SUSE-SU-2020:2121-1: important: Security update for the Linux Kernel

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue Aug 4 13:32:29 MDT 2020


   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:2121-1
Rating:             important
References:         #1051510 #1065729 #1071995 #1085030 #1104967 
                    #1114279 #1144333 #1148868 #1150660 #1152107 
                    #1152472 #1152624 #1158983 #1159058 #1161016 
                    #1162002 #1162063 #1168081 #1169194 #1169514 
                    #1169795 #1170011 #1170592 #1170618 #1171124 
                    #1171424 #1171558 #1171673 #1171732 #1171761 
                    #1171868 #1171904 #1172257 #1172344 #1172458 
                    #1172484 #1172759 #1172775 #1172781 #1172782 
                    #1172783 #1172999 #1173265 #1173280 #1173428 
                    #1173462 #1173514 #1173567 #1173573 #1174115 
                    #1174462 #1174543 
Cross-References:   CVE-2019-16746 CVE-2019-20810 CVE-2019-20908
                    CVE-2020-0305 CVE-2020-10766 CVE-2020-10767
                    CVE-2020-10768 CVE-2020-10769 CVE-2020-10773
                    CVE-2020-12771 CVE-2020-12888 CVE-2020-13974
                    CVE-2020-14416 CVE-2020-15393 CVE-2020-15780
                   
Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud 9
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Live Patching 12-SP4
                    SUSE Linux Enterprise High Availability 12-SP4
______________________________________________________________________________

   An update that solves 15 vulnerabilities and has 37 fixes
   is now available.

Description:



   The SUSE Linux Enterprise 12 SP4 LTSS kernel was updated to receive
   various security and bugfixes.

   The following security bugs were fixed:

   - CVE-2020-0305: In cdev_get of char_dev.c, there is a possible
     use-after-free due to a race condition. This could lead to local
     escalation of privilege with System execution privileges needed. User
     interaction is not needed for exploitation (bnc#1174462).
   - CVE-2019-20908: An issue was discovered in drivers/firmware/efi/efi.c
     where incorrect access permissions for the efivar_ssdt ACPI variable
     could be used by attackers to bypass lockdown or secure boot
     restrictions, aka CID-1957a85b0032 (bnc#1173567).
   - CVE-2020-15780: An issue was discovered in drivers/acpi/acpi_configfs.c
     where injection of malicious ACPI tables via configfs could be used by
     attackers to bypass lockdown and secure boot restrictions, aka
     CID-75b0cea7bf30 (bnc#1173573).
   - CVE-2020-15393: usbtest_disconnect in drivers/usb/misc/usbtest.c has a
     memory leak, aka CID-28ebeb8db770 (bnc#1173514).
   - CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c had a
     deadlock if a coalescing operation fails (bnc#1171732).
   - CVE-2019-16746: net/wireless/nl80211.c did not check the length of
     variable elements in a beacon head, leading to a buffer overflow
     (bnc#1152107).
   - CVE-2020-12888: The VFIO PCI driver mishandled attempts to access
     disabled memory space (bnc#1171868).
   - CVE-2020-10769: A buffer over-read flaw was found in
     crypto_authenc_extractkeys in crypto/authenc.c in the IPsec
     Cryptographic algorithm's module, authenc. When a payload longer than 4
     bytes, and is not following 4-byte alignment boundary guidelines, it
     causes a buffer over-read threat, leading to a system crash. This flaw
     allowed a local attacker with user privileges to cause a denial of
     service (bnc#1173265).
   - CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed
     (bnc#1172999).
   - CVE-2020-14416: A race condition in tty->disc_data handling in the slip
     and slcan line discipline could lead to a use-after-free, aka
     CID-0ace17d56824. This affects drivers/net/slip/slip.c and
     drivers/net/can/slcan.c (bnc#1162002).
   - CVE-2020-10768: Indirect branch speculation could have been enabled
     after it was force-disabled by the PR_SPEC_FORCE_DISABLE prctl command.
     (bnc#1172783).
   - CVE-2020-10766: Fixed Rogue cross-process SSBD shutdown, where a Linux
     scheduler logical bug allows an attacker to turn off the SSBD
     protection. (bnc#1172781).
   - CVE-2020-10767: Indirect Branch Prediction Barrier was force-disabled
     when STIBP is unavailable or enhanced IBRS is available. (bnc#1172782).
   - CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if
     k_ascii is called several times in a row, aka CID-b86dab054059.
     (bnc#1172775).
   - CVE-2019-20810: go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c
     in the Linux kernel did not call snd_card_free for a failure path, which
     causes a memory leak, aka CID-9453264ef586 (bnc#1172458).

