openSUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: openSUSE-SU-2016:2290-1
Rating: important
References: #963931 #970948 #971126 #971360 #974266 #978821
#978822 #979018 #979213 #979879 #980371 #981058
#981267 #986362 #986365 #986570 #987886 #989084
#989152 #989176 #990058 #991110 #991608 #991665
#994296 #994520
Cross-References: CVE-2015-8787 CVE-2016-1237 CVE-2016-2847
CVE-2016-3134 CVE-2016-3156 CVE-2016-4485
CVE-2016-4486 CVE-2016-4557 CVE-2016-4569
CVE-2016-4578 CVE-2016-4580 CVE-2016-4805
CVE-2016-4951 CVE-2016-4998 CVE-2016-5696
CVE-2016-6480 CVE-2016-6828
Affected Products:
openSUSE Leap 42.1
______________________________________________________________________________
An update that solves 17 vulnerabilities and has 9 fixes is
now available.
Description:
The openSUSE Leap 42.1 kernel was updated to 4.1.31 to receive various
security and bugfixes.
The following security bugs were fixed:
– CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of
unread data in pipes, which allowed local users to cause a denial of
service (memory consumption) by creating many pipes with non-default
sizes (bnc#970948).
– CVE-2016-3134: The netfilter subsystem in the Linux kernel did not
validate certain offset fields, which allowed local users to gain
privileges or cause a denial of service (heap memory corruption) via an
IPT_SO_SET_REPLACE setsockopt call (bnc#971126).
– CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandled
destruction of device objects, which allowed guest OS users to cause a
denial of service (host OS networking outage) by arranging for a large
number of IP addresses (bnc#971360).
– CVE-2016-4485: The llc_cmsg_rcv function in net/llc/af_llc.c in the
Linux kernel did not initialize a certain data structure, which allowed
attackers to obtain sensitive information from kernel stack memory by
reading a message (bnc#978821).
– CVE-2016-4486: The rtnl_fill_link_ifmap function in net/core/rtnetlink.c
in the Linux kernel did not initialize a certain data structure, which
allowed local users to obtain sensitive information from kernel stack
memory by reading a Netlink message (bnc#978822).
– CVE-2016-4557: The replace_map_fd_with_map_ptr function in
kernel/bpf/verifier.c in the Linux kernel did not properly maintain an
fd data structure, which allowed local users to gain privileges or cause
a denial of service (use-after-free) via crafted BPF instructions that
reference an incorrect file descriptor (bnc#979018).
– CVE-2016-4580: The x25_negotiate_facilities function in
net/x25/x25_facilities.c in the Linux kernel did not properly initialize
a certain data structure, which allowed attackers to obtain sensitive
information from kernel stack memory via an X.25 Call Request
(bnc#981267).
– CVE-2016-4805: Use-after-free vulnerability in
drivers/net/ppp/ppp_generic.c in the Linux kernel allowed local users to
cause a denial of service (memory corruption and system crash, or
spinlock) or possibly have unspecified other impact by removing a
network namespace, related to the ppp_register_net_channel and
ppp_unregister_channel functions (bnc#980371).
– CVE-2016-4951: The tipc_nl_publ_dump function in net/tipc/socket.c in
the Linux kernel did not verify socket existence, which allowed local
users to cause a denial of service (NULL pointer dereference and system
crash) or possibly have unspecified other impact via a dumpit operation
(bnc#981058).
– CVE-2015-8787: The nf_nat_redirect_ipv4 function in
net/netfilter/nf_nat_redirect.c in the Linux kernel allowed remote
attackers to cause a denial of service (NULL pointer dereference and
system crash) or possibly have unspecified other impact by sending
certain IPv4 packets to an incompletely configured interface, a related
issue to CVE-2003-1604 (bnc#963931).
– CVE-2016-4569: The snd_timer_user_params function in sound/core/timer.c
in the Linux kernel did not initialize a certain data structure, which
allowed local users to obtain sensitive information from kernel stack
memory via crafted use of the ALSA timer interface (bnc#979213).
– CVE-2016-4578: sound/core/timer.c in the Linux kernel did not initialize
certain r1 data structures, which allowed local users to obtain
sensitive information from kernel stack memory via crafted use of the
ALSA timer interface, related to the (1) snd_timer_user_ccallback and
(2) snd_timer_user_tinterrupt functions (bnc#979879).
