SUSE-SU-2018:1482-1: important: Security update for the Linux Kernel

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Thu May 31 16:07:14 MDT 2018


   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:1482-1
Rating:             important
References:         #1013018 #1070404 #1072689 #1087082 #1088343 
                    #1089386 #1090607 #1091659 #1092497 #1093600 
                    #1093710 #919382 
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11-SP4
                    SUSE Linux Enterprise Server 11-SP4
                    SUSE Linux Enterprise Server 11-EXTRA
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:



   The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
   security and bugfixes.

   This update main focus is a regression fix in SystemV IPC handling.
   (bsc#1093600)

   The following non-security bugs were fixed:

   - Drop cBPF SSBD as classic BPF does not really have a proper concept of
     pointers, and without eBPF maps the out-of-bounds access in speculative
     execution branch can't be mounted. Moreoever, seccomp BPF uses only such
     a subset of BPF that can only do absolute indexing, and therefore
     seccomp data buffer boundarier can't be crossed. Information condensed
     from Alexei and Kees.
   - ibrs used instead of retpoline on Haswell processor with
     spectre_v2=retpoline (bsc#1092497)
   - ib/mlx4: Convert slave port before building address-handle (bug#919382
     FATE#317529).
   - KABI protect struct _lowcore (bsc#1089386).
   - Update config files, add Spectre mitigation for s390x (bnc#1089386,
     LTC#166572).
   - Update s390 config files (bsc#1089386).
   - fanotify: fix logic of events on child (bsc#1013018).
   - ipc/msg: Fix faulty parsing of msgctl args (bsc#1093600,bsc#1072689).
   - ocfs2/dlm: Fix up kABI in dlm_ctxt (bsc#1070404).
   - ocfs2/dlm: wait for dlm recovery done when migrating all lock resources
     (bsc#1013018).
   - powerpc, KVM: Split HVMODE_206 cpu feature bit into separate HV and
     architecture bits (bsc#1087082).
   - powerpc: Fix /proc/cpuinfo revision for POWER9 DD2 (FATE#325713,
     bsc#1093710).
   - s390/cio: update chpid descriptor after resource accessibility event
     (bnc#1091659, LTC#167429).
   - s390/dasd: fix IO error for newly defined devices (bnc#1091659,
     LTC#167398).
   - s390/qdio: fix access to uninitialized qdio_q fields (bnc#1091659,
     LTC#168037).
   - s390/qeth: on channel error, reject further cmd requests (bnc#1088343,
     LTC#165985).
   - s390: add automatic detection of the spectre defense (bnc#1089386,
     LTC#166572).
   - s390: add optimized array_index_mask_nospec (bnc#1089386, LTC#166572).
   - s390: add sysfs attributes for spectre (bnc#1089386, LTC#166572).
   - s390: correct module section names for expoline code revert
     (bsc#1089386).
   - s390: correct nospec auto detection init order (bnc#1089386, LTC#166572).
   - s390: do not bypass BPENTER for interrupt system calls (bnc#1089386,
     LTC#166572).
   - s390: fix retpoline build on 31bit (bsc#1089386).
   - s390: improve cpu alternative handling for gmb and nobp (bnc#1089386,
     LTC#166572).
   - s390: introduce execute-trampolines for branches (bnc#1089386,
     LTC#166572).
   - s390: move nobp parameter functions to nospec-branch.c (bnc#1089386,
     LTC#166572).
   - s390: report spectre mitigation via syslog (bnc#1089386, LTC#166572).
   - s390: run user space and KVM guests with modified branch prediction
     (bnc#1089386, LTC#166572).
   - s390: scrub registers on kernel entry and KVM exit (bnc#1089386,
     LTC#166572).
   - x86, mce: Fix mce_start_timer semantics (bsc#1090607).
   - x86/kaiser: symbol kaiser_set_shadow_pgd() exported with non GPL


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11-SP4:

      zypper in -t patch sdksp4-kernel-20180526-13635=1

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-kernel-20180526-13635=1

   - SUSE Linux Enterprise Server 11-EXTRA:

      zypper in -t patch slexsp3-kernel-20180526-13635=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-kernel-20180526-13635=1



Package List:

