SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:2074-1
Rating: important
References: #816446 #861093 #928130 #935757 #939826 #942367
#945825 #946117 #946309 #948562 #949744 #949936
#951440 #952384 #953527 #954404 #955354 #955654
#956708 #956709 #958463 #958886 #958951 #959190
#959399 #961500 #961509 #961512 #963765 #963767
#964201 #966437 #966460 #966662 #966693 #967972
#967973 #967974 #967975 #968010 #968011 #968012
#968013 #968670 #970504 #970892 #970909 #970911
#970948 #970956 #970958 #970970 #971124 #971125
#971126 #971360 #972510 #973570 #975945 #977847
#978822
Cross-References: CVE-2013-2015 CVE-2013-7446 CVE-2015-0272
CVE-2015-3339 CVE-2015-5307 CVE-2015-6252
CVE-2015-6937 CVE-2015-7509 CVE-2015-7515
CVE-2015-7550 CVE-2015-7566 CVE-2015-7799
CVE-2015-7872 CVE-2015-7990 CVE-2015-8104
CVE-2015-8215 CVE-2015-8539 CVE-2015-8543
CVE-2015-8569 CVE-2015-8575 CVE-2015-8767
CVE-2015-8785 CVE-2015-8812 CVE-2015-8816
CVE-2016-0723 CVE-2016-2069 CVE-2016-2143
CVE-2016-2184 CVE-2016-2185 CVE-2016-2186
CVE-2016-2188 CVE-2016-2384 CVE-2016-2543
CVE-2016-2544 CVE-2016-2545 CVE-2016-2546
CVE-2016-2547 CVE-2016-2548 CVE-2016-2549
CVE-2016-2782 CVE-2016-2847 CVE-2016-3134
CVE-2016-3137 CVE-2016-3138 CVE-2016-3139
CVE-2016-3140 CVE-2016-3156 CVE-2016-4486

Affected Products:
SUSE Linux Enterprise Server 11-SP2-LTSS
SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

An update that solves 48 vulnerabilities and has 13 fixes
is now available.

Description:

The SUSE Linux Enterprise 11 SP2 kernel was updated to receive various
security and bug fixes.

