OVAL

SUSE-SU-2017:0437-1 -- SLES kernel

ID: oval:org.secpod.oval:def:89044919
Date: (C)2021-07-20   (M)2024-04-17
Class: PATCH
Family: unix




The SUSE Linux Enterprise 11 SP4 kernel was updated to 3.0.101-94 to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2017-5551: tmpfs: clear S_ISGID when setting posix ACLs.
- CVE-2016-10088: The sg implementation in the Linux kernel did not properly restrict write operations in situations where the KERNEL_DS option is set, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service by leveraging access to a /dev/sg device. NOTE: this vulnerability existed because of an incomplete fix for CVE-2016-9576.
- CVE-2016-5696: TCP, when using a large Window Size, made it easier for remote attackers to guess sequence numbers and cause a denial of service to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
- CVE-2015-1350: The VFS subsystem in the Linux kernel 3.x provided an incomplete set of requirements for setattr operations that underspecified removing extended privilege attributes, which allowed local users to cause a denial of service via a failed invocation of a system call, as demonstrated by using chown to remove a capability from the ping or Wireshark dumpcap program.
- CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in the Linux kernel did not validate the relationship between the minimum fragment length and the maximum packet size, which allowed local users to gain privileges or cause a denial of service by leveraging the CAP_NET_ADMIN capability.
- CVE-2016-8399: An elevation of privilege vulnerability in the kernel networking subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Moderate because it first requires compromising a privileged process and current compiler optimizations restrict access to the vulnerable code.
- CVE-2016-9793: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the SO_SNDBUFFORCE or SO_RCVBUFFORCE option.
- CVE-2012-6704: The sock_setsockopt function in net/core/sock.c in the Linux kernel mishandled negative values of sk_sndbuf and sk_rcvbuf, which allowed local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the SO_SNDBUF or SO_RCVBUF option.
- CVE-2016-9756: arch/x86/kvm/emulate.c in the Linux kernel did not properly initialize Code Segment in certain error cases, which allowed local users to obtain sensitive information from kernel stack memory via a crafted application.
- CVE-2016-9685: Multiple memory leaks in error paths in fs/xfs/xfs_attr_list.c in the Linux kernel allowed local users to cause a denial of service via crafted XFS filesystem operations.
- CVE-2015-8962: Double free vulnerability in the sg_common_write function in drivers/scsi/sg.c in the Linux kernel allowed local users to gain privileges or cause a denial of service by detaching a device during an SG_IO ioctl call.
- CVE-2016-9555: The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel lacked chunk-length checking for the first chunk, which allowed remote attackers to cause a denial of service or possibly have unspecified other impact via crafted SCTP data.
- CVE-2016-7910: Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel allowed local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed.
- CVE-2016-7911: Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel allowed local users to gain privileges or cause a denial of service via a crafted ioprio_get system call.
- CVE-2013-6368: The KVM subsystem in the Linux kernel allowed local users to gain privileges or cause a denial of service via a VAPIC synchronization operation involving a page-end address.
- CVE-2015-8964: The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a tty data structure.
- CVE-2016-7916: Race condition in the environ_read function in fs/proc/base.c in the Linux kernel allowed local users to obtain sensitive information from kernel memory by reading a /proc/*/environ file during a process-setup time interval in which environment-variable copying is incomplete.
- CVE-2016-8646: The hash_accept function in crypto/algif_hash.c in the Linux kernel allowed local users to cause a denial of service by attempting to trigger use of in-kernel hash algorithms for a socket that has received zero bytes of data.
- CVE-2016-8633: drivers/firewire/net.c in the Linux kernel, in certain unusual hardware configurations, allowed remote attackers to execute arbitrary code via crafted fragmented packets.

The following non-security bugs were fixed:

- 8250_pci: Fix potential use-after-free in error path.
- KABI fix.
- apparmor: fix IRQ stack overflow during free_profile.
- be2net: Do not leak iomapped memory on removal.
- block_dev: do not test bdev->bd_contains when it is not stable.
- bna: Add synchronization for tx ring.
- bnx2x: Correct ringparam estimate when DOWN.
- crypto: add ghash-generic in the supported.conf
- crypto: aesni - Add support for 192 & 256 bit keys to AESNI RFC4106.
- dm: do not call dm_sync_table when creating new devices.
- drm/mgag200: Added support for the new deviceID for G200eW3
- ext3: Avoid premature failure of ext3_has_free_blocks.
- ext4: do not leave i_crtime.tv_sec uninitialized.
- ext4: fix reference counting bug on block allocation error.
- futex: Acknowledge a new waiter in counter before plist.
- futex: Drop refcount if requeue_pi acquired the rtmutex.
- hpilo: Add support for iLO5.
- ibmveth: calculate gso_segs for large packets.
- ibmveth: set correct gso_size and gso_type.
- igb: Enable SR-IOV configuration via PCI sysfs interface.
- igb: Fix NULL assignment to incorrect variable in igb_reset_q_vector.
- igb: Fix oops caused by missing queue pairing.
- igb: Fix oops on changing number of rings.
- igb: Remove unnecessary flag setting in igb_set_flag_queue_pairs.
- igb: Unpair the queues when changing the number of queues.
- kexec: add a kexec_crash_loaded function.
- kvm: APIC: avoid instruction emulation for EOI writes.
- kvm: Distangle eventfd code from irqchip.
- kvm: Iterate over only vcpus that are preempted.
- kvm: Record the preemption status of vcpus using preempt notifiers.
- kvm: VMX: Pass vcpu to __vmx_complete_interrupts.
- kvm: fold kvm_pit_timer into kvm_kpit_state.
- kvm: make processes waiting on vcpu mutex killable.
- kvm: nVMX: Add preemption timer support.
- kvm: remove a wrong hack of delivery PIT intr to vcpu0.
- kvm: use symbolic constant for nr interrupts.
- kvm: x86: Remove support for reporting coalesced APIC IRQs.
- kvm: x86: Run PIT work in own kthread.
- kvm: x86: limit difference between kvmclock updates.
- libata: introduce ata_host->n_tags to avoid oops on SAS controllers.
- libata: remove n_tags to avoid kABI breakage.
- libfc: Do not take rdata->rp_mutex when processing a -FC_EX_CLOSED ELS response.
- libfc: Fixup disc_mutex handling.
- libfc: Issue PRLI after a PRLO has been received.
- libfc: Revisit kref handling.
- libfc: Update rport reference counting.
- libfc: do not send ABTS when resetting exchanges.
- libfc: fixup locking of ptp_setup.
- libfc: reset exchange manager during LOGO handling.
- libfc: send LOGO for PLOGI failure.
- locking/mutex: Explicitly mark task as running after wakeup.
- memstick: mspro_block: add missing curly braces.
- mlx4: Fix error flow when sending mads under SRIOV.
- mlx4: Fix incorrect MC join state bit-masking on SR-IOV.
- mlx4: Fix memory leak if QP creation failed.
- mlx4: Fix potential deadlock when sending mad to wire.
- mlx4: Forbid using sysfs to change RoCE pkeys.
- mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV.
- mlx4: add missing braces in verify_qp_parameters.
- mm/memory_hotplug.c: check for missing sections in test_pages_in_a_zone.
- mm: fix crashes from mbind merging vmas.
- mpi: Fix NULL ptr dereference in mpi_powm [ver #3].
- mremap: enforce rmap src/dst vma ordering in case of vma_merge succeeding in copy_vma.
- net/mlx4: Copy/set only sizeof struct mlx4_eqe bytes.
- net/mlx4_core: Allow resetting VF admin mac to zero.
- net/mlx4_core: Avoid returning success in case of an error flow.
- net/mlx4_core: Do not BUG_ON during reset when PCI is offline.
- net/mlx4_core: Do not access comm channel if it has not yet been initialized.
- net/mlx4_core: Fix error message deprecation for ConnectX-2 cards.
- net/mlx4_core: Fix the resource-type enum in res tracker to conform to FW spec.
- net/mlx4_core: Implement pci_resume callback.
- net/mlx4_core: Update the HCA core clock frequency after INIT_PORT.
- net/mlx4_en: Choose time-stamping shift value according to HW frequency.
- net/mlx4_en: Fix HW timestamp init issue upon system startup.
- net/mlx4_en: Fix potential deadlock in port statistics flow.
- net/mlx4_en: Move filters cleanup to a proper location.
- net/mlx4_en: Remove dependency between timestamping capability and service_task.
- net/mlx4_en: fix spurious timestamping callbacks.
- netfront: do not truncate grant references.
- nfsv4: Cap the transport reconnection timer at 1/2 lease period.
- nfsv4: Cleanup the setting of the nfs4 lease period.
- nfsv4: Handle timeouts correctly when probing for lease validity.
- nvme: Automatic namespace rescan.
- nvme: Metadata format support.
- ocfs2: fix BUG_ON in ocfs2_ci_checkpointed.
- posix-timers: Remove remaining uses of tasklist_lock.
- posix-timers: Use sighand lock instead of tasklist_lock for task clock sample.
- posix-timers: Use sighand lock instead of tasklist_lock on timer deletion.
- powerpc/MSI: Fix race condition in tearing down MSI interrupts.
- powerpc/mm/hash64: Fix subpage protection with 4K HPTE config.
- powerpc/numa: Fix multiple bugs in memory_hotplug_max.
- powerpc/pseries: Use H_CLEAR_HPT to clear MMU hash table during kexec.
- powerpc: fix typo "CONFIG_PPC_CPU".
- powerpc: scan_features updates incorrect bits for REAL_LE.
- printk/sched: Introduce special printk_sched for those awkward .
- ptrace: __ptrace_may_access should not deny sub-threads.
- qlcnic: fix a loop exit condition better.
- qlcnic: use the correct ring in qlcnic_83xx_process_rcv_ring_diag.
- reiserfs: fix race in prealloc discard.
- rpm/constraints.in: Bump ppc64 disk requirements to fix OBS builds again
- rpm/kernel-binary.spec.in: Export a make-stderr.log file
- rt2x00: fix rfkill regression on rt2500pci.
- s390/zcrypt: kernel: Fix invalid domain response handling.
- scsi: Fix erratic device offline during EH.
- scsi: lpfc: Set elsiocb contexts to NULL after freeing it.
- scsi: lpfc: avoid double free of resource identifiers.
- scsi_error: count medium access timeout only once per EH run.
- scsi_error: fixup crash in scsi_eh_reset
- serial: 8250_pci: Detach low-level driver during PCI error recovery.
- sunrpc: Enforce an upper limit on the number of cached credentials.
- sunrpc: Fix reconnection timeouts.
- sunrpc: Fix two issues with drop_caches and the sunrpc auth cache.
- sunrpc: Limit the reconnect backoff timer to the max RPC message timeout.
- tcp: fix inet6_csk_route_req for link-local addresses.
- tcp: pass fl6 to inet6_csk_route_req.
- tcp: plug dst leak in tcp_v6_conn_request.
- tcp: use inet6_csk_route_req in tcp_v6_send_synack.
- tg3: Fix temperature reporting.
- usb: console: fix potential use after free.
- usb: console: fix uninitialised ldisc semaphore.
- usb: cp210x: Corrected USB request type definitions.
- usb: cp210x: relocate private data from USB interface to port.
- usb: cp210x: work around cp2108 GET_LINE_CTL bug.
- usb: ftdi_sio: fix null deref at port probe.
- usb: ipaq.c: fix a timeout loop.
- usb: opticon: fix non-atomic allocation in write path.
- usb: option: fix runtime PM handling.
- usb: serial: cp210x: add 16-bit register access functions.
- usb: serial: cp210x: add 8-bit and 32-bit register access functions.
- usb: serial: cp210x: add new access functions for large registers.
- usb: serial: cp210x: fix hardware flow-control disable.
- usb: serial: fix potential use-after-free after failed probe.
- usb: serial: io_edgeport: fix memory leaks in attach error path.
- usb: serial: io_edgeport: fix memory leaks in probe error path.
- usb: serial: keyspan: fix use-after-free in probe error path.
- usb: sierra: fix AA deadlock in open error path.
- usb: sierra: fix remote wakeup.
- usb: sierra: fix urb and memory leak in resume error path.
- usb: sierra: fix urb and memory leak on disconnect.
- usb: sierra: fix use after free at suspend/resume.
- usb: usb_wwan: fix potential blocked I/O after resume.
- usb: usb_wwan: fix race between write and resume.
- usb: usb_wwan: fix urb leak at shutdown.
- usb: usb_wwan: fix urb leak in write error path.
- usb: usb_wwan: fix write and suspend race.
- usbhid: add ATEN CS962 to list of quirky devices.
- usblp: do not set TASK_INTERRUPTIBLE before lock.
- xenbus: do not invoke is_ready for most device states.

Platform:
SUSE Linux Enterprise Server 11 SP4
Product:
kernel
Reference:
SUSE-SU-2017:0437-1
CVE-2004-0230
CVE-2012-6704
CVE-2013-6368
CVE-2015-1350
CVE-2015-8962
CVE-2015-8964
CVE-2016-10088
CVE-2016-5696
CVE-2016-7910
CVE-2016-7911
CVE-2016-7916
CVE-2016-8399
CVE-2016-8632
CVE-2016-8633
CVE-2016-8646
CVE-2016-9555
CVE-2016-9685
CVE-2016-9756
CVE-2016-9793
CVE-2017-5551
CPE    280
cpe:/o:linux:linux_kernel:3.0.40
cpe:/o:linux:linux_kernel:3.1.10
cpe:/o:linux:linux_kernel:3.0.42
cpe:/o:linux:linux_kernel:3.0.41
...

© SecPod Technologies