Description
* A flaw was found in the way certain interfaces of the Linux kernel's
InfiniBand subsystem used write() as a bidirectional ioctl() replacement, which
could lead to insufficient memory security checks when the interface was invoked
through the splice() system call. A local unprivileged user on a system with
either InfiniBand hardware present or the RDMA Userspace Connection Manager
Access module (rdma_ucm) explicitly loaded could use this flaw to escalate their
privileges on the system. (CVE-2016-4565, Important)
* It was found that the RFC 5961 challenge ACK rate limiting as implemented in
the Linux kernel's networking subsystem allowed an off-path attacker to leak
certain information about a given connection by creating congestion on the
global challenge ACK rate limit counter and then measuring the changes with
probing packets. An off-path attacker could use this flaw to terminate a TCP
connection and/or inject a payload into an unencrypted TCP connection between
two endpoints on the network. (CVE-2016-5696, Important)
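The counter side channel described above, as an added example that is not part of this advisory or of the kernel's code: a small Python model of a victim TCP stack with the pre-fix behaviour (one fixed budget of net.ipv4.tcp_challenge_ack_limit, default 100 challenge ACKs per second, shared by every socket) next to the fix's behaviour (a budget of half the limit plus a random amount, chosen afresh each second). The attacker is assumed to hold one legitimate connection to the server and to be synchronised with the one-second counter period; each call to probe_consumed_slot is one period. Hosts, ports and sequence numbers are constructed for the simulation, and the sequence-number scan covers only a slice of the 32-bit space to keep the run short (the real attack walks the whole space in window-sized steps).

```python
"""Model of the CVE-2016-5696 challenge-ACK counter side channel (constructed)."""
import random

WRAP = 1 << 32
SERVER = ("10.0.0.1", 22)            # constructed victim server
VICTIM_CLIENT = ("10.0.0.2", 40000)  # constructed victim client; the attacker must discover port 40000
ATTACKER = ("10.0.0.9", 50000)       # attacker's own, legitimate connection to SERVER


class Connection:
    def __init__(self, client, server, rcv_nxt, rcv_wnd=65535):
        self.client, self.server = client, server      # (ip, port) tuples
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd  # server-side expected seq and window

    def in_window(self, seq):
        return (seq - self.rcv_nxt) % WRAP < self.rcv_wnd


class Stack:
    """Victim stack. randomize=False: pre-fix fixed global budget.
    randomize=True: the fix, budget = half + randrange(limit) per second."""

    def __init__(self, limit=100, randomize=False, rng=None):
        self.limit, self.randomize = limit, randomize
        self.rng = rng or random.Random()
        self.conns = {}
        self.new_second()

    def new_second(self):
        half = (self.limit + 1) // 2
        self.budget = half + self.rng.randrange(self.limit) if self.randomize else self.limit

    def add(self, conn):
        self.conns[(conn.client, conn.server)] = conn

    def _challenge_ack(self):
        if self.budget == 0:          # global budget exhausted: no challenge ACK this second
            return False
        self.budget -= 1
        return True

    def receive(self, src, dst, flags, seq):
        """Handle one segment; return True if a challenge ACK goes back to src."""
        conn = self.conns.get((src, dst))
        if conn is None:
            return False              # no such connection: never a challenge ACK
        if "SYN" in flags:
            return self._challenge_ack()   # RFC 5961 s4: SYN on ESTABLISHED -> challenge ACK
        if "RST" in flags:
            if seq == conn.rcv_nxt:
                del self.conns[(src, dst)]  # exact match: connection is reset
                return False
            if conn.in_window(seq):
                return self._challenge_ack()  # s3.2: in-window RST -> challenge ACK
        return False                  # out of window: dropped silently


def probe_consumed_slot(stack, own, spoof_src, spoof_dst, flags, seq):
    """One period: send a spoofed segment (reply unseen), then send `limit`
    in-window, non-exact RSTs on the attacker's own connection and count the
    challenge ACKs. With a fixed shared budget, limit-1 means the spoof used a slot."""
    stack.new_second()
    stack.receive(spoof_src, spoof_dst, flags, seq)
    got = sum(stack.receive(own.client, own.server, {"RST"}, (own.rcv_nxt + 1) % WRAP)
              for _ in range(stack.limit))
    return got < stack.limit


def find_client_port(stack, own, client_ip, candidate_ports):
    """Port inference: a spoofed SYN only draws a challenge ACK if the 4-tuple exists."""
    for port in candidate_ports:
        if probe_consumed_slot(stack, own, (client_ip, port), SERVER, {"SYN"}, 0):
            return port
    return None


def find_in_window_seq(stack, own, client, guesses):
    """Sequence inference: a spoofed RST only draws a challenge ACK if in window."""
    for seq in guesses:
        if probe_consumed_slot(stack, own, client, SERVER, {"RST"}, seq % WRAP):
            return seq % WRAP
    return None


def false_positive_rate(stack, own, rounds=200):
    """Probe a port with no connection: 0.0 pre-fix, about 0.5 once the budget is random."""
    hits = sum(probe_consumed_slot(stack, own, ("10.0.0.2", 1), SERVER, {"SYN"}, 0)
               for _ in range(rounds))
    return hits / rounds


def build(randomize, seed=1):
    stack = Stack(randomize=randomize, rng=random.Random(seed))
    stack.add(Connection(VICTIM_CLIENT, SERVER, rcv_nxt=0x12345678))
    own = Connection(ATTACKER, SERVER, rcv_nxt=1000)
    stack.add(own)
    return stack, own


if __name__ == "__main__":
    for randomize in (False, True):
        stack, own = build(randomize)
        port = find_client_port(stack, own, "10.0.0.2", range(39990, 40010))
        seq = find_in_window_seq(stack, own, VICTIM_CLIENT,
                                 range(0x12345678 - 3 * 65535 + 7, 0x12345678 + 3 * 65535, 65535))
        print(f"randomize={randomize}: port={port} seq={seq} "
              f"false-positive rate={false_positive_rate(stack, own):.2f}")
```

On the pre-fix stack the attacker recovers the client port and an in-window sequence number with no false positives; with the randomised budget a single period no longer distinguishes "one slot consumed" from "budget happened to be smaller", so the port scan returns whichever port first coincides with a low budget. The widely published interim mitigation for unpatched hosts was to raise net.ipv4.tcp_challenge_ack_limit to a very large value so the shared counter cannot be exhausted within a second; the kernel fix randomised the budget as modelled here.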