The openSUSE 13.2 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2015-8956: The rfcomm_sock_bind function in
net/bluetooth/rfcomm/sock.c in the Linux kernel allowed local users to
obtain sensitive information or cause a denial of service (NULL pointer
dereference) via vectors involving a bind system call on a Bluetooth
RFCOMM socket (bnc#1003925).
- CVE-2016-5195: A local privilege escalation using MAP_PRIVATE was fixed,
which is reportedly exploited in the wild (bsc#1004418).
- CVE-2016-8658: Stack-based buffer overflow
in the brcmf_cfg80211_start_ap function in
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c in the Linux
kernel allowed local users to cause a denial of service (system crash)
or possibly have unspecified other impact via a long SSID Information
Element in a command to a Netlink socket (bnc#1004462).
- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg
function in net/socket.c in the Linux kernel allowed remote attackers
to execute arbitrary code via vectors involving a recvmmsg system call
that is mishandled during error processing (bnc#1003077).
- CVE-2016-0823: The pagemap_open function in fs/proc/task_mmu.c in the
Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01,
allowed local users to obtain sensitive physical-address information by
reading a pagemap file, aka Android internal bug 25739721 (bnc#994759).
- CVE-2016-7425: The arcmsr_iop_message_xfer function in
drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel did not restrict
a certain length field, which allowed local users to gain privileges
or cause a denial of service (heap-based buffer overflow) via an
ARCMSR_MESSAGE_WRITE_WQBUFFER control code (bnc#999932).
- CVE-2016-6327: drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux
kernel allowed local users to cause a denial of service (NULL pointer
dereference and system crash) by using an ABORT_TASK command to abort
a device write operation (bnc#994748).
- CVE-2016-6828: The tcp_check_send_head function in include/net/tcp.h
in the Linux kernel did not properly maintain certain SACK state after a
failed data copy, which allowed local users to cause a denial of service
(tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted
SACK option (bnc#994296).
- CVE-2016-5696: net/ipv4/tcp_input.c in the Linux kernel did not properly
determine the rate of challenge ACK segments, which made it easier for
man-in-the-middle attackers to hijack TCP sessions via a blind in-window
attack (bnc#989152)
- CVE-2016-6480: Race condition in the ioctl_send_fib function in
drivers/scsi/aacraid/commctrl.c in the Linux kernel allowed local users
to cause a denial of service (out-of-bounds access or system crash)
by changing a certain size value, aka a "double fetch" vulnerability
(bnc#991608).
- CVE-2015-7513: arch/x86/kvm/x86.c in the Linux kernel did not reset
the PIT counter values during state restoration, which allowed guest
OS users to cause a denial of service (divide-by-zero error and host
OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and
kvm_vm_ioctl_set_pit2 functions (bnc#960689).
- CVE-2016-1237: nfsd in the Linux kernel allowed local users to bypass
intended file-permission restrictions by setting a POSIX ACL, related
to nfs2acl.c, nfs3acl.c, and nfs4acl.c (bnc#986570).
The following non-security bugs were fixed:
- AF_VSOCK: Shrink the area influenced by prepare_to_wait (bsc#994520).
- xen: Fix refcnt regression in xen netback introduced by changes made for bug#881008 (bnc#978094)
- MSI-X: fix an error path (luckily none so far).
- usb: fix typo in wMaxPacketSize validation (bsc#991665).
- usb: validate wMaxPacketValue entries in endpoint descriptors (bnc#991665).
- Update patches.fixes/0002-nfsd-check-permissions-when-setting-ACLs.patch (bsc#986570 CVE#2016-1237).
- Update patches.fixes/0001-posix_acl-Add-set_posix_acl.patch (bsc#986570 CVE#2016-1237).
- apparmor: fix change_hat not finding hat after policy replacement (bsc#1000287).
- arm64: Honor __GFP_ZERO in dma allocations (bsc#1004045).
- arm64: __clear_user: handle exceptions on strb (bsc#994752).
- arm64: dma-mapping: always clear allocated buffers (bsc#1004045).
- arm64: perf: reject groups spanning multiple HW PMUs (bsc#1003931).
- blkfront: fix an error path memory leak (luckily none so far).
- blktap2: eliminate deadlock potential from shutdown path (bsc#909994).
- blktap2: eliminate race from deferred work queue handling (bsc#911687).
- btrfs: ensure that file descriptor used with subvol ioctls is a dir (bsc#999600).
- cdc-acm: added sanity checking for probe() (bsc#993891).
- kaweth: fix firmware download (bsc#993890).
- kaweth: fix oops upon failed memory allocation (bsc#993890).
- netback: fix flipping mode (bsc#996664).
- netback: fix flipping mode (bsc#996664).
- netfront: linearize SKBs requiring too many slots (bsc#991247).
- nfsd: check permissions when setting ACLs (bsc#986570).
- posix_acl: Add set_posix_acl (bsc#986570).
- ppp: defer netns reference release for ppp channel (bsc#980371).
- tunnels: Do not apply GRO to multiple layers of encapsulation (bsc#1001486).
- usb: hub: Fix auto-remount of safely removed or ejected USB-3 devices (bsc#922634).
- x86: suppress lazy MMU updates during vmalloc fault processing (bsc#951155).
- xen-netback-generalize.patch: Fold back into base patch.
- xen3-patch-2.6.31.patch: Fold back into base patch.
- xen3-patch-3.12.patch: Fold bac into base patch.
- xen3-patch-3.15.patch: Fold back into base patch.
- xen3-patch-3.3.patch: Fold back into base patch.
- xen3-patch-3.9.patch: Fold bac into base patch.
- xen3-patch-3.9.patch: Fold back into base patch.
- xenbus: do not bail early from xenbus_dev_request_and_reply() (luckily none so far).
- xenbus: inspect the correct type in xenbus_dev_request_and_reply().
- Submitted by Marcus Meissner (msmeissn)
- Reboot is suggested