   The following non-security bugs were fixed:

   - ACPI: PM: Avoid using power resources if there are none for D0
     (bsc#1051510).
   - ALSA: es1688: Add the missed snd_card_free() (bsc#1051510).
   - bcache: Fix an error code in bch_dump_read() (git fixes (block drivers)).
   - block, bfq: add requeue-request hook (bsc#1104967 bsc#1171673).
   - block, bfq: postpone rq preparation to insert or merge (bsc#1104967
     bsc#1171673).
   - block: remove QUEUE_FLAG_STACKABLE (git fixes (block drivers)).
   - block: sed-opal: fix sparse warning: convert __be64 data (git fixes
     (block drivers)).
   - btrfs: always wait on ordered extents at fsync time (bsc#1171761).
   - btrfs: clean up the left over logged_list usage (bsc#1171761).
   - btrfs: do not zero f_bavail if we have available space (bsc#1168081).
   - btrfs: fix list_add corruption and soft lockups in fsync (bsc#1171761).
   - btrfs: fix missing data checksums after a ranged fsync (msync)
     (bsc#1171761).
   - btrfs: fix missing file extent item for hole after ranged fsync
     (bsc#1171761).
   - btrfs: fix missing hole after hole punching and fsync when using
     NO_HOLES (bsc#1171761).
   - btrfs: fix missing semaphore unlock in btrfs_sync_file (bsc#1171761).
   - btrfs: fix rare chances for data loss when doing a fast fsync
     (bsc#1171761).
   - btrfs: Remove extra parentheses from condition in copy_items()
     (bsc#1171761).
   - btrfs: remove no longer used io_err from btrfs_log_ctx (bsc#1171761).
   - btrfs: remove no longer used logged range variables when logging extents
     (bsc#1171761).
   - btrfs: remove no longer used 'sync' member from transaction handle
     (bsc#1171761).
   - btrfs: remove remaing full_sync logic from btrfs_sync_file (bsc#1171761).
   - btrfs: remove the logged extents infrastructure (bsc#1171761).
   - btrfs: remove the wait ordered logic in the log_one_extent path
     (bsc#1171761).
   - btrfs: volumes: Remove ENOSPC-prone btrfs_can_relocate() (bsc#1171124).
   - CDC-ACM: heed quirk also in error handling (git-fixes).
   - cifs: get rid of unused parameter in reconn_setup_dfs_targets()
     (bsc#1144333).
   - cifs: handle hostnames that resolve to same ip in failover (bsc#1144333
     bsc#1161016).
   - cifs: set up next DFS target before generic_ip_connect() (bsc#1144333
     bsc#1161016).
   - clk: bcm2835: Fix return type of bcm2835_register_gate (bsc#1051510).
   - clk: clk-flexgen: fix clock-critical handling (bsc#1051510).
   - clk: sunxi: Fix incorrect usage of round_down() (bsc#1051510).
   - compat_ioctl: block: handle BLKREPORTZONE/BLKRESETZONE (git fixes (block
     drivers)).
   - compat_ioctl: block: handle Persistent Reservations (git fixes (block
     drivers)).
   - copy_{to,from}_user(): consolidate object size checks (git fixes).
   - crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is
     fully iterated (git-fixes).
   - dm btree: increase rebalance threshold in __rebalance2() (git fixes
     (block drivers)).
   - dm cache: fix a crash due to incorrect work item cancelling (git fixes
     (block drivers)).
   - dm crypt: fix benbi IV constructor crash if used in authenticated mode
     (git fixes (block drivers)).
   - dm: fix potential for q->make_request_fn NULL pointer (git fixes (block
     drivers)).
   - dm space map common: fix to ensure new block isn't already in use (git
     fixes (block drivers)).
   - dm: various cleanups to md->queue initialization code (git fixes).
   - dm verity fec: fix hash block number in verity_fec_decode (git fixes
     (block drivers)).
   - dm verity fec: fix memory leak in verity_fec_dtr (git fixes (block
     drivers)).
   - Drivers: hv: Change flag to write log level in panic msg to false
     (bsc#1170618).
   - drivers: soc: ti: knav_qmss_queue: Make knav_gp_range_ops static
     (bsc#1051510).
   - drm/dp_mst: Increase ACT retry timeout to 3s (bsc#1152472)  * context
     changes
   - drm: encoder_slave: fix refcouting error for modules (bsc#1114279)
   - drm/mediatek: Check plane visibility in atomic_update (bsc#1152472)  *
     context changes
   - drm/qxl: Use correct notify port address when creating cursor ring
     (bsc#1152472)
   - drm/radeon: fix double free (bsc#1152472)
   - drm/radeon: fix fb_div check in ni_init_smc_spll_table() (bsc#1152472)
