Security update for the Linux Kernel

SUSE Security Update: Security update for the Linux Kernel
Announcement ID: SUSE-SU-2015:1478-1
Rating: important
References: #798406 #821931 #860593 #879878 #891087 #897995 #898693 #900881 #904671 #908870 #909477 #912916 #914742 #915200 #915517 #915577 #916010 #917093 #917830 #918333 #919007 #919018 #919463 #921769 #922583 #923245 #926240 #927257 #928801 #929148 #929283 #929360 #929525 #930284 #930934 #931474 #933429 #935705 #936831 #937032 #937986 #940338 #940398
Affected Products:
  • SUSE Linux Enterprise Server 11-SP2-LTSS
  • SUSE Linux Enterprise Debuginfo 11-SP2

An update that solves 18 vulnerabilities and has 25 fixes is now available.

    Description:


    The SUSE Linux Enterprise Server 11 SP2 LTSS kernel was updated to receive
    various security and bug fixes.

    The following security bugs were fixed:
    - CVE-2015-5707: An integer overflow in the SCSI generic driver could
    potentially be used by local attackers to crash the kernel or execute code.
    - CVE-2015-2830: arch/x86/kernel/entry_64.S in the Linux kernel did not
    prevent the TS_COMPAT flag from reaching a user-mode task, which might
    have allowed local users to bypass the seccomp or audit protection
    mechanism via a crafted application that uses the (1) fork or (2) close
    system call, as demonstrated by an attack against seccomp before 3.16
    (bnc#926240).
    - CVE-2015-0777: drivers/xen/usbback/usbback.c in the Linux kernel allowed
    guest OS users to obtain sensitive information from uninitialized
    locations in host OS kernel memory via unspecified vectors (bnc#917830).
    - CVE-2015-2150: Xen and the Linux kernel did not properly restrict access
    to PCI command registers, which might have allowed local guest users to
    cause a denial of service (non-maskable interrupt and host crash) by
    disabling the (1) memory or (2) I/O decoding for a PCI Express device
    and then accessing the device, which triggers an Unsupported Request
    (UR) response (bnc#919463).
    - CVE-2015-5364: A remote denial of service (hang) via UDP flood with
    incorrect packet checksums was fixed (bsc#936831).
    - CVE-2015-5366: A remote denial of service (unexpected error returns) via
    UDP flood with incorrect packet checksums was fixed (bsc#936831).
    - CVE-2015-1420: Race condition in the handle_to_path
    function in fs/fhandle.c in the Linux kernel allowed local users to
    bypass intended size restrictions and trigger read operations on
    additional memory locations by changing the handle_bytes value of a file
    handle during the execution of this function (bnc#915517).
    - CVE-2015-4700: A local user could have created a bad instruction in the
    JIT processed BPF code, leading to a kernel crash (bnc#935705).
    - CVE-2015-1805: The (1) pipe_read and (2) pipe_write implementations in
    fs/pipe.c in the Linux kernel did not properly consider the side effects
    of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls,
    which allowed local users to cause a denial of service (system crash)
    or possibly gain privileges via a crafted application, aka an "I/O
    vector array overrun" (bnc#933429).
    - CVE-2015-3331: The __driver_rfc4106_decrypt function in
    arch/x86/crypto/aesni-intel_glue.c in the Linux kernel did not properly
    determine the memory locations used for encrypted data, which allowed
    context-dependent attackers to cause a denial of service (buffer
    overflow and system crash) or possibly execute arbitrary code by
    triggering a crypto API call, as demonstrated by use of a libkcapi test
    program with an AF_ALG(aead) socket (bnc#927257).
    - CVE-2015-2922: The ndisc_router_discovery function in net/ipv6/ndisc.c
    in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack
    in the Linux kernel allowed remote attackers to reconfigure a hop-limit
    setting via a small hop_limit value in a Router Advertisement (RA)
    message (bnc#922583).
    - CVE-2015-2041: net/llc/sysctl_net_llc.c in the Linux kernel used an
    incorrect data type in a sysctl table, which allowed local users to
    obtain potentially sensitive information from kernel memory or possibly
    have unspecified other impact by accessing a sysctl entry (bnc#919007).
    - CVE-2015-3636: The ping_unhash function in net/ipv4/ping.c in the Linux
    kernel did not initialize a certain list data structure during an unhash
    operation, which allowed local users to gain privileges or cause a
    denial of service (use-after-free and system crash) by leveraging the
    ability to make a SOCK_DGRAM socket system call for the IPPROTO_ICMP or
    IPPROTO_ICMPV6 protocol, and then making a connect system call after a
    disconnect (bnc#929525).
    - CVE-2014-8086: Race condition in the ext4_file_write_iter function in
    fs/ext4/file.c in the Linux kernel allowed local users to cause a denial
    of service (file unavailability) via a combination of a write action and
    an F_SETFL fcntl operation for the O_DIRECT flag (bnc#900881).
    - CVE-2014-8159: The InfiniBand (IB) implementation in the Linux kernel
    did not properly restrict use of User Verbs for registration of memory
    regions, which allowed local users to access arbitrary physical memory
    locations, and consequently cause a denial of service (system crash)
    or gain privileges, by leveraging permissions on a uverbs device under
    /dev/infiniband/ (bnc#914742).
    - CVE-2014-9683: Off-by-one error in the ecryptfs_decode_from_filename
    function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux
    kernel allowed local users to cause a denial of service (buffer overflow
    and system crash) or possibly gain privileges via a crafted filename
    (bnc#918333).
    - CVE-2015-2042: net/rds/sysctl.c in the Linux kernel used an incorrect
    data type in a sysctl table, which allowed local users to obtain
    potentially sensitive information from kernel memory or possibly have
    unspecified other impact by accessing a sysctl entry (bnc#919018).
    - CVE-2015-1421: Use-after-free vulnerability in the sctp_assoc_update
    function in net/sctp/associola.c in the Linux kernel allowed remote
    attackers to cause a denial of service (slab corruption and panic) or
    possibly have unspecified other impact by triggering an INIT collision
    that leads to improper handling of shared-key data (bnc#915577).