– CVE-2016-6828: A use after free in tcp_xmit_retransmit_queue() was fixed
that could be used by local attackers to crash the kernel (bsc#994296).
– CVE-2016-6480: Race condition in the ioctl_send_fib function in
drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users
to cause a denial of service (out-of-bounds access or system crash) by
changing a certain size value, aka a “double fetch” vulnerability
(bnc#991608).
– CVE-2016-4998: The IPT_SO_SET_REPLACE setsockopt implementation in the
netfilter subsystem in the Linux kernel allowed local users to cause a
denial of service (out-of-bounds read) or possibly obtain sensitive
information from kernel heap memory by leveraging in-container root
access to provide a crafted offset value that leads to crossing a
ruleset blob boundary (bnc#986362 986365 990058).
– CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly
determine the rate of challenge ACK segments, which made it easier for
man-in-the-middle attackers to hijack TCP sessions via a blind in-window
attack (bnc#989152).
– CVE-2016-1237: nfsd in the Linux kernel allowed local users to bypass
intended file-permission restrictions by setting a POSIX ACL, related to
nfs2acl.c, nfs3acl.c, and nfs4acl.c (bnc#986570).
The following non-security bugs were fixed:
– AF_VSOCK: Shrink the area influenced by prepare_to_wait (bsc#994520).
– KVM: arm/arm64: Handle forward time correction gracefully (bnc#974266).
– Linux 4.1.29. Refreshed patch: patches.xen/xen3-fixup-xen Deleted
patches:
patches.fixes/0001-Revert-ecryptfs-forbid-opening-files-without-mmap-ha.pat
ch
patches.fixes/0001-ecryptfs-don-t-allow-mmap-when-the-lower-file-system.pat
ch patches.rpmify/Revert-mm-swap.c-flush-lru-pvecs-on-compound-page-ar
patches.rpmify/Revert-powerpc-Update-TM-user-feature-bits-in-scan_f
– Revert “mm/swap.c: flush lru pvecs on compound page arrival”
(boo#989084).
– Revert “powerpc: Update TM user feature bits in scan_features()”. Fix
the build error of 4.1.28 on ppc.
– Revive i8042_check_power_owner() for 4.1.31 kabi fix.
– USB: OHCI: Do not mark EDs as ED_OPER if scheduling fails (bnc#987886).
– USB: validate wMaxPacketValue entries in endpoint descriptors
(bnc#991665).
– Update patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch
(bsc#986570 CVE-2016-1237).
– Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch (bsc#986570
CVE-2016-1237).
– netfilter: x_tables: fix 4.1 stable backport (bsc#989176).
– nfsd: check permissions when setting ACLs (bsc#986570).
– posix_acl: Add set_posix_acl (bsc#986570).
– ppp: defer netns reference release for ppp channel (bsc#980371).
– series.conf: Move a kABI patch to its own section
– supported.conf: enable i2c-designware driver (bsc#991110)
– tcp: enable per-socket rate limiting of all “challenge acks”
(bsc#989152).
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
– openSUSE Leap 42.1:
zypper in -t patch openSUSE-2016-1076=1
To bring your system up-to-date, use “zypper patch”.
