[security-announce] SUSE-SU-2016:1985-1: important: Security update for the Linux Kernel

news · August 8, 2016

SUSE Security Update: Security update for the Linux Kernel

______________________________________________________________________________

Announcement ID: SUSE-SU-2016:1985-1

Rating: important

References: #676471 #866130 #909589 #936530 #944309 #950998

#953369 #954847 #956491 #957986 #960857 #961518

#963762 #966245 #967914 #968500 #969149 #969391

#970114 #971030 #971126 #971360 #971446 #971944

#971947 #971989 #973378 #974620 #974646 #974787

#975358 #976739 #976868 #978401 #978821 #978822

#979213 #979274 #979347 #979419 #979548 #979595

#979867 #979879 #979915 #980246 #980371 #980725

#980788 #980931 #981231 #981267 #982532 #982544

#982691 #983143 #983213 #983721 #984107 #984755

#986362 #986572 #988498

Cross-References: CVE-2015-7833 CVE-2016-0758 CVE-2016-1583

CVE-2016-2053 CVE-2016-2187 CVE-2016-3134

CVE-2016-3707 CVE-2016-4470 CVE-2016-4482

CVE-2016-4485 CVE-2016-4486 CVE-2016-4565

CVE-2016-4569 CVE-2016-4578 CVE-2016-4580

CVE-2016-4805 CVE-2016-4913 CVE-2016-4997

CVE-2016-5244 CVE-2016-5829

Affected Products:

SUSE Linux Enterprise Real Time Extension 11-SP4

SUSE Linux Enterprise Debuginfo 11-SP4

______________________________________________________________________________

An update that solves 20 vulnerabilities and has 43 fixes

is now available.

Description:

The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various

security and bugfixes.

The following security bugs were fixed:

- CVE-2016-5829: Multiple heap-based buffer overflows in the

hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c in the Linux

kernel allowed local users to cause a denial of service or possibly have

unspecified other impact via a crafted (1) HIDIOCGUSAGES or (2)

HIDIOCSUSAGES ioctl call (bnc#986572).

- CVE-2016-4997: The compat IPT_SO_SET_REPLACE setsockopt implementation

in the netfilter subsystem in the Linux kernel allowed local users to

gain privileges or cause a denial of service (memory corruption) by

leveraging in-container root access to provide a crafted offset value

that triggers an unintended decrement (bnc#986362).

- CVE-2016-4470: The key_reject_and_link function in security/keys/key.c

in the Linux kernel did not ensure that a certain data structure is

initialized, which allowed local users to cause a denial of service

(system crash) via vectors involving a crafted keyctl request2 command

(bnc#984755).

- CVE-2016-5244: The rds_inc_info_copy function in net/rds/recv.c in the

Linux kernel did not initialize a certain structure member, which

allowed remote attackers to obtain sensitive information from kernel

stack memory by reading an RDS message (bnc#983213).

- CVE-2016-1583: The ecryptfs_privileged_open function in

fs/ecryptfs/kthread.c in the Linux kernel allowed local users to gain

privileges or cause a denial of service (stack memory consumption) via

vectors involving crafted mmap calls for /proc pathnames, leading to

recursive pagefault handling (bnc#983143).

- CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c

in the Linux kernel mishandled NM (aka alternate name) entries

containing \0 characters, which allowed local users to obtain sensitive

information from kernel memory or possibly have unspecified other impact

via a crafted isofs filesystem (bnc#980725).

- CVE-2016-4580: The x25_negotiate_facilities function in

net/x25/x25_facilities.c in the Linux kernel did not properly initialize

a certain data structure, which allowed attackers to obtain sensitive

information from kernel stack memory via an X.25 Call Request

(bnc#981267).

- CVE-2016-4805: Use-after-free vulnerability in

drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to

cause a denial of service (memory corruption and system crash, or

spinlock) or possibly have unspecified other impact by removing a

network namespace, related to the ppp_register_net_channel and

ppp_unregister_channel functions (bnc#980371).

- CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux

kernel allowed local users to gain privileges via crafted ASN.1 data

(bnc#979867).

- CVE-2015-7833: The usbvision driver in the Linux kernel allowed

physically proximate attackers to cause a denial of service (panic) via

a nonzero bInterfaceNumber value in a USB device descriptor (bnc#950998).

- CVE-2016-3707: The icmp_check_sysrq function in net/ipv4/icmp.c in the

kernel.org projects/rt patches for the Linux kernel, allowed remote

attackers to execute SysRq commands via crafted ICMP Echo Request

packets, as demonstrated by a brute-force attack to discover a cookie,

or an attack that occurs after reading the local icmp_echo_sysrq file

(bnc#980246).

- CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in

the Linux kernel allowed physically proximate attackers to cause a

denial of service (NULL pointer dereference and system crash) via a

crafted endpoints value in a USB device descriptor (bnc#971944).

- CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c

in the Linux kernel did not initialize a certain data structure, which

allowed local users to obtain sensitive information from kernel stack

memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401).

- CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in

the Linux kernel allowed attackers to cause a denial of service (panic)

via an ASN.1 BER file that lacks a public key, leading to mishandling by

the public_key_verify_signature function in

crypto/asymmetric_keys/public_key.c (bnc#963762).

- CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel

incorrectly relied on the write system call, which allowed local users

to cause a denial of service (kernel memory write operation) or possibly

have unspecified other impact via a uAPI interface (bnc#979548).

- CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the

Linux kernel did not initialize a certain data structure, which allowed

attackers to obtain sensitive information from kernel stack memory by

reading a message (bnc#978821).

- CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize

certain r1 data structures, which allowed local users to obtain

sensitive information from kernel stack memory via crafted use of the

ALSA timer interface, related to the (1) snd_timer_user_ccallback and

(2) snd_timer_user_tinterrupt functions (bnc#979879).

- CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c

in the Linux kernel did not initialize a certain data structure, which

allowed local users to obtain sensitive information from kernel stack

memory via crafted use of the ALSA timer interface (bnc#979213).

- CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c

in the Linux kernel did not initialize a certain data structure, which

allowed local users to obtain sensitive information from kernel stack

memory by reading a Netlink message (bnc#978822).

- CVE-2016-3134: The netfilter subsystem in the Linux kernel did not

validate certain offset fields, which allowed local users to gain

privileges or cause a denial of service (heap memory corruption) via an

IPT_SO_SET_REPLACE setsockopt call (bnc#971126).

The following non-security bugs were fixed:

- ALSA: hrtimer: Handle start/stop more properly (bsc#973378).

- ALSA: oxygen: add Xonar DGX support (bsc#982691).

- Assign correct ->can_queue value in hv_storvsc (bnc#969391)

- Delete

patches.drivers/nvme-0165-Split-header-file-into-user-visible-and-kernel-.p

atch. SLE11-SP4 does not have uapi headers so move everything back to

the original header (bnc#981231)

- Driver: Vmxnet3: set CHECKSUM_UNNECESSARY for IPv6 packets (bsc#976739).

- Fix cifs_uniqueid_to_ino_t() function for s390x (bsc#944309)

- KVM: x86: fix maintenance of guest/host xcr0 state (bsc#961518).

- MM: increase safety margin provided by PF_LESS_THROTTLE (bsc#956491).

- NFS: Do not attempt to decode missing directory entries (bsc#980931).

- NFS: avoid deadlocks with loop-back mounted NFS filesystems (bsc#956491).

- NFS: avoid waiting at all in nfs_release_page when congested

(bsc#956491).

- NFS: fix memory corruption rooted in get_ih_name pointer math

(bsc#984107).

- NFS: reduce access cache shrinker locking (bnc#866130).

- NFSv4: Ensure that we do not drop a state owner more than once

(bsc#979595).

- NFSv4: OPEN must handle the NFS4ERR_IO return code correctly

(bsc#979595).

- NVMe: Unify controller probe and resume (bsc#979347).

- RDMA/cxgb4: Configure 0B MRs to match HW implementation (bsc#909589).

- RDMA/cxgb4: Do not hang threads forever waiting on WR replies

(bsc#909589).

- RDMA/cxgb4: Fix locking issue in process_mpa_request (bsc#909589).

- RDMA/cxgb4: Handle NET_XMIT return codes (bsc#909589).

- RDMA/cxgb4: Increase epd buff size for debug interface (bsc#909589).

- RDMA/cxgb4: Limit MRs to less than 8GB for T4/T5 devices (bsc#909589).

- RDMA/cxgb4: Serialize CQ event upcalls with CQ destruction (bsc#909589).

- RDMA/cxgb4: Wake up waiters after flushing the qp (bsc#909589).

- SCSI: Increase REPORT_LUNS timeout (bsc#971989).

- Update

patches.drivers/nvme-0265-fix-max_segments-integer-truncation.patch

(bsc#979419). Fix reference.

- Update

patches.fixes/bnx2x-Alloc-4k-fragment-for-each-rx-ring-buffer-elem.patch

(bsc#953369 bsc#975358).

- bridge: superfluous skb->nfct check in br_nf_dev_queue_xmit (bsc#982544).

- cgroups: do not attach task to subsystem if migration failed

(bnc#979274).

- cgroups: more safe tasklist locking in cgroup_attach_proc (bnc#979274).

- cpuset: Fix potential deadlock w/ set_mems_allowed (bsc#960857,

bsc#974646).

