SUSE-SU-2019:1287-1: important: Security update for the Linux Kernel

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Fri May 17 13:08:57 MDT 2019


   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:1287-1
Rating:             important
References:         #1012382 #1024908 #1034113 #1043485 #1068032 
                    #1073311 #1080157 #1080533 #1082632 #1087231 
                    #1087659 #1087906 #1093158 #1094268 #1096748 
                    #1100152 #1103186 #1106913 #1109772 #1111331 
                    #1112178 #1113399 #1116841 #1118338 #1119019 
                    #1122822 #1124832 #1125580 #1129279 #1131416 
                    #1131427 #1131587 #1132673 #1132828 #1133188 
                    
Cross-References:   CVE-2016-8636 CVE-2017-17741 CVE-2017-18174
                    CVE-2018-1091 CVE-2018-1120 CVE-2018-1128
                    CVE-2018-1129 CVE-2018-12126 CVE-2018-12127
                    CVE-2018-12130 CVE-2018-19407 CVE-2019-11091
                    CVE-2019-11486 CVE-2019-3882 CVE-2019-8564
                    CVE-2019-9503
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise High Availability 12-SP2
                    SUSE Enterprise Storage 4
                    OpenStack Cloud Magnum Orchestration 7
______________________________________________________________________________

   An update that solves 16 vulnerabilities and has 19 fixes
   is now available.

Description:

   The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various
   security and bugfixes.

   Four new speculative execution information leak issues have been
   identified in Intel CPUs. (bsc#1111331)

   - CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
   - CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
   - CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
   - CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory
     (MDSUM)

   This kernel update contains software mitigations for these issues, which
   also utilize CPU microcode updates shipped in parallel.

   For more information on this set of information leaks, check out
   https://www.suse.com/support/kb/doc/?id=7023736

   The following security bugs were fixed:

   - CVE-2018-1128: It was found that cephx authentication protocol did not
     verify ceph clients correctly and was vulnerable to replay attack. Any
     attacker having access to ceph cluster network who is able to sniff
     packets on network could use this vulnerability to authenticate with
     ceph service and perform actions allowed by ceph service. (bnc#1096748).
   - CVE-2018-1129: A flaw was found in the way signature calculation was
     handled by cephx authentication protocol. An attacker having access to
     ceph cluster network who is able to alter the message payload was able
     to bypass signature checks done by cephx protocol. (bnc#1096748).
   - CVE-2016-8636: Integer overflow in the mem_check_range function in
     drivers/infiniband/sw/rxe/rxe_mr.c allowed local users to cause a denial
     of service (memory corruption), obtain sensitive information or possibly
     have unspecified other impact via a write or read request involving the
     "RDMA protocol over infiniband" (aka Soft RoCE) technology (bnc#1024908).
   - CVE-2017-18174: In the amd_gpio_remove function in
     drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function,
     leading to a double free (bnc#1080533).
   - CVE-2018-1091: In the flush_tmregs_to_thread function in
     arch/powerpc/kernel/ptrace.c, a guest kernel crash can be triggered from
     unprivileged userspace during a core dump on a POWER host due to a
     missing processor feature check and an erroneous use of transactional
     memory (TM) instructions in the core dump path, leading to a denial of
     service (bnc#1087231).
   - CVE-2018-1120: By mmap()ing a FUSE-backed file onto a process's memory
     containing command line arguments (or environment strings), an attacker
     can cause utilities from psutils or procps (such as ps, w) or any other
     program which made a read() call to the /proc/<pid>/cmdline (or
     /proc/<pid>/environ) files to block indefinitely (denial of service) or
     for some controlled time (as a synchronization primitive for other
     attacks) (bnc#1093158).
   - CVE-2019-11486: The Siemens R3964 line discipline driver in
     drivers/tty/n_r3964.c has multiple race conditions (bnc#1133188).
   - CVE-2019-3882: A flaw was found in the vfio interface implementation
     that permits violation of the user's locked memory limit. If a device is
     bound to a vfio driver, such as vfio-pci, and the local attacker is
     administratively granted ownership of the device, it may cause a system
     memory exhaustion and thus a denial of service (DoS) (bsc#1131427).
   - CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c
     allowed local users to cause a denial of service (NULL pointer
     dereference and BUG) via crafted system calls that reach a situation
     where ioapic is uninitialized (bnc#1116841).
   - CVE-2017-17741: The KVM implementation allowed attackers to obtain
     potentially sensitive information from kernel memory, aka a write_mmio
     stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and
     include/trace/events/kvm.h (bnc#1073311).
   - CVE-2019-9503, CVE-2019-8564: Multiple brcmfmac frame validation
     bypasses have been fixed (bnc#1132828, bnc#1132673).

