Overview Details Repositories Revisions Requests Users Attributes Meta
Security update for the Linux Kernel

The openSUSE Leap 42.1 kernel to 4.1.38 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2016-7117: Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel allowed remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing (bnc#1003077).
- CVE-2017-5551: tmpfs: Fixed a bug that could have allowed users to set setgid bits on files they don't down (bsc#1021258).
- CVE-2016-10147: crypto/mcryptd.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) by using an AF_ALG socket with an incompatible algorithm, as demonstrated by mcryptd(md5) (bnc#1020381).
- CVE-2016-10088: The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9576 (bnc#1017710).
- CVE-2016-7917: The nfnetlink_rcv_batch function in net/netfilter/nfnetlink.c in the Linux kernel did not check whether a batch message's length field is large enough, which allowed local users to obtain sensitive information from kernel memory or cause a denial of service (infinite loop or out-of-bounds read) by leveraging the CAP_NET_ADMIN capability (bnc#1010444).
- CVE-2016-8645: The TCP stack in the Linux kernel mishandled skb truncation, which allowed local users to cause a denial of service (system crash) via a crafted application that made sendto system calls, related to net/ipv4/tcp_ipv4.c and net/ipv6/tcp_ipv6.c (bnc#1009969).
- CVE-2016-9806: Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel allowed local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that made sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated (bnc#1013540 1017589).
- CVE-2016-9793: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option (bnc#1013531 1013542).

The following non-security bugs were fixed:

- PCI: generic: Fix pci_remap_iospace() failure path (bsc#1019658).
- bcache: partition support: add 16 minors per bcacheN device (bsc#1019784).
- bnx2x: Correct ringparam estimate when DOWN (bsc#1020214).
- clk: xgene: Do not call __pa on ioremaped address (bsc#1019660).
- kABI workaround for 4.1.37 mount changes (stable-4.1.37).
- kABI: reintroduce sk_filter (bsc#1009969).
- kabi/severities: Ignore inode_change_ok change It's renamed in 4.1.37 to setattr_prepare()
- mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] (bsc#1011820).
- net: introduce __sock_queue_rcv_skb() function (bsc#1009969).
- netback: correct array index (bsc#983348).
- netfront: do not truncate grant references.
- netfront: use correct linear area after linearizing an skb (bsc#1007886).
- reiserfs: fix race in prealloc discard (bsc#987576).
- rose: limit sk_filter trim to payload (bsc#1009969).
- scsi: bfa: Increase requested firmware version to 3.2.5.1 (bsc#1013273).
- xenbus: correctly signal errors from xenstored_local_init() (luckily none so far).
- xenbus: do not invoke ->is_ready() for most device states (bsc#987333).

Fixed bugs
bnc#1003077
VUL-0: CVE-2016-7117: kernel: use after free in the recvmmsg exit path
bnc#1007886
missing bugfix in netfront.c
bnc#1009969
VUL-0: CVE-2016-8645: kernel: BUG() statement can be hit in net/ipv4/tcp_input.c
bnc#1010444
VUL-0: CVE-2016-7917: kernel: infinite loop triggered if nlh->nlmsg_len is zero
bnc#1011820
VUL-0: CVE-2016-8650: kernel: Null pointer dereference via keyctl
bnc#1013273
Brocade BR1741M-k 10GbE 2P CNA network cards - 10Gb Interfaces are not operative anymore after update
bnc#1013531
VUL-0: CVE-2016-9793: kernel-source: signed overflows for SO_{SND|RCV}BUFFORCE
bnc#1013540
VUL-0: CVE-2016-9806: kernel-source: double free in netlink_dump
bnc#1013542
VUL-0: CVE-2012-6704: kernel-source: signed overflows for SO_{SND|RCV}BUF
bnc#1017589
VUL-0: CVE-2016-9806: kernel live patch: double free in netlink_dump
bnc#1017710
VUL-0: CVE-2016-10088: kernel: sg: write operations not properly restricted when KERNEL_DS option is set (incomplete fix for CVE-2016-9576)
bnc#1019658
PCI: generic: Fix pci_remap_iospace() failure path
bnc#1019660
clk: xgene: Don't call __pa on ioremaped address
bnc#1019784
Missing partition support of bcache for Leap 42.1 & 42.2
bnc#1020214
L3: bnx2x: Correct ringparam estimate when DOWN
bnc#1020381
VUL-0: CVE-2016-10147: kernel-source: Kernel crash by spawning mcrypt(alg) with incompatible algorithm
bnc#1021258
VUL-1: CVE-2017-5551: kernel-source: tmpfs:clear S_ISGID when setting posix ACLs
bnc#983348
L3-Question: Xen DomU hangs under heavy load: grant still in use by backend domain
bnc#987333
Panic when using xen_blfront in SLES VM on OVM
bnc#987576
REISERFS error : vs-4080 _reiserfs_free_block - FS goes readonly
CVE-2016-7117
CVE-2017-5551
CVE-2016-10147
CVE-2016-10088
CVE-2016-7917
CVE-2016-8645
CVE-2016-9806
CVE-2016-9793
Selected Binaries
openSUSE Build Service is sponsored by
Places