SUSE-SU-2019:1287-1: important: Security update for the Linux Kernel
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Fri May 17 13:08:57 MDT 2019
SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: SUSE-SU-2019:1287-1
Rating: important
References: #1012382 #1024908 #1034113 #1043485 #1068032
#1073311 #1080157 #1080533 #1082632 #1087231
#1087659 #1087906 #1093158 #1094268 #1096748
#1100152 #1103186 #1106913 #1109772 #1111331
#1112178 #1113399 #1116841 #1118338 #1119019
#1122822 #1124832 #1125580 #1129279 #1131416
#1131427 #1131587 #1132673 #1132828 #1133188
Cross-References: CVE-2016-8636 CVE-2017-17741 CVE-2017-18174
CVE-2018-1091 CVE-2018-1120 CVE-2018-1128
CVE-2018-1129 CVE-2018-12126 CVE-2018-12127
CVE-2018-12130 CVE-2018-19407 CVE-2019-11091
CVE-2019-11486 CVE-2019-3882 CVE-2019-8564
CVE-2019-9503
Affected Products:
SUSE OpenStack Cloud 7
SUSE Linux Enterprise Server for SAP 12-SP2
SUSE Linux Enterprise Server 12-SP2-LTSS
SUSE Linux Enterprise Server 12-SP2-BCL
SUSE Linux Enterprise High Availability 12-SP2
SUSE Enterprise Storage 4
OpenStack Cloud Magnum Orchestration 7
______________________________________________________________________________
An update that solves 16 vulnerabilities and has 19 fixes
is now available.
Description:
The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various
security and bugfixes.
Four new speculative execution information leak issues have been
identified in Intel CPUs. (bsc#1111331)
- CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
- CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)
- CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)
- CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory
(MDSUM)
This kernel update contains software mitigations for these issues, which
also utilize CPU microcode updates shipped in parallel.
For more information on this set of information leaks, check out
https://www.suse.com/support/kb/doc/?id=7023736
The following security bugs were fixed:
- CVE-2018-1128: It was found that cephx authentication protocol did not
verify ceph clients correctly and was vulnerable to replay attack. Any
attacker having access to ceph cluster network who is able to sniff
packets on network could use this vulnerability to authenticate with
ceph service and perform actions allowed by ceph service. (bnc#1096748).
- CVE-2018-1129: A flaw was found in the way signature calculation was
handled by cephx authentication protocol. An attacker having access to
ceph cluster network who is able to alter the message payload was able
to bypass signature checks done by cephx protocol. (bnc#1096748).
- CVE-2016-8636: Integer overflow in the mem_check_range function in
drivers/infiniband/sw/rxe/rxe_mr.c allowed local users to cause a denial
of service (memory corruption), obtain sensitive information or possibly
have unspecified other impact via a write or read request involving the
"RDMA protocol over infiniband" (aka Soft RoCE) technology (bnc#1024908).
- CVE-2017-18174: In the amd_gpio_remove function in
drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function,
leading to a double free (bnc#1080533).
- CVE-2018-1091: In the flush_tmregs_to_thread function in
arch/powerpc/kernel/ptrace.c, a guest kernel crash can be triggered from
unprivileged userspace during a core dump on a POWER host due to a
missing processor feature check and an erroneous use of transactional
memory (TM) instructions in the core dump path, leading to a denial of
service (bnc#1087231).
- CVE-2018-1120: By mmap()ing a FUSE-backed file onto a process's memory
containing command line arguments (or environment strings), an attacker
can cause utilities from psutils or procps (such as ps, w) or any other
program which made a read() call to the /proc/<pid>/cmdline (or
/proc/<pid>/environ) files to block indefinitely (denial of service) or
for some controlled time (as a synchronization primitive for other
attacks) (bnc#1093158).
- CVE-2019-11486: The Siemens R3964 line discipline driver in
drivers/tty/n_r3964.c has multiple race conditions (bnc#1133188).
- CVE-2019-3882: A flaw was found in the vfio interface implementation
that permits violation of the user's locked memory limit. If a device is
bound to a vfio driver, such as vfio-pci, and the local attacker is
administratively granted ownership of the device, it may cause a system
memory exhaustion and thus a denial of service (DoS) (bsc#1131427).
- CVE-2018-19407: The vcpu_scan_ioapic function in arch/x86/kvm/x86.c
allowed local users to cause a denial of service (NULL pointer
dereference and BUG) via crafted system calls that reach a situation
where ioapic is uninitialized (bnc#1116841).
