SUSE-SU-2023:1848-1: important: Security update for the Linux Kernel

sle-updates at lists.suse.com sle-updates at lists.suse.com
Fri Apr 14 16:30:52 UTC 2023



# Security update for the Linux Kernel

Announcement ID: SUSE-SU-2023:1848-1  
Rating: important  
References:

  * #1076830
  * #1192273
  * #1194535
  * #1207036
  * #1207125
  * #1207168
  * #1207795
  * #1208179
  * #1208599
  * #1208777
  * #1208811
  * #1208850
  * #1209008
  * #1209052
  * #1209256
  * #1209289
  * #1209291
  * #1209532
  * #1209547
  * #1209549
  * #1209634
  * #1209778
  * #1209845
  * #1209887

  
Cross-References:

  * CVE-2017-5753
  * CVE-2021-3923
  * CVE-2021-4203
  * CVE-2022-20567
  * CVE-2023-0590
  * CVE-2023-1076
  * CVE-2023-1095
  * CVE-2023-1281
  * CVE-2023-1390
  * CVE-2023-1513
  * CVE-2023-23454
  * CVE-2023-23455
  * CVE-2023-28328
  * CVE-2023-28464
  * CVE-2023-28772

  
CVSS scores:

  * CVE-2017-5753 ( SUSE ):  7.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  * CVE-2017-5753 ( NVD ):  5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  * CVE-2017-5753 ( NVD ):  5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
  * CVE-2021-3923 ( SUSE ):  3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  * CVE-2021-3923 ( NVD ):  2.3 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
  * CVE-2021-4203 ( SUSE ):  5.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
  * CVE-2021-4203 ( NVD ):  6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H
  * CVE-2022-20567 ( SUSE ):  6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
  * CVE-2022-20567 ( NVD ):  6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
  * CVE-2023-0590 ( SUSE ):  7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2023-0590 ( NVD ):  4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-1076 ( SUSE ):  4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
  * CVE-2023-1076 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  * CVE-2023-1095 ( SUSE ):  5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-1095 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-1281 ( SUSE ):  7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2023-1281 ( NVD ):  7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2023-1390 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-1390 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-1513 ( SUSE ):  3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  * CVE-2023-1513 ( NVD ):  3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  * CVE-2023-23454 ( SUSE ):  7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2023-23454 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-23455 ( SUSE ):  7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2023-23455 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-28464 ( SUSE ):  4.8 CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2023-28464 ( NVD ):  7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2023-28772 ( SUSE ):  3.0 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
  * CVE-2023-28772 ( NVD ):  7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  
Affected Products:

  * openSUSE Leap 15.4
  * SUSE CaaS Platform 4.0
  * SUSE Linux Enterprise High Availability Extension 15 SP1
  * SUSE Linux Enterprise High Performance Computing 15 SP1
  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
  * SUSE Linux Enterprise Live Patching 15-SP1
  * SUSE Linux Enterprise Server 15 SP1
  * SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP1
  * SUSE Manager Proxy 4.0
  * SUSE Manager Retail Branch Server 4.0
  * SUSE Manager Server 4.0

  
  
An update that solves 15 vulnerabilities and has nine fixes can now be
installed.

## Description:

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security
and bugfixes.

The following security bugs were fixed:

  * CVE-2017-5753: Fixed spectre V1 vulnerability on netlink (bsc#1209547).
  * CVE-2017-5753: Fixed spectre vulnerability in prlimit (bsc#1209256).
  * CVE-2021-3923: Fixed stack information leak vulnerability that could lead to
    kernel protection bypass in infiniband RDMA (bsc#1209778).
  * CVE-2021-4203: Fixed use-after-free read flaw that was found in
    sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS
    race with listen() (bsc#1194535).
  * CVE-2022-20567: Fixed use after free that could lead to a local privilege
    escalation in pppol2tp_create of l2tp_ppp.c (bsc#1208850).
  * CVE-2023-0590: Fixed race condition in qdisc_graft() (bsc#1207795).
  * CVE-2023-1076: Fixed incorrect UID assigned to tun/tap sockets
    (bsc#1208599).
  * CVE-2023-1095: Fixed a NULL pointer dereference in nf_tables due to zeroed
    list head (bsc#1208777).
  * CVE-2023-1281: Fixed use after free that could lead to privilege escalation
    in tcindex (bsc#1209634).
  * CVE-2023-1390: Fixed remote DoS vulnerability in tipc_link_xmit()
    (bsc#1209289).
  * CVE-2023-1513: Fixed an uninitialized portions of the kvm_debugregs
    structure that could be copied to userspace, causing an information leak
    (bsc#1209532).
  * CVE-2023-23454: Fixed a type-confusion in the CBQ network scheduler
    (bsc#1207036).
  * CVE-2023-23455: Fixed a denial of service inside atm_tc_enqueue in
    net/sched/sch_atm.c because of type confusion (non-negative numbers can
    sometimes indicate a TC_ACT_SHOT condition rather than valid classification
    results) (bsc#1207125).
  * CVE-2023-28328: Fixed a denial of service issue in az6027 driver in
    drivers/media/usb/dev-usb/az6027.c (bsc#1209291).
  * CVE-2023-28464: Fixed user-after-free that could lead to privilege
    escalation in hci_conn_cleanup in net/bluetooth/hci_conn.c (bsc#1209052).
  * CVE-2023-28772: Fixed buffer overflow in seq_buf_putmem_hex in lib/seq_buf.c
    (bsc#1209549).