   The following non-security bugs were fixed:

   - ACPI: acpi_pad: Do not launch acpi_pad threads on idle cpus
     (bsc#1113399).
   - add mainline tags to four hyperv patches
   - cpu/speculation: Add 'mitigations=' cmdline option (bsc#1112178).
   - Drivers: hv: vmbus: Define an API to retrieve virtual processor index
     (bsc#1122822).
   - Drivers: hv: vmbus: Define APIs to manipulate the event page
     (bsc#1122822).
   - Drivers: hv: vmbus: Define APIs to manipulate the message page
     (bsc#1122822).++ kernel-source.spec (revision 4)Release:
     <RELEASE>.gbd4498d
   - Drivers: hv: vmbus: Define APIs to manipulate the synthetic interrupt
     controller (bsc#1122822).
   - hv: v4.12 API for hyperv-iommu (bsc#1122822).
   - iommu/hyper-v: Add Hyper-V stub IOMMU driver (bsc#1122822).
   - jump_label: remove bug.h, atomic.h dependencies for HAVE_JUMP_LABEL
     (bsc#1111331).
   - kvm: x86: Report STIBP on GET_SUPPORTED_CPUID (bsc#1111331).
   - locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to
     a new <linux/bits.h> file (bsc#1111331).
   - MDS: Add CVE refs
   - net: ena: add functions for handling Low Latency Queues in ena_com
     (bsc#1129279).
   - net: ena: add functions for handling Low Latency Queues in ena_netdev
     (bsc#1129279).
   - net: ena: change rx copybreak default to reduce kernel memory pressure
     (bsc#1129279).
   - net: ena: complete host info to match latest ENA spec (bsc#1129279).
   - net: ena: enable Low Latency Queues (bsc#1129279).
   - net: ena: explicit casting and initialization, and clearer error
     handling (bsc#1129279).
   - net: ena: fix auto casting to boolean (bsc#1129279).
   - net: ena: fix compilation error in xtensa architecture (bsc#1129279).
   - net: ena: fix crash during ena_remove() (bsc#1129279).
   - net: ena: fix crash during failed resume from hibernation (bsc#1129279).
   - net: ena: fix indentations in ena_defs for better readability
     (bsc#1129279).
   - net: ena: Fix Kconfig dependency on X86 (bsc#1129279).
   - net: ena: fix NULL dereference due to untimely napi initialization
     (bsc#1129279).
   - net: ena: fix race between link up and device initalization
     (bsc#1129279).
   - net: ena: fix rare bug when failed restart/resume is followed by driver
     removal (bsc#1129279).
   - net: ena: fix warning in rmmod caused by double iounmap (bsc#1129279).
   - net: ena: introduce Low Latency Queues data structures according to ENA
     spec (bsc#1129279).
   - net: ena: limit refill Rx threshold to 256 to avoid latency issues
     (bsc#1129279).
   - net: ena: minor performance improvement (bsc#1129279).
   - net: ena: remove ndo_poll_controller (bsc#1129279).
   - net: ena: remove redundant parameter in ena_com_admin_init()
     (bsc#1129279).
   - net: ena: update driver version from 2.0.1 to 2.0.2 (bsc#1129279).
   - net: ena: update driver version from 2.0.2 to 2.0.3 (bsc#1129279).
   - net: ena: update driver version to 2.0.1 (bsc#1129279).
   - net: ena: use CSUM_CHECKED device indication to report skb's checksum
     status (bsc#1129279).
   - PCI: hv: Add vPCI version protocol negotiation (bnc#1043485,
     bsc#1122822).
   - PCI: hv: Allocate interrupt descriptors with GFP_ATOMIC (bnc#1034113,
     bsc#1122822).
   - PCI: hv: Disable/enable IRQs rather than BH in hv_compose_msi_msg()
     (bnc#1094268, bsc#1122822).
   - PCI: hv: Do not sleep in compose_msi_msg() (bsc#1082632, bsc#1122822).
   - PCI: hv: Fix 2 hang issues in hv_compose_msi_msg() (bsc#1087659,
     bsc#1087906, bsc#1122822).
   - PCI: hv: Fix a comment typo in _hv_pcifront_read_config() (bsc#1087659,
     bsc#1122822).
   - PCI: hv: Fix comment formatting and use proper integer fields
     (bnc#1043485, bsc#1122822).
   - PCI: hv: Only queue new work items in hv_pci_devices_present() if
     necessary (bsc#1087659, bsc#1122822).
   - PCI: hv: Remove the bogus test in hv_eject_device_work() (bsc#1087659,
     bsc#1122822).
   - PCI: hv: Serialize the present and eject work items (bsc#1087659,
     bsc#1122822).
   - PCI: hv: Specify CPU_AFFINITY_ALL for MSI affinity when >= 32 CPUs
     (bnc#1043485, bsc#1122822).
   - PCI: hv: Temporary own CPU-number-to-vCPU-number infra (bnc#1043485,
     bsc#1122822).
   - PCI: hv: Use effective affinity mask (bsc#1109772, bsc#1122822).