The following security bugs were fixed:
– CVE-2016-4486: Fixed 4 byte information leak in net/core/rtnetlink.c
(bsc#978822).
– CVE-2016-3134: The netfilter subsystem in the Linux kernel did not
validate certain offset fields, which allowed local users to gain
privileges or cause a denial of service (heap memory corruption) via an
IPT_SO_SET_REPLACE setsockopt call (bnc#971126).
– CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of
unread data in pipes, which allowed local users to cause a denial of
service (memory consumption) by creating many pipes with non-default
sizes (bnc#970948).
– CVE-2016-2188: The iowarrior_probe function in
drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted endpoints value in a USB
device descriptor (bnc#970956).
– CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in
the Linux kernel allowed physically proximate attackers to cause a
denial of service (NULL pointer dereference and system crash) via a USB
device without both a control and a data endpoint descriptor
(bnc#970911).
– CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel
allowed physically proximate attackers to cause a denial of service
(NULL pointer dereference and system crash) via a USB device without
both an interrupt-in and an interrupt-out endpoint descriptor, related
to the cypress_generic_port_probe and cypress_open functions
(bnc#970970).
– CVE-2016-3140: The digi_port_init function in
drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed
physically proximate attackers to cause a denial of service (NULL
pointer dereference and system crash) via a crafted endpoints value in a
USB device descriptor (bnc#970892).
– CVE-2016-2186: The powermate_probe function in
drivers/input/misc/powermate.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted endpoints value in a USB
device descriptor (bnc#970958).
– CVE-2016-2185: The ati_remote2_probe function in
drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted endpoints value in a USB
device descriptor (bnc#971124).
– CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles
destruction of device objects, which allowed guest OS users to cause a
denial of service (host OS networking outage) by arranging for a large
number of IP addresses (bnc#971360).
– CVE-2016-2184: The create_fixed_stream_quirk function in
sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel
allowed physically proximate attackers to cause a denial of service
(NULL pointer dereference or double free, and system crash) via a
crafted endpoints value in a USB device descriptor (bnc#971125).
– CVE-2016-3139: The wacom_probe function in
drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted endpoints value in a USB
device descriptor (bnc#970909).
– CVE-2016-2143: The fork implementation in the Linux kernel on s390
platforms mishandled the case of four page-table levels, which allowed
local users to cause a denial of service (system crash) or possibly have
unspecified other impact via a crafted application, related to
arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h
(bnc#970504).
– CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in
the Linux kernel allowed physically proximate attackers to cause a
denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact by inserting a USB device that
lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670).
– CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in
the Linux kernel did not properly maintain a hub-interface data
structure, which allowed physically proximate attackers to cause a
denial of service (invalid memory access and system crash) or possibly
have unspecified other impact by unplugging a USB hub device
(bnc#968010).
– CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c
in the Linux kernel allowed physically proximate attackers to cause a
denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact by inserting a USB device that
lacks a bulk-out endpoint (bnc#961512).
– CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel did not prevent
recursive callback access, which allowed local users to cause a denial
of service (deadlock) via a crafted ioctl call (bnc#968013).
– CVE-2016-2547: sound/core/timer.c in the Linux kernel employed a locking
approach that did not consider slave timer instances, which allowed
local users to cause a denial of service (race condition,
use-after-free, and system crash) via a crafted ioctl call (bnc#968011).
– CVE-2016-2548: sound/core/timer.c in the Linux kernel retained certain
linked lists after a close or stop action, which allowed local users to
cause a denial of service (system crash) via a crafted ioctl call,
related to the (1) snd_timer_close and (2) _snd_timer_stop functions
(bnc#968012).
– CVE-2016-2546: sound/core/timer.c in the Linux kernel used an incorrect
type of mutex, which allowed local users to cause a denial of service
(race condition, use-after-free, and system crash) via a crafted ioctl
call (bnc#967975).
– CVE-2016-2545: The snd_timer_interrupt function in sound/core/timer.c in
the Linux kernel did not properly maintain a certain linked list, which
allowed local users to cause a denial of service (race condition and
system crash) via a crafted ioctl call (bnc#967974).
– CVE-2016-2544: Race condition in the queue_delete function in
sound/core/seq/seq_queue.c in the Linux kernel allowed local users to
cause a denial of service (use-after-free and system crash) by making an
ioctl call at a certain time (bnc#967973).
– CVE-2016-2543: The snd_seq_ioctl_remove_events function in
sound/core/seq/seq_clientmgr.c in the Linux kernel did not verify FIFO
assignment before proceeding with FIFO clearing, which allowed local
users to cause a denial of service (NULL pointer dereference and OOPS)
via a crafted ioctl call (bnc#967972).
– CVE-2016-2384: Double free vulnerability in the snd_usbmidi_create
function in sound/usb/midi.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (panic) or possibly
have unspecified other impact via vectors involving an invalid USB
descriptor (bnc#966693).
– CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel
did not properly identify error conditions, which allowed remote
attackers to execute arbitrary code or cause a denial of service
(use-after-free) via crafted packets (bnc#966437).
– CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c in
the Linux kernel allowed local users to cause a denial of service
(infinite loop) via a writev system call that triggers a zero length for
the first segment of an iov (bnc#963765).
– CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in the Linux kernel
.4.1 allowed local users to gain privileges by triggering access to a
paging structure by a different CPU (bnc#963767).
– CVE-2016-0723: Race condition in the tty_ioctl function in
drivers/tty/tty_io.c in the Linux kernel allowed local users to obtain
sensitive information from kernel memory or cause a denial of service
(use-after-free and system crash) by making a TIOCGETD ioctl call during
processing of a TIOCSETD ioctl call (bnc#961500).
– CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the
Linux kernel allowed local users to bypass intended AF_UNIX socket
permissions or cause a denial of service (panic) via crafted epoll_ctl
calls (bnc#955654).
– CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux kernel did not
properly manage the relationship between a lock and a socket, which
allowed local users to cause a denial of service (deadlock) via a
crafted sctp_accept call (bnc#961509).
– CVE-2015-7515: The aiptek_probe function in
drivers/input/tablet/aiptek.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (NULL pointer
dereference and system crash) via a crafted USB device that lacks
endpoints (bnc#956708).
– CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel
did not validate attempted changes to the MTU value, which allowed
context-dependent attackers to cause a denial of service (packet loss)
via a value that is (1) smaller than the minimum compliant value or (2)
larger than the MTU of an interface, as demonstrated by a Router
Advertisement (RA) message that is not validated by a daemon, a
different vulnerability than CVE-2015-0272 (bnc#955354).
– CVE-2015-7550: The keyctl_read_key function in security/keys/keyctl.c in
the Linux kernel did not properly use a semaphore, which allowed local
users to cause a denial of service (NULL pointer dereference and system
crash) or possibly have unspecified other impact via a crafted
application that leverages a race condition between keyctl_revoke and
keyctl_read calls (bnc#958951).
– CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in
drivers/net/ppp/pptp.c in the Linux kernel did not verify an address
length, which allowed local users to obtain sensitive information from
kernel memory and bypass the KASLR protection mechanism via a crafted
application (bnc#959190).
– CVE-2015-8575: The sco_sock_bind function in net/bluetooth/sco.c in the
Linux kernel did not verify an address length, which allowed local users
to obtain sensitive information from kernel memory and bypass the KASLR
protection mechanism via a crafted application (bnc#959399).
– CVE-2015-8543: The networking implementation in the Linux kernel did not
validate protocol identifiers for certain protocol families, which
allowed local users to cause a denial of service (NULL function pointer
dereference and system crash) or possibly gain privileges by leveraging
CLONE_NEWUSER support to execute a crafted SOCK_RAW application
(bnc#958886).
– CVE-2015-8539: The KEYS subsystem in the Linux kernel allowed local
users to gain privileges or cause a denial of service (BUG) via crafted
keyctl commands that negatively instantiate a key, related to
security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and
security/keys/user_defined.c (bnc#958463).
– CVE-2015-7509: fs/ext4/namei.c in the Linux kernel allowed physically
proximate attackers to cause a denial of service (system crash) via a
crafted no-journal filesystem, a related issue to CVE-2013-2015
(bnc#956709).
– CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the
Linux kernel did not ensure that certain slot numbers are valid, which
allowed local users to cause a denial of service (NULL pointer
dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call
(bnc#949936).
– CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS
users to cause a denial of service (host OS panic or hang) by triggering
many #DB (aka Debug) exceptions, related to svm.c (bnc#954404).
– CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS
users to cause a denial of service (host OS panic or hang) by triggering
many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c
(bnc#953527).
– CVE-2015-7990: Race condition in the rds_sendmsg function in
net/rds/sendmsg.c in the Linux kernel allowed local users to cause a
denial of service (NULL pointer dereference and system crash) or
possibly have unspecified other impact by using a socket that was not
properly bound (bnc#952384).
– CVE-2015-7872: The key_gc_unused_keys function in security/keys/gc.c in
the Linux kernel allowed local users to cause a denial of service (OOPS)
via crafted keyctl commands (bnc#951440).
– CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in
the Linux kernel allowed local users to cause a denial of service (NULL
pointer dereference and system crash) or possibly have unspecified other
impact by using a socket that was not properly bound (bnc#945825).
– CVE-2015-6252: The vhost_dev_ioctl function in drivers/vhost/vhost.c in
the Linux kernel allowed local users to cause a denial of service
(memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers
permanent file-descriptor allocation (bnc#942367).
– CVE-2015-3339: Race condition in the prepare_binprm function in
fs/exec.c in the Linux kernel allowed local users to gain privileges by
executing a setuid program at a time instant when a chown to root is in
progress, and the ownership is changed but the setuid bit is not yet
stripped (bnc#928130).