The following non-security bugs were fixed:

  * Do not sign the vanilla kernel (bsc#1209008).
  * PCI: hv: Add a per-bus mutex state_lock (bsc#1208811).
  * PCI: hv: Fix a race condition in hv_irq_unmask() that can cause panic
    (bsc#1208811).
  * PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev
    (bsc#1208811).
  * PCI: hv: fix a race condition bug in hv_pci_query_relations() (bsc#1208811).
  * Revert "PCI: hv: Fix a timing issue which causes kdump to fail occasionally"
    (bsc#1208811).
  * cifs: fix double free in dfs mounts (bsc#1209845).
  * cifs: fix nodfs mount option (bsc#1209845).
  * cifs: handle reconnect of tcon when there is no cached dfs referral
    (bsc#1209845).
  * cifs: missing null pointer check in cifs_mount (bsc#1209845).
  * cifs: serialize all mount attempts (bsc#1209845).
  * cred: allow get_cred() and put_cred() to be given NULL (bsc#1209887).
  * ibmvnic: Process crqs after enabling interrupts (bsc#1192273 ltc#194629).
  * ibmvnic: do not stop queue in xmit (bsc#1192273 ltc#194629).
  * ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
    (bsc#1207168).
  * kernel-module-subpackage: Fix expansion with -b parameter (bsc#1208179).

## Special Instructions and Notes:

  * Please reboot the system after installing this update.

## Patch Instructions:

To install this SUSE Important update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.4  
    zypper in -t patch openSUSE-SLE-15.4-2023-1848=1

  * SUSE Linux Enterprise Live Patching 15-SP1  
    zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2023-1848=1

  * SUSE Linux Enterprise High Availability Extension 15 SP1  
    zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2023-1848=1

  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-1848=1

  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-1848=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP1  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2023-1848=1

  * SUSE CaaS Platform 4.0  
To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform
you if it detects new updates and let you then trigger updating of the complete
cluster in a controlled way.

