SUSE-SU-2018:1377-2: important: Security update for the Linux Kernel

sle-security-updates at lists.suse.com
Thu Oct 18 11:51:05 MDT 2018


   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:1377-2
Rating:             important
References:         #1056427 #1068032 #1075087 #1080157 #1087082 
                    #1090953 #1091041 #1092289 #1093215 #1094019 
                    
Cross-References:   CVE-2018-3639
Affected Products:
                    SUSE Linux Enterprise Server 12-SP2-BCL
______________________________________________________________________________

   An update that solves one vulnerability and has 9 fixes is
   now available.

Description:



   The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive
   various security and bug fixes.

   The following security bug was fixed:

   - CVE-2018-3639: Information leaks using "Memory Disambiguation" feature
     in modern CPUs were mitigated, aka "Spectre Variant 4" (bnc#1087082).

     A new boot command-line option, "spec_store_bypass_disable", was
     introduced. It accepts the following values:

     - auto: Kernel detects whether your CPU model contains an implementation
       of Speculative Store Bypass and picks the most appropriate mitigation.
     - on: disable Speculative Store Bypass
     - off: enable Speculative Store Bypass
     - prctl: Control Speculative Store Bypass per thread via prctl.
       Speculative Store Bypass is enabled for a process by default. The
       state of the control is inherited on fork.
     - seccomp: Same as "prctl" above, but all seccomp threads will disable
       SSB unless they explicitly opt out.

     The default is "seccomp", meaning programs need to explicitly opt in to
     the mitigation.

     Status can be queried via the
     /sys/devices/system/cpu/vulnerabilities/spec_store_bypass file, which
     contains one of the following:

     - "Vulnerable"
     - "Mitigation: Speculative Store Bypass disabled"
     - "Mitigation: Speculative Store Bypass disabled via prctl"
     - "Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
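
     The per-thread control that the "prctl" and "seccomp" modes expose, as an added example (not part of the SUSE advisory or the kernel sources): it queries the calling thread's state, opts in to the mitigation and queries again. It assumes the updated kernel provides the upstream PR_GET_SPECULATION_CTRL / PR_SET_SPECULATION_CTRL interface; the helper names ssb_state, ssb_query and ssb_opt_in are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
/* Fallbacks for old userspace headers (values from the kernel's linux/prctl.h). */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif

/* Decode the value PR_GET_SPECULATION_CTRL returns for Speculative Store Bypass. */
const char *ssb_state(long r)
{
    if (r < 0)  return "kernel has no speculation prctl";
    if (r == 0) return "CPU not affected";
    if (!(r & PR_SPEC_PRCTL))  /* boot option "on" or "off": fixed system-wide */
        return (r & PR_SPEC_DISABLE) ? "SSB disabled system-wide"
                                     : "SSB enabled, no per-thread control";
    if (r & PR_SPEC_FORCE_DISABLE) return "SSB disabled for this thread (forced)";
    if (r & PR_SPEC_DISABLE)       return "SSB disabled for this thread";
    return "SSB enabled for this thread (not mitigated)";
}

/* Query the calling thread's SSB control; returns -1 if the kernel lacks it. */
long ssb_query(void)
{
    return prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS, 0UL, 0UL, 0UL);
}

/* Opt this thread into the mitigation; 0 or -errno (-ENXIO: no prctl control). */
int ssb_opt_in(void)
{
    return prctl(PR_SET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS,
                 (unsigned long)PR_SPEC_DISABLE, 0UL, 0UL) == 0 ? 0 : -errno;
}

int main(void)
{
    printf("before: %s\n", ssb_state(ssb_query()));
    int rc = ssb_opt_in();
    if (rc) printf("opt-in not applied: %s\n", strerror(-rc));
    printf("after:  %s\n", ssb_state(ssb_query()));
    return 0;
}
```

     Because the state of the control is inherited on fork, a process that calls ssb_opt_in() before forking also covers its children.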

   The following related and non-security bugs were fixed:

   - cpuid: Fix cpuid.edx.7.0 propagation to guest
   - ext4: Fix hole length detection in ext4_ind_map_blocks() (bsc#1090953).
   - ibmvnic: Clean actual number of RX or TX pools (bsc#1092289).
   - kvm: Introduce nopvspin kernel parameter (bsc#1056427).
   - kvm: Fix nopvspin static branch init usage (bsc#1056427).
   - powerpc/64: Use barrier_nospec in syscall entry (bsc#1068032,
     bsc#1080157).
   - powerpc/64s: Add barrier_nospec (bsc#1068032, bsc#1080157).
   - powerpc/64s: Add support for ori barrier_nospec patching (bsc#1068032,
     bsc#1080157).
   - powerpc/64s: Enable barrier_nospec based on firmware settings
     (bsc#1068032, bsc#1080157).
   - powerpc/64s: Enhance the information in cpu_show_meltdown()
     (bsc#1068032, bsc#1075087, bsc#1091041).
   - powerpc/64s: Enhance the information in cpu_show_spectre_v1()
     (bsc#1068032).
   - powerpc/64s: Fix section mismatch warnings from setup_rfi_flush()
     (bsc#1068032, bsc#1075087, bsc#1091041).
   - powerpc/64s: Move cpu_show_meltdown() (bsc#1068032, bsc#1075087,
     bsc#1091041).
   - powerpc/64s: Patch barrier_nospec in modules (bsc#1068032, bsc#1080157).
   - powerpc/64s: Wire up cpu_show_spectre_v1() (bsc#1068032, bsc#1075087,
     bsc#1091041).
   - powerpc/64s: Wire up cpu_show_spectre_v2() (bsc#1068032, bsc#1075087,
     bsc#1091041).
   - powerpc/powernv: Set or clear security feature flags (bsc#1068032,
     bsc#1075087, bsc#1091041).
   - powerpc/powernv: Use the security flags in pnv_setup_rfi_flush()
     (bsc#1068032, bsc#1075087, bsc#1091041).
   - powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags (bsc#1068032,
     bsc#1075087, bsc#1091041).
   - powerpc/pseries: Fix clearing of security feature flags (bsc#1068032,
     bsc#1075087, bsc#1091041).
   - powerpc/pseries: Restore default security feature flags on setup
     (bsc#1068032, bsc#1075087, bsc#1091041).
   - powerpc/pseries: Set or clear security feature flags (bsc#1068032,
     bsc#1075087, bsc#1091041).
   - powerpc/pseries: Use the security flags in pseries_setup_rfi_flush()
     (bsc#1068032, bsc#1075087, bsc#1091041).
   - powerpc/rfi-flush: Always enable fallback flush on pseries (bsc#1068032,
     bsc#1075087, bsc#1091041).
   - powerpc/rfi-flush: Differentiate enabled and patched flush types
     (bsc#1068032, bsc#1075087, bsc#1091041).
   - powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again
     (bsc#1068032, bsc#1075087, bsc#1091041).
   - powerpc: Add security feature flags for Spectre/Meltdown (bsc#1068032,
     bsc#1075087, bsc#1091041).
   - powerpc: Move default security feature flags (bsc#1068032, bsc#1075087,
     bsc#1091041).
   - powerpc: Use barrier_nospec in copy_from_user() (bsc#1068032,
     bsc#1080157).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2018-956=1



Package List:

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      kernel-devel-4.4.121-92.80.1
      kernel-macros-4.4.121-92.80.1
      kernel-source-4.4.121-92.80.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      kernel-default-4.4.121-92.80.1
      kernel-default-base-4.4.121-92.80.1
      kernel-default-base-debuginfo-4.4.121-92.80.1
      kernel-default-debuginfo-4.4.121-92.80.1
      kernel-default-debugsource-4.4.121-92.80.1
      kernel-default-devel-4.4.121-92.80.1
      kernel-syms-4.4.121-92.80.1
      kgraft-patch-4_4_121-92_80-default-1-3.5.2


References:

   https://www.suse.com/security/cve/CVE-2018-3639.html
   https://bugzilla.suse.com/1056427
   https://bugzilla.suse.com/1068032
   https://bugzilla.suse.com/1075087
   https://bugzilla.suse.com/1080157
   https://bugzilla.suse.com/1087082
   https://bugzilla.suse.com/1090953
   https://bugzilla.suse.com/1091041
   https://bugzilla.suse.com/1092289
   https://bugzilla.suse.com/1093215
   https://bugzilla.suse.com/1094019


