Errata ID | 383 |
---|---|
Date | 2017-02-01 |
Source package | linux |
Fixed in version | 4.1.6-1.222.201701250821 |
Description | This update of the Linux kernel to 4.1.38 addresses the following issues: * The rfcomm_sock_bind function in net/bluetooth/rfcomm/sock.c in the Linux kernel before 4.2 allows local users to obtain sensitive information or cause a denial of service (NULL pointer dereference) via vectors involving a bind system call on a Bluetooth RFCOMM socket. (CVE-2015-8956) * The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. (CVE-2016-7042) * The arcmsr_iop_message_xfer function in drivers/scsi/arcmsr/arcmsr_hba.c in the Linux kernel through 4.8.2 does not restrict a certain length field, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) via an ARCMSR_MESSAGE_WRITE_WQBUFFER control code. (CVE-2016-7425) * drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets. (CVE-2016-8633) * The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not initialize a certain integer variable, which allows local users to obtain sensitive information from kernel stack memory by triggering failure of a get_user_ex call. (CVE-2016-9178) * af_packet.c race condition (local root). (CVE-2016-8655) * The tipc_msg_build function in net/tipc/msg.c in the Linux kernel through 4.8.11 does not validate the relationship between the minimum fragment length and the maximum packet size, which allows local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability. (CVE-2016-8632) * fs: Avoid premature clearing of capabilities. (CVE-2015-1350) * posix_acl: Clear SGID bit when setting file permissions. (CVE-2016-7097) * mnt: Add a per mount namespace limit on the number of mounts. (CVE-2016-6213) * ptrace: being capable wrt a process requires mapped uids/gids. (CVE-2015-8709) * net: add recursion limit to GRO. (CVE-2016-7039) * net: ping: check minimum size on ICMP header length. (CVE-2016-8399) * kvm: nVMX: uncaught software exceptions in L1 guest lead to DoS. (CVE-2016-9588) * Memory corruption in SCSI generic device interface. (CVE-2016-10088) * crash by spawning mcryptd(alg) with an incompatible algorithm. (CVE-2016-10147) * KVM: x86: fix emulation of "MOV SS, null selector". (CVE-2017-2583) * kvm: use after free in complete_emulated_mmio. (CVE-2017-2584) * The simple-framebuffer has been disabled because it breaks the Linux console for many DRM drivers. * sgid bit not cleared on tmpfs. (CVE-2017-5551) |
Additional notes | This is the first part of the update. |
CVE ID | CVE-2016-7042 CVE-2015-1350 CVE-2015-8709 CVE-2015-8956 CVE-2016-6213 CVE-2016-7039 CVE-2016-7097 CVE-2016-7425 CVE-2016-8399 CVE-2016-8632 CVE-2016-8655 CVE-2016-8633 CVE-2016-9178 CVE-2016-9588 CVE-2016-10088 CVE-2016-10147 CVE-2017-2583 CVE-2017-2584 CVE-2017-5551 |
UCS Bug number | #42754 |