   - e1000e: Disable TSO for buffer overrun workaround (bsc#1051510).
   - e1000e: Do not wake up the system via WOL if device wakeup is disabled
     (bsc#1051510).
   - EDAC/amd64: Read back the scrub rate PCI register on F15h (bsc#1114279).
   - evm: Check also if *tfm is an error pointer in init_desc() (bsc#1051510).
   - evm: Fix a small race in init_desc() (bsc#1051510).
   - extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()'
     (bsc#1051510).
   - gpiolib: Document that GPIO line names are not globally unique
     (bsc#1051510).
   - HID: sony: Fix for broken buttons on DS3 USB dongles (bsc#1051510).
   - ibmveth: Fix max MTU limit (bsc#1173428 ltc#186397).
   - ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280
     ltc#185369).
   - ibmvnic: Flush existing work items before device removal (bsc#1065729).
   - ibmvnic: Harden device login requests (bsc#1170011 ltc#183538).
   - iio: buffer: Do not allow buffers without any channels enabled to be
     activated (bsc#1051510).
   - iio: pressure: bmp280: Tolerate IRQ before registering (bsc#1051510).
   - ima: Directly assign the ima_default_policy pointer to ima_rules
     (bsc#1051510).
   - ima: Fix ima digest hash table key calculation (bsc#1051510).
   - include/asm-generic/topology.h: guard cpumask_of_node() macro argument
     (bsc#1148868).
   - intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115).
   - KVM: nVMX: Do not reread VMCS-agnostic state when switching VMCS
     (bsc#1114279).
   - KVM: nVMX: Skip IBPB when switching between vmcs01 and vmcs02
     (bsc#1114279).
   - kvm: x86: Fix L1TF mitigation for shadow MMU (bsc#1171904).
   - KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated
     (bsc#1171904).
   - KVM: x86: only do L1TF workaround on affected processors (bsc#1171904).
   - libceph: do not omit recovery_deletes in target_copy() (bsc#1173462).
   - livepatch: Apply vmlinux-specific KLP relocations early (bsc#1071995).
   - livepatch: Disallow vmlinux.ko (bsc#1071995).
   - livepatch: Make klp_apply_object_relocs static (bsc#1071995).
   - livepatch: Prevent module-specific KLP rela sections from referencing
     vmlinux symbols (bsc#1071995).
   - livepatch: Remove .klp.arch (bsc#1071995).
   - md: Avoid namespace collision with bitmap API (git fixes (block
     drivers)).
   - md: use memalloc scope APIs in mddev_suspend()/mddev_resume() (git fixes
     (block drivers)).
   - mmc: fix compilation of user API (bsc#1051510).
   - netfilter: connlabels: prefer static lock initialiser (git-fixes).
   - netfilter: ctnetlink: netns exit must wait for callbacks (bsc#1169795).
   - netfilter: not mark a spinlock as __read_mostly (git-fixes).
   - net: vmxnet3: fix possible buffer overflow caused by bad DMA value in
     vmxnet3_get_rss() (bsc#1172484).
   - NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid()
     (bsc#1170592).
   - NFSv4: Retry CLOSE and DELEGRETURN on NFS4ERR_OLD_STATEID (bsc#1170592).
   - nvme: check for NVME_CTRL_LIVE in nvme_report_ns_ids() (bcs#1171558
     bsc#1159058).
   - nvme: do not update multipath disk information if the controller is down
     (bcs#1171558 bsc#1159058).
   - objtool: Clean instruction state before each function validation
     (bsc#1169514).
   - objtool: Ignore empty alternatives (bsc#1169514).
   - overflow: Fix -Wtype-limits compilation warnings (git fixes).
   - overflow.h: Add arithmetic shift helper (git fixes).
   - p54usb: add AirVasT USB stick device-id (bsc#1051510).
   - PCI: Allow pci_resize_resource() for devices on root bus (bsc#1051510).
   - PCI: Fix pci_register_host_bridge() device_register() error handling
     (bsc#1051510).
   - PCI: Program MPS for RCiEP devices (bsc#1051510).
   - PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port
     (bsc#1051510).
   - perf: Allocate context task_ctx_data for child event (git-fixes).
   - perf/cgroup: Fix perf cgroup hierarchy support (git-fixes).
   - perf: Copy parent's address filter offsets on clone (git-fixes).
   - perf/core: Add sanity check to deal with pinned event failure
     (git-fixes).
   - perf/core: Avoid freeing static PMU contexts when PMU is unregistered
     (git-fixes).
   - perf/core: Correct event creation with PERF_FORMAT_GROUP (git-fixes).