## Package List:

  * openSUSE Leap 15.4 (nosrc)
    * kernel-zfcpdump-4.12.14-150100.197.142.1
    * kernel-kvmsmall-4.12.14-150100.197.142.1
    * kernel-debug-4.12.14-150100.197.142.1
    * kernel-default-4.12.14-150100.197.142.1
  * openSUSE Leap 15.4 (ppc64le x86_64)
    * kernel-debug-base-debuginfo-4.12.14-150100.197.142.1
    * kernel-debug-base-4.12.14-150100.197.142.1
  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
    * kernel-vanilla-livepatch-devel-4.12.14-150100.197.142.1
    * kernel-vanilla-devel-4.12.14-150100.197.142.1
    * kernel-vanilla-devel-debuginfo-4.12.14-150100.197.142.1
    * kernel-vanilla-debuginfo-4.12.14-150100.197.142.1
    * kernel-default-base-debuginfo-4.12.14-150100.197.142.1
    * kernel-vanilla-base-debuginfo-4.12.14-150100.197.142.1
    * kernel-vanilla-debugsource-4.12.14-150100.197.142.1
    * kernel-vanilla-base-4.12.14-150100.197.142.1
  * openSUSE Leap 15.4 (x86_64)
    * kernel-kvmsmall-base-debuginfo-4.12.14-150100.197.142.1
    * kernel-kvmsmall-base-4.12.14-150100.197.142.1
  * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 nosrc)
    * kernel-vanilla-4.12.14-150100.197.142.1
  * openSUSE Leap 15.4 (s390x)
    * kernel-default-man-4.12.14-150100.197.142.1
    * kernel-zfcpdump-man-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise Live Patching 15-SP1 (nosrc)
    * kernel-default-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise Live Patching 15-SP1 (ppc64le x86_64)
    * kernel-default-debugsource-4.12.14-150100.197.142.1
    * kernel-default-debuginfo-4.12.14-150100.197.142.1
    * kernel-livepatch-4_12_14-150100_197_142-default-1-150100.3.5.1
    * kernel-default-livepatch-4.12.14-150100.197.142.1
    * kernel-default-livepatch-devel-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise High Availability Extension 15 SP1 (aarch64 ppc64le
    s390x x86_64)
    * kernel-default-debugsource-4.12.14-150100.197.142.1
    * kernel-default-debuginfo-4.12.14-150100.197.142.1
    * gfs2-kmp-default-debuginfo-4.12.14-150100.197.142.1
    * cluster-md-kmp-default-4.12.14-150100.197.142.1
    * cluster-md-kmp-default-debuginfo-4.12.14-150100.197.142.1
    * dlm-kmp-default-4.12.14-150100.197.142.1
    * ocfs2-kmp-default-4.12.14-150100.197.142.1
    * gfs2-kmp-default-4.12.14-150100.197.142.1
    * ocfs2-kmp-default-debuginfo-4.12.14-150100.197.142.1
    * dlm-kmp-default-debuginfo-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise High Availability Extension 15 SP1 (nosrc)
    * kernel-default-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64
    nosrc x86_64)
    * kernel-default-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64
    x86_64)
    * kernel-default-devel-4.12.14-150100.197.142.1
    * kernel-obs-build-4.12.14-150100.197.142.1
    * kernel-default-debugsource-4.12.14-150100.197.142.1
    * kernel-default-debuginfo-4.12.14-150100.197.142.1
    * kernel-obs-build-debugsource-4.12.14-150100.197.142.1
    * kernel-default-base-4.12.14-150100.197.142.1
    * kernel-default-base-debuginfo-4.12.14-150100.197.142.1
    * kernel-default-devel-debuginfo-4.12.14-150100.197.142.1
    * kernel-syms-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (noarch)
    * kernel-source-4.12.14-150100.197.142.1
    * kernel-macros-4.12.14-150100.197.142.1
    * kernel-devel-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (noarch
    nosrc)
    * kernel-docs-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (aarch64 ppc64le s390x
    x86_64 nosrc)
    * kernel-default-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (aarch64 ppc64le s390x
    x86_64)
    * kernel-default-devel-4.12.14-150100.197.142.1
    * kernel-obs-build-4.12.14-150100.197.142.1
    * kernel-default-debugsource-4.12.14-150100.197.142.1
    * kernel-default-debuginfo-4.12.14-150100.197.142.1
    * kernel-obs-build-debugsource-4.12.14-150100.197.142.1
    * kernel-default-base-4.12.14-150100.197.142.1
    * kernel-default-base-debuginfo-4.12.14-150100.197.142.1
    * kernel-default-devel-debuginfo-4.12.14-150100.197.142.1
    * reiserfs-kmp-default-4.12.14-150100.197.142.1
    * kernel-syms-4.12.14-150100.197.142.1
    * reiserfs-kmp-default-debuginfo-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (noarch)
    * kernel-source-4.12.14-150100.197.142.1
    * kernel-macros-4.12.14-150100.197.142.1
    * kernel-devel-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (noarch nosrc)
    * kernel-docs-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (s390x)
    * kernel-default-man-4.12.14-150100.197.142.1
    * kernel-zfcpdump-debugsource-4.12.14-150100.197.142.1
    * kernel-zfcpdump-debuginfo-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (nosrc)
    * kernel-zfcpdump-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP1 (nosrc ppc64le
    x86_64)
    * kernel-default-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP1 (ppc64le x86_64)
    * kernel-default-devel-4.12.14-150100.197.142.1
    * kernel-obs-build-4.12.14-150100.197.142.1
    * kernel-default-debugsource-4.12.14-150100.197.142.1
    * kernel-default-debuginfo-4.12.14-150100.197.142.1
    * kernel-obs-build-debugsource-4.12.14-150100.197.142.1
    * kernel-default-base-4.12.14-150100.197.142.1
    * kernel-default-base-debuginfo-4.12.14-150100.197.142.1
    * kernel-default-devel-debuginfo-4.12.14-150100.197.142.1
    * reiserfs-kmp-default-4.12.14-150100.197.142.1
    * kernel-syms-4.12.14-150100.197.142.1
    * reiserfs-kmp-default-debuginfo-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP1 (noarch)
    * kernel-source-4.12.14-150100.197.142.1
    * kernel-macros-4.12.14-150100.197.142.1
    * kernel-devel-4.12.14-150100.197.142.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP1 (noarch nosrc)
    * kernel-docs-4.12.14-150100.197.142.1
  * SUSE CaaS Platform 4.0 (nosrc x86_64)
    * kernel-default-4.12.14-150100.197.142.1
  * SUSE CaaS Platform 4.0 (x86_64)
    * kernel-default-devel-4.12.14-150100.197.142.1
    * kernel-obs-build-4.12.14-150100.197.142.1
    * kernel-default-debugsource-4.12.14-150100.197.142.1
    * kernel-default-debuginfo-4.12.14-150100.197.142.1
    * kernel-obs-build-debugsource-4.12.14-150100.197.142.1
    * kernel-default-base-4.12.14-150100.197.142.1
    * kernel-default-base-debuginfo-4.12.14-150100.197.142.1
    * kernel-default-devel-debuginfo-4.12.14-150100.197.142.1
    * reiserfs-kmp-default-4.12.14-150100.197.142.1
    * kernel-syms-4.12.14-150100.197.142.1
    * reiserfs-kmp-default-debuginfo-4.12.14-150100.197.142.1
  * SUSE CaaS Platform 4.0 (noarch)
    * kernel-source-4.12.14-150100.197.142.1
    * kernel-macros-4.12.14-150100.197.142.1
    * kernel-devel-4.12.14-150100.197.142.1
  * SUSE CaaS Platform 4.0 (noarch nosrc)
    * kernel-docs-4.12.14-150100.197.142.1