Package List:
– openSUSE Leap 42.1 (i586 x86_64):
hdjmod-debugsource-1.28-24.1
hdjmod-kmp-default-1.28_k4.1.31_30-24.1
hdjmod-kmp-default-debuginfo-1.28_k4.1.31_30-24.1
hdjmod-kmp-pv-1.28_k4.1.31_30-24.1
hdjmod-kmp-pv-debuginfo-1.28_k4.1.31_30-24.1
hdjmod-kmp-xen-1.28_k4.1.31_30-24.1
hdjmod-kmp-xen-debuginfo-1.28_k4.1.31_30-24.1
ipset-6.25.1-5.1
ipset-debuginfo-6.25.1-5.1
ipset-debugsource-6.25.1-5.1
ipset-devel-6.25.1-5.1
ipset-kmp-default-6.25.1_k4.1.31_30-5.1
ipset-kmp-default-debuginfo-6.25.1_k4.1.31_30-5.1
ipset-kmp-pv-6.25.1_k4.1.31_30-5.1
ipset-kmp-pv-debuginfo-6.25.1_k4.1.31_30-5.1
ipset-kmp-xen-6.25.1_k4.1.31_30-5.1
ipset-kmp-xen-debuginfo-6.25.1_k4.1.31_30-5.1
kernel-default-4.1.31-30.2
kernel-default-base-4.1.31-30.2
kernel-default-base-debuginfo-4.1.31-30.2
kernel-default-debuginfo-4.1.31-30.2
kernel-default-debugsource-4.1.31-30.2
kernel-default-devel-4.1.31-30.2
kernel-obs-build-4.1.31-30.3
kernel-obs-build-debugsource-4.1.31-30.3
kernel-obs-qa-4.1.31-30.1
kernel-obs-qa-xen-4.1.31-30.1
kernel-syms-4.1.31-30.1
libipset3-6.25.1-5.1
libipset3-debuginfo-6.25.1-5.1
pcfclock-0.44-266.1
pcfclock-debuginfo-0.44-266.1
pcfclock-debugsource-0.44-266.1
pcfclock-kmp-default-0.44_k4.1.31_30-266.1
pcfclock-kmp-default-debuginfo-0.44_k4.1.31_30-266.1
pcfclock-kmp-pv-0.44_k4.1.31_30-266.1
pcfclock-kmp-pv-debuginfo-0.44_k4.1.31_30-266.1
vhba-kmp-debugsource-20140928-5.1
vhba-kmp-default-20140928_k4.1.31_30-5.1
vhba-kmp-default-debuginfo-20140928_k4.1.31_30-5.1
vhba-kmp-pv-20140928_k4.1.31_30-5.1
vhba-kmp-pv-debuginfo-20140928_k4.1.31_30-5.1
vhba-kmp-xen-20140928_k4.1.31_30-5.1
vhba-kmp-xen-debuginfo-20140928_k4.1.31_30-5.1
– openSUSE Leap 42.1 (i686 x86_64):
kernel-debug-4.1.31-30.2
kernel-debug-base-4.1.31-30.2
kernel-debug-base-debuginfo-4.1.31-30.2
kernel-debug-debuginfo-4.1.31-30.2
kernel-debug-debugsource-4.1.31-30.2
kernel-debug-devel-4.1.31-30.2
kernel-debug-devel-debuginfo-4.1.31-30.2
kernel-ec2-4.1.31-30.2
kernel-ec2-base-4.1.31-30.2
kernel-ec2-base-debuginfo-4.1.31-30.2
kernel-ec2-debuginfo-4.1.31-30.2
kernel-ec2-debugsource-4.1.31-30.2
kernel-ec2-devel-4.1.31-30.2
kernel-pv-4.1.31-30.2
kernel-pv-base-4.1.31-30.2
kernel-pv-base-debuginfo-4.1.31-30.2
kernel-pv-debuginfo-4.1.31-30.2
kernel-pv-debugsource-4.1.31-30.2
kernel-pv-devel-4.1.31-30.2
kernel-vanilla-4.1.31-30.2
kernel-vanilla-debuginfo-4.1.31-30.2
kernel-vanilla-debugsource-4.1.31-30.2
kernel-vanilla-devel-4.1.31-30.2
kernel-xen-4.1.31-30.2
kernel-xen-base-4.1.31-30.2
kernel-xen-base-debuginfo-4.1.31-30.2
kernel-xen-debuginfo-4.1.31-30.2
kernel-xen-debugsource-4.1.31-30.2
kernel-xen-devel-4.1.31-30.2
– openSUSE Leap 42.1 (x86_64):
drbd-8.4.6-8.1
drbd-debugsource-8.4.6-8.1
drbd-kmp-default-8.4.6_k4.1.31_30-8.1
drbd-kmp-default-debuginfo-8.4.6_k4.1.31_30-8.1
drbd-kmp-pv-8.4.6_k4.1.31_30-8.1
drbd-kmp-pv-debuginfo-8.4.6_k4.1.31_30-8.1
drbd-kmp-xen-8.4.6_k4.1.31_30-8.1
drbd-kmp-xen-debuginfo-8.4.6_k4.1.31_30-8.1