   - perf/core: Do not WARN() for impossible ring-buffer sizes (git-fixes).
   - perf/core: Fix bad use of igrab() (git fixes (dependent patch)).
   - perf/core: Fix crash when using HW tracing kernel filters (git-fixes).
   - perf/core: Fix ctx_event_type in ctx_resched() (git-fixes).
   - perf/core: Fix error handling in perf_event_alloc() (git-fixes).
   - perf/core: Fix exclusive events' grouping (git-fixes).
   - perf/core: Fix group scheduling with mixed hw and sw events (git-fixes).
   - perf/core: Fix impossible ring-buffer sizes warning (git-fixes).
   - perf/core: Fix locking for children siblings group read (git-fixes).
   - perf/core: Fix lock inversion between perf,trace,cpuhp (git-fixes
     (dependent patch for 18736eef1213)).
   - perf/core: Fix perf_event_read_value() locking (git-fixes).
   - perf/core: Fix perf_pmu_unregister() locking (git-fixes).
   - perf/core: Fix __perf_read_group_add() locking (git-fixes (dependent
     patch)).
   - perf/core: Fix perf_sample_regs_user() mm check (git-fixes).
   - perf/core: Fix possible Spectre-v1 indexing for ->aux_pages (git-fixes).
   - perf/core: Fix race between close() and fork() (git-fixes).
   - perf/core: Fix the address filtering fix (git-fixes).
   - perf/core: Fix use-after-free in uprobe_perf_close() (git-fixes).
   - perf/core: Force USER_DS when recording user stack data (git-fixes).
   - perf/core: Restore mmap record type correctly (git-fixes).
   - perf: Fix header.size for namespace events (git-fixes).
   - perf/ioctl: Add check for the sample_period value (git-fixes).
   - perf, pt, coresight: Fix address filters for vmas with non-zero offset
     (git-fixes).
   - perf: Return proper values for user stack errors (git-fixes).
   - perf/x86/amd: Constrain Large Increment per Cycle events (git-fixes).
   - perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus
     precise RIP validity (git-fixes).
   - perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops (git-fixes).
   - perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family
     (10h) (git-fixes).
   - perf/x86/amd/iommu: Make the 'amd_iommu_attr_groups' symbol static
     (git-fixes).
   - perf/x86/amd/uncore: Do not set 'ThreadMask' and 'SliceMask' for non-L3
     PMCs (git-fixes stable).
   - perf/x86/amd/uncore: Set the thread mask for F17h L3 PMCs (git-fixes).
   - perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf
     events (git-fixes stable).
   - perf/x86: Enable free running PEBS for REGS_USER/INTR (git-fixes).
   - perf/x86: Fix incorrect PEBS_REGS (git-fixes).
   - perf/x86/intel: Add generic branch tracing check to intel_pmu_has_bts()
     (git-fixes).
   - perf/x86/intel: Add proper condition to run sched_task callbacks
     (git-fixes).
   - perf/x86/intel/bts: Fix the use of page_private() (git-fixes).
   - perf/x86/intel: Fix PT PMI handling (git-fixes).
   - perf/x86/intel: Move branch tracing setup to the Intel-specific source
     file (git-fixes).
   - perf/x86/intel/uncore: Add Node ID mask (git-fixes).
   - perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX (git-fixes).
   - perf/x86/pt, coresight: Clean up address filter structure (git fixes
     (dependent patch)).
   - perf/x86/uncore: Fix event group support (git-fixes).
   - pid: Improve the comment about waiting in zap_pid_ns_processes (git
     fixes)).
   - pinctrl: freescale: imx: Fix an error handling path in
     'imx_pinctrl_probe()' (bsc#1051510).
   - pinctrl: imxl: Fix an error handling path in 'imx1_pinctrl_core_probe()'
     (bsc#1051510).
   - pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE
     GPIOs (bsc#1051510).
   - pnp: Use list_for_each_entry() instead of open coding (git fixes).
   - powerpc/64s: Do not let DT CPU features set FSCR_DSCR (bsc#1065729).
   - powerpc/64s: Save FSCR to init_task.thread.fscr after feature init
     (bsc#1065729).
   - powerpc/xive: Clear the page tables for the ESB IO mapping (bsc#1085030).
   - power: supply: bq24257_charger: Replace depends on REGMAP_I2C with
     select (bsc#1051510).
   - power: supply: lp8788: Fix an error handling path in
     'lp8788_charger_probe()' (bsc#1051510).
   - power: supply: smb347-charger: IRQSTAT_D is volatile (bsc#1051510).
   - raid5: remove gfp flags from scribble_alloc() (git fixes (block
     drivers)).
