Security update for the Linux Kernel
Announcement ID: | SUSE-SU-2016:1672-1 |
---|---|
Rating: | important |
References: |
|
Cross-References: |
|
CVSS scores: |
|
Affected Products: |
|
An update that solves 29 vulnerabilities and has 61 security fixes can now be installed.
Description:
The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.
Notable changes in this kernel: - It is now possible to mount a NFS export on the exporting host directly.
The following security bugs were fixed: - CVE-2016-5244: A kernel information leak in rds_inc_info_copy was fixed that could leak kernel stack memory to userspace (bsc#983213). - CVE-2016-1583: Prevent the usage of mmap when the lower file system does not allow it. This could have lead to local privilege escalation when ecryptfs-utils was installed and /sbin/mount.ecryptfs_private was setuid (bsc#983143). - CVE-2016-4913: The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel mishandles NM (aka alternate name) entries containing \0 characters, which allowed local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem (bnc#980725). - CVE-2016-4580: The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel did not properly initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request (bnc#981267). - CVE-2016-4805: Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions (bnc#980371). - CVE-2016-0758: Tags with indefinite length could have corrupted pointers in asn1_find_indefinite_length (bsc#979867). - CVE-2016-2187: The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971944). - CVE-2016-4482: The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call (bnc#978401). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bnc#963762). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relies on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bnc#979548). - CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel did not initialize a certain data structure, which allowed attackers to obtain sensitive information from kernel stack memory by reading a message (bnc#978821). - CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize certain r1 data structures, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions (bnc#979879). - CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface (bnc#979213). - CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c in the Linux kernel did not initialize a certain data structure, which allowed local users to obtain sensitive information from kernel stack memory by reading a Netlink message (bnc#978822). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948). - CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911). - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bnc#970970). - CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). - CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360). - CVE-2016-2184: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125). - CVE-2016-3139: The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970909). - CVE-2016-2143: The fork implementation in the Linux kernel on s390 platforms mishandles the case of four page-table levels, which allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h (bnc#970504). - CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010). - CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacked a bulk-out endpoint (bnc#961512).
The following non-security bugs were fixed: - acpi / PCI: Account for ARI in _PRT lookups (bsc#968566). - af_unix: Guard against other == sk in unix_dgram_sendmsg (bsc#973570). - alsa: hrtimer: Handle start/stop more properly (bsc#973378). - alsa: oxygen: add Xonar DGX support (bsc#982691). - alsa: pcm: Fix potential deadlock in OSS emulation (bsc#968018). - alsa: rawmidi: Fix race at copying and updating the position (bsc#968018). - alsa: rawmidi: Make snd_rawmidi_transmit() race-free (bsc#968018). - alsa: seq: Fix double port list deletion (bsc#968018). - alsa: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup() (bsc#968018). - alsa: seq: Fix leak of pool buffer at concurrent writes (bsc#968018). - alsa: seq: Fix lockdep warnings due to double mutex locks (bsc#968018). - alsa: seq: Fix race at closing in virmidi driver (bsc#968018). - alsa: seq: Fix yet another races among ALSA timer accesses (bsc#968018). - alsa: timer: Call notifier in the same spinlock (bsc#973378). - alsa: timer: Code cleanup (bsc#968018). - alsa: timer: Fix leftover link at closing (bsc#968018). - alsa: timer: Fix link corruption due to double start or stop (bsc#968018). - alsa: timer: Fix race between stop and interrupt (bsc#968018). - alsa: timer: Fix wrong instance passed to slave callbacks (bsc#968018). - alsa: timer: Protect the whole snd_timer_close() with open race (bsc#973378). - alsa: timer: Sync timer deletion at closing the system timer (bsc#973378). - alsa: timer: Use mod_timer() for rearming the system timer (bsc#973378). - cgroups: do not attach task to subsystem if migration failed (bnc#979274). - cgroups: more safe tasklist locking in cgroup_attach_proc (bnc#979274). - cpuset: Fix potential deadlock w/ set_mems_allowed (bsc#960857, bsc#974646). - dasd: fix hanging system after LCU changes (bnc#968500, LTC#136671). - dcache: use IS_ROOT to decide where dentry is hashed (bsc#949752). - Delete patches.drivers/nvme-0165-Split-header-file-into-user-visible-and-kernel-.patch. SLE11-SP4 does not have uapi headers so move everything back to the original header (bnc#981231) - Driver: Vmxnet3: set CHECKSUM_UNNECESSARY for IPv6 packets (bsc#976739). - enic: set netdev->vlan_features (bsc#966245). - fcoe: fix reset of fip selection time (bsc#974787). - Fix cifs_uniqueid_to_ino_t() function for s390x (bsc#944309) - fs, seqfile: always allow oom killer (bnc#968687). - fs/seq_file: fallback to vmalloc allocation (bnc#968687). - fs, seq_file: fallback to vmalloc instead of oom kill processes (bnc#968687). - hid-elo: kill not flush the work (bnc#982532). - hpsa: fix issues with multilun devices (bsc#959381). - hv: Assign correct ->can_queue value in hv_storvsc (bnc#969391) - ibmvscsi: Remove unsupported host config MAD (bsc#973556). - Import kabi files from kernel 3.0.101-71 - iommu/vt-d: Improve fault handler error messages (bsc#975772). - iommu/vt-d: Ratelimit fault handler (bsc#975772). - ipc,sem: fix use after free on IPC_RMID after a task using same semaphore set exits (bsc#967914). - ipv4/fib: do not warn when primary address is missing if in_dev is dead (bsc#971360). - ipv4: fix ineffective source address selection (bsc#980788). - ipv6: make fib6 serial number per namespace (bsc#965319). - ipv6: mld: fix add_grhead skb_over_panic for devs with large MTUs (bsc#956852). - ipv6: per netns fib6 walkers (bsc#965319). - ipv6: per netns FIB garbage collection (bsc#965319). - ipv6: replace global gc_args with local variable (bsc#965319). - ipvs: count pre-established TCP states as active (bsc#970114). - isofs: Revert "get_rock_ridge_filename(): handle malformed NM entries" This reverts commit cb6ce3ec7a964e56da9ba9cd3c9f0e708b5