SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:2074-1
Rating:             important
References:         #816446 #861093 #928130 #935757 #939826 #942367 
                    #945825 #946117 #946309 #948562 #949744 #949936 
                    #951440 #952384 #953527 #954404 #955354 #955654 
                    #956708 #956709 #958463 #958886 #958951 #959190 
                    #959399 #961500 #961509 #961512 #963765 #963767 
                    #964201 #966437 #966460 #966662 #966693 #967972 
                    #967973 #967974 #967975 #968010 #968011 #968012 
                    #968013 #968670 #970504 #970892 #970909 #970911 
                    #970948 #970956 #970958 #970970 #971124 #971125 
                    #971126 #971360 #972510 #973570 #975945 #977847 
                    #978822 
Cross-References:   CVE-2013-2015 CVE-2013-7446 CVE-2015-0272
                    CVE-2015-3339 CVE-2015-5307 CVE-2015-6252
                    CVE-2015-6937 CVE-2015-7509 CVE-2015-7515
                    CVE-2015-7550 CVE-2015-7566 CVE-2015-7799
                    CVE-2015-7872 CVE-2015-7990 CVE-2015-8104
                    CVE-2015-8215 CVE-2015-8539 CVE-2015-8543
                    CVE-2015-8569 CVE-2015-8575 CVE-2015-8767
                    CVE-2015-8785 CVE-2015-8812 CVE-2015-8816
                    CVE-2016-0723 CVE-2016-2069 CVE-2016-2143
                    CVE-2016-2184 CVE-2016-2185 CVE-2016-2186
                    CVE-2016-2188 CVE-2016-2384 CVE-2016-2543
                    CVE-2016-2544 CVE-2016-2545 CVE-2016-2546
                    CVE-2016-2547 CVE-2016-2548 CVE-2016-2549
                    CVE-2016-2782 CVE-2016-2847 CVE-2016-3134
                    CVE-2016-3137 CVE-2016-3138 CVE-2016-3139
                    CVE-2016-3140 CVE-2016-3156 CVE-2016-4486
                   
Affected Products:
                    SUSE Linux Enterprise Server 11-SP2-LTSS
                    SUSE Linux Enterprise Debuginfo 11-SP2
______________________________________________________________________________

   An update that solves 48 vulnerabilities and has 13 fixes
   is now available.

Description:

   The SUSE Linux Enterprise 11 SP2 kernel was updated to receive various
   security and bug fixes.

   The following security bugs were fixed:
   - CVE-2016-4486: Fixed 4 byte information leak in net/core/rtnetlink.c
     (bsc#978822).
   - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not
     validate certain offset fields, which allowed local users to gain
     privileges or cause a denial of service (heap memory corruption) via an
     IPT_SO_SET_REPLACE setsockopt call (bnc#971126).
   - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of
     unread data in pipes, which allowed local users to cause a denial of
     service (memory consumption) by creating many pipes with non-default
     sizes (bnc#970948).
   - CVE-2016-2188: The iowarrior_probe function in
     drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically
     proximate attackers to cause a denial of service (NULL pointer
     dereference and system crash) via a crafted endpoints value in a USB
     device descriptor (bnc#970956).
   - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in
     the Linux kernel allowed physically proximate attackers to cause a
     denial of service (NULL pointer dereference and system crash) via a USB
     device without both a control and a data endpoint descriptor
     (bnc#970911).
   - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel
     allowed physically proximate attackers to cause a denial of service
     (NULL pointer dereference and system crash) via a USB device without
     both an interrupt-in and an interrupt-out endpoint descriptor, related
     to the cypress_generic_port_probe and cypress_open functions
     (bnc#970970).
   - CVE-2016-3140: The digi_port_init function in
     drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed
     physically proximate attackers to cause a denial of service (NULL
     pointer dereference and system crash) via a crafted endpoints value in a
     USB device descriptor (bnc#970892).
   - CVE-2016-2186: The powermate_probe function in
     drivers/input/misc/powermate.c in the Linux kernel allowed physically
     proximate attackers to cause a denial of service (NULL pointer
     dereference and system crash) via a crafted endpoints value in a USB
     device descriptor (bnc#970958).
   - CVE-2016-2185: The ati_remote2_probe function in
     drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically
     proximate attackers to cause a denial of service (NULL pointer
     dereference and system crash) via a crafted endpoints value in a USB
     device descriptor (bnc#971124).
   - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles
     destruction of device objects, which allowed guest OS users to cause a
     denial of service (host OS networking outage) by arranging for a large
     number of IP addresses (bnc#971360).
   - CVE-2016-2184: The create_fixed_stream_quirk function in
     sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel
     allowed physically proximate attackers to cause a denial of service
     (NULL pointer dereference or double free, and system crash) via a
     crafted endpoints value in a USB device descriptor (bnc#971125).
   - CVE-2016-3139: The wacom_probe function in
     drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically
     proximate attackers to cause a denial of service (NULL pointer
     dereference and system crash) via a crafted endpoints value in a USB
     device descriptor (bnc#970909).
   - CVE-2016-2143: The fork implementation in the Linux kernel on s390
     platforms mishandled the case of four page-table levels, which allowed
     local users to cause a denial of service (system crash) or possibly have
     unspecified other impact via a crafted application, related to
     arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h
     (bnc#970504).
   - CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in
     the Linux kernel allowed physically proximate attackers to cause a
     denial of service (NULL pointer dereference and system crash) or
     possibly have unspecified other impact by inserting a USB device that
     lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670).
   - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in
     the Linux kernel did not properly maintain a hub-interface data
     structure, which allowed physically proximate attackers to cause a
     denial of service (invalid memory access and system crash) or possibly
     have unspecified other impact by unplugging a USB hub device
     (bnc#968010).
   - CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c
     in the Linux kernel allowed physically proximate attackers to cause a
     denial of service (NULL pointer dereference and system crash) or
     possibly have unspecified other impact by inserting a USB device that
     lacks a bulk-out endpoint (bnc#961512).
   - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel did not prevent
     recursive callback access, which allowed local users to cause a denial
     of service (deadlock) via a crafted ioctl call (bnc#968013).
   - CVE-2016-2547: sound/core/timer.c in the Linux kernel employed a locking
     approach that did not consider slave timer instances, which allowed
     local users to cause a denial of service (race condition,
     use-after-free, and system crash) via a crafted ioctl call (bnc#968011).
   - CVE-2016-2548: sound/core/timer.c in the Linux kernel retained certain
     linked lists after a close or stop action, which allowed local users to
     cause a denial of service (system crash) via a crafted ioctl call,
     related to the (1) snd_timer_close and (2) _snd_timer_stop functions
     (bnc#968012).
   - CVE-2016-2546: sound/core/timer.c in the Linux kernel used an incorrect
     type of mutex, which allowed local users to cause a denial of service
     (race condition, use-after-free, and system crash) via a crafted ioctl
     call (bnc#967975).
   - CVE-2016-2545: The snd_timer_interrupt function in sound/core/timer.c in
     the Linux kernel did not properly maintain a certain linked list, which
     allowed local users to cause a denial of service (race condition and
     system crash) via a crafted ioctl call (bnc#967974).
   - CVE-2016-2544: Race condition in the queue_delete function in
     sound/core/seq/seq_queue.c in the Linux kernel allowed local users to
     cause a denial of service (use-after-free and system crash) by making an
     ioctl call at a certain time (bnc#967973).
   - CVE-2016-2543: The snd_seq_ioctl_remove_events function in
     sound/core/seq/seq_clientmgr.c in the Linux kernel did not verify FIFO
     assignment before proceeding with FIFO clearing, which allowed local
     users to cause a denial of service (NULL pointer dereference and OOPS)
     via a crafted ioctl call (bnc#967972).
   - CVE-2016-2384: Double free vulnerability in the snd_usbmidi_create
     function in sound/usb/midi.c in the Linux kernel allowed physically
     proximate attackers to cause a denial of service (panic) or possibly
     have unspecified other impact via vectors involving an invalid USB
     descriptor (bnc#966693).
   - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel
     did not properly identify error conditions, which allowed remote
     attackers to execute arbitrary code or cause a denial of service
     (use-after-free) via crafted packets (bnc#966437).
   - CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c in
     the Linux kernel allowed local users to cause a denial of service
     (infinite loop) via a writev system call that triggers a zero length for
     the first segment of an iov (bnc#963765).
   - CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in the Linux kernel
     .4.1 allowed local users to gain privileges by triggering access to a
     paging structure by a different CPU (bnc#963767).
   - CVE-2016-0723: Race condition in the tty_ioctl function in
     drivers/tty/tty_io.c in the Linux kernel allowed local users to obtain
     sensitive information from kernel memory or cause a denial of service
     (use-after-free and system crash) by making a TIOCGETD ioctl call during
     processing of a TIOCSETD ioctl call (bnc#961500).
   - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the
     Linux kernel allowed local users to bypass intended AF_UNIX socket
     permissions or cause a denial of service (panic) via crafted epoll_ctl
     calls (bnc#955654).
   - CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux kernel did not
     properly manage the relationship between a lock and a socket, which
     allowed local users to cause a denial of service (deadlock) via a
     crafted sctp_accept call (bnc#961509).
   - CVE-2015-7515: The aiptek_probe function in
     drivers/input/tablet/aiptek.c in the Linux kernel allowed physically
     proximate attackers to cause a denial of service (NULL pointer
     dereference and system crash) via a crafted USB device that lacks
     endpoints (bnc#956708).
   - CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel
     did not validate attempted changes to the MTU value, which allowed
     context-dependent attackers to cause a denial of service (packet loss)
     via a value that is (1) smaller than the minimum compliant value or (2)
     larger than the MTU of an interface, as demonstrated by a Router
     Advertisement (RA) message that is not validated by a daemon, a
     different vulnerability than CVE-2015-0272 (bnc#955354).
   - CVE-2015-7550: The keyctl_read_key function in security/keys/keyctl.c in
     the Linux kernel did not properly use a semaphore, which allowed local
     users to cause a denial of service (NULL pointer dereference and system
     crash) or possibly have unspecified other impact via a crafted
     application that leverages a race condition between keyctl_revoke and
     keyctl_read calls (bnc#958951).
   - CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in
     drivers/net/ppp/pptp.c in the Linux kernel did not verify an address
     length, which allowed local users to obtain sensitive information from
     kernel memory and bypass the KASLR protection mechanism via a crafted
     application (bnc#959190).
   - CVE-2015-8575: The sco_sock_bind function in net/bluetooth/sco.c in the
     Linux kernel did not verify an address length, which allowed local users
     to obtain sensitive information from kernel memory and bypass the KASLR
     protection mechanism via a crafted application (bnc#959399).
   - CVE-2015-8543: The networking implementation in the Linux kernel did not
     validate protocol identifiers for certain protocol families, which
     allowed local users to cause a denial of service (NULL function pointer
     dereference and system crash) or possibly gain privileges by leveraging
     CLONE_NEWUSER support to execute a crafted SOCK_RAW application
     (bnc#958886).
   - CVE-2015-8539: The KEYS subsystem in the Linux kernel allowed local
     users to gain privileges or cause a denial of service (BUG) via crafted
     keyctl commands that negatively instantiate a key, related to
     security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and
     security/keys/user_defined.c (bnc#958463).
   - CVE-2015-7509: fs/ext4/namei.c in the Linux kernel allowed physically
     proximate attackers to cause a denial of service (system crash) via a
     crafted no-journal filesystem, a related issue to CVE-2013-2015
     (bnc#956709).
   - CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the
     Linux kernel did not ensure that certain slot numbers are valid, which
     allowed local users to cause a denial of service (NULL pointer
     dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call
     (bnc#949936).
   - CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS
     users to cause a denial of service (host OS panic or hang) by triggering
     many #DB (aka Debug) exceptions, related to svm.c (bnc#954404).
   - CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS
     users to cause a denial of service (host OS panic or hang) by triggering
     many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c
     (bnc#953527).
   - CVE-2015-7990: Race condition in the rds_sendmsg function in
     net/rds/sendmsg.c in the Linux kernel allowed local users to cause a
     denial of service (NULL pointer dereference and system crash) or
     possibly have unspecified other impact by using a socket that was not
     properly bound (bnc#952384).
   - CVE-2015-7872: The key_gc_unused_keys function in security/keys/gc.c in
     the Linux kernel allowed local users to cause a denial of service (OOPS)
     via crafted keyctl commands (bnc#951440).
   - CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in
     the Linux kernel allowed local users to cause a denial of service (NULL
     pointer dereference and system crash) or possibly have unspecified other
     impact by using a socket that was not properly bound (bnc#945825).
   - CVE-2015-6252: The vhost_dev_ioctl function in drivers/vhost/vhost.c in
     the Linux kernel allowed local users to cause a denial of service
     (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers
     permanent file-descriptor allocation (bnc#942367).
   - CVE-2015-3339: Race condition in the prepare_binprm function in
     fs/exec.c in the Linux kernel allowed local users to gain privileges by
     executing a setuid program at a time instant when a chown to root is in
     progress, and the ownership is changed but the setuid bit is not yet
     stripped (bnc#928130).

   The following non-security bugs were fixed:
   - Fix handling of re-write-before-commit for mmapped NFS pages
     (bsc#964201).
   - Fix lpfc_send_rscn_event allocation size claims (bnc#935757).
   - Fix ntpd clock synchronization in Xen PV domains (bnc#816446).
   - Fix vmalloc_fault oops during lazy MMU updates (bsc#948562).
   - Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).
   - SCSI: bfa: Fix to handle firmware tskim abort request response
     (bsc#972510).
   - USB: usbip: fix potential out-of-bounds write (bnc#975945).
   - af_unix: Guard against other == sk in unix_dgram_sendmsg (bsc#973570).
   - dm-snap: avoid deadlock on s->lock when a read is split (bsc#939826).
   - mm/hugetlb: check for pte NULL pointer in __page_check_address()
     (bsc#977847).
   - nf_conntrack: fix bsc#758540 kabi fix (bsc#946117).
   - privcmd: allow preempting long running user-mode originating hypercalls
     (bnc#861093).
   - s390/cio: collect format 1 channel-path description data (bsc#966460,
     bsc#966662).
   - s390/cio: ensure consistent measurement state (bsc#966460, bsc#966662).
   - s390/cio: fix measurement characteristics memleak (bsc#966460,
     bsc#966662).
   - s390/cio: update measurement characteristics (bsc#966460, bsc#966662).
   - xfs: Fix lost direct IO write in the last block (bsc#949744).


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-kernel-source-12693=1

   - SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-kernel-source-12693=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      kernel-default-3.0.101-0.7.40.1
      kernel-default-base-3.0.101-0.7.40.1
      kernel-default-devel-3.0.101-0.7.40.1
      kernel-source-3.0.101-0.7.40.1
      kernel-syms-3.0.101-0.7.40.1
      kernel-trace-3.0.101-0.7.40.1
      kernel-trace-base-3.0.101-0.7.40.1
      kernel-trace-devel-3.0.101-0.7.40.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):

      kernel-ec2-3.0.101-0.7.40.1
      kernel-ec2-base-3.0.101-0.7.40.1
      kernel-ec2-devel-3.0.101-0.7.40.1
      kernel-xen-3.0.101-0.7.40.1
      kernel-xen-base-3.0.101-0.7.40.1
      kernel-xen-devel-3.0.101-0.7.40.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (s390x):

      kernel-default-man-3.0.101-0.7.40.1

   - SUSE Linux Enterprise Server 11-SP2-LTSS (i586):

      kernel-pae-3.0.101-0.7.40.1
      kernel-pae-base-3.0.101-0.7.40.1
      kernel-pae-devel-3.0.101-0.7.40.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

      kernel-default-debuginfo-3.0.101-0.7.40.1
      kernel-default-debugsource-3.0.101-0.7.40.1
      kernel-default-devel-debuginfo-3.0.101-0.7.40.1
      kernel-trace-debuginfo-3.0.101-0.7.40.1
      kernel-trace-debugsource-3.0.101-0.7.40.1
      kernel-trace-devel-debuginfo-3.0.101-0.7.40.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586 x86_64):

      kernel-ec2-debuginfo-3.0.101-0.7.40.1
      kernel-ec2-debugsource-3.0.101-0.7.40.1
      kernel-xen-debuginfo-3.0.101-0.7.40.1
      kernel-xen-debugsource-3.0.101-0.7.40.1
      kernel-xen-devel-debuginfo-3.0.101-0.7.40.1

   - SUSE Linux Enterprise Debuginfo 11-SP2 (i586):

      kernel-pae-debuginfo-3.0.101-0.7.40.1
      kernel-pae-debugsource-3.0.101-0.7.40.1
      kernel-pae-devel-debuginfo-3.0.101-0.7.40.1
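
   A post-update check, added here as an example and not part of the SUSE
   advisory: it compares installed kernel packages and the running kernel
   against the fixed version-release 3.0.101-0.7.40.1 from the package list
   above. The sample rpm and uname output is constructed; the `uname -r`
   format and the use of `sort -V` for RPM ordering are assumptions.

```shell
#!/bin/bash
# Added example, not part of the SUSE advisory.
# Fixed version-release, copied from the advisory's package list.
FIXED_VR="3.0.101-0.7.40.1"

# vr_ge A B: succeed when version-release A is >= B.
# Assumption: GNU `sort -V` ordering matches RPM ordering for the purely
# numeric dotted strings used by these kernel packages. A plain string
# comparison would wrongly rank 0.7.9.1 above 0.7.40.1.
vr_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# classify_kernel_pkgs: read "NAME VERSION-RELEASE" lines on stdin and print
# "NAME VERSION-RELEASE STATUS" for the kernel flavours this advisory ships.
# Other packages (firmware, unrelated kernel-* names) are skipped because
# they do not share this version-release scheme.
classify_kernel_pkgs() {
    local name vr
    while read -r name vr; do
        case "$name" in
            kernel-default|kernel-trace|kernel-ec2|kernel-xen|kernel-pae) ;;
            *) continue ;;
        esac
        if vr_ge "$vr" "$FIXED_VR"; then
            echo "$name $vr PATCHED"
        else
            echo "$name $vr NEEDS-UPDATE"
        fi
    done
}

# running_kernel_fixed UNAME_R: succeed when the running kernel is the fixed
# build or newer. Installing the patch does not replace the running kernel,
# so this stays false until the host is rebooted into the new build.
# Assumption: `uname -r` looks like 3.0.101-0.7.40-default, i.e. the package
# version-release without its last component, followed by "-<flavour>".
running_kernel_fixed() {
    local running="${1%-*}"       # drop "-default", "-xen", ...
    local fixed="${FIXED_VR%.*}"  # drop the trailing rebuild counter
    vr_ge "$running" "$fixed"
}

# Constructed sample standing in for:
#   rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' | grep '^kernel-'
SAMPLE_RPM_OUTPUT='kernel-default 3.0.101-0.7.37.1
kernel-default 3.0.101-0.7.40.1
kernel-xen 3.0.101-0.7.9.1
kernel-firmware 20110923-0.19.1'

# Constructed sample standing in for: uname -r
SAMPLE_UNAME_R='3.0.101-0.7.37-default'

printf '%s\n' "$SAMPLE_RPM_OUTPUT" | classify_kernel_pkgs
if running_kernel_fixed "$SAMPLE_UNAME_R"; then
    echo "running kernel $SAMPLE_UNAME_R: fixed build or newer"
else
    echo "running kernel $SAMPLE_UNAME_R: older than the fixed build, reboot into the updated kernel"
fi
```

   On a real host, replace the two sample variables with the output of the
   rpm and uname commands named in the comments.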


References:

   https://www.suse.com/security/cve/CVE-2013-2015.html
   https://www.suse.com/security/cve/CVE-2013-7446.html
   https://www.suse.com/security/cve/CVE-2015-0272.html
   https://www.suse.com/security/cve/CVE-2015-3339.html
   https://www.suse.com/security/cve/CVE-2015-5307.html
   https://www.suse.com/security/cve/CVE-2015-6252.html
   https://www.suse.com/security/cve/CVE-2015-6937.html
   https://www.suse.com/security/cve/CVE-2015-7509.html
   https://www.suse.com/security/cve/CVE-2015-7515.html
   https://www.suse.com/security/cve/CVE-2015-7550.html
   https://www.suse.com/security/cve/CVE-2015-7566.html
   https://www.suse.com/security/cve/CVE-2015-7799.html
   https://www.suse.com/security/cve/CVE-2015-7872.html
   https://www.suse.com/security/cve/CVE-2015-7990.html
   https://www.suse.com/security/cve/CVE-2015-8104.html
   https://www.suse.com/security/cve/CVE-2015-8215.html
   https://www.suse.com/security/cve/CVE-2015-8539.html
   https://www.suse.com/security/cve/CVE-2015-8543.html
   https://www.suse.com/security/cve/CVE-2015-8569.html
   https://www.suse.com/security/cve/CVE-2015-8575.html
   https://www.suse.com/security/cve/CVE-2015-8767.html
   https://www.suse.com/security/cve/CVE-2015-8785.html
   https://www.suse.com/security/cve/CVE-2015-8812.html
   https://www.suse.com/security/cve/CVE-2015-8816.html
   https://www.suse.com/security/cve/CVE-2016-0723.html
   https://www.suse.com/security/cve/CVE-2016-2069.html
   https://www.suse.com/security/cve/CVE-2016-2143.html
   https://www.suse.com/security/cve/CVE-2016-2184.html
   https://www.suse.com/security/cve/CVE-2016-2185.html
   https://www.suse.com/security/cve/CVE-2016-2186.html
   https://www.suse.com/security/cve/CVE-2016-2188.html
   https://www.suse.com/security/cve/CVE-2016-2384.html
   https://www.suse.com/security/cve/CVE-2016-2543.html
   https://www.suse.com/security/cve/CVE-2016-2544.html
   https://www.suse.com/security/cve/CVE-2016-2545.html
   https://www.suse.com/security/cve/CVE-2016-2546.html
   https://www.suse.com/security/cve/CVE-2016-2547.html
   https://www.suse.com/security/cve/CVE-2016-2548.html
   https://www.suse.com/security/cve/CVE-2016-2549.html
   https://www.suse.com/security/cve/CVE-2016-2782.html
   https://www.suse.com/security/cve/CVE-2016-2847.html
   https://www.suse.com/security/cve/CVE-2016-3134.html
   https://www.suse.com/security/cve/CVE-2016-3137.html
   https://www.suse.com/security/cve/CVE-2016-3138.html
   https://www.suse.com/security/cve/CVE-2016-3139.html
   https://www.suse.com/security/cve/CVE-2016-3140.html
   https://www.suse.com/security/cve/CVE-2016-3156.html
   https://www.suse.com/security/cve/CVE-2016-4486.html
   https://bugzilla.suse.com/816446
   https://bugzilla.suse.com/861093
   https://bugzilla.suse.com/928130
   https://bugzilla.suse.com/935757
   https://bugzilla.suse.com/939826
   https://bugzilla.suse.com/942367
   https://bugzilla.suse.com/945825
   https://bugzilla.suse.com/946117
   https://bugzilla.suse.com/946309
   https://bugzilla.suse.com/948562
   https://bugzilla.suse.com/949744
   https://bugzilla.suse.com/949936
   https://bugzilla.suse.com/951440
   https://bugzilla.suse.com/952384
   https://bugzilla.suse.com/953527
   https://bugzilla.suse.com/954404
   https://bugzilla.suse.com/955354
   https://bugzilla.suse.com/955654
   https://bugzilla.suse.com/956708
   https://bugzilla.suse.com/956709
   https://bugzilla.suse.com/958463
   https://bugzilla.suse.com/958886
   https://bugzilla.suse.com/958951
   https://bugzilla.suse.com/959190
   https://bugzilla.suse.com/959399
   https://bugzilla.suse.com/961500
   https://bugzilla.suse.com/961509
   https://bugzilla.suse.com/961512
   https://bugzilla.suse.com/963765
   https://bugzilla.suse.com/963767
   https://bugzilla.suse.com/964201
   https://bugzilla.suse.com/966437
   https://bugzilla.suse.com/966460
   https://bugzilla.suse.com/966662
   https://bugzilla.suse.com/966693
   https://bugzilla.suse.com/967972
   https://bugzilla.suse.com/967973
   https://bugzilla.suse.com/967974
   https://bugzilla.suse.com/967975
   https://bugzilla.suse.com/968010
   https://bugzilla.suse.com/968011
   https://bugzilla.suse.com/968012
   https://bugzilla.suse.com/968013
   https://bugzilla.suse.com/968670
   https://bugzilla.suse.com/970504
   https://bugzilla.suse.com/970892
   https://bugzilla.suse.com/970909
   https://bugzilla.suse.com/970911
   https://bugzilla.suse.com/970948
   https://bugzilla.suse.com/970956
   https://bugzilla.suse.com/970958
   https://bugzilla.suse.com/970970
   https://bugzilla.suse.com/971124
   https://bugzilla.suse.com/971125
   https://bugzilla.suse.com/971126
   https://bugzilla.suse.com/971360
   https://bugzilla.suse.com/972510
   https://bugzilla.suse.com/973570
   https://bugzilla.suse.com/975945
   https://bugzilla.suse.com/977847
   https://bugzilla.suse.com/978822

SuSE: 2016:2074-1: important: the Linux Kernel

August 15, 2016
An update that solves 48 vulnerabilities and has 13 fixes An update that solves 48 vulnerabilities and has 13 fixes An update that solves 48 vulnerabilities and has 13 fixes is now...

Summary

The SUSE Linux Enterprise 11 SP2 kernel was updated to receive various security and bug fixes. The following security bugs were fixed: - CVE-2016-4486: Fixed 4 byte information leak in net/core/rtnetlink.c (bsc#978822). - CVE-2016-3134: The netfilter subsystem in the Linux kernel did not validate certain offset fields, which allowed local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call (bnc#971126). - CVE-2016-2847: fs/pipe.c in the Linux kernel did not limit the amount of unread data in pipes, which allowed local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes (bnc#970948). - CVE-2016-2188: The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970956). - CVE-2016-3138: The acm_probe function in drivers/usb/class/cdc-acm.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both a control and a data endpoint descriptor (bnc#970911). - CVE-2016-3137: drivers/usb/serial/cypress_m8.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a USB device without both an interrupt-in and an interrupt-out endpoint descriptor, related to the cypress_generic_port_probe and cypress_open functions (bnc#970970). - CVE-2016-3140: The digi_port_init function in drivers/usb/serial/digi_acceleport.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970892). 
- CVE-2016-2186: The powermate_probe function in drivers/input/misc/powermate.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970958). - CVE-2016-2185: The ati_remote2_probe function in drivers/input/misc/ati_remote2.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971124). - CVE-2016-3156: The IPv4 implementation in the Linux kernel mishandles destruction of device objects, which allowed guest OS users to cause a denial of service (host OS networking outage) by arranging for a large number of IP addresses (bnc#971360). - CVE-2016-2184: The create_fixed_stream_quirk function in sound/usb/quirks.c in the snd-usb-audio driver in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference or double free, and system crash) via a crafted endpoints value in a USB device descriptor (bnc#971125). - CVE-2016-3139: The wacom_probe function in drivers/input/tablet/wacom_sys.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor (bnc#970909). - CVE-2016-2143: The fork implementation in the Linux kernel on s390 platforms mishandled the case of four page-table levels, which allowed local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted application, related to arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h (bnc#970504). 
- CVE-2016-2782: The treo_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a (1) bulk-in or (2) interrupt-in endpoint (bnc#968670). - CVE-2015-8816: The hub_activate function in drivers/usb/core/hub.c in the Linux kernel did not properly maintain a hub-interface data structure, which allowed physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device (bnc#968010). - CVE-2015-7566: The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint (bnc#961512). - CVE-2016-2549: sound/core/hrtimer.c in the Linux kernel did not prevent recursive callback access, which allowed local users to cause a denial of service (deadlock) via a crafted ioctl call (bnc#968013). - CVE-2016-2547: sound/core/timer.c in the Linux kernel employed a locking approach that did not consider slave timer instances, which allowed local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call (bnc#968011). - CVE-2016-2548: sound/core/timer.c in the Linux kernel retained certain linked lists after a close or stop action, which allowed local users to cause a denial of service (system crash) via a crafted ioctl call, related to the (1) snd_timer_close and (2) _snd_timer_stop functions (bnc#968012). 
- CVE-2016-2546: sound/core/timer.c in the Linux kernel used an incorrect type of mutex, which allowed local users to cause a denial of service (race condition, use-after-free, and system crash) via a crafted ioctl call (bnc#967975). - CVE-2016-2545: The snd_timer_interrupt function in sound/core/timer.c in the Linux kernel did not properly maintain a certain linked list, which allowed local users to cause a denial of service (race condition and system crash) via a crafted ioctl call (bnc#967974). - CVE-2016-2544: Race condition in the queue_delete function in sound/core/seq/seq_queue.c in the Linux kernel allowed local users to cause a denial of service (use-after-free and system crash) by making an ioctl call at a certain time (bnc#967973). - CVE-2016-2543: The snd_seq_ioctl_remove_events function in sound/core/seq/seq_clientmgr.c in the Linux kernel did not verify FIFO assignment before proceeding with FIFO clearing, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted ioctl call (bnc#967972). - CVE-2016-2384: Double free vulnerability in the snd_usbmidi_create function in sound/usb/midi.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (panic) or possibly have unspecified other impact via vectors involving an invalid USB descriptor (bnc#966693). - CVE-2015-8812: drivers/infiniband/hw/cxgb3/iwch_cm.c in the Linux kernel did not properly identify error conditions, which allowed remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted packets (bnc#966437). - CVE-2015-8785: The fuse_fill_write_pages function in fs/fuse/file.c in the Linux kernel allowed local users to cause a denial of service (infinite loop) via a writev system call that triggers a zero length for the first segment of an iov (bnc#963765). 
- CVE-2016-2069: Race condition in arch/x86/mm/tlb.c in the Linux kernel .4.1 allowed local users to gain privileges by triggering access to a paging structure by a different CPU (bnc#963767).
- CVE-2016-0723: Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call (bnc#961500).
- CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls (bnc#955654).
- CVE-2015-8767: net/sctp/sm_sideeffect.c in the Linux kernel did not properly manage the relationship between a lock and a socket, which allowed local users to cause a denial of service (deadlock) via a crafted sctp_accept call (bnc#961509).
- CVE-2015-7515: The aiptek_probe function in drivers/input/tablet/aiptek.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted USB device that lacks endpoints (bnc#956708).
- CVE-2015-8215: net/ipv6/addrconf.c in the IPv6 stack in the Linux kernel did not validate attempted changes to the MTU value, which allowed context-dependent attackers to cause a denial of service (packet loss) via a value that is (1) smaller than the minimum compliant value or (2) larger than the MTU of an interface, as demonstrated by a Router Advertisement (RA) message that is not validated by a daemon, a different vulnerability than CVE-2015-0272 (bnc#955354).
- CVE-2015-7550: The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel did not properly use a semaphore, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls (bnc#958951).
- CVE-2015-8569: The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel did not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959190).
- CVE-2015-8575: The sco_sock_bind function in net/bluetooth/sco.c in the Linux kernel did not verify an address length, which allowed local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application (bnc#959399).
- CVE-2015-8543: The networking implementation in the Linux kernel did not validate protocol identifiers for certain protocol families, which allowed local users to cause a denial of service (NULL function pointer dereference and system crash) or possibly gain privileges by leveraging CLONE_NEWUSER support to execute a crafted SOCK_RAW application (bnc#958886).
- CVE-2015-8539: The KEYS subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c (bnc#958463).
- CVE-2015-7509: fs/ext4/namei.c in the Linux kernel allowed physically proximate attackers to cause a denial of service (system crash) via a crafted no-journal filesystem, a related issue to CVE-2013-2015 (bnc#956709).
- CVE-2015-7799: The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel did not ensure that certain slot numbers are valid, which allowed local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call (bnc#949936).
- CVE-2015-8104: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c (bnc#954404).
- CVE-2015-5307: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c (bnc#953527).
- CVE-2015-7990: Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (bnc#952384).
- CVE-2015-7872: The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel allowed local users to cause a denial of service (OOPS) via crafted keyctl commands (bnc#951440).
- CVE-2015-6937: The __rds_conn_create function in net/rds/connection.c in the Linux kernel allowed local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound (bnc#945825).
- CVE-2015-6252: The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel allowed local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent file-descriptor allocation (bnc#942367).
- CVE-2015-3339: Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel allowed local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped (bnc#928130).

The following non-security bugs were fixed:

- Fix handling of re-write-before-commit for mmapped NFS pages (bsc#964201).
- Fix lpfc_send_rscn_event allocation size claims bnc#935757
- Fix ntpd clock synchronization in Xen PV domains (bnc#816446).
- Fix vmalloc_fault oops during lazy MMU updates (bsc#948562).
- Make sure XPRT_CONNECTING gets cleared when needed (bsc#946309).
- SCSI: bfa: Fix to handle firmware tskim abort request response (bsc#972510).
- USB: usbip: fix potential out-of-bounds write (bnc#975945).
- af_unix: Guard against other == sk in unix_dgram_sendmsg (bsc#973570).
- dm-snap: avoid deadock on s->lock when a read is split (bsc#939826).
- mm/hugetlb: check for pte NULL pointer in __page_check_address() (bsc#977847).
- nf_conntrack: fix bsc#758540 kabi fix (bsc#946117).
- privcmd: allow preempting long running user-mode originating hypercalls (bnc#861093).
- s390/cio: collect format 1 channel-path description data (bsc#966460, bsc#966662).
- s390/cio: ensure consistent measurement state (bsc#966460, bsc#966662).
- s390/cio: fix measurement characteristics memleak (bsc#966460, bsc#966662).
- s390/cio: update measurement characteristics (bsc#966460, bsc#966662).
- xfs: Fix lost direct IO write in the last block (bsc#949744).

Patch Instructions:

To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP2-LTSS:

      zypper in -t patch slessp2-kernel-source-12693=1

- SUSE Linux Enterprise Debuginfo 11-SP2:

      zypper in -t patch dbgsp2-kernel-source-12693=1

To bring your system up-to-date, use "zypper patch".
Package List:

- SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):

      kernel-default-3.0.101-0.7.40.1
      kernel-default-base-3.0.101-0.7.40.1
      kernel-default-devel-3.0.101-0.7.40.1
      kernel-source-3.0.101-0.7.40.1
      kernel-syms-3.0.101-0.7.40.1
      kernel-trace-3.0.101-0.7.40.1
      kernel-trace-base-3.0.101-0.7.40.1
      kernel-trace-devel-3.0.101-0.7.40.1

- SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):

      kernel-ec2-3.0.101-0.7.40.1
      kernel-ec2-base-3.0.101-0.7.40.1
      kernel-ec2-devel-3.0.101-0.7.40.1
      kernel-xen-3.0.101-0.7.40.1
      kernel-xen-base-3.0.101-0.7.40.1
      kernel-xen-devel-3.0.101-0.7.40.1

- SUSE Linux Enterprise Server 11-SP2-LTSS (s390x):

      kernel-default-man-3.0.101-0.7.40.1

- SUSE Linux Enterprise Server 11-SP2-LTSS (i586):

      kernel-pae-3.0.101-0.7.40.1
      kernel-pae-base-3.0.101-0.7.40.1
      kernel-pae-devel-3.0.101-0.7.40.1

- SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):

      kernel-default-debuginfo-3.0.101-0.7.40.1
      kernel-default-debugsource-3.0.101-0.7.40.1
      kernel-default-devel-debuginfo-3.0.101-0.7.40.1
      kernel-trace-debuginfo-3.0.101-0.7.40.1
      kernel-trace-debugsource-3.0.101-0.7.40.1
      kernel-trace-devel-debuginfo-3.0.101-0.7.40.1

- SUSE Linux Enterprise Debuginfo 11-SP2 (i586 x86_64):

      kernel-ec2-debuginfo-3.0.101-0.7.40.1
      kernel-ec2-debugsource-3.0.101-0.7.40.1
      kernel-xen-debuginfo-3.0.101-0.7.40.1
      kernel-xen-debugsource-3.0.101-0.7.40.1
      kernel-xen-devel-debuginfo-3.0.101-0.7.40.1

- SUSE Linux Enterprise Debuginfo 11-SP2 (i586):

      kernel-pae-debuginfo-3.0.101-0.7.40.1
      kernel-pae-debugsource-3.0.101-0.7.40.1
      kernel-pae-devel-debuginfo-3.0.101-0.7.40.1
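
Added example (not part of the SUSE advisory and not SUSE tooling): a check that flags installed kernel packages still older than the fixed build 3.0.101-0.7.40.1 from the package list above. The function names, the sample package lines and the use of GNU `sort -V` as a stand-in for rpm's version comparison are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not SUSE tooling: flag installed kernel packages that are
# older than the fixed build named in this advisory's package list.
FIXED="3.0.101-0.7.40.1"   # version-release taken from the package list

# ver_lt A B: succeed when A sorts strictly before B.
# Assumption: GNU `sort -V` ordering stands in for rpm's own comparison,
# which is adequate for purely numeric dotted strings like these.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_kernels: read "NAME VERSION-RELEASE" lines on stdin, report every
# package from this update that is older than FIXED, return 1 if any is.
audit_kernels() {
    local rc=0 name vr
    while read -r name vr; do
        case "$name" in
            # Package families listed in the advisory's package list.
            kernel-default*|kernel-trace*|kernel-ec2*|kernel-xen*|\
            kernel-pae*|kernel-source|kernel-syms) ;;
            *) continue ;;        # anything else is out of scope
        esac
        if ver_lt "$vr" "$FIXED"; then
            printf 'OUTDATED %s %s (fixed in %s)\n' "$name" "$vr" "$FIXED"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# (hypothetical host with two kernel flavours still on older builds).
SAMPLE='kernel-default 3.0.101-0.7.37.1
kernel-default-base 3.0.101-0.7.40.1
kernel-xen 3.0.101-0.7.9.1
kernel-source 3.0.101-0.7.40.1
kernel-firmware 20110923-0.19.1
bash 3.2-147.9.13'

# Demo run on the sample; on a real host pipe the rpm query into audit_kernels.
printf '%s\n' "$SAMPLE" | audit_kernels ||
    echo "apply: zypper in -t patch slessp2-kernel-source-12693=1"
```

A clean result only shows that the fixed packages are installed; the fixes take effect once the host is rebooted into the updated kernel.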

References

https://www.suse.com/security/cve/CVE-2013-2015.html

https://www.suse.com/security/cve/CVE-2013-7446.html

https://www.suse.com/security/cve/CVE-2015-0272.html

https://www.suse.com/security/cve/CVE-2015-3339.html

https://www.suse.com/security/cve/CVE-2015-5307.html

https://www.suse.com/security/cve/CVE-2015-6252.html

https://www.suse.com/security/cve/CVE-2015-6937.html

https://www.suse.com/security/cve/CVE-2015-7509.html

https://www.suse.com/security/cve/CVE-2015-7515.html

https://www.suse.com/security/cve/CVE-2015-7550.html

https://www.suse.com/security/cve/CVE-2015-7566.html

https://www.suse.com/security/cve/CVE-2015-7799.html

https://www.suse.com/security/cve/CVE-2015-7872.html

https://www.suse.com/security/cve/CVE-2015-7990.html

https://www.suse.com/security/cve/CVE-2015-8104.html

https://www.suse.com/security/cve/CVE-2015-8215.html

https://www.suse.com/security/cve/CVE-2015-8539.html

https://www.suse.com/security/cve/CVE-2015-8543.html

https://www.suse.com/security/cve/CVE-2015-8569.html

https://www.suse.com/security/cve/CVE-2015-8575.html

https://www.suse.com/security/cve/CVE-2015-8767.html

https://www.suse.com/security/cve/CVE-2015-8785.html

https://www.suse.com/security/cve/CVE-2015-8812.html

https://www.suse.com/security/cve/CVE-2015-8816.html

https://www.suse.com/security/cve/CVE-2016-0723.html

https://www.suse.com/security/cve/CVE-2016-2069.html

https://www.suse.com/security/cve/CVE-2016-2143.html

https://www.suse.com/security/cve/CVE-2016-2184.html

https://www.suse.com/security/cve/CVE-2016-2185.html

https://www.suse.com/security/cve/CVE-2016-2186.html

https://www.suse.com/security/cve/CVE-2016-2188.html

https://www.suse.com/security/cve/CVE-2016-2384.html

https://www.suse.com/security/cve/CVE-2016-2543.html

https://www.suse.com/security/cve/CVE-2016-2544.html

https://www.suse.com/security/cve/CVE-2016-2545.html

https://www.suse.com/security/cve/CVE-2016-2546.html

https://www.suse.com/security/cve/CVE-2016-2547.html

https://www.suse.com/security/cve/CVE-2016-2548.html

https://www.suse.com/security/cve/CVE-2016-2549.html

https://www.suse.com/security/cve/CVE-2016-2782.html

https://www.suse.com/security/cve/CVE-2016-2847.html

https://www.suse.com/security/cve/CVE-2016-3134.html

https://www.suse.com/security/cve/CVE-2016-3137.html

https://www.suse.com/security/cve/CVE-2016-3138.html

https://www.suse.com/security/cve/CVE-2016-3139.html

https://www.suse.com/security/cve/CVE-2016-3140.html

https://www.suse.com/security/cve/CVE-2016-3156.html

https://www.suse.com/security/cve/CVE-2016-4486.html

https://bugzilla.suse.com/816446

https://bugzilla.suse.com/861093

https://bugzilla.suse.com/928130

https://bugzilla.suse.com/935757

https://bugzilla.suse.com/939826

https://bugzilla.suse.com/942367

https://bugzilla.suse.com/945825

https://bugzilla.suse.com/946117

https://bugzilla.suse.com/946309

https://bugzilla.suse.com/948562

https://bugzilla.suse.com/949744

https://bugzilla.suse.com/949936

https://bugzilla.suse.com/951440

https://bugzilla.suse.com/952384

https://bugzilla.suse.com/953527

https://bugzilla.suse.com/954404

https://bugzilla.suse.com/955354

https://bugzilla.suse.com/955654

https://bugzilla.suse.com/956708

https://bugzilla.suse.com/956709

https://bugzilla.suse.com/958463

https://bugzilla.suse.com/958886

https://bugzilla.suse.com/958951

https://bugzilla.suse.com/959190

https://bugzilla.suse.com/959399

https://bugzilla.suse.com/961500

https://bugzilla.suse.com/961509

https://bugzilla.suse.com/961512

https://bugzilla.suse.com/963765

https://bugzilla.suse.com/963767

https://bugzilla.suse.com/964201

https://bugzilla.suse.com/966437

https://bugzilla.suse.com/966460

https://bugzilla.suse.com/966662

https://bugzilla.suse.com/966693

https://bugzilla.suse.com/967972

https://bugzilla.suse.com/967973

https://bugzilla.suse.com/967974

https://bugzilla.suse.com/967975

https://bugzilla.suse.com/968010

https://bugzilla.suse.com/968011

https://bugzilla.suse.com/968012

https://bugzilla.suse.com/968013

https://bugzilla.suse.com/968670

https://bugzilla.suse.com/970504

https://bugzilla.suse.com/970892

https://bugzilla.suse.com/970909

https://bugzilla.suse.com/970911

https://bugzilla.suse.com/970948

https://bugzilla.suse.com/970956

https://bugzilla.suse.com/970958

https://bugzilla.suse.com/970970

https://bugzilla.suse.com/971124

https://bugzilla.suse.com/971125

https://bugzilla.suse.com/971126

https://bugzilla.suse.com/971360

https://bugzilla.suse.com/972510

https://bugzilla.suse.com/973570

https://bugzilla.suse.com/975945

https://bugzilla.suse.com/977847

https://bugzilla.suse.com/978822