   - resolve KABI warning for perf-pt-coresight (git-fixes).
   - Revert "bcache: ignore pending signals when creating gc and allocator
     thread" (git fixes (block drivers)).
   - Revert "dm crypt: use WQ_HIGHPRI for the IO and crypt workqueues" (git
     fixes (block drivers)).
   - Revert "tools lib traceevent: Remove unneeded qsort and uses memmove"
   - rpm/kernel-docs.spec.in: Require python-packaging for build.
   - s390/bpf: Maintain 8-byte stack alignment (bsc#1169194).
   - s390: fix syscall_get_error for compat processes (git-fixes).
   - s390/qdio: consistently restore the IRQ handler (git-fixes).
   - s390/qdio: lock device while installing IRQ handler (git-fixes).
   - s390/qdio: put thinint indicator after early error (git-fixes).
   - s390/qdio: tear down thinint indicator after early error (git-fixes).
   - s390/qeth: fix error handling for isolation mode cmds (git-fixes).
   - scsi: ibmvscsi: Do not send host info in adapter info MAD after LPM
     (bsc#1172759 ltc#184814).
   - scsi: qedf: Add port_id getter (bsc#1150660).
   - scsi: qla2xxx: Set NVMe status code for failed NVMe FCP request
     (bsc#1158983).
   - spi: dw: use "smp_mb()" to avoid sending spi data error (bsc#1051510).
   - staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK (bsc#1051510).
   - staging: sm750fb: add missing case while setting FB_VISUAL (bsc#1051510).
   - SUNRPC: The TCP back channel mustn't disappear while requests are
     outstanding (bsc#1152624).
   - tracing: Fix event trigger to accept redundant spaces (git-fixes).
   - tty: n_gsm: Fix bogus i++ in gsm_data_kick (bsc#1051510).
   - tty: n_gsm: Fix SOF skipping (bsc#1051510).
   - tty: n_gsm: Fix waking up upper tty layer when room available
     (bsc#1051510).
   - usb: dwc2: gadget: move gadget resume after the core is in L0 state
     (bsc#1051510).
   - usb: gadget: lpc32xx_udc: do not dereference ep pointer before null
     check (bsc#1051510).
   - usb: gadget: udc: s3c2410_udc: Remove pointless NULL check in
     s3c2410_udc_nuke (bsc#1051510).
   - usb: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe()
     (bsc#1051510).
   - usb: musb: Fix runtime PM imbalance on error (bsc#1051510).
   - usb: musb: start session in resume for host port (bsc#1051510).
   - usb: serial: option: add Telit LE910C1-EUX compositions (bsc#1051510).
   - usb: serial: qcserial: add DW5816e QDL support (bsc#1051510).
   - usb: serial: usb_wwan: do not resubmit rx urb on fatal errors
     (bsc#1051510).
   - usb: serial: usb_wwan: do not resubmit rx urb on fatal errors
     (git-fixes).
   - virtio-blk: handle block_device_operations callbacks after hot unplug
     (git fixes (block drivers)).
   - vmxnet3: add geneve and vxlan tunnel offload support (bsc#1172484).
   - vmxnet3: add support to get/set rx flow hash (bsc#1172484).
   - vmxnet3: allow rx flow hash ops only when rss is enabled (bsc#1172484).
   - vmxnet3: avoid format strint overflow warning (bsc#1172484).
   - vmxnet3: prepare for version 4 changes (bsc#1172484).
   - vmxnet3: Remove always false conditional statement (bsc#1172484).
   - vmxnet3: remove redundant initialization of pointer 'rq' (bsc#1172484).
   - vmxnet3: remove unused flag "rxcsum" from struct vmxnet3_adapter
     (bsc#1172484).
   - vmxnet3: Replace msleep(1) with usleep_range() (bsc#1172484).
   - vmxnet3: update to version 4 (bsc#1172484).
   - vmxnet3: use correct hdr reference when packet is encapsulated
     (bsc#1172484).
   - w1: omap-hdq: cleanup to add missing newline for some dev_dbg
     (bsc#1051510).
   - work around mvfs bug (bsc#1162063).
   - x86/cpu/amd: Make erratum #1054 a legacy erratum (bsc#1114279).
   - x86/events/intel/ds: Add PERF_SAMPLE_PERIOD into PEBS_FREERUNNING_FLAGS
     (git-fixes).
   - x86: Fix early boot crash on gcc-10, third try (bsc#1114279).
   - x86/{mce,mm}: Unmap the entire page if the whole page is affected and
     poisoned (bsc#1172257).
   - x86/reboot/quirks: Add MacBook6,1 reboot quirk (bsc#1114279).
   - xfrm: fix error in comment (git fixes).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2020-2121=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2020-2121=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2020-2121=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2020-2121=1