   - PCI: hv: Use page allocation for hbus structure (bnc#1043485,
     bsc#1122822).
   - PCI: hv: Use vPCI protocol version 1.2 (bnc#1043485, bsc#1122822).
   - pci-hyperv: increase HV_VP_SET_BANK_COUNT_MAX to handle 1792 vcpus
     (bsc#1122822).
   - powerpc/64: Disable the speculation barrier from the command line
     (bsc#1068032).
   - powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032,
     git-fixes).
   - powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2
     (bsc#1068032, bsc#1080157, git-fixes).
   - powerpc/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
   - powerpc/tm: Add commandline option to disable hardware transactional
     memory (bsc#1118338).
   - powerpc/tm: Add TM Unavailable Exception (bsc#1118338).
   - powerpc/tm: Flip the HTM switch default to disabled (bsc#1125580).
   - powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 (bsc#1131587).
   - powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038
     (bsc#1131587).
   - s390: add explicit <linux/stringify.h> for jump label (bsc#1111331).
   - sched/core: Optimize SCHED_SMT (bsc#1111331).
   - sched/smt: Expose sched_smt_present static key (bsc#1106913).
   - sched/smt: Make sched_smt_present track topology (bsc#1106913).
   - sched/smt: Update sched_smt_present at runtime (bsc#1111331).
   - scripts/git_sort/git_sort.py: Add fixes branch from mkp/scsi.git.
   - scsi: ibmvscsi: Fix empty event pool access during host removal
     (bsc#1119019).
   - scsi: storvsc: Reduce default ring buffer size to 128 Kbytes ().
   - time: Introduce jiffies64_to_nsecs() (bsc#1113399).
   - Use upstream variant of two pci-hyperv patches
   - vti6: flush x-netns xfrm cache when vti interface is removed
     (bnc#1012382 bsc#1100152).
   - x86/apic: Provide apic_ack_irq() (bsc#1122822).
   - x86/bugs: Add AMD's variant of SSB_NO (bsc#1111331).
   - x86/bugs: Rename SSBD_NO to SSB_NO (bsc#1111331).
   - x86/cpu: Rename Merrifield2 to Moorefield (bsc#1111331).
   - x86/cpu: Sanitize FAM6_ATOM naming (bsc#1111331).
   - x86/Hyper-V: Set x2apic destination mode to physical when x2apic is
     available (bsc#1122822).
   - x86/irq: implement irq_data_get_effective_affinity_mask() for v4.12
     (bsc#1109772, bsc#1122822).
   - x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests (bsc#1111331).
   - x86/kvm/vmx: Add MDS protection when L1D Flush is not active
     (bsc#1111331).
   - x86/msr-index: Cleanup bit defines (bsc#1111331).
   - x86/speculation: Consolidate CPU whitelists (bsc#1111331).
   - x86/speculation/mds: Add basic bug infrastructure for MDS (bsc#1111331).
   - x86/speculation/mds: Add BUG_MSBDS_ONLY (bsc#1111331).
   - x86/speculation/mds: Add mds_clear_cpu_buffers() (bsc#1111331).
   - x86/speculation/mds: Add mds=full,nosmt cmdline option (bsc#1111331).
   - x86/speculation/mds: Add mitigation control for MDS (bsc#1111331).
   - x86/speculation/mds: Add mitigation mode VMWERV (bsc#1111331).
   - x86/speculation/mds: Add 'mitigations=' support for MDS (bsc#1111331).
   - x86/speculation/mds: Add SMT warning message (bsc#1111331).
   - x86/speculation/mds: Add sysfs reporting for MDS (bsc#1111331).
   - x86/speculation/mds: Clear CPU buffers on exit to user (bsc#1111331).
   - x86/speculation/mds: Conditionally clear CPU buffers on idle entry
     (bsc#1111331).
   - x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
     (bsc#1111331).
   - x86/speculation: Move arch_smt_update() call to after mitigation
     decisions (bsc#1111331).
   - x86/speculation: Remove redundant arch_smt_update() invocation
     (bsc#1111331).
   - x86/speculation: Rework SMT state change (bsc#1111331).
   - x86/speculation: Simplify the CPU bug detection logic (bsc#1111331).
   - x86/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
   - x86: stop exporting msr-index.h to userland (bsc#1111331).
   - xfrm6: call kfree_skb when skb is toobig (bnc#1012382 bsc#1100152).
   - xfrm: fix missing dst_release() after policy blocking lbcast and
     multicast (bnc#1012382 bsc#1100152).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2019-1287=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-1287=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-1287=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-1287=1