- CVE-2017-17741: The KVM implementation allowed attackers to obtain
potentially sensitive information from kernel memory, aka a write_mmio
stack-based out-of-bounds read, related to arch/x86/kvm/x86.c and
include/trace/events/kvm.h (bnc#1073311).
- CVE-2019-9503, CVE-2019-8564: Multiple brcmfmac frame validation
bypasses have been fixed (bnc#1132828, bnc#1132673).
The following non-security bugs were fixed:
- ACPI: acpi_pad: Do not launch acpi_pad threads on idle cpus
(bsc#1113399).
- add mainline tags to four hyperv patches
- cpu/speculation: Add 'mitigations=' cmdline option (bsc#1112178).
- Drivers: hv: vmbus: Define an API to retrieve virtual processor index
(bsc#1122822).
- Drivers: hv: vmbus: Define APIs to manipulate the event page
(bsc#1122822).
- Drivers: hv: vmbus: Define APIs to manipulate the message page
(bsc#1122822).++ kernel-source.spec (revision 4)Release:
<RELEASE>.gbd4498d
- Drivers: hv: vmbus: Define APIs to manipulate the synthetic interrupt
controller (bsc#1122822).
- hv: v4.12 API for hyperv-iommu (bsc#1122822).
- iommu/hyper-v: Add Hyper-V stub IOMMU driver (bsc#1122822).
- jump_label: remove bug.h, atomic.h dependencies for HAVE_JUMP_LABEL
(bsc#1111331).
- kvm: x86: Report STIBP on GET_SUPPORTED_CPUID (bsc#1111331).
- locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to
a new <linux/bits.h> file (bsc#1111331).
- MDS: Add CVE refs
- net: ena: add functions for handling Low Latency Queues in ena_com
(bsc#1129279).
- net: ena: add functions for handling Low Latency Queues in ena_netdev
(bsc#1129279).
- net: ena: change rx copybreak default to reduce kernel memory pressure
(bsc#1129279).
- net: ena: complete host info to match latest ENA spec (bsc#1129279).
- net: ena: enable Low Latency Queues (bsc#1129279).
- net: ena: explicit casting and initialization, and clearer error
handling (bsc#1129279).
- net: ena: fix auto casting to boolean (bsc#1129279).
- net: ena: fix compilation error in xtensa architecture (bsc#1129279).
- net: ena: fix crash during ena_remove() (bsc#1129279).
- net: ena: fix crash during failed resume from hibernation (bsc#1129279).
- net: ena: fix indentations in ena_defs for better readability
(bsc#1129279).
- net: ena: Fix Kconfig dependency on X86 (bsc#1129279).
- net: ena: fix NULL dereference due to untimely napi initialization
(bsc#1129279).
- net: ena: fix race between link up and device initalization
(bsc#1129279).
- net: ena: fix rare bug when failed restart/resume is followed by driver
removal (bsc#1129279).
- net: ena: fix warning in rmmod caused by double iounmap (bsc#1129279).
- net: ena: introduce Low Latency Queues data structures according to ENA
spec (bsc#1129279).
- net: ena: limit refill Rx threshold to 256 to avoid latency issues
(bsc#1129279).
- net: ena: minor performance improvement (bsc#1129279).
- net: ena: remove ndo_poll_controller (bsc#1129279).
- net: ena: remove redundant parameter in ena_com_admin_init()
(bsc#1129279).
- net: ena: update driver version from 2.0.1 to 2.0.2 (bsc#1129279).
- net: ena: update driver version from 2.0.2 to 2.0.3 (bsc#1129279).
- net: ena: update driver version to 2.0.1 (bsc#1129279).
- net: ena: use CSUM_CHECKED device indication to report skb's checksum
status (bsc#1129279).
- PCI: hv: Add vPCI version protocol negotiation (bnc#1043485,
bsc#1122822).
- PCI: hv: Allocate interrupt descriptors with GFP_ATOMIC (bnc#1034113,
bsc#1122822).
- PCI: hv: Disable/enable IRQs rather than BH in hv_compose_msi_msg()
(bnc#1094268, bsc#1122822).
- PCI: hv: Do not sleep in compose_msi_msg() (bsc#1082632, bsc#1122822).
- PCI: hv: Fix 2 hang issues in hv_compose_msi_msg() (bsc#1087659,
bsc#1087906, bsc#1122822).