   - SUSE Linux Enterprise Live Patching 12-SP4:

      zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2020-2121=1

   - SUSE Linux Enterprise High Availability 12-SP4:

      zypper in -t patch SUSE-SLE-HA-12-SP4-2020-2121=1



Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      kernel-default-4.12.14-95.57.1
      kernel-default-base-4.12.14-95.57.1
      kernel-default-base-debuginfo-4.12.14-95.57.1
      kernel-default-debuginfo-4.12.14-95.57.1
      kernel-default-debugsource-4.12.14-95.57.1
      kernel-default-devel-4.12.14-95.57.1
      kernel-default-devel-debuginfo-4.12.14-95.57.1
      kernel-syms-4.12.14-95.57.1

   - SUSE OpenStack Cloud Crowbar 9 (noarch):

      kernel-devel-4.12.14-95.57.1
      kernel-macros-4.12.14-95.57.1
      kernel-source-4.12.14-95.57.1

   - SUSE OpenStack Cloud 9 (noarch):

      kernel-devel-4.12.14-95.57.1
      kernel-macros-4.12.14-95.57.1
      kernel-source-4.12.14-95.57.1

   - SUSE OpenStack Cloud 9 (x86_64):

      kernel-default-4.12.14-95.57.1
      kernel-default-base-4.12.14-95.57.1
      kernel-default-base-debuginfo-4.12.14-95.57.1
      kernel-default-debuginfo-4.12.14-95.57.1
      kernel-default-debugsource-4.12.14-95.57.1
      kernel-default-devel-4.12.14-95.57.1
      kernel-default-devel-debuginfo-4.12.14-95.57.1
      kernel-syms-4.12.14-95.57.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      kernel-default-4.12.14-95.57.1
      kernel-default-base-4.12.14-95.57.1
      kernel-default-base-debuginfo-4.12.14-95.57.1
      kernel-default-debuginfo-4.12.14-95.57.1
      kernel-default-debugsource-4.12.14-95.57.1
      kernel-default-devel-4.12.14-95.57.1
      kernel-syms-4.12.14-95.57.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (noarch):

      kernel-devel-4.12.14-95.57.1
      kernel-macros-4.12.14-95.57.1
      kernel-source-4.12.14-95.57.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):

      kernel-default-devel-debuginfo-4.12.14-95.57.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      kernel-default-4.12.14-95.57.1
      kernel-default-base-4.12.14-95.57.1
      kernel-default-base-debuginfo-4.12.14-95.57.1
      kernel-default-debuginfo-4.12.14-95.57.1
      kernel-default-debugsource-4.12.14-95.57.1
      kernel-default-devel-4.12.14-95.57.1
      kernel-syms-4.12.14-95.57.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (x86_64):

      kernel-default-devel-debuginfo-4.12.14-95.57.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (noarch):

      kernel-devel-4.12.14-95.57.1
      kernel-macros-4.12.14-95.57.1
      kernel-source-4.12.14-95.57.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (s390x):

      kernel-default-man-4.12.14-95.57.1

   - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64):

      kernel-default-kgraft-4.12.14-95.57.1
      kernel-default-kgraft-devel-4.12.14-95.57.1
      kgraft-patch-4_12_14-95_57-default-1-6.3.1

