
Product name: B310s-927
Confidentiality level: CONFIDENTIAL
Product version: V13.0
Total 51 pages

B310s-927 Firmware Release Notes

Prepared by: B310s-927 Team    Date: 2018-08-22
Reviewed by: B310s-927 Team    Date: 2018-08-22
Approved by: B310s-927 Team    Date: 2018-08-22

Huawei Technologies Co., Ltd.

All rights reserved


Revision Record

Date        Revision   FW-WebUI/HiLink version   Change Description   Author
2014-11-9   1.0        FW 21.180.03.00.00        The 1st Version      B310s-927 Team
2015-2-4    2.0        FW 21.300.01.00.00        The 2nd Version      B310s-927 Team
2015-3-18   2.1        FW 21.300.07.00.00        The 3rd Version      B310s-927 Team
2015-5-14   3.0        FW 21.311.03.00.00        The 4th Version      B310s-927 Team
2015-6-27   3.1        FW 21.311.05.00.00        The 5th Version      B310s-927 Team
2015-9-16   4.0        FW 21.313.01.00.00        The 6th Version      B310s-927 Team
2015-10-14  4.1        FW 21.313.03.00.00        The 7th Version      B310s-927 Team
2015-11-22  4.2        FW 21.313.05.00.00        The 8th Version      B310s-927 Team
2016-01-28  5.0        FW 21.316.01.00.00        The 9th Version      B310s-927 Team
2016-05-28  6.0        FW 21.318.01.00.00        The 10th Version     B310s-927 Team
2016-09-02  7.0        FW 21.321.01.00.00        The 11th Version     B310s-927 Team
2016-09-17  7.1        FW 21.321.03.00.00        The 12th Version     B310s-927 Team
2016-12-17  8.0        FW 21.323.01.00.00        The 13th Version     B310s-927 Team
2017-02-17  8.1        FW 21.323.03.00.00        The 14th Version     B310s-927 Team
2017-07-06  9.0        FW 21.327.01.00.00        The 15th Version     B310s-927 Team
2017-10-21  10.0       FW 21.328.01.00.00        The 16th Version     B310s-927 Team
2017-11-18  11.0       FW 21.328.03.00.00        The 17th Version     B310s-927 Team
2018-1-25   12.0       FW 21.329.01.00.00        The 18th Version     B310s-927 Team
2018-4-23   12.1       FW 21.329.05.00.00        The 19th Version     B310s-927 Team
2018-07-18  12.2       FW 21.329.07.00.00        The 20th Version     B310s-927 Team
2018-08-22  13.0       FW 21.333.01.00.00        The 21st Version     B310s-927 Team

Table of Contents
1 Main Features ........................................ 4
2 Hardware ............................................. 5
2.1 Version Description ................................ 5
2.2 Hardware Specifications ............................ 5
2.3 Improvements in the Previous Version ............... 6
2.4 Known Limitations and Issues ....................... 7
3 Firmware ............................................. 7
3.1 Version Description ................................ 7
3.2 Firmware Specifications ............................ 7
3.3 Improvement in the Previous Version ................ 8
3.4 Known Limitations and Issues ....................... 8
4 WebUI ................................................ 9
4.1 Version Description ................................ 9
4.2 WebUI/HiLink Specifications ........................ 9
4.3 Improvement in the Previous Version ................ 9
4.4 Known Limitations and Issues ....................... 9
5 Software Vulnerabilities Fixes ....................... 9
B310s-927 Firmware Release Notes V13.0 CONFIDENTIAL

Abbreviations description: NA

1 Main Features
The B310s-927 mainly supports the following features:
- LTE FDD (DL) data service of up to 150 Mbit/s
- LTE FDD (UL) data service of up to 50 Mbit/s
- LTE TDD (DL) data service of up to 112 Mbit/s
- LTE TDD (UL) data service of up to 10 Mbit/s
- DC-HSPA+ (DL) data service of up to 42 Mbit/s
- HSPA+ (DL) data service of up to 21.6 Mbit/s
- HSDPA (DL) data service of up to 14.4 Mbit/s
- HSUPA (UL) data service of up to 5.76 Mbit/s
- UMTS data service of up to 384 kbit/s
- EDGE data service of up to 236.8 kbit/s
- EDGE (DL) data service of up to 296 kbit/s
- GPRS data service of up to 85.6 kbit/s
- PS domain data service based on LTE/UMTS/GSM
- SMS based on CS/PS domain of GSM and UMTS, CS domain of LTE
- Wi-Fi
- Support for HUAWEI Mobile WiFi App
- Press and Play
- IPv6v4/IPv4 dual stack
- Built-in DHCP server, DNS relay and NAT
- Online software upgrade
- Traffic statistics
- LED indicators
- Built-in LTE/GSM/UMTS and WLAN high-gain antennas
- Windows XP SP3, Windows Vista SP1/SP2, Windows 7, Windows 8, Windows 8.1 (does not
  support Windows RT), Mac OS X 10.7, 10.8 and 10.9 with latest upgrades


2 Hardware

2.1 Version Description

Hardware Version:   WL2B310TM (B310s-927 new PA)
                    WL1B310TM (B310s-927 old PA)
Platform & Chipset: Balong Hi6921 & AR 8035

2.2 Hardware Specifications

Item                        Specifications
Technical standard          WAN: LTE/DC-HSPA+/HSPA+/HSPA/UMTS/EDGE/GPRS/GSM
                            WLAN: IEEE 802.11b/g/n
Operating frequency         LTE: B3/B40
                            HSPA+/HSPA/UMTS: B1 (2100) / B8 (900) MHz
                            EDGE/GPRS/GSM: 1900/1800/900/850 MHz
                            WLAN: 2.4 GHz
Internal memory             512 MB Flash, 256 MB Memory
Maximum transmitter power   UMTS: 24 (+1/-3) dBm
                            WLAN 802.11b: 19 dBm
                            802.11g: 17 dBm
                            802.11n: 17 dBm
Receiver sensitivity        UMTS: conforms to 3GPP requirements
                            WLAN 802.11b: -76 dBm @ 11 Mbit/s, -82 dBm @ 1 Mbit/s
                            WLAN 802.11g: -65 dBm @ 54 Mbit/s
                            WLAN 802.11n: -64 dBm @ 65 Mbit/s
WLAN speed                  802.11b: up to 11 Mbit/s
                            802.11g: up to 54 Mbit/s
                            802.11n: HT40 MCS15 (300 Mbit/s), HT20 MCS15 (144.4 Mbit/s)
Maximum power consumption   12 W
Power supply                AC: 100–240 V
                            DC: 12 V, 1 A
External interfaces         WAN/LAN: 1 RJ45, GE
                            FXS: 1 RJ11
                            SIM card interface: standard 6-pin SIM card interface
Indicators                  Mode: cyan: 4G mode; blue: 3G mode; yellow: 2G mode; green: WAN mode;
                            red: no SIM/USIM card is found, the PIN is not verified, the SIM/USIM
                            card is not working properly, or the device failed to connect to a
                            mobile network
                            Signal: one to three: weak to strong signal; off: no signal
                            WPS/WIFI: white blinking: WPS open; white steady on: 2.4G WiFi is on;
                            off: 2.4G WiFi is off
                            LAN: On/Off
                            Power: On/Off
Button                      Power switch, Reset switch, WPS switch
Antenna                     - Built-in GSM/UMTS/LTE main diversity antenna
                            - Built-in GSM/UMTS/LTE diversity antenna
                            - Built-in WLAN antenna
Dimensions (D × W × H)      180 mm × 126 mm × 38 mm
Weight                      about 226 g (does not include the power adapter)
Temperature                 Operating: 0℃ to +40℃
                            Storage: -20℃ to +70℃
Humidity                    5% to 95% (non-condensing)

2.3 Improvements in the Previous Version

Index   Case ID   Issue Description
NA      NA        NA

2.4 Known Limitations and Issues

Index   Case ID   Issue Description
NA      NA        NA

3 Firmware

3.1 Version Description

Firmware Version: 21.333.01.00.00
Baseline information: BalongV700R110C30B333
OS: VxWorks 6.8 + Linux 3.4.5

3.2 Firmware Specifications

Item                      Description
SMS                       - Writing/Sending/Receiving
                          - Sending/Receiving extra-long messages
                          - Storage: up to 500 messages can be saved in the internal memory
                          - New message prompt
Network connection setup  - APN management: create, delete and edit
                          - Set up network connection
WLAN setup                - SSID broadcasting and hiding
                          - Open system and shared key authentication
                          - ASCII and HEX keys
                          - 64/128-bit WEP encryption
                          - 256-bit WPA-PSK and WPA2-PSK encryption
                          - AES encryption algorithm
                          - TKIP and AES integrated encryption algorithm
                          - Automatic adjustment of ratios
                          - Display STA status
                          - WLAN MAC filter
Firewall setup            - Firewall switch
                          - LAN IP filter
                          - Virtual server
                          - DMZ service
NAT setup                 - Cone NAT
                          - Symmetric NAT
                          - ALG
                          - VPN passthrough
DHCP setup                - DHCP server enabling and disabling
                          - Address pool of the DHCP server setup
                          - DHCP lease time setup
IPv6v4/IPv4 dual stack    DHCPv6/v4 server and client
                          DNSv6/v4 server and client
                          Display IPv6/v4 WAN address
Other                     Network connection settings:
                          - Automatic network selection and registration
                          - Manual network selection and registration
                          Network status display: signal, operator name, system mode, and so on.
                          Selection of network connection types, for example:
                          - Support LTE networks ON/OFF
                          PIN management: activate/deactivate PIN, PIN lock, changing PIN,
                          unblocking by using the PUK.
System requirement        - Windows XP SP3, Windows Vista SP1/SP2, Windows 7, Windows 8
                            (does not support Windows RT)
                          - Mac OS X 10.6, 10.7 and 10.8 with latest upgrades
                          - Your computer's hardware should meet or exceed the recommended
                            system requirements for the installed version of the OS

3.3 Improvement in the Previous Version

Index   Case ID   Issue Description
NA      NA        NA

3.4 Known Limitations and Issues

Index   Case ID   Issue Description
NA      NA        NA


4 WebUI

4.1 Version Description

WebUI Version: 17.100.09.00.03

4.2 WebUI/HiLink Specifications

Item   Specifications
NA     NA

4.3 Improvement in the Previous Version

Index   Case ID   Issue Description
NA      NA        NA

4.4 Known Limitations and Issues

Index   Case ID   Issue Description
NA      NA        NA

5 Software Vulnerabilities Fixes

[Software vulnerabilities include Android vulnerabilities, third-party software vulnerabilities, and Huawei
vulnerabilities.]

[Android vulnerabilities are from Google, which reported them publicly.]

[Third-party software is a type of computer software that is sold together with, or provided for free in, Huawei
products or solutions, with the ownership of intellectual property rights (IPR) held by the original contributors.
Third-party software can be, but is not limited to: purchased software; software that is built in or attached to
purchased hardware; software in products of the original equipment manufacturer (OEM) or original design
manufacturer (ODM); software that is developed with technical contribution from partners (ownership of IPR
held in whole or in part by the partners); software that is legally obtained free of charge.
The data of third-party software vulnerability fixes can be exported from PDM.
If the table is excessively long, you can divide it into multiple tables by product version, or deliver it in an Excel
file with the patch release notes and provide reference information in this section.]

[Huawei vulnerabilities are vulnerabilities in Huawei's own software, found by outside parties.]

Vulnerability information is available through CVE IDs on the NVD (National Vulnerability Database) website:
http://web.nvd.nist.gov/view/vuln/search
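The Solution column of the table below repeatedly has to decide whether the shipped component version (Samba 3.0.37, OpenSSL 1.0.1e) actually falls inside the affected range quoted from NVD, and several rows conclude "not affected" because the vulnerable code only appeared in a later release (the note places CVE-2013-4496 at Samba 3.4.0 and CVE-2013-4475 at 3.2.0). The following is an added example, not part of this release note or of any Huawei tooling, that mechanises the first half of that triage: it parses the "X.y before Z" / "through Z" / "Z and earlier" range phrasing used by the NVD descriptions in the table and compares a shipped version against it. The helper names and the `introduced_in` override are this example's own; the descriptions it runs on are abridged from the table's rows.

```python
"""Version-range triage for NVD-style affected-range descriptions.

Added example (not part of the Huawei release note).  Helper names and
the `introduced_in` override are this example's own; the descriptions
below are abridged from the CVE table in section 5.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Descriptions abridged from the table's Samba / OpenSSL rows (constructed test input).
SAMBA_CVE_2010_2063 = ("Buffer overflow in the chain_reply function in process.c in smbd in "
                       "Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service.")
SAMBA_CVE_2013_4475 = ("Samba 3.2.x through 3.6.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x "
                       "before 4.1.1, when vfs_streams_depot is enabled, allows a bypass.")
SAMBA_CVE_2013_4496 = ("Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 "
                       "does not enforce the password-guessing protection mechanism.")
OPENSSL_CVE_2014_0224 = ("OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h "
                         "does not properly restrict processing of ChangeCipherSpec messages.")


def parse_version(s: str) -> Version:
    """'3.0.37' -> (3, 0, 37, 0); '1.0.1e' -> (1, 0, 1, 5).
    OpenSSL-style letter suffixes become a trailing component (a=1 ... z=26, 'za'=26*27+1)
    so that 1.0.1 < 1.0.1e < 1.0.1h and 0.9.8y < 0.9.8za."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    suffix = 0
    for ch in m.group(2):
        suffix = suffix * 27 + (ord(ch) - ord("a") + 1)
    return nums + (suffix,)


def parse_prefix(s: str) -> Version:
    """'4.0' (from '4.0.x') -> (4, 0): the release branch a clause is scoped to."""
    return tuple(int(p) for p in s.split("."))


@dataclass(frozen=True)
class AffectedRange:
    prefix: Optional[Version]   # version must lie on this branch ("4.0.x"), or None
    lower: Optional[Version]    # inclusive lower bound ("3.2.x through ..."), or None
    upper: Version              # bound from "before Z" / "through Z" / "Z and earlier"
    inclusive: bool             # True for "through" / "and earlier", False for "before"

    def contains(self, v: Version) -> bool:
        if self.prefix is not None and v[:len(self.prefix)] != self.prefix:
            return False
        if self.lower is not None and v < self.lower:
            return False
        return v <= self.upper if self.inclusive else v < self.upper


_VER = r"\d+(?:\.\d+)*[a-z]*"
_PFX = r"\d+(?:\.\d+)*"
_CLAUSE = re.compile(
    rf"(?P<lo>{_PFX})\.x through {_PFX}\.x before (?P<hi1>{_VER})"  # 3.2.x through 3.6.x before 3.6.20
    rf"|(?P<pfx>{_PFX})(?:\.x)? before (?P<hi2>{_VER})"             # 4.0.x before 4.0.16 / 1.0.1 before 1.0.1h
    rf"|\bbefore (?P<hi3>{_VER})"                                   # OpenSSL before 0.9.8za
    rf"|(?P<pfx2>{_PFX})\.x through (?P<hi4>{_VER})"                # OpenSSL 1.x through 1.0.1g
    rf"|\bthrough (?P<hi5>{_VER})"                                  # Samba through 4.1.2
    rf"|(?P<hi6>{_VER}) and earlier"                                # Samba 3.5.10 and earlier
)


def parse_affected_ranges(description: str) -> List[AffectedRange]:
    """Extract every affected-version clause from an NVD-style description."""
    ranges: List[AffectedRange] = []
    for m in _CLAUSE.finditer(description):
        g = m.groupdict()
        if g["hi1"]:
            ranges.append(AffectedRange(None, parse_prefix(g["lo"]), parse_version(g["hi1"]), False))
        elif g["hi2"]:
            ranges.append(AffectedRange(parse_prefix(g["pfx"]), None, parse_version(g["hi2"]), False))
        elif g["hi3"]:
            ranges.append(AffectedRange(None, None, parse_version(g["hi3"]), False))
        elif g["hi4"]:
            ranges.append(AffectedRange(parse_prefix(g["pfx2"]), None, parse_version(g["hi4"]), True))
        elif g["hi5"]:
            ranges.append(AffectedRange(None, None, parse_version(g["hi5"]), True))
        else:
            ranges.append(AffectedRange(None, None, parse_version(g["hi6"]), True))
    return ranges


def is_affected(shipped: str, description: str, introduced_in: Optional[str] = None) -> bool:
    """Range screen: True if `shipped` falls inside any affected clause.

    `introduced_in` (this example's own parameter) records the code-level finding
    the table's Solution column makes by hand: NVD "before Z" wording only says where
    a bug was fixed, so a version older than the introducing release is not affected."""
    v = parse_version(shipped)
    ranges = parse_affected_ranges(description)
    if not ranges:
        raise ValueError("no version clause found; triage this entry manually")
    if introduced_in is not None and v < parse_version(introduced_in):
        return False
    return any(r.contains(v) for r in ranges)


# Rows constructed from the table: (component, shipped version, CVE, description, introduced_in).
ROWS = [
    ("Samba", "3.0.37", "CVE-2010-2063", SAMBA_CVE_2010_2063, None),
    ("Samba", "3.0.37", "CVE-2013-4475", SAMBA_CVE_2013_4475, None),
    ("Samba", "3.0.37", "CVE-2013-4496", SAMBA_CVE_2013_4496, "3.4.0"),
    ("OpenSSL", "1.0.1e", "CVE-2014-0224", OPENSSL_CVE_2014_0224, None),
]


def triage(rows=ROWS) -> List[Tuple[str, bool]]:
    """(CVE, affected) per row; these verdicts agree with the table's Solution column."""
    return [(cve, is_affected(ver, desc, intro)) for _, ver, cve, desc, intro in rows]


if __name__ == "__main__":
    for cve, hit in triage():
        print(f"{cve}: {'patch required' if hit else 'not affected'}")
```

The range check is only an upper-bound screen: a hit means the shipped version is inside the fixed-before window and still needs the code-level check the Solution column records, and an entry whose NVD text names no range the shipped version string can be compared against (the table's "0.98y" spelling, for instance, parses but does not match the 0.9.8 branch) should be triaged by hand rather than treated as clean.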

Softwar Versi CVE ID Vulnerability Description Solution


e/Modul on
e name
Portable LibUP CVE-20 Stack-based buffer overflow in the Add memory

Page 9
B310s-927 Firmware Release Notes V13.0 CONFIDENTIAL

UPnP nP 12-5960 unique_service_name function in protection check


SDK 1.6.12 ssdp/ssdp_server.c in the SSDP for errors .Refer
parser in the portable SDK for to:
UPnP Devices (aka libupnp, https://cve.mitre.o
formerly the Intel SDK for UPnP rg/cgi-bin/cvenam
devices) before 1.6.18 allows e.cgi?name=CVE
remote attackers to execute -2012-5960
arbitrary code via a long UDN (aka
upnp:rootdevice) field in a UDP
packet.
Portable LibUP CVE-20 Stack-based buffer overflow in the Add memory
UPnP nP 12-5959 unique_service_name function in protection check
SDK 1.6.12 ssdp/ssdp_server.c in the SSDP for errors .Refer
parser in the portable SDK for to:
UPnP Devices (aka libupnp, https://cve.mitre.o
formerly the Intel SDK for UPnP rg/cgi-bin/cvenam
devices) before 1.6.18 allows e.cgi?name=CVE
remote attackers to execute -2012-5959
arbitrary code via a long UDN (aka
uuid) field within a string that
contains a :: (colon colon) in a UDP
packet.
Portable LibUP CVE-20 Stack-based buffer overflow in the Add memory
UPnP nP 12-5958 unique_service_name function in protection check
SDK 1.6.12 ssdp/ssdp_server.c in the SSDP for errors .Refer
parser in the portable SDK for to:
UPnP Devices (aka libupnp, https://cve.mitre.o
formerly the Intel SDK for UPnP rg/cgi-bin/cvenam
devices) before 1.6.18 allows e.cgi?name=CVE
remote attackers to execute -2012-5958
arbitrary code via a UDP packet
with a crafted string that is not
properly handled after a certain
pointer subtraction.
Samba 3.0.37 CVE-20 Samba 3.2.x through 3.6.x before Don’t involve
13-4475 3.6.20, 4.0.x before 4.0.11, and closing.Refer to
4.1.x before 4.1.1, when the Samba
vfs_streams_depot or website
vfs_streams_xattr is enabled, corresponding
allows remote attackers to bypass vulnerability, the
intended file restrictions by problems in the
leveraging ACL differences Samba3.2.0
between a file and an associated version, the
alternate data stream (ADS). current version is
3.0.37,refer:
http://www.samba
.org/samba/securi
ty/CVE-2013-447
5
Samba 3.0.37 CVE-20 Integer overflow in the https://ftp.samba.
13-4124 read_nttrans_ea_list function in org/pub/samba/p
nttrans.c in smbd in Samba 3.x atches/security/s
before 3.5.22, 3.6.x before 3.6.17, amba-4.0.7-CVE-
and 4.x before 4.0.8 allows remote 2013-4124.patch
attackers to cause a denial of
service (memory consumption) via

Page 10
B310s-927 Firmware Release Notes V13.0 CONFIDENTIAL

a malformed packet.
Samba 3.0.37 CVE-20 The SMB2 implementation in https://ftp.samba.
13-0454 Samba 3.6.x before 3.6.6, as used org/pub/samba/p
on the IBM Storwize V7000 Unified atches/security/s
1.3 before 1.3.2.3 and 1.4 before amba-3.6-CVE-2
1.4.0.1 and possibly other products, 013-0454.patch
does not properly enforce CIFS
share attributes, which allows
remote authenticated users to (1)
write to a read-only share; (2)
trigger data-integrity problems
related to the oplock, locking,
coherency, or leases attribute; or
(3) have an unspecified impact by
leveraging incorrect handling of the
browseable or "hide unreadable"
parameter.
Samba 3.0.37 CVE-20 Cross-site request forgery (CSRF) https://download.
13-0214 vulnerability in the Samba Web samba.org/pub/s
Administration Tool (SWAT) in amba/patches/se
Samba 3.x before 3.5.21, 3.6.x curity/samba-3.5.
before 3.6.12, and 4.x before 4.0.2 20-CVE-2013-02
allows remote attackers to hijack 13-CVE-2013-02
the authentication of arbitrary users 14.patch
by leveraging knowledge of a
password and composing requests
that perform SWAT actions.
Samba 3.0.37 CVE-20 The Samba Web Administration https://download.
13-0213 Tool (SWAT) in Samba 3.x before samba.org/pub/s
3.5.21, 3.6.x before 3.6.12, and 4.x amba/patches/se
before 4.0.2 allows remote curity/samba-3.5.
attackers to conduct clickjacking 20-CVE-2013-02
attacks via a (1) FRAME or (2) 13-CVE-2013-02
IFRAME element. 14.patch
Samba 3.0.37 CVE-20 The RPC code generator in Samba https://download.
12-1182 3.x before 3.4.16, 3.5.x before samba.org/pub/s
3.5.14, and 3.6.x before 3.6.4 does amba/patches/se
not implement validation of an array curity/samba-3.0.
length in a manner consistent with 37-CVE-2012-11
validation of array memory 82.patch
allocation, which allows remote
attackers to execute arbitrary code
via a crafted RPC call.
Samba 3.0.37 CVE-20 The check_mtab function in Don’t involve
11-2724 client/mount.cifs.c in mount.cifs in closing.Refer to:
smbfs in Samba 3.5.10 and earlier
https://cve.mitre.o
does not properly verify that the (1)
rg/cgi-bin/cvenam
device name and (2) mountpoint
e.cgi?name=CVE
strings are composed of valid
-2011-2724
characters, which allows local
users to cause a denial of service
(mtab corruption) via a crafted
string. NOTE: this vulnerability
exists because of an incorrect fix
for CVE-2010-0547.
Samba 3.0.37 CVE-20 Cross-site scripting (XSS) https://download.
11-2694 vulnerability in the chg_passwd samba.org/pub/s
Page 11
B310s-927 Firmware Release Notes V13.0 CONFIDENTIAL

function in web/swat.c in the amba/patches/se


Samba Web Administration Tool curity/samba-3.3.
(SWAT) in Samba 3.x before 3.5.10 15-CVE-2011-26
allows remote authenticated 94.patch
administrators to inject arbitrary
web script or HTML via the
username parameter to the passwd
program (aka the user field to the
Change Password page).
Samba 3.0.37 CVE-20 Multiple cross-site request forgery https://download.
11-2522 (CSRF) vulnerabilities in the samba.org/pub/s
Samba Web Administration Tool amba/patches/se
(SWAT) in Samba 3.x before 3.5.10 curity/samba-3.3.
allow remote attackers to hijack the 15-CVE-2011-25
authentication of administrators for 22.patch
requests that (1) shut down
daemons, (2) start daemons, (3)
add shares, (4) remove shares, (5)
add printers, (6) remove printers,
(7) add user accounts, or (8)
remove user accounts, as
demonstrated by certain start, stop,
and restart parameters to the status
program.
Samba 3.0.37 CVE-20 smbfs in Samba 3.5.8 and earlier Don’t involve
11-1678 attempts to use (1) mount.cifs to closing.,/etc is a
append to the /etc/mtab file and (2) read-only file can
umount.cifs to append to the not be tampered
/etc/mtab.tmp file without first with. Refer to:
checking whether resource limits
https://cve.mitre.o
would interfere, which allows local
rg/cgi-bin/cvenam
users to trigger corruption of the
e.cgi?name=CVE
/etc/mtab file via a process with a
-2011-1678
small RLIMIT_FSIZE value, a
related issue to CVE-2011-1089.
Samba 3.0.37 CVE-20 Samba 3.x before 3.3.15, 3.4.x https://download.
11-0719 before 3.4.12, and 3.5.x before samba.org/pub/s
3.5.7 does not perform range amba/patches/se
checks for file descriptors before curity/samba-3.3.
use of the FD_SET macro, which 14-CVE-2011-07
allows remote attackers to cause a 19.patch
denial of service (stack memory
corruption, and infinite loop or
daemon crash) by opening a large
number of files, related to (1)
Winbind or (2) smbd.
Samba 3.0.37 CVE-20 Stack-based buffer overflow in the https://download.
10-3069 (1) sid_parse and (2) samba.org/pub/s
dom_sid_parse functions in Samba amba/patches/se
before 3.5.5 allows remote curity/samba-3.3.
attackers to cause a denial of 13-CVE-2010-30
service (crash) and possibly 69.patch
execute arbitrary code via a crafted
Windows Security ID (SID) on a file
share.
Samba 3.0.37 CVE-20 Buffer overflow in the SMB1 packet https://download.
10-2063 chaining implementation in the samba.org/pub/s
Page 12
B310s-927 Firmware Release Notes V13.0 CONFIDENTIAL

chain_reply function in process.c in amba/patches/se


smbd in Samba 3.0.x before 3.3.13 curity/samba-3.0.
allows remote attackers to cause a 37-CVE-2010-20
denial of service (memory 63.patch
corruption and daemon crash) or
possibly execute arbitrary code via
a crafted field in a packet.
Samba 3.0.37 CVE-20 The https://git.samba.
10-1642 reply_sesssetup_and_X_spnego org/?p=samba.git
function in sesssetup.c in smbd in ;a=commit;h=928
Samba before 3.4.8 and 3.5.x 0051bfba337458
before 3.5.2 allows remote 722fb157f3082f9
attackers to trigger an 3cbd9f2b
out-of-bounds read, and cause a
denial of service (process crash),
via a \xff\xff security blob length in a
Session Setup AndX request.
Samba 3.0.37 CVE-20 The chain_reply function in Don’t involve
10-1635 process.c in smbd in Samba before closing.There is
3.4.8 and 3.5.x before 3.5.2 allows no problem of
remote attackers to cause a denial output has been
of service (NULL pointer done to
dereference and process crash) via determine.Refer
a Negotiate Protocol request with a to:
certain 0x0003 field value followed https://cve.mitre.o
by a Session Setup AndX request rg/cgi-bin/cvenam
with a certain 0x8003 field value. e.cgi?name=CVE
-2010-1635
Samba 3.0.37 CVE-20 client/mount.cifs.c in mount.cifs in Don’t involve
10-0547 smbfs in Samba 3.4.5 and earlier closing .Function
does not verify that the (1) device problems do not
name and (2) mountpoint strings exist without
are composed of valid characters, treatment. Refer
which allows local users to cause a to
denial of service (mtab corruption) https://cve.mitre.o
via a crafted string. rg/cgi-bin/cvenam
e.cgi?name=CVE
-2010-0547
Samba 3.0.37 CVE-20 The Don’t involve
12-6150 winbind_name_list_to_sid_string_li closing .Refer to
st function in the Samba
nsswitch/pam_winbind.c in Samba website
through 4.1.2 handles invalid corresponding
require_membership_of group vulnerability to
names by accepting authentication explain the
by any user, which allows remote problem, in the
authenticated users to bypass 3.3.10, 3.4.3,
intended access restrictions in 3.5.0 and later
opportunistic circumstances by
leveraging an administrator's Later, the current
pam_winbind configuration-file version is 3.0.37,
mistake. the specific
reference:
http://www.samba
.org/samba/securi
ty/CVE-2012-615

Page 13
B310s-927 Firmware Release Notes V13.0 CONFIDENTIAL

0
Samba 3.0.37 CVE-20 Heap-based buffer overflow in the Don’t involve
13-4408 dcerpc_read_ncacn_packet_done closing.The
function in librpc/rpc/dcerpc_util.c in current version
winbindd in Samba 3.x before does not have
3.6.22, 4.0.x before 4.0.13, and this function, do
4.1.x before 4.1.3 allows remote not need to deal
AD domain controllers to execute with. Refer to
arbitrary code via an invalid https://cve.mitre.o
fragment length in a DCE-RPC rg/cgi-bin/cvenam
packet. e.cgi?name=CVE
-2013-4408
Openssl 1.0.1e CVE-20 The https://git.openssl
14-3470 ssl3_send_client_key_exchange .org/gitweb/?p=op
function in s3_clnt.c in OpenSSL enssl.git;a=comm
before 0.9.8za, 1.0.0 before it;h=8011cd56e39
1.0.0m, and 1.0.1 before 1.0.1h, a433b183746525
when an anonymous ECDH cipher 9a9bd24a38727f
suite is used, allows remote b
attackers to cause a denial of
service (NULL pointer dereference
and client crash) by triggering a
NULL certificate value.
Openssl 1.0.1e CVE-20 The https://git.openssl
14-3470 ssl3_send_client_key_exchange .org/gitweb/?p=op
function in s3_clnt.c in OpenSSL enssl.git;a=comm
before 0.9.8za, 1.0.0 before it;h=8011cd56e39
1.0.0m, and 1.0.1 before 1.0.1h, a433b183746525
when an anonymous ECDH cipher 9a9bd24a38727f
suite is used, allows remote b
attackers to cause a denial of
service (NULL pointer dereference
and client crash) by triggering a
NULL certificate value.
Openssl 1.0.1e CVE-20 The https://git.openssl
14-3470 ssl3_send_client_key_exchange .org/gitweb/?p=op
function in s3_clnt.c in OpenSSL enssl.git;a=comm
before 0.9.8za, 1.0.0 before it;h=8011cd56e39
1.0.0m, and 1.0.1 before 1.0.1h, a433b183746525
when an anonymous ECDH cipher 9a9bd24a38727f
suite is used, allows remote b
attackers to cause a denial of
service (NULL pointer dereference
and client crash) by triggering a
NULL certificate value.
Openssl 1.0.1e CVE-20 OpenSSL before 0.9.8za, 1.0.0 https://git.openssl
14-0224 before 1.0.0m, and 1.0.1 before .org/gitweb/?p=op
1.0.1h does not properly restrict enssl.git;a=comm
processing of ChangeCipherSpec it;h=bc8923b1ec9
messages, which allows c467755cd86f784
man-in-the-middle attackers to 8c50ee8812e441
trigger use of a zero-length master
key in certain
OpenSSL-to-OpenSSL
communications, and consequently
hijack sessions or obtain sensitive
information, via a crafted TLS
Page 14
B310s-927 Firmware Release Notes V13.0 CONFIDENTIAL

handshake, aka the "CCS Injection"


vulnerability.
Openssl 1.0.1e CVE-20 OpenSSL before 0.9.8za, 1.0.0 https://git.openssl
14-0224 before 1.0.0m, and 1.0.1 before .org/gitweb/?p=op
1.0.1h does not properly restrict enssl.git;a=comm
processing of ChangeCipherSpec it;h=bc8923b1ec9
messages, which allows c467755cd86f784
man-in-the-middle attackers to 8c50ee8812e441
trigger use of a zero-length master
key in certain
OpenSSL-to-OpenSSL
communications, and consequently
hijack sessions or obtain sensitive
information, via a crafted TLS
handshake, aka the "CCS Injection"
vulnerability.
Openssl 1.0.1e CVE-20 OpenSSL before 0.9.8za, 1.0.0 https://git.openssl
14-0224 before 1.0.0m, and 1.0.1 before .org/gitweb/?p=op
1.0.1h does not properly restrict enssl.git;a=comm
processing of ChangeCipherSpec it;h=bc8923b1ec9
messages, which allows c467755cd86f784
man-in-the-middle attackers to 8c50ee8812e441
trigger use of a zero-length master
key in certain
OpenSSL-to-OpenSSL
communications, and consequently
hijack sessions or obtain sensitive
information, via a crafted TLS
handshake, aka the "CCS Injection"
vulnerability.
Openssl 1.0.1e CVE-20 The dtls1_get_message_fragment https://git.openssl
14-0221 function in d1_both.c in OpenSSL .org/gitweb/?p=op
before 0.9.8za, 1.0.0 before enssl.git;a=comm
1.0.0m, and 1.0.1 before 1.0.1h it;h=d3152655d5
allows remote attackers to cause a 319ce883c8e3ac
denial of service (recursion and 4b99f8de4c59d8
client crash) via a DTLS hello 46
message in an invalid DTLS
handshake.
Openssl 1.0.0a CVE-20 The dtls1_get_message_fragment https://git.openssl
14-0221 function in d1_both.c in OpenSSL .org/gitweb/?p=op
before 0.9.8za, 1.0.0 before enssl.git;a=comm
1.0.0m, and 1.0.1 before 1.0.1h it;h=d3152655d5
allows remote attackers to cause a 319ce883c8e3ac
denial of service (recursion and 4b99f8de4c59d8
client crash) via a DTLS hello 46
message in an invalid DTLS
handshake.
Openssl 1.0.1e CVE-20 The dtls1_get_message_fragment https://git.openssl
14-0221 function in d1_both.c in OpenSSL .org/gitweb/?p=op
before 0.9.8za, 1.0.0 before enssl.git;a=comm
1.0.0m, and 1.0.1 before 1.0.1h it;h=d3152655d5
allows remote attackers to cause a 319ce883c8e3ac
denial of service (recursion and 4b99f8de4c59d8
client crash) via a DTLS hello 46
message in an invalid DTLS
handshake.
Page 15
B310s-927 Firmware Release Notes V13.0 CONFIDENTIAL

Openssl 1.0.1e CVE-20 The do_ssl3_write function in http://people.cano


14-0198 s3_pkt.c in OpenSSL 1.x through nical.com/~ubunt
1.0.1g, when u-security/cve/20
SSL_MODE_RELEASE_BUFFERS 14/CVE-2014-01
is enabled, does not properly 98.html
manage a buffer pointer during
certain recursive calls, which allows
remote attackers to cause a denial
of service (NULL pointer
dereference and application crash)
via vectors that trigger an alert
condition.
Openssl 1.0.0a CVE-20 The do_ssl3_write function in http://people.cano
14-0198 s3_pkt.c in OpenSSL 1.x through nical.com/~ubunt
1.0.1g, when u-security/cve/20
SSL_MODE_RELEASE_BUFFERS 14/CVE-2014-01
is enabled, does not properly 98.html
manage a buffer pointer during
certain recursive calls, which allows
remote attackers to cause a denial
of service (NULL pointer
dereference and application crash)
via vectors that trigger an alert
condition.
Openssl 1.0.1e CVE-20 The do_ssl3_write function in http://people.cano
14-0198 s3_pkt.c in OpenSSL 1.x through nical.com/~ubunt
1.0.1g, when u-security/cve/20
SSL_MODE_RELEASE_BUFFERS 14/CVE-2014-01
is enabled, does not properly 98.html
manage a buffer pointer during
certain recursive calls, which allows
remote attackers to cause a denial
of service (NULL pointer
dereference and application crash)
via vectors that trigger an alert
condition.
Openssl 1.0.1e CVE-20 The dtls1_reassemble_fragment https://git.openssl
14-0195 function in d1_both.c in OpenSSL .org/gitweb/?p=op
before 0.9.8za, 1.0.0 before enssl.git;a=comm
1.0.0m, and 1.0.1 before 1.0.1h it;h=1632ef74487
does not properly validate fragment 2edc2aa2a53d48
lengths in DTLS ClientHello 7d3e79c965a4ad
messages, which allows remote 3
attackers to execute arbitrary code
or cause a denial of service (buffer
overflow and application crash) via
a long non-initial fragment.
Openssl 1.0.0a CVE-20 The dtls1_reassemble_fragment https://git.openssl
14-0195 function in d1_both.c in OpenSSL .org/gitweb/?p=op
before 0.9.8za, 1.0.0 before enssl.git;a=comm
1.0.0m, and 1.0.1 before 1.0.1h it;h=1632ef74487
does not properly validate fragment 2edc2aa2a53d48
lengths in DTLS ClientHello 7d3e79c965a4ad
messages, which allows remote 3
attackers to execute arbitrary code
or cause a denial of service (buffer
overflow and application crash) via
Page 16
B310s-927 Firmware Release Notes V13.0 CONFIDENTIAL

a long non-initial fragment.


Openssl 1.0.1e CVE-20 The dtls1_reassemble_fragment https://git.openssl
14-0195 function in d1_both.c in OpenSSL .org/gitweb/?p=op
before 0.9.8za, 1.0.0 before enssl.git;a=comm
1.0.0m, and 1.0.1 before 1.0.1h it;h=1632ef74487
does not properly validate fragment 2edc2aa2a53d48
lengths in DTLS ClientHello 7d3e79c965a4ad
messages, which allows remote 3
attackers to execute arbitrary code
or cause a denial of service (buffer
overflow and application crash) via
a long non-initial fragment.
Openssl 1.0.1e CVE-20 The Montgomery ladder http://git.openssl.
14-0076 implementation in OpenSSL org/gitweb/?p=op
through 1.0.0l does not ensure that enssl.git;a=comm
certain swap operations have a it;h=2198be3483
constant-time behavior, which 259de374f91e57
makes it easier for local users to d247d0fc667aef2
obtain ECDSA nonces via a 9
FLUSH+RELOAD cache
side-channel attack.
Openssl 1.0.1e CVE-20 Multiple buffer overflows in https://git.openssl
14-3512 crypto/srp/srp_lib.c in the SRP .org/gitweb/?p=op
implementation in OpenSSL 1.0.1 enssl.git;a=comm
before 1.0.1i allow remote attackers it;h=4a23b12a03
to cause a denial of service 1860253b58d503
(application crash) or possibly have f296377ca07642
unspecified other impact via an 7b
invalid SRP (1) g, (2) A, or (3) B
parameter.
Openssl 1.0.1e CVE-20 The DTLS retransmission http://git.openssl.
13-6450 implementation in OpenSSL 1.0.0 org/gitweb/?p=op
before 1.0.0l and 1.0.1 before enssl.git;a=comm
1.0.1f does not properly maintain it;h=34628967f1e
data structures for digest and 65dc8f34e000f0f
encryption contexts, which might 5518e21afbfc7b
allow man-in-the-middle attackers
to trigger the use of a different
context and cause a denial of
service (application crash) by
interfering with packet delivery,
related to ssl/d1_both.c and
ssl/t1_enc.c.
Samba 3.0.37 CVE-20 Samba 3.x before 3.6.23, 4.0.x Don’t involve
13-4496 before 4.0.16, and 4.1.x before closing .CVE-201
4.1.6 does not enforce the 3-4496
password-guessing protection vulnerability
mechanism for all interfaces, which exists in the 3.4.0
makes it easier for remote version, the
attackers to obtain access via version is 3.0.37,
brute-force ChangePasswordUser2 without the need
(1) SAMR or (2) RAP attempts. to merge.
Https://www.sam
ba.org/samba/sec
urity/CVE-2013-4
496
Later, the current
Page 17
B310s-927 Firmware Release Notes V13.0 CONFIDENTIAL

version is 3.0.37,
the specific
reference:http://w
ww.samba.org/sa
mba/security/CV
E-2012-6150
iptables 1.4.0 CVE-20 extensions/libxt_tcp.c in iptables Don’t involve
12-2663 through 1.4.21 does not match TCP closing .he
SYN+FIN packets in --syn rules, influence of
which might allow remote attackers CVE-2012-2663
to bypass intended firewall kernel version of
restrictions via crafted packets. the Linux kernel
NOTE: the CVE-2012-6638 fix 2.6.x, the official
makes this issue less relevant. website address
access to modify
the kernel code,
the EUAP code of
Linux kernel
code, and do not
call `iptables -m
TCP --syn
command
parameter, so no
need to merge.
Specific
reference:http://gi
t.kernel.org/cgit/li
nux/kernel/git/dav
em/net-next.git/co
mmit/?id=fdf5af0d
af8019cec2396cd
ef8fb042d80fe71f
a
CUPS 1.6.1 | CVE-2014-2856 | Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function. | http://www.cups.org/strfiles.php/3268/str4356.patch
OpenSSL 0.9.8y | CVE-2010-5298 | Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment. | http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig
OpenSSL 1.0.1e | CVE-2014-0195 | The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1632ef744872edc2aa2a53d487d3e79c965a4ad3
OpenSSL 1.0.1e | CVE-2010-5298 | Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment. | http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig
OpenSSL 1.0.1e | CVE-2014-0076 | The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f91e57d247d0fc667aef29
OpenSSL 1.0.1e | CVE-2014-3505 | Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=bff1ce4e6a1c57c3d0a5f9e4f85ba6385fccfe8b
OpenSSL 1.0.1e | CVE-2014-3506 | d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1250f12613b61758675848f6600ebd914ccd7636
OpenSSL 1.0.1e | CVE-2014-3507 | Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=d0a4b7d1a2948fce38515b8d862f43e7ba0ebf74
OpenSSL 1.0.1e | CVE-2014-3508 | The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0042fb5fd1c9d257d713b15a1f45da05cf5c1c87
OpenSSL 1.0.1e | CVE-2014-3510 | The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote DTLS servers to cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=17160033765480453be0a41335fa6b833691c049
OpenSSL 1.0.1e | CVE-2014-5139 | The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=80bd7b41b30af6ee96f519e629463583318de3b0
OpenSSL 1.0.1e | CVE-2014-3512 | Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4a23b12a031860253b58d503f296377ca076427b
OpenSSL 1.0.1e | CVE-2014-3511 | The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=280b1f1ad12131defcd986676a8fc9717aaa601b
OpenSSL 1.0.1e | CVE-2014-3513 | Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2b0532f3984324ebe1236a63d15893792384328d
OpenSSL 1.0.1e | CVE-2014-3566 | The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. | Update OpenSSL to version 1.0.1j.
OpenSSL 1.0.1e | CVE-2014-3567 | Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7fd4ce6a997be5f5c9e744ac527725c2850de203
OpenSSL 1.0.1e | CVE-2014-3568 | OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=26a59d9b46574e457870197dffa802871b4c8fc7
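The CVE-2014-3566 (POODLE) row states the precondition in one clause: SSL 3.0 does not fully check CBC padding. The following is an added example written for these notes, not OpenSSL code and not part of the original release note. It puts the SSL 3.0 padding check beside the TLS 1.x check and then runs the POODLE block-substitution step against a receiver that accepts SSL 3.0 style padding. The block cipher, keys, IVs and record contents are constructed for the demonstration; the byte-wise affine cipher is only invertible, not secure, which is all the padding-oracle logic depends on.

```c
/* Added example for the CVE-2014-3566 (POODLE) row. Not OpenSSL code and not
 * part of the release notes: cipher, keys, IVs and record are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BS 16    /* CBC block size */
#define NBLK 3   /* demo record: data block, MAC block, full padding block */

/* SSL 3.0 check: only the final byte (pad length) is examined; the pad
 * bytes themselves may hold anything. Returns 1 if accepted. */
int ssl3_padding_ok(const uint8_t *plain, size_t len)
{
    if (len == 0)
        return 0;
    size_t padlen = plain[len - 1];
    return padlen < BS && padlen + 1 <= len;
}
/* TLS 1.0+ check: every pad byte must equal the pad length byte. */
int tls_padding_ok(const uint8_t *plain, size_t len)
{
    if (len == 0)
        return 0;
    size_t padlen = plain[len - 1];
    if (padlen + 1 > len)
        return 0;
    for (size_t i = 0; i <= padlen; i++)
        if (plain[len - 1 - i] != padlen)
            return 0;
    return 1;
}
/* CBC over a constructed toy block cipher E(x) = 167*(x^k)+13 mod 256 per
 * byte, with a per-position key k. Invertible (167*23 == 1 mod 256), nothing more. */
static void cbc_encrypt(const uint8_t key[BS], const uint8_t iv[BS],
                        const uint8_t *pt, uint8_t *ct, size_t nblocks)
{
    const uint8_t *prev = iv;
    for (size_t b = 0; b < nblocks; b++) {
        for (int i = 0; i < BS; i++)
            ct[b * BS + i] = (uint8_t)(167 * ((pt[b * BS + i] ^ prev[i]) ^ key[i]) + 13);
        prev = ct + b * BS;
    }
}
static void cbc_decrypt(const uint8_t key[BS], const uint8_t iv[BS],
                        const uint8_t *ct, uint8_t *pt, size_t nblocks)
{
    const uint8_t *prev = iv;
    for (size_t b = 0; b < nblocks; b++) {
        for (int i = 0; i < BS; i++)   /* D(y) = 23*(y-13) ^ k */
            pt[b * BS + i] = ((uint8_t)(23 * (uint8_t)(ct[b * BS + i] - 13)) ^ key[i]) ^ prev[i];
        prev = ct + b * BS;
    }
}
/* Receiver model for an SSL 3.0 record ending in a full padding block: the
 * padding check reads only the last byte, and the MAC then verifies only if
 * that byte strips exactly one whole block (any other value leaves bytes of
 * the substituted block in the MAC position, so the MAC check fails). */
static int ssl3_server_accepts(const uint8_t key[BS], const uint8_t iv[BS],
                               const uint8_t *ct, size_t nblocks)
{
    uint8_t pt[NBLK * BS];
    size_t len = nblocks * BS;
    cbc_decrypt(key, iv, ct, pt, nblocks);
    return ssl3_padding_ok(pt, len) && pt[len - 1] == BS - 1;
}
/* POODLE step: copy target block C0 over the padding block, resubmit under
 * fresh session keys until accepted, then P0[15] = (BS-1) ^ IV[15] ^ C1[15].
 * Returns the recovered byte, or -1 if no session was accepted. */
int poodle_recover_last_byte(unsigned *trials_out)
{
    uint8_t record[NBLK * BS];
    memcpy(record, "cookie=4f3a9c01b", BS);        /* constructed secret */
    for (int i = 0; i < BS; i++) {
        record[BS + i] = (uint8_t)(0x30 + i);       /* stands in for the MAC */
        record[2 * BS + i] = 0xcc;                  /* SSL 3.0 pad bytes: any */
    }
    record[2 * BS - 1] = 0x87;
    record[NBLK * BS - 1] = BS - 1;                 /* pad length byte */
    for (unsigned t = 0; t < 65536; t++) {
        uint8_t key[BS], iv[BS], ct[NBLK * BS], tampered[NBLK * BS];
        for (int i = 0; i < BS; i++) {              /* fresh session key/IV */
            key[i] = (uint8_t)(0x5a + 3 * i);
            iv[i] = (uint8_t)(0xa5 ^ (7 * i));
        }
        key[BS - 1] = (uint8_t)(t >> 8);
        iv[BS - 1] = (uint8_t)t;
        cbc_encrypt(key, iv, record, ct, NBLK);
        memcpy(tampered, ct, sizeof tampered);
        memcpy(tampered + 2 * BS, ct, BS);          /* C0 into the padding slot */
        if (ssl3_server_accepts(key, iv, tampered, NBLK)) {
            if (trials_out)
                *trials_out = t + 1;
            return (BS - 1) ^ iv[BS - 1] ^ ct[2 * BS - 1];
        }
    }
    return -1;
}
```

The search loop stands in for the attacker forcing the client to re-send the same request in fresh sessions; each accepted record leaks one plaintext byte exactly, because acceptance tells the attacker that the decrypted last byte equals BS-1. Against `tls_padding_ok` the same substituted block is rejected unless all sixteen pad bytes happen to match, which is why the fix for this product was to move to 1.0.1j and disable SSL 3.0 rather than to change the padding code.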
Linux kernel | CVE-2014-2851 | Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter. | https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=b04c46190219a4f845e46a459e3102137b7f6cac
Linux kernel | CVE-2013-1763 | Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e601a53566d84e1ffd25e7b6fe0b6894ffd79c0
Linux kernel | CVE-2014-4943 | The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3cf521f7dc87c031617fd47e4b7aa2593c2f3daf
Samba 3.0.37 | CVE-2015-5252 | vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share. | https://git.samba.org/?p=samba.git;a=commit;h=4278ef25f64d5fdbf432ff1534e275416ec9561e
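The "certain substring relationships" in the CVE-2015-5252 row are a prefix-comparison problem: a symlink target under /srv/share2 passes a check that only asks whether the resolved path begins with the share root /srv/share. The added example below is not Samba code and not part of the release notes; it shows the prefix-only check beside a containment check that also requires a path separator after the root, and the share paths are constructed.

```c
/* Added example for the CVE-2015-5252 row: confining a resolved symlink target
 * to its share when another share path is a string prefix of it. Not Samba
 * code and not part of the release notes; share paths are constructed. */
#include <stddef.h>
#include <string.h>

/* Prefix-only check of the kind the CVE describes: "/srv/share2/secret" is
 * accepted for the share rooted at "/srv/share" because strncmp stops at
 * the end of the shorter string. */
int inside_share_prefix_only(const char *share_root, const char *resolved)
{
    return strncmp(resolved, share_root, strlen(share_root)) == 0;
}

/* Hardened check: the resolved path must be the share root itself or the
 * root followed by a path separator. A trailing '/' on the root is ignored
 * and a root of "/" contains every absolute path. Both inputs are expected
 * to be canonical already (realpath-style: absolute, no ".." components,
 * no duplicate separators), as they are after symlink resolution. */
int inside_share(const char *share_root, const char *resolved)
{
    size_t n = strlen(share_root);
    while (n > 1 && share_root[n - 1] == '/')
        n--;
    if (resolved[0] != '/')
        return 0;
    if (n == 1 && share_root[0] == '/')
        return 1;
    if (strncmp(resolved, share_root, n) != 0)
        return 0;
    return resolved[n] == '\0' || resolved[n] == '/';
}
```

Run on the constructed pair of shares, `inside_share_prefix_only("/srv/share", "/srv/share2/secret")` returns 1 and `inside_share` returns 0; the separator test is the whole difference.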
Linux kernel 3.4.5 | CVE-2015-1805 | The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun." | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=637b58c2887e5e57850865839cc75f59184b23d1
Android 4.4_r1 | CVE-2016-0774 | In June 2015 a kernel patch for CVE-2015-1805 was released to fix the vectored pipe read and write functionality, which could result in memory corruption; a local, unprivileged user could use the flaw in an unpatched kernel to crash the system or escalate privileges. It was later found that this fix incorrectly kept the buffer offset and length in sync on a failed atomic read. This can corrupt the pipe buffer state, and a local, unprivileged user could use it to crash the system or leak kernel memory to user space. | Merge the patches. Refer to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0774
Android 4.4_r1 | CVE-2016-2438 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-2547, CVE-2016-2548. Reason: This candidate is a duplicate of CVE-2016-2547 and CVE-2016-2548. Notes: All CVE users should reference CVE-2016-2547 and/or CVE-2016-2548 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | Merge the Google 2016-4# patch
OpenSSL 1.0.1e | CVE-2016-2105 | Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data. | https://git.openssl.org/?p=openssl.git;a=commit;h=5b814481f3573fa9677f3a31ee51322e2a22ee6a
OpenSSL 1.0.1e | CVE-2016-2106 | Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data. | https://git.openssl.org/?p=openssl.git;a=commit;h=3f3582139fbb259a1c3cbb0a25236500a409bf26
OpenSSL 1.0.1e | CVE-2016-2107 | The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169. | https://git.openssl.org/?p=openssl.git;a=commit;h=68595c0c2886e7942a14f98c17a55a88afb6c292
OpenSSL 1.0.1e | CVE-2016-2108 | The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue. | https://git.openssl.org/?p=openssl.git;a=commit;h=3661bb4e7934668bd99ca777ea8b30eedfafa871
OpenSSL 1.0.1e | CVE-2016-2109 | The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding. | https://git.openssl.org/?p=openssl.git;a=commit;h=c62981390d6cf9e3d612c489b8b77c2913b25807
OpenSSL 1.0.1e | CVE-2016-2176 | The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data. | https://git.openssl.org/?p=openssl.git;a=commit;h=2919516136a4227d9e6d8f2fe66ef976aaf8c561
Wifi | CVE-2016-0801 | The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted wireless control message packets, aka internal bug 25662029. | Merge the *.ko patches from Broadcom.
Wifi | CVE-2016-0802 | The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted wireless control message packets, aka internal bug 25306181. | Merge the *.ko patches from Broadcom.
Linux kernel | CVE-2015-8816 | The hub_activate function in drivers/usb/core/hub.c in the Linux kernel before 4.3.5 does not properly maintain a hub-interface data structure, which allows physically proximate attackers to cause a denial of service (invalid memory access and system crash) or possibly have unspecified other impact by unplugging a USB hub device. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e50293ef9775c5f1cf3fcc093037dd6a8c5684ea
Linux kernel | CVE-2016-0723 | Race condition in the tty_ioctl function in drivers/tty/tty_io.c in the Linux kernel through 4.4.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (use-after-free and system crash) by making a TIOCGETD ioctl call during processing of a TIOCSETD ioctl call. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5c17c861a357e9458001f021a7afa7aab9937439
Android | CVE-2016-3757 | The print_maps function in toolbox/lsof.c in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01 allows user-assisted attackers to gain privileges via a crafted application that attempts to list a long name of a memory-mapped file, aka internal bug 28175237. NOTE: print_maps is not related to the Vic Abell lsof product. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5c17c861a357e9458001f021a7afa7aab9937439
OpenSSL | CVE-2016-2842 | The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799. | https://git.openssl.org/?p=openssl.git;a=commit;h=578b956fe741bf8e84055547b1e83c28dd902c73
Linux kernel | CVE-2015-2686 | net/socket.c in the Linux kernel 3.19 before 3.19.3 does not validate certain range data for (1) sendto and (2) recvfrom system calls, which allows local users to gain privileges by leveraging a subsystem that uses the copy_from_iter function in the iov_iter interface, as demonstrated by the Bluetooth subsystem. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4de930efc23b92ddf88ce91c405ee645fe6e27ea
Linux kernel | CVE-2016-3841 | The IPv6 stack in the Linux kernel before 4.3.3 mishandles options data, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=45f6fad84cc305103b28d73482b344d7f5b76f39
Linux kernel | CVE-2016-4482 | The proc_connectinfo function in drivers/usb/core/devio.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a crafted USBDEVFS_CONNECTINFO ioctl call. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=681fef8380eb818c0b845fca5d2ab1dcbab114ee
Linux kernel | CVE-2014-9529 | Race condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key. | http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a3a8784454692dd72e5d5d34dcdab17b4420e74c
Linux kernel | CVE-2015-5364 | The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 do not properly consider yielding a processor, which allows remote attackers to cause a denial of service (system hang) via incorrect checksums within a UDP packet flood. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0
Linux kernel | CVE-2016-4470 | The key_reject_and_link function in security/keys/key.c in the Linux kernel through 4.6.3 does not ensure that a certain data structure is initialized, which allows local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=38327424b40bcebe2de92d07312c89360ac9229a
Linux kernel (netfilter) | CVE-2016-4998 | The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91
Linux kernel | CVE-2015-2922 | The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a
Linux kernel 3.4.5 | CVE-2016-7042 | The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file. | https://bugzilla.redhat.com/attachment.cgi?id=1200212
Linux kernel 3.4.5 | CVE-2017-0403 | When perf_group_detach is called on a group leader, it should empty its sibling list. Otherwise, when a sibling is later deallocated, list_del_event() removes the sibling's group_entry from its current list, which could be the now-deallocated group leader's sibling list, leading to a potential use-after-free. The fix deallocates the group_entry on the sibling list properly to prevent the use-after-free. | Merge the Google 12# patch
Linux kernel 3.4.5 | CVE-2016-6828 | The tcp_check_send_head function in include/net/tcp.h in the Linux kernel before 4.7.5 does not properly maintain certain SACK state after a failed data copy, which allows local users to cause a denial of service (tcp_xmit_retransmit_queue use-after-free and system crash) via a crafted SACK option. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bb1fceca22492109be12640d49f5ea5a544c6bb4
Linux kernel 3.4.5 | CVE-2016-7910 | Use-after-free vulnerability in the disk_seqf_stop function in block/genhd.c in the Linux kernel before 4.7.1 allows local users to gain privileges by leveraging the execution of a certain stop operation even if the corresponding start operation had failed. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=77da160530dd1dc94f6ae15a981f24e5f0021e84
Linux kernel 3.4.5 | CVE-2016-7911 | Race condition in the get_task_ioprio function in block/ioprio.c in the Linux kernel before 4.6.6 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted ioprio_get system call. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ba8682107ee2ca3347354e018865d8e1967c5f4
Linux kernel 3.4.5 | CVE-2015-8964 | The tty_set_termios_ldisc function in drivers/tty/tty_ldisc.c in the Linux kernel before 4.5 allows local users to obtain sensitive information from kernel memory by reading a tty data structure. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dd42bf1197144ede075a9d4793123f7689e164bc
Linux kernel 3.4.5 | CVE-2016-6753 | An information disclosure vulnerability in kernel components, including the process-grouping subsystem and the networking subsystem, in Android before 2016-11-05 could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it first requires compromising a privileged process. Android ID: A-30149174. | Merge the Google 10# patch
zlib 1.2.3 | CVE-2016-6700 | An elevation of privilege vulnerability in libzipfile in Android 4.x before 4.4.4, 5.0.x before 5.0.2, and 5.1.x before 5.1.1 could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Android ID: A-30916186. | Merge the Google 10# patch
OpenSSL 1.0.1e | CVE-2014-8176 | The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data. | https://github.com/openssl/openssl/commit/470990fee0182566d439ef7e82d1abf18b7085d7
OpenSSL | CVE-2015-0292 | Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=d0666f289ac013094bbbf547bfbcd616199b7d2d
Linux kernel 3.4.5 | CVE-2012-6689 | The netlink_sendmsg function in net/netlink/af_netlink.c in the Linux kernel before 3.5.5 does not validate the dst_pid field, which allows local users to have an unspecified impact by spoofing Netlink messages. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=20e1db19db5d6b9e4e83021595eab0dc8f107bef
ffmpeg 2.6.6 | CVE-2016-6164 | Integer overflow in the mov_build_index function in libavformat/mov.c in FFmpeg before 2.8.8, 3.0.x before 3.0.3 and 3.1.x before 3.1.1 allows remote attackers to have unspecified impact via vectors involving sample size. | http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8a3221cc67a516dfc1700bdae3566ec52c7ee823
Linux kernel 3.4.5 | CVE-2016-10229 | Remote code execution vulnerability in the kernel networking subsystem (device specific). | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=197c949e7798fbf28cfadc69d9ca0c2abbf93191
ppp (pppd) | CVE-2014-3158 | Integer overflow in the getword function in options.c in pppd in Paul's PPP Package (ppp) before 2.4.7 allows attackers to "access privileged options" via a long word in an options file, which triggers a heap-based buffer overflow that "[corrupts] security-relevant variables." | https://github.com/paulusmack/ppp/commit/7658e8257183f062dc01f87969c140707c7e52cb
UPnP (libupnp) 1.6.12 | CVE-2016-8863 | Heap-based buffer overflow in the create_url_list function in gena/gena_device.c in Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a valid URI followed by an invalid one in the CALLBACK header of a SUBSCRIBE request. | https://sourceforge.net/p/pupnp/bugs/133/
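The trigger in the CVE-2016-8863 row, a valid URI followed by an invalid one in the CALLBACK header, is the classic shape of a count-then-copy mismatch: the allocation is sized by one pass over the header and filled by a second pass that does not agree with the first. The added example below is not libupnp code and not part of the release notes; it parses a CALLBACK header into a URL list with a single validity predicate driving both passes and a hard bound on the fill. The header values and the simplified predicate (a stand-in for the real URI parser) are constructed for the demonstration.

```c
/* Added example for the CVE-2016-8863 row: parsing a GENA SUBSCRIBE CALLBACK
 * header into a URL list without the count/copy mismatch the advisory
 * describes. Not libupnp code and not part of the release notes; the header
 * values and the validity predicate are constructed for the demonstration. */
#include <stdlib.h>
#include <string.h>

struct url_list {
    size_t count;
    char **urls;   /* count NUL-terminated strings */
};

/* Validity predicate shared by the counting and the copying pass. Accepts
 * absolute http URLs with a non-empty host (assumption: a stand-in for the
 * real parse_uri check). Everything else, including "<>", is rejected. */
static int valid_callback_url(const char *s, size_t len)
{
    static const char prefix[] = "http://";
    size_t plen = sizeof prefix - 1;
    if (len <= plen || memcmp(s, prefix, plen) != 0)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (s[i] == ' ' || s[i] == '<' || s[i] == '>')
            return 0;
    return s[plen] != '/';   /* host must be non-empty */
}

/* Walks "<item><item>..." and calls fn on each item; returns how many
 * times fn returned nonzero. An item without a closing '>' ends the walk. */
typedef int (*item_fn)(const char *s, size_t len, void *ctx);
static size_t for_each_item(const char *hdr, item_fn fn, void *ctx)
{
    size_t n = 0;
    const char *p = hdr, *q;
    while ((p = strchr(p, '<')) != NULL && (q = strchr(p + 1, '>')) != NULL) {
        if (fn(p + 1, (size_t)(q - p - 1), ctx))
            n++;
        p = q + 1;
    }
    return n;
}

static int count_item(const char *s, size_t len, void *ctx)
{
    (void)ctx;
    return valid_callback_url(s, len);
}

struct fill_ctx { struct url_list *list; size_t next; };

static int fill_item(const char *s, size_t len, void *ctx)
{
    struct fill_ctx *f = ctx;
    char *copy;
    if (!valid_callback_url(s, len) || f->next >= f->list->count)
        return 0;          /* same predicate as the count, plus a hard bound */
    if ((copy = malloc(len + 1)) == NULL)
        return 0;
    memcpy(copy, s, len);
    copy[len] = '\0';
    f->list->urls[f->next++] = copy;
    return 1;
}

/* Builds the list; 0 on success, -1 if no valid URL or allocation failed.
 * The number of entries written can never exceed the number allocated. */
int create_url_list(const char *callback_hdr, struct url_list *out)
{
    struct fill_ctx f = { out, 0 };
    size_t count = for_each_item(callback_hdr, count_item, NULL);
    out->count = 0;
    out->urls = NULL;
    if (count == 0 || (out->urls = calloc(count, sizeof *out->urls)) == NULL)
        return -1;
    out->count = count;
    for_each_item(callback_hdr, fill_item, &f);
    out->count = f.next;   /* equals count unless a malloc failed mid-way */
    return 0;
}

void free_url_list(struct url_list *l)
{
    for (size_t i = 0; i < l->count; i++)
        free(l->urls[i]);
    free(l->urls);
    l->urls = NULL;
    l->count = 0;
}

/* Constructed sample in the advisory's trigger shape: a valid URI followed by
 * an invalid one. Returns 1 if exactly the valid URL was kept, else 0. */
int demo_valid_then_invalid(void)
{
    struct url_list l;
    int ok;
    if (create_url_list("<http://192.0.2.10:49152/notify><not a url>", &l) != 0)
        return 0;
    ok = l.count == 1 && strcmp(l.urls[0], "http://192.0.2.10:49152/notify") == 0;
    free_url_list(&l);
    return ok;
}
```

The two defensive properties are independent: the shared predicate keeps the count and the fill in agreement, and the `f->next >= f->list->count` bound keeps a future divergence between them from becoming a heap write past the allocation.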
Linux kernel 3.4.5 | CVE-2015-9004 | kernel/events/core.c in the Linux kernel before 3.19 mishandles counter grouping, which allows local users to gain privileges via a crafted application, related to the perf_pmu_register and perf_event_open functions. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c3c87e770458aa004bd7ed3f29945ff436fd6511
Linux kernel 3.4.5 | CVE-2016-9794 | Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel before 4.7 allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4
Linux kernel 3.4.5 | (no CVE ID listed) | The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Linux kernel through 4.10.6 does not validate certain size data after an XFRM_MSG_NEWAE update, which allows local users to obtain root privileges or cause a denial of service (heap-based out-of-bounds access) by leveraging the CAP_NET_ADMIN capability, as demonstrated during a Pwn2Own competition at CanSecWest 2017 for the Ubuntu 16.10 linux-image-* package 4.8.0.41.52. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=677e806da4d916052585301785d847c3b3e6186a
Iptables 1.4.11.1 | CVE-2012-2663 | extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant. | http://www.spinics.net/lists/netfilter-devel/msg21248.html
Kernel 3.4.5 | CVE-2017-7487 | The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel through 4.11.1 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a failed SIOCGIFADDR ioctl call for an IPX interface. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ee0d8d8482345ff97a75a7d747efc309f13b0d80
Kernel 3.4.5 | CVE-2017-9074 | The IPv6 fragmentation implementation in the Linux kernel through 4.11.1 does not consider that the nexthdr field may be associated with an invalid option, which allows local users to cause a denial of service (out-of-bounds read and BUG) or possibly have unspecified other impact via crafted socket and send system calls. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2423496af35d94a87156b063ea5cedffc10a70a1
Kernel 3.4.5 | CVE-2017-9242 | The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=232cd35d0804cc241eb887bb8d4d9b3b9881c64a
Kernel 3.4.5 | CVE-2017-8890 | The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging use of the accept system call. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=657831ffc38e30092a2d5f03d385d710eb88b09a
Kernel 3.4.5 | CVE-2017-9075 | The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8
Kernel 3.4.5 | CVE-2017-9076 | The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=83eaddab4378db256d00d295bda6ca997cd13a52
Kernel 3.4.5 | CVE-2017-9077 | The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel through 4.11.1 mishandles inheritance, which allows local users to cause a denial of service or possibly have unspecified other impact via crafted system calls, a related issue to CVE-2017-8890. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=83eaddab4378db256d00d295bda6ca997cd13a52
Kernel 3.4.5 | CVE-2017-5970 | Technical details: The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Linux kernel through 4.9.9 allows attackers to cause a denial of service (system crash) via (1) an application that makes crafted system calls or possibly (2) IPv4 traffic with invalid IP options. This is due to dropping dst when bad IP options were present, which could lead to a NULL pointer dereference. Fix details: The fix is designed to only drop the dst packet if it's safe to do so. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=34b2cef20f19c87999fff3da4071e66937db9644
Kernel 3.4.5 | CVE-2017-0710 | Technical details: A process with CAP_SYS_RESOURCE bypasses the permission check, allowing arbitrary ptrace access. Fix details: The fix replaced CAP_SYS_RESOURCE with CAP_SYS_PTRACE for processes needing ptrace capability, and removed the CAP_SYS_RESOURCE bypass. | NA
Ffmpeg 2.6.6 | CVE-2017-7866 | FFmpeg before 2017-01-23 has an out-of-bounds write caused by a stack-based buffer overflow related to the decode_zbuf function in libavcodec/pngdec.c. | https://github.com/FFmpeg/FFmpeg/commit/e371f031b942d73e02c090170975561fabd5c264
Ffmpeg 2.6.6 | CVE-2016-2329 | |
Ffmpeg 2.6.6 | CVE-2016-7905 | The read_gab2_sub function in libavformat/avidec.c in FFmpeg before 3.1.4 allows remote attackers to cause a denial of service (NULL pointer used) via a crafted AVI file. | https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/622ccbd8ab894e3ac6cdf607e3d4f39e406786e9
Ffmpeg 2.6.6 | CVE-2016-7785 | The avi_read_seek function in libavformat/avidec.c in FFmpeg before 3.1.4 allows remote attackers to cause a denial of service (assert fault) via a crafted AVI file. | https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/c8c5f66b42edc37474baa5cb51460cbf6f33075b
Ffmpeg 2.6.6 | CVE-2013-4470 | The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b
Ffmpeg 2.6.6 | CVE-2013-4254 | The validate_event function in arch/arm/kernel/perf_event.c in the Linux kernel before 3.10.8 on the ARM platform allows local users to gain privileges or cause a denial of service (NULL pointer dereference and system crash) by adding a hardware event to an event group led by a software event. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c95eb3184ea1a3a2551df57190c81da695e2144b
Ffmpeg 2.6.6 | CVE-2013-2596 | Integer overflow in the fb_mmap function in drivers/video/fbmem.c in the Linux kernel before 3.8.9, as used in a certain Motorola build of Android 4.1.2 and other products, allows local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system calls, as demonstrated by the Motochopper pwn program. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b4cbb197c7e7a68dbad0d491242e3ca67420c13e
Ffmpeg 2.6.6 | CVE-2014-4653 | sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 does not ensure possession of a read/write lock, which allows local users to cause a denial of service (use-after-free) and obtain sensitive information from kernel memory by leveraging /dev/snd/controlCX access. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fd9f26e4eca5d08a27d12c0933fceef76ed9663d
Ffmpeg 2.6.6 | CVE-2013-1767 | Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5f00110f7273f9ff04ac69a5f85bb535a4fd0987
Ffmpeg 2.6.6 | CVE-2014-9420 | The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f54e18f1b831c92f6512d2eedb224cd63d607d3d
Ffmpeg 2.6.6 | CVE-2014-7975 | The do_umount function in fs/namespace.c in the Linux kernel through 3.17 does not require the CAP_SYS_ADMIN capability for do_remount_sb calls that change the root filesystem to read-only, which allows local users to cause a denial of service (loss of writability) by making certain unshare system calls, clearing the / MNT_LOCKED flag, and making an MNT_FORCE umount system call. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0ef3a56b1c466629cd0bf482b09c7b0e5a085bb5
Ffmpeg 2.6.6 | CVE-2012-6647 | The futex_wait_requeue_pi function in kernel/futex.c in the Linux kernel before 3.5.1 does not ensure that calls have two different futex addresses, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted FUTEX_WAIT_REQUEUE_PI command. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6f7b0a2a5c0fb03be7c25bd1745baa50582348ef
Ffmpeg 2.6.6 | CVE-2014-3122 | The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel before 3.14.3 does not properly consider which pages must be locked, which allows local users to cause a denial of service (system crash) by triggering a memory-usage pattern that requires removal of page-table mappings. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=57e68e9cd65b4b8eb4045a1e0d0746458502554c
Ffmpeg 2.6.6 | CVE-2014-1738 | The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2145e15e0557a01b9195d1c7199a1b92cb9be81f
Ffmpeg 2.6.6 | CVE-2013-6380 | The aac_send_raw_srb function in drivers/scsi/aacraid/commctrl.c in the Linux kernel through 3.12.1 does not properly validate a certain size value, which allows local users to cause a denial of service (invalid pointer dereference) or possibly have unspecified other impact via an FSACTL_SEND_RAW_SRB ioctl call that triggers a crafted SRB command. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b4789b8e6be3151a955ade74872822f30e8cd914
Ffmpeg 2.6.6 | CVE-2014-5472 | The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=410dd3cf4c9b36f27ed4542ee18b1af5e68645a4
Ffmpeg 2.6.6 | CVE-2014-5471 | Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=410dd3cf4c9b36f27ed4542ee18b1af5e68645a4
Ffmpeg 2.6.6 | CVE-2013-1774 | The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1ee0a224bc9aad1de496c795f96bc6ba2c394811
Ffmpeg 2.6.6 | CVE-2014-9584 | The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4e2024624e678f0ebb916e6192bd23c1f9fdf696
Ffmpeg 2.6.6 | CVE-2013-2148 | The fill_event_metadata function in fs/notify/fanotify/fanotify_user.c in the Linux kernel through 3.9.4 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a read operation on the fanotify descriptor. | https://lkml.org/lkml/2013/6/3/128
Ffmpeg 2.6.6 | CVE-2013-2147 | The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c. | https://lkml.org/lkml/2013/6/3/131 ; https://lkml.org/lkml/2013/6/3/127
Ffmpeg 2.6.6 | CVE-2013-2548 | Three errors resulting in kernel memory disclosure: 1/ The structures used for the netlink based crypto algorithm report API are located on the stack. As snprintf() does not fill the remainder of the buffer with null bytes, those stack bytes will be disclosed to users of the API. Switch to strncpy() to fix this. 2/ crypto_report_one() does not initialize all fields of struct crypto_user_alg. Fix this to fix the heap info leak. 3/ For the module name we should copy only as many bytes as module_name() returns -- not as much as the destination buffer could hold. But the current code does not and therefore copies random data from behind the end of the module name, as the module name is always shorter than CRYPTO_MAX_ALG_NAME. Also switch to use strncpy() to copy the algorithm's name and driver_name. They are strings, after all. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6
Ffmpeg 2.6.6 | CVE-2013-2547 | The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6
Ffmpeg 2.6.6 | CVE-2013-2546 | The report API in the crypto user configuration API in the Linux kernel through 3.8.2 uses an incorrect C library function for copying strings, which allows local users to obtain sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6
Ffmpeg 2.6.6 | CVE-2014-1739 | The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging /dev/media0 read access for a MEDIA_IOC_ENUM_ENTITIES ioctl call. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6a623460e5fc960ac3ee9f946d3106233fd28d8
Openssl 1.0.1e | CVE-2014-3569 | The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix. | https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=392fa7a952e97d82eac6958c81ed1e256e6b8ca5
linux kernel 3.4.5 | CVE-2012-6704 | The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUF or (2) SO_RCVBUF option. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=82981930125abfd39d7c8378a9cfdf5e1be2002b
Openssl 1.0.1e | CVE-2016-0705 | Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key. | https://git.openssl.org/?p=openssl.git;a=commit;h=6c88c71b4e4825c7bc0489306d062d017634eb88
linux kernel 3.4.5 | CVE-2017-10661 | The handling of the might_cancel queueing is not properly protected, so parallel operations on the file descriptor could race with each other and lead to list corruptions or use after free. | https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=1e38da300e1e395a15048b0af1e5305bd91402f6
linux kernel 3.4.5 | CVE-2017-7472 | The KEYS subsystem in the Linux kernel before 4.10.13 allows local users to cause a denial of service (memory consumption) via a series of KEY_REQKEY_DEFL_THREAD_KEYRING keyctl_set_reqkey_keyring calls. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c9f838d104fed6f2f61d68164712e3204bf5271b
linux kernel 3.4.5 | CVE-2017-6214 | The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ccf7abb93af09ad0868ae9033d1ca8108bdaec82
| CVE-2015-8539 | The KEYS subsystem in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=096fe9eaea40a17e125569f9e657e34cdb6d73bd
| CVE-2015-8966 | arch/arm/kernel/sys_oabi-compat.c in the Linux kernel before 4.4 allows local users to gain privileges via a crafted (1) F_OFD_GETLK, (2) F_OFD_SETLK, or (3) F_OFD_SETLKW command in an fcntl64 system call. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=76cc404bfdc0d419c720de4daaf2584542734f42
| CVE-2016-3134 | The netfilter subsystem in the Linux kernel through 4.5.2 does not validate certain offset fields, which allows local users to gain privileges or cause a denial of service (heap memory corruption) via an IPT_SO_SET_REPLACE setsockopt call. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=54d83fc74aa9ec72794373cb47432c5f7fb1a309
| CVE-2016-3841 | The IPv6 stack in the Linux kernel before 4.3.3 mishandles options data, which allows local users to gain privileges or cause a denial of service (use-after-free and system crash) via a crafted sendmsg system call. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=45f6fad84cc305103b28d73482b344d7f5b76f39
| CVE-2016-4805 | Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel before 4.5.2 allows local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1f461dcdd296eecedaffffc6bae2bfa90bd7eb89
| CVE-2016-7117 | Use-after-free vulnerability in the __sys_recvmmsg function in net/socket.c in the Linux kernel before 4.5.2 allows remote attackers to execute arbitrary code via vectors involving a recvmmsg system call that is mishandled during error processing. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=34b88a68f26a75e4fded796f1a49c40f82234b7d
| CVE-2016-9555 | The sctp_sf_ootb function in net/sctp/sm_statefuns.c in the Linux kernel before 4.8.8 lacks chunk-length checking for the first chunk, which allows remote attackers to cause a denial of service (out-of-bounds slab access) or possibly have unspecified other impact via crafted SCTP data. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bf911e985d6bbaa328c20c3e05f4eb03de11fdd6
| CVE-2016-9754 | The ring_buffer_resize function in kernel/trace/ring_buffer.c in the profiling subsystem in the Linux kernel before 4.6.1 mishandles certain integer calculations, which allows local users to gain privileges by writing to the /sys/kernel/debug/tracing/buffer_size_kb file. | https://github.com/torvalds/linux/commit/59643d1535eb220668692a5359de22545af579f6
| CVE-2016-9793 | The sock_setsockopt function in net/core/sock.c in the Linux kernel before 4.8.14 mishandles negative values of sk_sndbuf and sk_rcvbuf, which allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability for a crafted setsockopt system call with the (1) SO_SNDBUFFORCE or (2) SO_RCVBUFFORCE option. | https://github.com/torvalds/linux/commit/b98b0bc8c431e3ceb4b26b0dfc8db509518fb290
| CVE-2017-11176 | The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. | https://github.com/torvalds/linux/commit/f991af3daabaecff34684fd51fac80319d1baad1
| CVE-2017-5986 | Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state. | https://github.com/torvalds/linux/commit/2dcab598484185dea7ec22219c76dcdd59e3cb90
| CVE-2017-7308 | The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges (if the CAP_NET_RAW capability is held), via crafted system calls. | https://patchwork.ozlabs.org/patch/744812/ ; https://patchwork.ozlabs.org/patch/744813/ ; https://patchwork.ozlabs.org/patch/744811
| CVE-2017-7895 | The NFSv2 and NFSv3 server implementations in the Linux kernel through 4.10.13 lack certain checks for the end of a buffer, which allows remote attackers to trigger pointer-arithmetic errors or possibly have unspecified other impact via crafted requests, related to fs/nfsd/nfs3xdr.c and fs/nfsd/nfsxdr.c. | https://github.com/torvalds/linux/commit/13bf9fbff0e5e099e2b6f003a0ab8ae145436309
FFMPEG | CVE-2017-9993 | FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data. | https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021 ; https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb
System | CVE-2017-0841 | In the utf16_to_utf8_length function of libutils, there could be an integer overflow leading to remote code execution. | A-37723026
kernel | CVE-2017-0427 | If a thread's logd.auditd is scheduled while the group_leader of the thread's group is killed, that leader may be freed before the logging is completed. This may lead to use-after-free and memory corruption in the kernel, and possible code execution. | A-31495866
Openssl | CVE-2017-3731 | If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet could cause that server or client to perform an out-of-bounds read which could leak plaintext. | A-63710076
kernel | CVE-2017-0861 | A lack of synchronization in the SNDRV_CTL_IOCTL_PCM_INFO ioctl may cause memory to be freed while it is still in use by another thread. This leads to kernel memory corruption and possible code execution. | A-36006981
kernel | CVE-2015-3212 | Race condition in net/sctp/socket.c in the Linux kernel before 4.1.2 allows local users to cause a denial of service (list corruption and panic) via a rapid series of system calls related to sockets, as demonstrated by setsockopt calls. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2d45a02d0166caf2627fe91897c6ffc3b19514c4
Kernel | CVE-2017-6348 | The hashbin_delete function in net/irda/irqueue.c in the Linux kernel before 4.9.13 improperly manages lock dropping, which allows local users to cause a denial of service (deadlock) via crafted operations on IrDA devices. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4c03b862b12f980456f9de92db6d508a4999b788
Kernel | CVE-2017-10911 | The make_response function in drivers/block/xen-blkback/blkback.c in the Linux kernel before 4.11.8 allows guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures, aka XSA-216. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=089bc0143f489bd3a4578bdff5f4ca68fb26f341
Kernel | CVE-2016-8650 | The mpi_powm function in lib/mpi/mpi-pow.c in the Linux kernel through 4.8.11 does not ensure that memory is allocated for limb data, which allows local users to cause a denial of service (stack memory corruption and panic) via an add_key system call for an RSA key with a zero exponent. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f5527fffff3f002b0a6b376163613b82f69de073
Kernel | CVE-2016-5244 | The last field "flags" of object "minfo" is not initialized. Copying this object out may leak kernel stack data. Assign 0 to it to avoid leak. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4116def2337991b39919f3b448326e21c40e0dbb
Kernel | CVE-2016-4580 | Stack object "dte_facilities" is allocated in x25_rx_call_request(), which is supposed to be initialized in x25_negotiate_facilities. However, 5 fields (8 bytes in total) are not initialized. This object is then copied to userland via copy_to_user, thus infoleak occurs. | https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=79e48650320e6fba48369fccf13fd045315b19b8
Kernel | CVE-2016-10208 | Ralf Spenneberg reported that he hit a kernel crash when mounting a modified ext4 image. And it turns out that kernel crashed when calculating fs overhead (ext4_calculate_overhead()), this is because the image has very large s_first_meta_bg (debug code shows it's 842150400), and ext4 overruns the memory in count_overhead() when setting bitmap buffer, which is PAGE_SIZE. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3a4b77cd47bb837b8557595ec7425f281f2ca1fe
Kernel | CVE-2016-0821 | Poison pointer values should be small enough to find a room in non-mmap'able/hardly-mmap'able space. E.g. on x86 "poison pointer space" is located starting from 0x0. Given unprivileged users cannot mmap anything below mmap_min_addr, it should be safe to use poison pointers lower than mmap_min_addr. The current poison pointer values of LIST_POISON{1,2} might be too big for mmap_min_addr values equal or less than 1 MB (common case, e.g. Ubuntu uses only 0x10000). There is little point to use such a big value given the "poison pointer space" below 1 MB is not yet exhausted. Changing it to a smaller value solves the problem for small mmap_min_addr setups. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8a5e5e02fc83aaf67053ab53b359af08c6c49aaf
Kernel | CVE-2015-8539 | The KEYS subsystem in the Linux kernel before 4.4 allows local users to gain privileges or cause a denial of service (BUG) via crafted keyctl commands that negatively instantiate a key, related to security/keys/encrypted-keys/encrypted.c, security/keys/trusted.c, and security/keys/user_defined.c. | https://github.com/torvalds/linux/commit/096fe9eaea40a17e125569f9e657e34cdb6d73bd
Kernel | CVE-2015-8374 | fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0305cd5f7fca85dae392b9ba85b116896eb7c1c7
Kernel | CVE-2015-7799 | The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 does not ensure that certain slot numbers are valid, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call. | https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 ; https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=4ab42d78e37a294ac7bc56901d563c642e03c4ae
Kernel | CVE-2015-6252 | The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel before 4.1.5 allows local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent file-descriptor allocation. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7932c0bd7740f4cd2aa168d3ce0199e7af7d72d5
Kernel | CVE-2015-5707 | Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=451a2886b6bf90e2fb378f7c46c655450fb96e81
Kernel | CVE-2015-5697 | The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory via a GET_BITMAP_FILE ioctl call. | https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b6878d9e03043695dbf3fa1caa6dfc09db225b16
Kernel | CVE-2016-7915 | The hid_input_field function in drivers/hid/hid-core.c in the Linux kernel before 4.6 allows physically proximate attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) by connecting a device, as demonstrated by a Logitech DJ receiver. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=50220dead1650609206efe91f0cc116132d59b3f
Kernel | CVE-2017-14106 | The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel before 4.12 allows local users to cause a denial of service (__tcp_select_window divide-by-zero error and system crash) by triggering a disconnect within a certain tcp_recvmsg code path. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=499350a5a6e7512d9ed369ed63a4244b6536f4f8
Kernel | CVE-2016-4578 | sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions. | http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6 ; http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e4ec8cc8039a7063e24204299b462b
d1383184a5
Kernel CVE-201 The snd_timer_user_params function in http://git.
6-4569 sound/core/timer.c in the Linux kernel kernel.or
through 4.6 does not initialize a certain g/cgit/lin
data structure, which allows local users ux/kerne
to obtain sensitive information from l/git/torv
kernel stack memory via crafted use of alds/linu
the ALSA timer interface. x.git/co
mmit/?id
=cec8f9
6e49d9b
e372fdb
0c3836d
cf31ec7
1e457e
Kernel CVE-201 The fuse_fill_write_pages function in http://git.kernel.or
5-8785 fs/fuse/file.c in the Linux kernel before g/cgit/linux/kernel
4.4 allows local users to cause a denial of /git/torvalds/linux.
service (infinite loop) via a writev git/commit/?id=3c
system call that triggers a zero length for a8138f014a913f9
the first segment of an iov. 8e6ef40e939868
e1e9ea876
Kernel CVE-201 sound/core/timer.c in the Linux kernel http://git.kernel.or
6-2546 before 4.4.1 uses an incorrect type of g/cgit/linux/kernel
mutex, which allows local users to cause /git/torvalds/linux.
a denial of service (race condition, git/commit/?id=af
use-after-free, and system crash) via a 368027a49a751d
crafted ioctl call. 6ff4ee9e3f9961f3
5bb4fede
Kernel CVE-201 The Linux kernel before 4.5 allows local http://git.kernel.or
6-2550 users to bypass file-descriptor limits and g/cgit/linux/kernel
cause a denial of service (memory /git/torvalds/linux.
consumption) by leveraging incorrect git/commit/?id=41
tracking of descriptor ownership and 5e3d3e90ce9e18
sending each descriptor over a UNIX 727e8843ae343e
socket before closing it. NOTE: this da5a58fad6
vulnerability exists because of an
incorrect fix for CVE-2013-4312.
Kernel CVE-201 fs/pipe.c in the Linux kernel before 4.5 http://git.kernel.or
6-2847 does not limit the amount of unread data g/cgit/linux/kernel
in pipes, which allows local users to /git/torvalds/linux.
cause a denial of service (memory git/commit/?id=75
consumption) by creating many pipes 9c01142a5d0f36
with non-default sizes. 4a462346168a56
de28a80f52
Andriod CVE-20 KEYS: fix dereferencing NULL https://git.kernel.o
17-1527 payload with nonzero length rg/pub/scm/linux/
4 kernel/git/torvalds
/linux.git/commit/
?id=5649645d72
5c73df4302428e
e4e02c869248b4
c5
Andriod CVE-20 KEYS: prevent KEYCTL_READ https://git.kernel.o
17-1219 on negative key rg/pub/scm/linux/
2 kernel/git/torvalds

Page 49
B310s-927 Firmware Release Notes V13.0 CONFIDENTIAL

/linux.git/commit/
?id=37863c43b2c
6464f252862bf2e
9768264e961678
Andriod CVE-20 packet: fix tp_reserve race in https://git.kernel.o
17-1000 packet_set_ring rg/pub/scm/linux/
111 kernel/git/torvalds
/linux.git/commit/
?id=c27927e372f
0785f3303e8fad9
4b85945e2c97b7
Kernel CVE-201 The futex_requeue function in http://git.kernel.org/
8-6927 kernel/futex.c in the Linux kernel cgit/linux/kernel/git/
before 4.14.15 might allow torvalds/linux.git/co
mmit/?id=fbe0e839d
attackers to cause a denial of
1e22d88810f3ee3e2
service (integer overflow) or f1479be4c0aa4a
possibly have unspecified other
impact by triggering a negative
wake or requeue value.
Kernel 3.4.5 CVE-201 A flaw was found in the Linux https://github.com/to
8-1068 rvalds/linux/commit/
4.x kernel's implementation b71812168571fa55e
of 32-bit syscall interface for 44cdd0254471331b
bridging. This allowed a 9c4c4c6
privileged user to arbitrarily
write to a limited range of
kernel memory.
Kernel 3.4.5 CVE-201 The
7-17558
usb_destroy_configuration
function in
drivers/usb/core/config.c in
the USB core subsystem in
the Linux kernel through
4.14.5 does not consider the
maximum number of
configurations and interfaces
before attempting to release
resources, which allows local
users to cause a denial of
service (out-of-bounds write
access) or possibly have
unspecified other impact via
a crafted USB device.
Kernel 3.4.5 CVE-201 The raw_sendmsg() function CONFIRM:http://git
7-17712
in net/ipv4/raw.c in the Linux .kernel.org/cgit/linu
x/kernel/git/torvalds/
kernel through 4.14.6 has a
linux.git/commit/?id
race condition in =8f659a03a0ba9289
inet->hdrincl that leads to b9aeb9b4470e6fb26
uninitialized stack pointer 3d6f483
usage; this allows a local
user to execute code and
gain privileges.
Kernel 3.4.5 CVE-201 drivers/usb/core/config.c in MISC:https://github.
7-16531
the Linux kernel before com/torvalds/linux/c

Page 50
B310s-927 Firmware Release Notes V13.0 CONFIDENTIAL

4.13.6 allows local users to ommit/bd7a3fe770e


cause a denial of service bd8391d1c7d072ff8
8e9e76d063eb
(out-of-bounds read and
system crash) or possibly
have unspecified other
impact via a crafted USB
device, related to the
USB_DT_INTERFACE_ASSOCI
ATION descriptor.
Kernel 3.4.5 CVE-201 The usb_get_bos_descriptor MISC:https://github.
7-16535
function in com/torvalds/linux/c
ommit/1c0edc3633b
drivers/usb/core/config.c in
56000e18d82fc241e
the Linux kernel before 3995ca18a69e
4.13.10 allows local users to
cause a denial of service
(out-of-bounds read and
system crash) or possibly
have unspecified other
impact via a crafted USB
device.
Kernel 3.4.5 CVE-201 The futex_requeue function MISC:http://git.kern
8-6927
in kernel/futex.c in the Linux el.org/cgit/linux/ker
nel/git/torvalds/linux
kernel before 4.14.15 might
.git/commit/?id=fbe
allow attackers to cause a 0e839d1e22d88810f
denial of service (integer 3ee3e2f1479be4c0a
overflow) or possibly have a4a
unspecified other impact by
triggering a negative wake or
requeue value.

Page 51

You might also like