Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2017:0494-1
Rating:	important
References:	bsc#1001419 bsc#1002165 bsc#1003077 bsc#1003253 bsc#1003925 bsc#1004517 bsc#1007944 bsc#1008374 bsc#1008645 bsc#1008831 bsc#1008833 bsc#1008850 bsc#1009875 bsc#1010150 bsc#1010467 bsc#1010501 bsc#1010507 bsc#1010711 bsc#1010713 bsc#1010716 bsc#1011685 bsc#1011820 bsc#1012183 bsc#1012422 bsc#1012832 bsc#1012851 bsc#1012852 bsc#1012895 bsc#1013038 bsc#1013042 bsc#1013531 bsc#1013542 bsc#1014454 bsc#1014746 bsc#1015878 bsc#1017710 bsc#1018446 bsc#1019079 bsc#1019783 bsc#1021258 bsc#821612 bsc#824171 bsc#914939 bsc#929141 bsc#935436 bsc#956514 bsc#961923 bsc#966826 bsc#967716 bsc#969340 bsc#973691 bsc#979595 bsc#987576 bsc#989152 bsc#989261 bsc#991665 bsc#992566 bsc#992569 bsc#992906 bsc#992991 bsc#993890 bsc#993891 bsc#994296 bsc#994618 bsc#994759 bsc#995968 bsc#996329 bsc#996541 bsc#996557 bsc#997059 bsc#997401 bsc#997708 bsc#998689 bsc#999932 bsc#999943
Cross-References:	CVE-2004-0230 CVE-2012-6704 CVE-2015-1350 CVE-2015-8956 CVE-2015-8962 CVE-2015-8964 CVE-2015-8970 CVE-2016-0823 CVE-2016-10088 CVE-2016-3841 CVE-2016-6828 CVE-2016-7042 CVE-2016-7097 CVE-2016-7117 CVE-2016-7425 CVE-2016-7910 CVE-2016-7911 CVE-2016-7916 CVE-2016-8399 CVE-2016-8632 CVE-2016-8633 CVE-2016-8646 CVE-2016-9555 CVE-2016-9685 CVE-2016-9756 CVE-2016-9793 CVE-2017-5551
CVSS scores:	CVE-2004-0230 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2012-6704 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2012-6704 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2015-1350 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2015-1350 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2015-8962 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2015-8962 ( NVD ): 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2015-8964 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVE-2015-8970 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2015-8970 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-0823 ( NVD ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2016-10088 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-10088 ( NVD ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-3841 ( NVD ): 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2016-6828 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-7042 ( NVD ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-7097 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2016-7117 ( SUSE ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-7117 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-7117 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-7425 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-7425 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-7910 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-7910 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-7910 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-7911 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-7911 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-7916 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2016-8399 ( NVD ): 7.0 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-8632 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-8632 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-8633 ( SUSE ): 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-8633 ( NVD ): 6.8 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-8646 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-9555 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-9555 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-9555 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-9685 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-9756 ( SUSE ): 4.1 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVE-2016-9756 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2016-9793 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-9793 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-5551 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2017-5551 ( NVD ): 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected Products:	SUSE Cloud 5 SUSE Linux Enterprise Point of Service 11 SP3 SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 SUSE Manager Proxy 2.1 SUSE Manager Server 2.1

An update that solves 27 vulnerabilities and has 48 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 11 SP3 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

CVE-2015-8970: crypto/algif_skcipher.c in the Linux kernel did not verify that a setkey operation has been performed on an AF_ALG socket before an accept system call is processed, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted application that did not supply a key, related to the lrw_crypt function in crypto/lrw.c (bnc#1008374).
CVE-2017-5551: Clear S_ISGID on tmpfs when setting posix ACLs (bsc#1021258).
CVE-2016-7097: The filesystem implementation in the Linux kernel preserves the setgid bit during a setxattr call, which allowed local users to gain group privileges by leveraging the existence of a setgid program with restrictions on execute permissions (bnc#995968).
CVE-2016-10088: The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576 (bnc#1017710).
CVE-2004-0230: TCP, when using a large Window Size, made it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP (bnc#969340).
CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in the Linux kernel did not validate the relationship between the minimum fragment length and the maximum packet size, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (bnc#1008831).
CVE-2016-8399: An elevation of privilege vulnerability in the kernel networking subsystem could have enabled a local malicious application to execute arbitrary code within the context of the kernel bnc#1014746).
CVE-2016-9793: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531).
CVE-2012-6704: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option (bnc#1013542).
CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux kernel did not properly initialize Code Segment (CS) in certain error cases, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application (bnc#1013038).
CVE-2016-3841: The IPv6 stack in the Linux kernel mishandled options data, which allowed local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call (bnc#992566).
CVE-2016-9685: Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel allowed local users to cause a denial of service (memory consumption) via crafted XFS filesystem operations (bnc#1012832).
CVE-2015-1350: The VFS subsystem in the Linux kernel provided an incomplete set of requirements for setattr operations that underspecifies removing extended privilege attributes, which allowed local users to cause a denial of service (capability stripping) via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program (bnc#914939).
CVE-2015-8962: Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (memory corruption and system crash) by detaching a device during an SG_IO ioctl call (bnc#1010501).
CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacked chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data (bnc#1011685).
CVE-2016-7910: Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed (bnc#1010716).
CVE-2016-7911: Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel allowed local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call (bnc#1010711).
CVE-2015-8964: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a tty data structure (bnc#1010507).
CVE-2016-7916: Race condition in the environ_read function in fs/proc/base.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete (bnc#1010467).
CVE-2016-8646: The hash_accept function in crypto/algif_hash.c in the Linux kernel allowed local users to cause a denial of service (OOPS) by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data (bnc#1010150).
CVE-2016-8633: drivers/firewire/net.c in the Linux kernel in certain unusual hardware configurations allowed remote attackers to execute arbitrary code via crafted fragmented packets (bnc#1008833).
CVE-2016-7042: The proc_keys_show function in security/keys/proc.c in the Linux, when the GNU Compiler Collection (gcc) stack protector is enabled, used an incorrect buffer size for certain timeout data, which allowed local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file (bnc#1004517).
CVE-2015-8956: The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket (bnc#1003925).
CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077).
CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel allowed local users to obtain sensitive physical-address information by reading a pagemap file (bnc#994759).
CVE-2016-7425: The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict a certain length field, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).
CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h in the Linux kernel did not properly maintain certain SACK state after a failed data copy, which allowed local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option (bnc#994296).