- dasd: fix hanging system after LCU changes (bnc#968500, LTC#136671).

- enic: set netdev->vlan_features (bsc#966245).

- fcoe: fix reset of fip selection time (bsc#974787).

- hid-elo: kill not flush the work (bnc#982532).

- ipc,sem: fix use after free on IPC_RMID after a task using same

semaphore set exits (bsc#967914).

- ipv4/fib: do not warn when primary address is missing if in_dev is dead

(bsc#971360).

- ipv4: fix ineffective source address selection (bsc#980788).

- ipvs: count pre-established TCP states as active (bsc#970114).

- iucv: call skb_linearize() when needed (bnc#979915, LTC#141240).

- kabi: prevent spurious modversion changes after bsc#982544 fix

(bsc#982544).

- mm/hugetlb.c: correct missing private flag clearing (VM Functionality,

bnc#971446).

- mm/hugetlb: fix backport of upstream commit 07443a85ad (VM

Functionality, bnc#971446).

- mm/swap.c: flush lru pvecs on compound page arrival (bnc#983721).

- mm/vmscan.c: avoid throttling reclaim for loop-back nfsd threads

(bsc#956491).

- mm: Fix DIF failures on ext3 filesystems (bsc#971030).

- net/qlge: Avoids recursive EEH error (bsc#954847).

- netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in

br_validate_ipv6 (bsc#982544).

- netfilter: bridge: do not leak skb in error paths (bsc#982544).

- netfilter: bridge: forward IPv6 fragmented packets (bsc#982544).

- nvme: fix max_segments integer truncation (bsc#676471).

- ocfs2: do not set fs read-only if rec[0] is empty while committing

truncate (bnc#971947).

- ocfs2: extend enough credits for freeing one truncate record while

replaying truncate records (bnc#971947).

- ocfs2: extend transaction for ocfs2_remove_rightmost_path() and

ocfs2_update_edge_lengths() before to avoid inconsistency between inode

and et (bnc#971947).

- qeth: delete napi struct when removing a qeth device (bnc#979915,

LTC#143590).

- rpm/modprobe-xen.conf: Revert comment change to allow parallel install

(bsc#957986). This reverts commit

855c7ce885fd412ce2a25ccc12a46e565c83f235.

- s390/dasd: prevent incorrect length error under z/VM after PAV changes

(bnc#968500, LTC#136670).

- s390/mm: fix asce_bits handling with dynamic pagetable levels

(bnc#979915, LTC#141456).

- s390/pci: add extra padding to function measurement block (bnc#968500,

LTC#139445).

- s390/pci: enforce fmb page boundary rule (bnc#968500, LTC#139445).

- s390/pci: extract software counters from fmb (bnc#968500, LTC#139445).

- s390/pci: fix use after free in dma_init (bnc#979915, LTC#141626).

- s390/pci: remove pdev pointer from arch data (bnc#968500, LTC#139444).

- s390/pci_dma: fix DMA table corruption with > 4 TB main memory

(bnc#968500, LTC#139401).

- s390/pci_dma: handle dma table failures (bnc#968500, LTC#139442).

- s390/pci_dma: improve debugging of errors during dma map (bnc#968500,

LTC#139442).

- s390/pci_dma: unify label of invalid translation table entries

(bnc#968500, LTC#139442).

- s390/spinlock: avoid yield to non existent cpu (bnc#968500, LTC#141106).

- s390: fix test_fp_ctl inline assembly contraints (bnc#979915,

LTC#143138).

- sched/cputime: Fix clock_nanosleep()/clock_gettime() inconsistency

(bnc#988498).

- sched/cputime: Fix cpu_timer_sample_group() double accounting

(bnc#988498).

- sched: Provide update_curr callbacks for stop/idle scheduling classes

(bnc#988498).

- veth: do not modify ip_summed (bsc#969149).

- vgaarb: Add more context to error messages (bsc#976868).

- virtio_scsi: Implement eh_timed_out callback (bsc#936530).

- x86, kvm: fix kvm's usage of kernel_fpu_begin/end() (bsc#961518).

- x86, kvm: use kernel_fpu_begin/end() in kvm_load/put_guest_fpu()

(bsc#961518).

- x86/mm/pat, /dev/mem: Remove superfluous error message (bsc#974620).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 11-SP4:

zypper in -t patch slertesp4-linux-kernel-12681=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

zypper in -t patch dbgsp4-linux-kernel-12681=1

To bring your system up-to-date, use "zypper patch".