   - SUSE Linux Enterprise High Availability 12-SP4 (ppc64le s390x x86_64):

      cluster-md-kmp-default-4.12.14-95.57.1
      cluster-md-kmp-default-debuginfo-4.12.14-95.57.1
      dlm-kmp-default-4.12.14-95.57.1
      dlm-kmp-default-debuginfo-4.12.14-95.57.1
      gfs2-kmp-default-4.12.14-95.57.1
      gfs2-kmp-default-debuginfo-4.12.14-95.57.1
      kernel-default-debuginfo-4.12.14-95.57.1
      kernel-default-debugsource-4.12.14-95.57.1
      ocfs2-kmp-default-4.12.14-95.57.1
      ocfs2-kmp-default-debuginfo-4.12.14-95.57.1


References:

   https://www.suse.com/security/cve/CVE-2019-16746.html
   https://www.suse.com/security/cve/CVE-2019-20810.html
   https://www.suse.com/security/cve/CVE-2019-20908.html
   https://www.suse.com/security/cve/CVE-2020-0305.html
   https://www.suse.com/security/cve/CVE-2020-10766.html
   https://www.suse.com/security/cve/CVE-2020-10767.html
   https://www.suse.com/security/cve/CVE-2020-10768.html
   https://www.suse.com/security/cve/CVE-2020-10769.html
   https://www.suse.com/security/cve/CVE-2020-10773.html
   https://www.suse.com/security/cve/CVE-2020-12771.html
   https://www.suse.com/security/cve/CVE-2020-12888.html
   https://www.suse.com/security/cve/CVE-2020-13974.html
   https://www.suse.com/security/cve/CVE-2020-14416.html
   https://www.suse.com/security/cve/CVE-2020-15393.html
   https://www.suse.com/security/cve/CVE-2020-15780.html
   https://bugzilla.suse.com/1051510
   https://bugzilla.suse.com/1065729
   https://bugzilla.suse.com/1071995
   https://bugzilla.suse.com/1085030
   https://bugzilla.suse.com/1104967
   https://bugzilla.suse.com/1114279
   https://bugzilla.suse.com/1144333
   https://bugzilla.suse.com/1148868
   https://bugzilla.suse.com/1150660
   https://bugzilla.suse.com/1152107
   https://bugzilla.suse.com/1152472
   https://bugzilla.suse.com/1152624
   https://bugzilla.suse.com/1158983
   https://bugzilla.suse.com/1159058
   https://bugzilla.suse.com/1161016
   https://bugzilla.suse.com/1162002
   https://bugzilla.suse.com/1162063
   https://bugzilla.suse.com/1168081
   https://bugzilla.suse.com/1169194
   https://bugzilla.suse.com/1169514
   https://bugzilla.suse.com/1169795
   https://bugzilla.suse.com/1170011
   https://bugzilla.suse.com/1170592
   https://bugzilla.suse.com/1170618
   https://bugzilla.suse.com/1171124
   https://bugzilla.suse.com/1171424
   https://bugzilla.suse.com/1171558
   https://bugzilla.suse.com/1171673
   https://bugzilla.suse.com/1171732
   https://bugzilla.suse.com/1171761
   https://bugzilla.suse.com/1171868
   https://bugzilla.suse.com/1171904
   https://bugzilla.suse.com/1172257
   https://bugzilla.suse.com/1172344
   https://bugzilla.suse.com/1172458
   https://bugzilla.suse.com/1172484
   https://bugzilla.suse.com/1172759
   https://bugzilla.suse.com/1172775
   https://bugzilla.suse.com/1172781
   https://bugzilla.suse.com/1172782
   https://bugzilla.suse.com/1172783
   https://bugzilla.suse.com/1172999
   https://bugzilla.suse.com/1173265
   https://bugzilla.suse.com/1173280
   https://bugzilla.suse.com/1173428
   https://bugzilla.suse.com/1173462
   https://bugzilla.suse.com/1173514
   https://bugzilla.suse.com/1173567
   https://bugzilla.suse.com/1173573
   https://bugzilla.suse.com/1174115
   https://bugzilla.suse.com/1174462
   https://bugzilla.suse.com/1174543



More information about the sle-security-updates mailing list