Security update for Linux Kernel Live Patch 10 for SLE 12

Announcement ID: SUSE-SU-2017:0247-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2016-8632 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-8632 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-9576 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-9576 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-9794 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-9794 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-9794 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-9806 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-9806 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2016-9806 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise Live Patching 12
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 LTSS 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP2

An update that solves four vulnerabilities and has one security fix can now be installed.

Description:

This update for the Linux Kernel 3.12.51-52_34 fixes several issues.

The following security bugs were fixed: - CVE-2016-9806: Race condition in the netlink_dump function in net/netlink/af_netlink.c in the Linux kernel allowed local users to cause a denial of service (double free) or possibly have unspecified other impact via a crafted application that made sendmsg system calls, leading to a free operation associated with a new dump that started earlier than anticipated (bsc#1017589). - CVE-2016-9794: Race condition in the snd_pcm_period_elapsed function in sound/core/pcm_lib.c in the ALSA subsystem in the Linux kernel allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted SNDRV_PCM_TRIGGER_START command (bsc#1013543). - CVE-2016-8632: The tipc_msg_build function in net/tipc/msg.c in the Linux kernel did not validate the relationship between the minimum fragment length and the maximum packet size, which allowed local users to gain privileges or cause a denial of service (heap-based buffer overflow) by leveraging the CAP_NET_ADMIN capability (bsc#1012852). - CVE-2016-9576: The blk_rq_map_user_iov function in block/blk-map.c in the Linux kernel did not properly restrict the type of iterator, which allowed local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device (bsc#1014271).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Server for SAP Applications 12
    zypper in -t patch SUSE-SLE-SAP-12-2017-131=1 SUSE-SLE-SAP-12-2017-141=1 SUSE-SLE-SAP-12-2017-130=1 SUSE-SLE-SAP-12-2017-129=1 SUSE-SLE-SAP-12-2017-128=1 SUSE-SLE-SAP-12-2017-127=1 SUSE-SLE-SAP-12-2017-126=1
  • SUSE Linux Enterprise Server 12 LTSS 12
    zypper in -t patch SUSE-SLE-SERVER-12-2017-131=1 SUSE-SLE-SERVER-12-2017-141=1 SUSE-SLE-SERVER-12-2017-130=1 SUSE-SLE-SERVER-12-2017-129=1 SUSE-SLE-SERVER-12-2017-128=1 SUSE-SLE-SERVER-12-2017-127=1 SUSE-SLE-SERVER-12-2017-126=1
  • SUSE Linux Enterprise Live Patching 12
    zypper in -t patch SUSE-SLE-Live-Patching-12-2017-117=1 SUSE-SLE-Live-Patching-12-2017-115=1 SUSE-SLE-Live-Patching-12-2017-114=1 SUSE-SLE-Live-Patching-12-2017-113=1 SUSE-SLE-Live-Patching-12-2017-116=1

Package List:

  • SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
    • kgraft-patch-3_12_60-52_49-default-5-2.1
    • kgraft-patch-3_12_51-52_34-default-8-2.1
    • kgraft-patch-3_12_55-52_42-xen-5-2.1
    • kgraft-patch-3_12_60-52_54-default-5-2.1
    • kgraft-patch-3_12_60-52_57-default-3-2.1
    • kgraft-patch-3_12_60-52_57-xen-3-2.1
    • kgraft-patch-3_12_60-52_54-xen-5-2.1
    • kgraft-patch-3_12_51-52_39-xen-7-2.1
    • kgraft-patch-3_12_55-52_45-default-5-2.1
    • kgraft-patch-3_12_60-52_49-xen-5-2.1
    • kgraft-patch-3_12_51-52_39-default-7-2.1
    • kgraft-patch-3_12_55-52_45-xen-5-2.1
    • kgraft-patch-3_12_51-52_34-xen-8-2.1
    • kgraft-patch-3_12_55-52_42-default-5-2.1
  • SUSE Linux Enterprise Server 12 LTSS 12 (x86_64)
    • kgraft-patch-3_12_60-52_49-default-5-2.1
    • kgraft-patch-3_12_51-52_34-default-8-2.1
    • kgraft-patch-3_12_55-52_42-xen-5-2.1
    • kgraft-patch-3_12_60-52_54-default-5-2.1
    • kgraft-patch-3_12_60-52_57-default-3-2.1
    • kgraft-patch-3_12_60-52_57-xen-3-2.1
    • kgraft-patch-3_12_60-52_54-xen-5-2.1
    • kgraft-patch-3_12_51-52_39-xen-7-2.1
    • kgraft-patch-3_12_55-52_45-default-5-2.1
    • kgraft-patch-3_12_60-52_49-xen-5-2.1
    • kgraft-patch-3_12_51-52_39-default-7-2.1
    • kgraft-patch-3_12_55-52_45-xen-5-2.1
    • kgraft-patch-3_12_51-52_34-xen-8-2.1
    • kgraft-patch-3_12_55-52_42-default-5-2.1
  • SUSE Linux Enterprise Live Patching 12 (x86_64)
    • kgraft-patch-3_12_51-60_25-xen-8-2.1
    • kgraft-patch-3_12_59-60_45-xen-6-2.1
    • kgraft-patch-3_12_51-60_25-default-8-2.1
    • kgraft-patch-3_12_59-60_41-xen-6-2.1
    • kgraft-patch-3_12_57-60_35-xen-6-2.1
    • kgraft-patch-3_12_59-60_45-default-6-2.1
    • kgraft-patch-3_12_53-60_30-default-7-2.1
    • kgraft-patch-3_12_53-60_30-xen-7-2.1
    • kgraft-patch-3_12_57-60_35-default-6-2.1
    • kgraft-patch-3_12_59-60_41-default-6-2.1

References: