unchecked kstrdup of fwstr in drm_load_edid_firmware leads to denial of service (CVE-2019-12382) - kernel: use-after-free in arch/x86/lib/insn-eval.c (CVE-2019-13233) - kernel: integer overflow and OOB read in drivers/block/floppy.c (CVE-2019-14283) - kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service (CVE-2019-15916) - kernel: buffer-overflow hardening in WiFi beacon validation code. (CVE-2019-16746) - kernel: perf_event_open() and execve() race in setuid programs allows a data leak (CVE-2019-3901) - kernel: brcmfmac frame validation bypass (CVE-2019-9503) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-04-23 modified 2020-04-01 plugin id 135078 published 2020-04-01 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135078 title RHEL 7 : kernel-rt (RHSA-2020:1070)
Redhat
advisories |
| ||||||||
rpms |
|
References
- https://seclists.org/bugtraq/2019/Jan/52
- https://hexhive.epfl.ch/projects/perifuzz/
- http://packetstormsecurity.com/files/151420/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html
- http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2019-01/msg00023.html
- https://lists.debian.org/debian-lts-announce/2019/03/msg00034.html
- https://lists.debian.org/debian-lts-announce/2019/04/msg00004.html
- https://security.netapp.com/advisory/ntap-20190404-0002/
- https://lists.debian.org/debian-lts-announce/2019/05/msg00002.html
- https://usn.ubuntu.com/4115-1/
- https://usn.ubuntu.com/4118-1/
- https://access.redhat.com/errata/RHSA-2019:3517
- https://access.redhat.com/errata/RHSA-2019:3309