Package List:

- SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64):

kernel-rt-3.0.101.rt130-57.1

kernel-rt-base-3.0.101.rt130-57.1

kernel-rt-devel-3.0.101.rt130-57.1

kernel-rt_trace-3.0.101.rt130-57.1

kernel-rt_trace-base-3.0.101.rt130-57.1

kernel-rt_trace-devel-3.0.101.rt130-57.1

kernel-source-rt-3.0.101.rt130-57.1

kernel-syms-rt-3.0.101.rt130-57.1

- SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

kernel-rt-debuginfo-3.0.101.rt130-57.1

kernel-rt-debugsource-3.0.101.rt130-57.1

kernel-rt_debug-debuginfo-3.0.101.rt130-57.1

kernel-rt_debug-debugsource-3.0.101.rt130-57.1

kernel-rt_trace-debuginfo-3.0.101.rt130-57.1

kernel-rt_trace-debugsource-3.0.101.rt130-57.1

References:

https://www.suse.com/security/cve/CVE-2015-7833.html

https://www.suse.com/security/cve/CVE-2016-0758.html

https://www.suse.com/security/cve/CVE-2016-1583.html

https://www.suse.com/security/cve/CVE-2016-2053.html

https://www.suse.com/security/cve/CVE-2016-2187.html

https://www.suse.com/security/cve/CVE-2016-3134.html

https://www.suse.com/security/cve/CVE-2016-3707.html

https://www.suse.com/security/cve/CVE-2016-4470.html

https://www.suse.com/security/cve/CVE-2016-4482.html

https://www.suse.com/security/cve/CVE-2016-4485.html

https://www.suse.com/security/cve/CVE-2016-4486.html

https://www.suse.com/security/cve/CVE-2016-4565.html

https://www.suse.com/security/cve/CVE-2016-4569.html

https://www.suse.com/security/cve/CVE-2016-4578.html

https://www.suse.com/security/cve/CVE-2016-4580.html

https://www.suse.com/security/cve/CVE-2016-4805.html

https://www.suse.com/security/cve/CVE-2016-4913.html

https://www.suse.com/security/cve/CVE-2016-4997.html

https://www.suse.com/security/cve/CVE-2016-5244.html

https://www.suse.com/security/cve/CVE-2016-5829.html

https://bugzilla.suse.com/676471

https://bugzilla.suse.com/866130

https://bugzilla.suse.com/909589

https://bugzilla.suse.com/936530

https://bugzilla.suse.com/944309

https://bugzilla.suse.com/950998

https://bugzilla.suse.com/953369

https://bugzilla.suse.com/954847

https://bugzilla.suse.com/956491

https://bugzilla.suse.com/957986

https://bugzilla.suse.com/960857

https://bugzilla.suse.com/961518

https://bugzilla.suse.com/963762

https://bugzilla.suse.com/966245

https://bugzilla.suse.com/967914

https://bugzilla.suse.com/968500

https://bugzilla.suse.com/969149

https://bugzilla.suse.com/969391

https://bugzilla.suse.com/970114

https://bugzilla.suse.com/971030

https://bugzilla.suse.com/971126

https://bugzilla.suse.com/971360

https://bugzilla.suse.com/971446

https://bugzilla.suse.com/971944

https://bugzilla.suse.com/971947

https://bugzilla.suse.com/971989

https://bugzilla.suse.com/973378

https://bugzilla.suse.com/974620

https://bugzilla.suse.com/974646

https://bugzilla.suse.com/974787

https://bugzilla.suse.com/975358

https://bugzilla.suse.com/976739

https://bugzilla.suse.com/976868

https://bugzilla.suse.com/978401

https://bugzilla.suse.com/978821

https://bugzilla.suse.com/978822

https://bugzilla.suse.com/979213

https://bugzilla.suse.com/979274

https://bugzilla.suse.com/979347

https://bugzilla.suse.com/979419

https://bugzilla.suse.com/979548

https://bugzilla.suse.com/979595

https://bugzilla.suse.com/979867

https://bugzilla.suse.com/979879

https://bugzilla.suse.com/979915

https://bugzilla.suse.com/980246

https://bugzilla.suse.com/980371

https://bugzilla.suse.com/980725

https://bugzilla.suse.com/980788

https://bugzilla.suse.com/980931

https://bugzilla.suse.com/981231

https://bugzilla.suse.com/981267

https://bugzilla.suse.com/982532

https://bugzilla.suse.com/982544

https://bugzilla.suse.com/982691

https://bugzilla.suse.com/983143

https://bugzilla.suse.com/983213

https://bugzilla.suse.com/983721

https://bugzilla.suse.com/984107

https://bugzilla.suse.com/984755

https://bugzilla.suse.com/986362

https://bugzilla.suse.com/986572

https://bugzilla.suse.com/988498

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

Sign In

[security-announce] SUSE-SU-2016:1985-1: important: Security update for the Linux Kernel

Recommended Posts

news 28

Share this post

Link to post

Please sign in to comment

Browse

Activity