- PCI: hv: Fix a comment typo in _hv_pcifront_read_config() (bsc#1087659,
bsc#1122822).
- PCI: hv: Fix comment formatting and use proper integer fields
(bnc#1043485, bsc#1122822).
- PCI: hv: Only queue new work items in hv_pci_devices_present() if
necessary (bsc#1087659, bsc#1122822).
- PCI: hv: Remove the bogus test in hv_eject_device_work() (bsc#1087659,
bsc#1122822).
- PCI: hv: Serialize the present and eject work items (bsc#1087659,
bsc#1122822).
- PCI: hv: Specify CPU_AFFINITY_ALL for MSI affinity when >= 32 CPUs
(bnc#1043485, bsc#1122822).
- PCI: hv: Temporary own CPU-number-to-vCPU-number infra (bnc#1043485,
bsc#1122822).
- PCI: hv: Use effective affinity mask (bsc#1109772, bsc#1122822).
- PCI: hv: Use page allocation for hbus structure (bnc#1043485,
bsc#1122822).
- PCI: hv: Use vPCI protocol version 1.2 (bnc#1043485, bsc#1122822).
- pci-hyperv: increase HV_VP_SET_BANK_COUNT_MAX to handle 1792 vcpus
(bsc#1122822).
- powerpc/64: Disable the speculation barrier from the command line
(bsc#1068032).
- powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032,
git-fixes).
- powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2
(bsc#1068032, bsc#1080157, git-fixes).
- powerpc/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
- powerpc/tm: Add commandline option to disable hardware transactional
memory (bsc#1118338).
- powerpc/tm: Add TM Unavailable Exception (bsc#1118338).
- powerpc/tm: Flip the HTM switch default to disabled (bsc#1125580).
- powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 (bsc#1131587).
- powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038
(bsc#1131587).
- s390: add explicit <linux/stringify.h> for jump label (bsc#1111331).
- sched/core: Optimize SCHED_SMT (bsc#1111331).
- sched/smt: Expose sched_smt_present static key (bsc#1106913).
- sched/smt: Make sched_smt_present track topology (bsc#1106913).
- sched/smt: Update sched_smt_present at runtime (bsc#1111331).
- scripts/git_sort/git_sort.py: Add fixes branch from mkp/scsi.git.
- scsi: ibmvscsi: Fix empty event pool access during host removal
(bsc#1119019).
- scsi: storvsc: Reduce default ring buffer size to 128 Kbytes ().
- time: Introduce jiffies64_to_nsecs() (bsc#1113399).
- Use upstream variant of two pci-hyperv patches
- vti6: flush x-netns xfrm cache when vti interface is removed
(bnc#1012382 bsc#1100152).
- x86/apic: Provide apic_ack_irq() (bsc#1122822).
- x86/bugs: Add AMD's variant of SSB_NO (bsc#1111331).
- x86/bugs: Rename SSBD_NO to SSB_NO (bsc#1111331).
- x86/cpu: Rename Merrifield2 to Moorefield (bsc#1111331).
- x86/cpu: Sanitize FAM6_ATOM naming (bsc#1111331).
- x86/Hyper-V: Set x2apic destination mode to physical when x2apic is
available (bsc#1122822).
- x86/irq: implement irq_data_get_effective_affinity_mask() for v4.12
(bsc#1109772, bsc#1122822).
- x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests (bsc#1111331).
- x86/kvm/vmx: Add MDS protection when L1D Flush is not active
(bsc#1111331).
- x86/msr-index: Cleanup bit defines (bsc#1111331).
- x86/speculation: Consolidate CPU whitelists (bsc#1111331).
- x86/speculation/mds: Add basic bug infrastructure for MDS (bsc#1111331).
- x86/speculation/mds: Add BUG_MSBDS_ONLY (bsc#1111331).
- x86/speculation/mds: Add mds_clear_cpu_buffers() (bsc#1111331).
- x86/speculation/mds: Add mds=full,nosmt cmdline option (bsc#1111331).
- x86/speculation/mds: Add mitigation control for MDS (bsc#1111331).
- x86/speculation/mds: Add mitigation mode VMWERV (bsc#1111331).
- x86/speculation/mds: Add 'mitigations=' support for MDS (bsc#1111331).
- x86/speculation/mds: Add SMT warning message (bsc#1111331).
- x86/speculation/mds: Add sysfs reporting for MDS (bsc#1111331).