   - SUSE Linux Enterprise High Availability 12-SP2:

      zypper in -t patch SUSE-SLE-HA-12-SP2-2019-1287=1

   - SUSE Enterprise Storage 4:

      zypper in -t patch SUSE-Storage-4-2019-1287=1

   - OpenStack Cloud Magnum Orchestration 7:

      zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2019-1287=1



Package List:

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      kernel-default-4.4.121-92.109.2
      kernel-default-base-4.4.121-92.109.2
      kernel-default-base-debuginfo-4.4.121-92.109.2
      kernel-default-debuginfo-4.4.121-92.109.2
      kernel-default-debugsource-4.4.121-92.109.2
      kernel-default-devel-4.4.121-92.109.2
      kernel-syms-4.4.121-92.109.2

   - SUSE OpenStack Cloud 7 (noarch):

      kernel-devel-4.4.121-92.109.2
      kernel-macros-4.4.121-92.109.2
      kernel-source-4.4.121-92.109.2

   - SUSE OpenStack Cloud 7 (x86_64):

      kgraft-patch-4_4_121-92_109-default-1-3.5.2

   - SUSE OpenStack Cloud 7 (s390x):

      kernel-default-man-4.4.121-92.109.2

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      kernel-default-4.4.121-92.109.2
      kernel-default-base-4.4.121-92.109.2
      kernel-default-base-debuginfo-4.4.121-92.109.2
      kernel-default-debuginfo-4.4.121-92.109.2
      kernel-default-debugsource-4.4.121-92.109.2
      kernel-default-devel-4.4.121-92.109.2
      kernel-syms-4.4.121-92.109.2
      kgraft-patch-4_4_121-92_109-default-1-3.5.2

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      kernel-devel-4.4.121-92.109.2
      kernel-macros-4.4.121-92.109.2
      kernel-source-4.4.121-92.109.2

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      kernel-default-4.4.121-92.109.2
      kernel-default-base-4.4.121-92.109.2
      kernel-default-base-debuginfo-4.4.121-92.109.2
      kernel-default-debuginfo-4.4.121-92.109.2
      kernel-default-debugsource-4.4.121-92.109.2
      kernel-default-devel-4.4.121-92.109.2
      kernel-syms-4.4.121-92.109.2

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64):

      kgraft-patch-4_4_121-92_109-default-1-3.5.2

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

      kernel-devel-4.4.121-92.109.2
      kernel-macros-4.4.121-92.109.2
      kernel-source-4.4.121-92.109.2

   - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x):

      kernel-default-man-4.4.121-92.109.2

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      kernel-devel-4.4.121-92.109.2
      kernel-macros-4.4.121-92.109.2
      kernel-source-4.4.121-92.109.2

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      kernel-default-4.4.121-92.109.2
      kernel-default-base-4.4.121-92.109.2
      kernel-default-base-debuginfo-4.4.121-92.109.2
      kernel-default-debuginfo-4.4.121-92.109.2
      kernel-default-debugsource-4.4.121-92.109.2
      kernel-default-devel-4.4.121-92.109.2
      kernel-syms-4.4.121-92.109.2

   - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):

      cluster-md-kmp-default-4.4.121-92.109.2
      cluster-md-kmp-default-debuginfo-4.4.121-92.109.2
      cluster-network-kmp-default-4.4.121-92.109.2
      cluster-network-kmp-default-debuginfo-4.4.121-92.109.2
      dlm-kmp-default-4.4.121-92.109.2
      dlm-kmp-default-debuginfo-4.4.121-92.109.2
      gfs2-kmp-default-4.4.121-92.109.2
      gfs2-kmp-default-debuginfo-4.4.121-92.109.2
      kernel-default-debuginfo-4.4.121-92.109.2
      kernel-default-debugsource-4.4.121-92.109.2
      ocfs2-kmp-default-4.4.121-92.109.2
      ocfs2-kmp-default-debuginfo-4.4.121-92.109.2

   - SUSE Enterprise Storage 4 (noarch):

      kernel-devel-4.4.121-92.109.2
      kernel-macros-4.4.121-92.109.2
      kernel-source-4.4.121-92.109.2

   - SUSE Enterprise Storage 4 (x86_64):

      kernel-default-4.4.121-92.109.2
      kernel-default-base-4.4.121-92.109.2
      kernel-default-base-debuginfo-4.4.121-92.109.2
      kernel-default-debuginfo-4.4.121-92.109.2
      kernel-default-debugsource-4.4.121-92.109.2
      kernel-default-devel-4.4.121-92.109.2
      kernel-syms-4.4.121-92.109.2
      kgraft-patch-4_4_121-92_109-default-1-3.5.2

   - OpenStack Cloud Magnum Orchestration 7 (x86_64):

      kernel-default-4.4.121-92.109.2
      kernel-default-debuginfo-4.4.121-92.109.2
      kernel-default-debugsource-4.4.121-92.109.2


References:

   https://www.suse.com/security/cve/CVE-2016-8636.html
   https://www.suse.com/security/cve/CVE-2017-17741.html
   https://www.suse.com/security/cve/CVE-2017-18174.html
   https://www.suse.com/security/cve/CVE-2018-1091.html
   https://www.suse.com/security/cve/CVE-2018-1120.html
   https://www.suse.com/security/cve/CVE-2018-1128.html
   https://www.suse.com/security/cve/CVE-2018-1129.html
   https://www.suse.com/security/cve/CVE-2018-12126.html
   https://www.suse.com/security/cve/CVE-2018-12127.html
   https://www.suse.com/security/cve/CVE-2018-12130.html
   https://www.suse.com/security/cve/CVE-2018-19407.html
   https://www.suse.com/security/cve/CVE-2019-11091.html
   https://www.suse.com/security/cve/CVE-2019-11486.html
   https://www.suse.com/security/cve/CVE-2019-3882.html
   https://www.suse.com/security/cve/CVE-2019-8564.html
   https://www.suse.com/security/cve/CVE-2019-9503.html
   https://bugzilla.suse.com/1012382
   https://bugzilla.suse.com/1024908
   https://bugzilla.suse.com/1034113
   https://bugzilla.suse.com/1043485
   https://bugzilla.suse.com/1068032
   https://bugzilla.suse.com/1073311
   https://bugzilla.suse.com/1080157
   https://bugzilla.suse.com/1080533
   https://bugzilla.suse.com/1082632
   https://bugzilla.suse.com/1087231
   https://bugzilla.suse.com/1087659
   https://bugzilla.suse.com/1087906
   https://bugzilla.suse.com/1093158
   https://bugzilla.suse.com/1094268
   https://bugzilla.suse.com/1096748
   https://bugzilla.suse.com/1100152
   https://bugzilla.suse.com/1103186
   https://bugzilla.suse.com/1106913
   https://bugzilla.suse.com/1109772
   https://bugzilla.suse.com/1111331
   https://bugzilla.suse.com/1112178
   https://bugzilla.suse.com/1113399
   https://bugzilla.suse.com/1116841
   https://bugzilla.suse.com/1118338
   https://bugzilla.suse.com/1119019
   https://bugzilla.suse.com/1122822
   https://bugzilla.suse.com/1124832
   https://bugzilla.suse.com/1125580
   https://bugzilla.suse.com/1129279
   https://bugzilla.suse.com/1131416
   https://bugzilla.suse.com/1131427
   https://bugzilla.suse.com/1131587
   https://bugzilla.suse.com/1132673
   https://bugzilla.suse.com/1132828
   https://bugzilla.suse.com/1133188



More information about the sle-security-updates mailing list