The following non-security bugs were fixed:

Always include the git commit in KOTD builds. This allows us not to set it explicitly in builds submitted to the official distribution (bnc#821612, bnc#824171).
KVM: x86: SYSENTER emulation is broken (bsc#994618).
NFS: Do not disconnect open-owner on NFS4ERR_BAD_SEQID (bsc#989261).
NFS: Refresh open-owner id when server says SEQID is bad (bsc#989261).
NFSv4: Ensure that we do not drop a state owner more than once (bsc#979595).
NFSv4: add flock_owner to open context (bnc#998689).
NFSv4: change nfs4_do_setattr to take an open_context instead of a nfs4_state (bnc#998689).
NFSv4: change nfs4_select_rw_stateid to take a lock_context inplace of lock_owner (bnc#998689).
NFSv4: enhance nfs4_copy_lock_stateid to use a flock stateid if there is one (bnc#998689).
NFSv4: fix broken patch relating to v4 read delegations (bsc#956514, bsc#989261, bsc#979595).
SELinux: Fix possible NULL pointer dereference in selinux_inode_permission() (bsc#1012895).
USB: fix typo in wMaxPacketSize validation (bsc#991665).
USB: validate wMaxPacketValue entries in endpoint descriptors (bnc#991665).
Update patches.xen/xen3-auto-arch-x86.diff (bsc#929141, among others).
__ptrace_may_access() should not deny sub-threads (bsc#1012851).
apparmor: fix IRQ stack overflow during free_profile (bsc#1009875).
arch/powerpc: Remove duplicate/redundant Altivec entries (bsc#967716).
cdc-acm: added sanity checking for probe() (bsc#993891).
include/linux/math64.h: add div64_ul() (bsc#996329).
kabi-fix for flock_owner addition (bsc#998689).
kabi: get back scsi_device.current_cmnd (bsc#935436).
kaweth: fix firmware download (bsc#993890).
kaweth: fix oops upon failed memory allocation (bsc#993890).
kexec: add a kexec_crash_loaded() function (bsc#973691).
md linear: fix a race between linear_add() and linear_congested() (bsc#1018446).
mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (bsc#1011820).
mpt3sas: Fix panic when aer correct error occurred (bsc#997708, bsc#999943).
mremap: enforce rmap src/dst vma ordering in case of vma_merge() succeeding in copy_vma() (VM Functionality, bsc#1008645).
nfs4: reset states to use open_stateid when returning delegation voluntarily (bsc#1007944).
ocfs2: fix BUG_ON() in ocfs2_ci_checkpointed() (bnc#1019783).
posix-timers: Remove remaining uses of tasklist_lock (bnc#997401).
posix-timers: Use sighand lock instead of tasklist_lock for task clock sample (bnc#997401).
posix-timers: Use sighand lock instead of tasklist_lock on timer deletion (bnc#997401).
powerpc: Add ability to build little endian kernels (bsc#967716).
powerpc: Avoid load of static chain register when calling nested functions through a pointer on 64bit (bsc#967716).
powerpc: Do not build assembly files with ABIv2 (bsc#967716).
powerpc: Do not use ELFv2 ABI to build the kernel (bsc#967716).
powerpc: Fix 64 bit builds with binutils 2.24 (bsc#967716).
powerpc: Fix error when cross building TAGS and cscope (bsc#967716).
powerpc: Make the vdso32 also build big-endian (bsc#967716).
powerpc: Remove altivec fix for gcc versions before 4.0 (bsc#967716).
powerpc: Remove buggy 9-year-old test for binutils lower than 2.12.1 (bsc#967716).
powerpc: Require gcc 4.0 on 64-bit (bsc#967716).
powerpc: dtc is required to build dtb files (bsc#967716).
printk/sched: Introduce special printk_sched() for those awkward (bsc#1013042, bsc#996541, bsc#1015878).
qlcnic: Schedule napi directly in netpoll (bsc#966826).
reiserfs: fix race in prealloc discard (bsc#987576).
rpm/config.sh: Set a fitting release string (bsc#997059)
rpm/kernel-binary.spec.in: Export a make-stderr.log file (bsc#1012422)
rpm/mkspec: Read a default release string from rpm/config.sh (bsc997059)
s390/dasd: fix failfast for disconnected devices (bnc#961923, LTC#135138).
sched/core: Fix a race between try_to_wake_up() and a woken up task (bnc#1002165).
sched/core: Fix an SMP ordering race in try_to_wake_up() vs. schedule() (bnc#1001419).
sched: Fix possible divide by zero in avg_atom() calculation (bsc#996329).
scsi