## References:

  * https://www.suse.com/security/cve/CVE-2017-5753.html
  * https://www.suse.com/security/cve/CVE-2021-3923.html
  * https://www.suse.com/security/cve/CVE-2021-4203.html
  * https://www.suse.com/security/cve/CVE-2022-20567.html
  * https://www.suse.com/security/cve/CVE-2023-0590.html
  * https://www.suse.com/security/cve/CVE-2023-1076.html
  * https://www.suse.com/security/cve/CVE-2023-1095.html
  * https://www.suse.com/security/cve/CVE-2023-1281.html
  * https://www.suse.com/security/cve/CVE-2023-1390.html
  * https://www.suse.com/security/cve/CVE-2023-1513.html
  * https://www.suse.com/security/cve/CVE-2023-23454.html
  * https://www.suse.com/security/cve/CVE-2023-23455.html
  * https://www.suse.com/security/cve/CVE-2023-28328.html
  * https://www.suse.com/security/cve/CVE-2023-28464.html
  * https://www.suse.com/security/cve/CVE-2023-28772.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1076830
  * https://bugzilla.suse.com/show_bug.cgi?id=1192273
  * https://bugzilla.suse.com/show_bug.cgi?id=1194535
  * https://bugzilla.suse.com/show_bug.cgi?id=1207036
  * https://bugzilla.suse.com/show_bug.cgi?id=1207125
  * https://bugzilla.suse.com/show_bug.cgi?id=1207168
  * https://bugzilla.suse.com/show_bug.cgi?id=1207795
  * https://bugzilla.suse.com/show_bug.cgi?id=1208179
  * https://bugzilla.suse.com/show_bug.cgi?id=1208599
  * https://bugzilla.suse.com/show_bug.cgi?id=1208777
  * https://bugzilla.suse.com/show_bug.cgi?id=1208811
  * https://bugzilla.suse.com/show_bug.cgi?id=1208850
  * https://bugzilla.suse.com/show_bug.cgi?id=1209008
  * https://bugzilla.suse.com/show_bug.cgi?id=1209052
  * https://bugzilla.suse.com/show_bug.cgi?id=1209256
  * https://bugzilla.suse.com/show_bug.cgi?id=1209289
  * https://bugzilla.suse.com/show_bug.cgi?id=1209291
  * https://bugzilla.suse.com/show_bug.cgi?id=1209532
  * https://bugzilla.suse.com/show_bug.cgi?id=1209547
  * https://bugzilla.suse.com/show_bug.cgi?id=1209549
  * https://bugzilla.suse.com/show_bug.cgi?id=1209634
  * https://bugzilla.suse.com/show_bug.cgi?id=1209778
  * https://bugzilla.suse.com/show_bug.cgi?id=1209845
  * https://bugzilla.suse.com/show_bug.cgi?id=1209887

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20230414/e483c26b/attachment.htm>


More information about the sle-updates mailing list