The following non-security bugs were fixed:
– Fix handling of re-write-before-commit for mmapped NFS pages
(bsc#964201).
– Fix lpfc_send_rscn_event allocation size claims bnc#935757
– Fix ntpd clock synchronization in Xen PV domains (bnc#816446).
– Fix vmalloc_fault oops during lazy MMU updates (bsc#948562).
– Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).
– SCSI: bfa: Fix to handle firmware tskim abort request response
(bsc#972510).
– USB: usbip: fix potential out-of-bounds write (bnc#975945).
– af_unix: Guard against other == sk in unix_dgram_sendmsg (bsc#973570).
– dm-snap: avoid deadock on s->lock when a read is split (bsc#939826).
– mm/hugetlb: check for pte NULL pointer in __page_check_address()
(bsc#977847).
– nf_conntrack: fix bsc#758540 kabi fix (bsc#946117).
– privcmd: allow preempting long running user-mode originating hypercalls
(bnc#861093).
– s390/cio: collect format 1 channel-path description data (bsc#966460,
bsc#966662).
– s390/cio: ensure consistent measurement state (bsc#966460, bsc#966662).
– s390/cio: fix measurement characteristics memleak (bsc#966460,
bsc#966662).
– s390/cio: update measurement characteristics (bsc#966460, bsc#966662).
– xfs: Fix lost direct IO write in the last block (bsc#949744).