- x86/speculation/mds: Clear CPU buffers on exit to user (bsc#1111331).
- x86/speculation/mds: Conditionally clear CPU buffers on idle entry
(bsc#1111331).
- x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
(bsc#1111331).
- x86/speculation: Move arch_smt_update() call to after mitigation
decisions (bsc#1111331).
- x86/speculation: Remove redundant arch_smt_update() invocation
(bsc#1111331).
- x86/speculation: Rework SMT state change (bsc#1111331).
- x86/speculation: Simplify the CPU bug detection logic (bsc#1111331).
- x86/speculation: Support 'mitigations=' cmdline option (bsc#1112178).
- x86: stop exporting msr-index.h to userland (bsc#1111331).
- xfrm6: call kfree_skb when skb is toobig (bnc#1012382 bsc#1100152).
- xfrm: fix missing dst_release() after policy blocking lbcast and
multicast (bnc#1012382 bsc#1100152).
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud 7:
zypper in -t patch SUSE-OpenStack-Cloud-7-2019-1287=1
- SUSE Linux Enterprise Server for SAP 12-SP2:
zypper in -t patch SUSE-SLE-SAP-12-SP2-2019-1287=1
- SUSE Linux Enterprise Server 12-SP2-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2019-1287=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2019-1287=1
- SUSE Linux Enterprise High Availability 12-SP2:
zypper in -t patch SUSE-SLE-HA-12-SP2-2019-1287=1
- SUSE Enterprise Storage 4:
zypper in -t patch SUSE-Storage-4-2019-1287=1
- OpenStack Cloud Magnum Orchestration 7:
zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2019-1287=1
Package List:
- SUSE OpenStack Cloud 7 (s390x x86_64):
kernel-default-4.4.121-92.109.2
kernel-default-base-4.4.121-92.109.2
kernel-default-base-debuginfo-4.4.121-92.109.2
kernel-default-debuginfo-4.4.121-92.109.2
kernel-default-debugsource-4.4.121-92.109.2
kernel-default-devel-4.4.121-92.109.2
kernel-syms-4.4.121-92.109.2
- SUSE OpenStack Cloud 7 (noarch):
kernel-devel-4.4.121-92.109.2
kernel-macros-4.4.121-92.109.2
kernel-source-4.4.121-92.109.2
- SUSE OpenStack Cloud 7 (x86_64):
kgraft-patch-4_4_121-92_109-default-1-3.5.2
- SUSE OpenStack Cloud 7 (s390x):
kernel-default-man-4.4.121-92.109.2
- SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):
kernel-default-4.4.121-92.109.2
kernel-default-base-4.4.121-92.109.2
kernel-default-base-debuginfo-4.4.121-92.109.2
kernel-default-debuginfo-4.4.121-92.109.2
kernel-default-debugsource-4.4.121-92.109.2
kernel-default-devel-4.4.121-92.109.2
kernel-syms-4.4.121-92.109.2
kgraft-patch-4_4_121-92_109-default-1-3.5.2
- SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):
kernel-devel-4.4.121-92.109.2
kernel-macros-4.4.121-92.109.2
kernel-source-4.4.121-92.109.2
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):
kernel-default-4.4.121-92.109.2
kernel-default-base-4.4.121-92.109.2
kernel-default-base-debuginfo-4.4.121-92.109.2
kernel-default-debuginfo-4.4.121-92.109.2
kernel-default-debugsource-4.4.121-92.109.2
kernel-default-devel-4.4.121-92.109.2
kernel-syms-4.4.121-92.109.2
- SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64):
kgraft-patch-4_4_121-92_109-default-1-3.5.2
- SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):
kernel-devel-4.4.121-92.109.2
kernel-macros-4.4.121-92.109.2
kernel-source-4.4.121-92.109.2
- SUSE Linux Enterprise Server 12-SP2-LTSS (s390x):
kernel-default-man-4.4.121-92.109.2
- SUSE Linux Enterprise Server 12-SP2-BCL (noarch):
kernel-devel-4.4.121-92.109.2
kernel-macros-4.4.121-92.109.2
kernel-source-4.4.121-92.109.2
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
kernel-default-4.4.121-92.109.2
kernel-default-base-4.4.121-92.109.2