lttng-modules-2.7.0-2.1
lttng-modules-debugsource-2.7.0-2.1
lttng-modules-kmp-default-2.7.0_k4.1.31_30-2.1
lttng-modules-kmp-default-debuginfo-2.7.0_k4.1.31_30-2.1
lttng-modules-kmp-pv-2.7.0_k4.1.31_30-2.1
lttng-modules-kmp-pv-debuginfo-2.7.0_k4.1.31_30-2.1
– openSUSE Leap 42.1 (noarch):
kernel-devel-4.1.31-30.1
kernel-docs-4.1.31-30.3
kernel-docs-html-4.1.31-30.3
kernel-docs-pdf-4.1.31-30.3
kernel-macros-4.1.31-30.1
kernel-source-4.1.31-30.1
kernel-source-vanilla-4.1.31-30.1
– openSUSE Leap 42.1 (i686):
kernel-pae-4.1.31-30.2
kernel-pae-base-4.1.31-30.2
kernel-pae-base-debuginfo-4.1.31-30.2
kernel-pae-debuginfo-4.1.31-30.2
kernel-pae-debugsource-4.1.31-30.2
kernel-pae-devel-4.1.31-30.2
– openSUSE Leap 42.1 (i586):
hdjmod-kmp-pae-1.28_k4.1.31_30-24.1
hdjmod-kmp-pae-debuginfo-1.28_k4.1.31_30-24.1
ipset-kmp-pae-6.25.1_k4.1.31_30-5.1
ipset-kmp-pae-debuginfo-6.25.1_k4.1.31_30-5.1
pcfclock-kmp-pae-0.44_k4.1.31_30-266.1
pcfclock-kmp-pae-debuginfo-0.44_k4.1.31_30-266.1
vhba-kmp-pae-20140928_k4.1.31_30-5.1
vhba-kmp-pae-debuginfo-20140928_k4.1.31_30-5.1
References:
https://www.suse.com/security/cve/CVE-2015-8787.html
https://www.suse.com/security/cve/CVE-2016-1237.html
https://www.suse.com/security/cve/CVE-2016-2847.html
https://www.suse.com/security/cve/CVE-2016-3134.html
https://www.suse.com/security/cve/CVE-2016-3156.html
https://www.suse.com/security/cve/CVE-2016-4485.html
https://www.suse.com/security/cve/CVE-2016-4486.html
https://www.suse.com/security/cve/CVE-2016-4557.html
https://www.suse.com/security/cve/CVE-2016-4569.html
https://www.suse.com/security/cve/CVE-2016-4578.html
https://www.suse.com/security/cve/CVE-2016-4580.html
https://www.suse.com/security/cve/CVE-2016-4805.html
https://www.suse.com/security/cve/CVE-2016-4951.html
https://www.suse.com/security/cve/CVE-2016-4998.html
https://www.suse.com/security/cve/CVE-2016-5696.html
https://www.suse.com/security/cve/CVE-2016-6480.html
https://www.suse.com/security/cve/CVE-2016-6828.html
https://bugzilla.suse.com/963931
https://bugzilla.suse.com/970948
https://bugzilla.suse.com/971126
https://bugzilla.suse.com/971360
https://bugzilla.suse.com/974266
https://bugzilla.suse.com/978821
https://bugzilla.suse.com/978822
https://bugzilla.suse.com/979018
https://bugzilla.suse.com/979213
https://bugzilla.suse.com/979879
https://bugzilla.suse.com/980371
https://bugzilla.suse.com/981058
https://bugzilla.suse.com/981267
https://bugzilla.suse.com/986362
https://bugzilla.suse.com/986365
https://bugzilla.suse.com/986570
https://bugzilla.suse.com/987886
https://bugzilla.suse.com/989084
https://bugzilla.suse.com/989152
https://bugzilla.suse.com/989176
https://bugzilla.suse.com/990058
https://bugzilla.suse.com/991110
https://bugzilla.suse.com/991608
https://bugzilla.suse.com/991665
https://bugzilla.suse.com/994296
https://bugzilla.suse.com/994520
—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org