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server 11-SP2-LTSS:

zypper in -t patch slessp2-kernel-source-12693=1

– SUSE Linux Enterprise Debuginfo 11-SP2:

zypper in -t patch dbgsp2-kernel-source-12693=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

kernel-default-3.0.101-0.7.40.1
kernel-default-base-3.0.101-0.7.40.1
kernel-default-devel-3.0.101-0.7.40.1
kernel-source-3.0.101-0.7.40.1
kernel-syms-3.0.101-0.7.40.1
kernel-trace-3.0.101-0.7.40.1
kernel-trace-base-3.0.101-0.7.40.1
kernel-trace-devel-3.0.101-0.7.40.1

– SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):

kernel-ec2-3.0.101-0.7.40.1
kernel-ec2-base-3.0.101-0.7.40.1
kernel-ec2-devel-3.0.101-0.7.40.1
kernel-xen-3.0.101-0.7.40.1
kernel-xen-base-3.0.101-0.7.40.1
kernel-xen-devel-3.0.101-0.7.40.1

– SUSE Linux Enterprise Server 11-SP2-LTSS (s390x):

kernel-default-man-3.0.101-0.7.40.1

– SUSE Linux Enterprise Server 11-SP2-LTSS (i586):

kernel-pae-3.0.101-0.7.40.1
kernel-pae-base-3.0.101-0.7.40.1
kernel-pae-devel-3.0.101-0.7.40.1

– SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

kernel-default-debuginfo-3.0.101-0.7.40.1
kernel-default-debugsource-3.0.101-0.7.40.1
kernel-default-devel-debuginfo-3.0.101-0.7.40.1
kernel-trace-debuginfo-3.0.101-0.7.40.1
kernel-trace-debugsource-3.0.101-0.7.40.1
kernel-trace-devel-debuginfo-3.0.101-0.7.40.1

– SUSE Linux Enterprise Debuginfo 11-SP2 (i586 x86_64):

kernel-ec2-debuginfo-3.0.101-0.7.40.1
kernel-ec2-debugsource-3.0.101-0.7.40.1
kernel-xen-debuginfo-3.0.101-0.7.40.1
kernel-xen-debugsource-3.0.101-0.7.40.1
kernel-xen-devel-debuginfo-3.0.101-0.7.40.1

– SUSE Linux Enterprise Debuginfo 11-SP2 (i586):

kernel-pae-debuginfo-3.0.101-0.7.40.1
kernel-pae-debugsource-3.0.101-0.7.40.1
kernel-pae-devel-debuginfo-3.0.101-0.7.40.1

References:

https://www.suse.com/security/cve/CVE-2013-2015.html
https://www.suse.com/security/cve/CVE-2013-7446.html
https://www.suse.com/security/cve/CVE-2015-0272.html
https://www.suse.com/security/cve/CVE-2015-3339.html
https://www.suse.com/security/cve/CVE-2015-5307.html
https://www.suse.com/security/cve/CVE-2015-6252.html
https://www.suse.com/security/cve/CVE-2015-6937.html
https://www.suse.com/security/cve/CVE-2015-7509.html
https://www.suse.com/security/cve/CVE-2015-7515.html
https://www.suse.com/security/cve/CVE-2015-7550.html
https://www.suse.com/security/cve/CVE-2015-7566.html
https://www.suse.com/security/cve/CVE-2015-7799.html
https://www.suse.com/security/cve/CVE-2015-7872.html
https://www.suse.com/security/cve/CVE-2015-7990.html
https://www.suse.com/security/cve/CVE-2015-8104.html
https://www.suse.com/security/cve/CVE-2015-8215.html
https://www.suse.com/security/cve/CVE-2015-8539.html
https://www.suse.com/security/cve/CVE-2015-8543.html
https://www.suse.com/security/cve/CVE-2015-8569.html
https://www.suse.com/security/cve/CVE-2015-8575.html
https://www.suse.com/security/cve/CVE-2015-8767.html
https://www.suse.com/security/cve/CVE-2015-8785.html
https://www.suse.com/security/cve/CVE-2015-8812.html
https://www.suse.com/security/cve/CVE-2015-8816.html
https://www.suse.com/security/cve/CVE-2016-0723.html
https://www.suse.com/security/cve/CVE-2016-2069.html
https://www.suse.com/security/cve/CVE-2016-2143.html
https://www.suse.com/security/cve/CVE-2016-2184.html
https://www.suse.com/security/cve/CVE-2016-2185.html
https://www.suse.com/security/cve/CVE-2016-2186.html
https://www.suse.com/security/cve/CVE-2016-2188.html
https://www.suse.com/security/cve/CVE-2016-2384.html
https://www.suse.com/security/cve/CVE-2016-2543.html
https://www.suse.com/security/cve/CVE-2016-2544.html
https://www.suse.com/security/cve/CVE-2016-2545.html
https://www.suse.com/security/cve/CVE-2016-2546.html
https://www.suse.com/security/cve/CVE-2016-2547.html
https://www.suse.com/security/cve/CVE-2016-2548.html
https://www.suse.com/security/cve/CVE-2016-2549.html
https://www.suse.com/security/cve/CVE-2016-2782.html
https://www.suse.com/security/cve/CVE-2016-2847.html
https://www.suse.com/security/cve/CVE-2016-3134.html
https://www.suse.com/security/cve/CVE-2016-3137.html
https://www.suse.com/security/cve/CVE-2016-3138.html
https://www.suse.com/security/cve/CVE-2016-3139.html
https://www.suse.com/security/cve/CVE-2016-3140.html
https://www.suse.com/security/cve/CVE-2016-3156.html
https://www.suse.com/security/cve/CVE-2016-4486.html
https://bugzilla.suse.com/816446
https://bugzilla.suse.com/861093
https://bugzilla.suse.com/928130
https://bugzilla.suse.com/935757
https://bugzilla.suse.com/939826
https://bugzilla.suse.com/942367
https://bugzilla.suse.com/945825
https://bugzilla.suse.com/946117
https://bugzilla.suse.com/946309
https://bugzilla.suse.com/948562
https://bugzilla.suse.com/949744
https://bugzilla.suse.com/949936
https://bugzilla.suse.com/951440
https://bugzilla.suse.com/952384
https://bugzilla.suse.com/953527
https://bugzilla.suse.com/954404
https://bugzilla.suse.com/955354
https://bugzilla.suse.com/955654
https://bugzilla.suse.com/956708
https://bugzilla.suse.com/956709
https://bugzilla.suse.com/958463
https://bugzilla.suse.com/958886
https://bugzilla.suse.com/958951
https://bugzilla.suse.com/959190
https://bugzilla.suse.com/959399
https://bugzilla.suse.com/961500
https://bugzilla.suse.com/961509
https://bugzilla.suse.com/961512
https://bugzilla.suse.com/963765
https://bugzilla.suse.com/963767
https://bugzilla.suse.com/964201
https://bugzilla.suse.com/966437
https://bugzilla.suse.com/966460
https://bugzilla.suse.com/966662
https://bugzilla.suse.com/966693
https://bugzilla.suse.com/967972
https://bugzilla.suse.com/967973
https://bugzilla.suse.com/967974
https://bugzilla.suse.com/967975
https://bugzilla.suse.com/968010
https://bugzilla.suse.com/968011
https://bugzilla.suse.com/968012
https://bugzilla.suse.com/968013
https://bugzilla.suse.com/968670
https://bugzilla.suse.com/970504
https://bugzilla.suse.com/970892
https://bugzilla.suse.com/970909
https://bugzilla.suse.com/970911
https://bugzilla.suse.com/970948
https://bugzilla.suse.com/970956
https://bugzilla.suse.com/970958
https://bugzilla.suse.com/970970
https://bugzilla.suse.com/971124
https://bugzilla.suse.com/971125
https://bugzilla.suse.com/971126
https://bugzilla.suse.com/971360
https://bugzilla.suse.com/972510
https://bugzilla.suse.com/973570
https://bugzilla.suse.com/975945
https://bugzilla.suse.com/977847
https://bugzilla.suse.com/978822

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org