kernel-default-base-debuginfo-4.4.121-92.109.2
kernel-default-debuginfo-4.4.121-92.109.2
kernel-default-debugsource-4.4.121-92.109.2
kernel-default-devel-4.4.121-92.109.2
kernel-syms-4.4.121-92.109.2
- SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):
cluster-md-kmp-default-4.4.121-92.109.2
cluster-md-kmp-default-debuginfo-4.4.121-92.109.2
cluster-network-kmp-default-4.4.121-92.109.2
cluster-network-kmp-default-debuginfo-4.4.121-92.109.2
dlm-kmp-default-4.4.121-92.109.2
dlm-kmp-default-debuginfo-4.4.121-92.109.2
gfs2-kmp-default-4.4.121-92.109.2
gfs2-kmp-default-debuginfo-4.4.121-92.109.2
kernel-default-debuginfo-4.4.121-92.109.2
kernel-default-debugsource-4.4.121-92.109.2
ocfs2-kmp-default-4.4.121-92.109.2
ocfs2-kmp-default-debuginfo-4.4.121-92.109.2
- SUSE Enterprise Storage 4 (noarch):
kernel-devel-4.4.121-92.109.2
kernel-macros-4.4.121-92.109.2
kernel-source-4.4.121-92.109.2
- SUSE Enterprise Storage 4 (x86_64):
kernel-default-4.4.121-92.109.2
kernel-default-base-4.4.121-92.109.2
kernel-default-base-debuginfo-4.4.121-92.109.2
kernel-default-debuginfo-4.4.121-92.109.2
kernel-default-debugsource-4.4.121-92.109.2
kernel-default-devel-4.4.121-92.109.2
kernel-syms-4.4.121-92.109.2
kgraft-patch-4_4_121-92_109-default-1-3.5.2
- OpenStack Cloud Magnum Orchestration 7 (x86_64):
kernel-default-4.4.121-92.109.2
kernel-default-debuginfo-4.4.121-92.109.2
kernel-default-debugsource-4.4.121-92.109.2
References:
https://www.suse.com/security/cve/CVE-2016-8636.html
https://www.suse.com/security/cve/CVE-2017-17741.html
https://www.suse.com/security/cve/CVE-2017-18174.html
https://www.suse.com/security/cve/CVE-2018-1091.html
https://www.suse.com/security/cve/CVE-2018-1120.html
https://www.suse.com/security/cve/CVE-2018-1128.html
https://www.suse.com/security/cve/CVE-2018-1129.html
https://www.suse.com/security/cve/CVE-2018-12126.html
https://www.suse.com/security/cve/CVE-2018-12127.html
https://www.suse.com/security/cve/CVE-2018-12130.html
https://www.suse.com/security/cve/CVE-2018-19407.html
https://www.suse.com/security/cve/CVE-2019-11091.html
https://www.suse.com/security/cve/CVE-2019-11486.html
https://www.suse.com/security/cve/CVE-2019-3882.html
https://www.suse.com/security/cve/CVE-2019-8564.html
https://www.suse.com/security/cve/CVE-2019-9503.html
https://bugzilla.suse.com/1012382
https://bugzilla.suse.com/1024908
https://bugzilla.suse.com/1034113
https://bugzilla.suse.com/1043485
https://bugzilla.suse.com/1068032
https://bugzilla.suse.com/1073311
https://bugzilla.suse.com/1080157
https://bugzilla.suse.com/1080533
https://bugzilla.suse.com/1082632
https://bugzilla.suse.com/1087231
https://bugzilla.suse.com/1087659
https://bugzilla.suse.com/1087906
https://bugzilla.suse.com/1093158
https://bugzilla.suse.com/1094268
https://bugzilla.suse.com/1096748
https://bugzilla.suse.com/1100152
https://bugzilla.suse.com/1103186
https://bugzilla.suse.com/1106913
https://bugzilla.suse.com/1109772
https://bugzilla.suse.com/1111331
https://bugzilla.suse.com/1112178
https://bugzilla.suse.com/1113399
https://bugzilla.suse.com/1116841
https://bugzilla.suse.com/1118338
https://bugzilla.suse.com/1119019
https://bugzilla.suse.com/1122822
https://bugzilla.suse.com/1124832
https://bugzilla.suse.com/1125580
https://bugzilla.suse.com/1129279
https://bugzilla.suse.com/1131416
https://bugzilla.suse.com/1131427
https://bugzilla.suse.com/1131587
https://bugzilla.suse.com/1132673
https://bugzilla.suse.com/1132828
https://bugzilla.suse.com/1133188
More information about the sle-security-updates
mailing list