   - SUSE Linux Enterprise Software Development Kit 11-SP4 (noarch):

      kernel-docs-3.0.101-108.52.2

   - SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      kernel-default-3.0.101-108.52.1
      kernel-default-base-3.0.101-108.52.1
      kernel-default-devel-3.0.101-108.52.1
      kernel-source-3.0.101-108.52.1
      kernel-syms-3.0.101-108.52.1
      kernel-trace-3.0.101-108.52.1
      kernel-trace-base-3.0.101-108.52.1
      kernel-trace-devel-3.0.101-108.52.1

   - SUSE Linux Enterprise Server 11-SP4 (i586 x86_64):

      kernel-ec2-3.0.101-108.52.1
      kernel-ec2-base-3.0.101-108.52.1
      kernel-ec2-devel-3.0.101-108.52.1
      kernel-xen-3.0.101-108.52.1
      kernel-xen-base-3.0.101-108.52.1
      kernel-xen-devel-3.0.101-108.52.1

   - SUSE Linux Enterprise Server 11-SP4 (ppc64):

      kernel-bigmem-3.0.101-108.52.1
      kernel-bigmem-base-3.0.101-108.52.1
      kernel-bigmem-devel-3.0.101-108.52.1
      kernel-ppc64-3.0.101-108.52.1
      kernel-ppc64-base-3.0.101-108.52.1
      kernel-ppc64-devel-3.0.101-108.52.1

   - SUSE Linux Enterprise Server 11-SP4 (s390x):

      kernel-default-man-3.0.101-108.52.1

   - SUSE Linux Enterprise Server 11-SP4 (i586):

      kernel-pae-3.0.101-108.52.1
      kernel-pae-base-3.0.101-108.52.1
      kernel-pae-devel-3.0.101-108.52.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586 ia64 ppc64 s390x x86_64):

      kernel-default-extra-3.0.101-108.52.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586 x86_64):

      kernel-xen-extra-3.0.101-108.52.1

   - SUSE Linux Enterprise Server 11-EXTRA (x86_64):

      kernel-trace-extra-3.0.101-108.52.1

   - SUSE Linux Enterprise Server 11-EXTRA (ppc64):

      kernel-ppc64-extra-3.0.101-108.52.1

   - SUSE Linux Enterprise Server 11-EXTRA (i586):

      kernel-pae-extra-3.0.101-108.52.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

      kernel-default-debuginfo-3.0.101-108.52.1
      kernel-default-debugsource-3.0.101-108.52.1
      kernel-trace-debuginfo-3.0.101-108.52.1
      kernel-trace-debugsource-3.0.101-108.52.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 s390x x86_64):

      kernel-default-devel-debuginfo-3.0.101-108.52.1
      kernel-trace-devel-debuginfo-3.0.101-108.52.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):

      kernel-ec2-debuginfo-3.0.101-108.52.1
      kernel-ec2-debugsource-3.0.101-108.52.1
      kernel-xen-debuginfo-3.0.101-108.52.1
      kernel-xen-debugsource-3.0.101-108.52.1
      kernel-xen-devel-debuginfo-3.0.101-108.52.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64):

      kernel-bigmem-debuginfo-3.0.101-108.52.1
      kernel-bigmem-debugsource-3.0.101-108.52.1
      kernel-ppc64-debuginfo-3.0.101-108.52.1
      kernel-ppc64-debugsource-3.0.101-108.52.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586):

      kernel-pae-debuginfo-3.0.101-108.52.1
      kernel-pae-debugsource-3.0.101-108.52.1
      kernel-pae-devel-debuginfo-3.0.101-108.52.1


References:

   https://bugzilla.suse.com/1013018
   https://bugzilla.suse.com/1070404
   https://bugzilla.suse.com/1072689
   https://bugzilla.suse.com/1087082
   https://bugzilla.suse.com/1088343
   https://bugzilla.suse.com/1089386
   https://bugzilla.suse.com/1090607
   https://bugzilla.suse.com/1091659
   https://bugzilla.suse.com/1092497
   https://bugzilla.suse.com/1093600
   https://bugzilla.suse.com/1093710
   https://bugzilla.suse.com/919382



More information about the sle-security-updates mailing list