    The following non-security bugs were fixed:
    - HID: add ALWAYS_POLL quirk for a Logitech 0xc007 (bnc#931474).
    - HID: add HP OEM mouse to quirk ALWAYS_POLL (bnc#931474).
    - HID: add quirk for PIXART OEM mouse used by HP (bnc#931474).
    - HID: usbhid: add always-poll quirk (bnc#931474).
    - HID: usbhid: add another mouse that needs QUIRK_ALWAYS_POLL (bnc#931474).
    - HID: usbhid: enable always-poll quirk for Elan Touchscreen 009b
    (bnc#931474).
    - HID: usbhid: enable always-poll quirk for Elan Touchscreen 0103
    (bnc#931474).
    - HID: usbhid: enable always-poll quirk for Elan Touchscreen 016f
    (bnc#931474).
    - HID: usbhid: enable always-poll quirk for Elan Touchscreen.
    - HID: usbhid: fix PIXART optical mouse (bnc#931474).
    - HID: usbhid: more mice with ALWAYS_POLL (bnc#931474).
    - HID: usbhid: yet another mouse with ALWAYS_POLL (bnc#931474).
    - bnx2x: Fix kdump when iommu=on (bug#921769).
    - cifs: fix use-after-free bug in find_writable_file (bnc#909477).
    - coredump: ensure the fpu state is flushed for proper multi-threaded core
    dump (bsc#904671, bsc#929360).
    - dm: fixed LVM merge snapshot of root logical volume not working
    (bsc#928801).
    - deal with deadlock in d_walk fix (bnc#929148, bnc#929283).
    - e1000: do not enable dma receives until after dma address has been setup
    (bsc#821931).
    - fsnotify: Fix handling of renames in audit (bnc#915200).
    - inet: add a redirect generation id in inetpeer (bnc#860593).
    - inetpeer: initialize ->redirect_genid in inet_getpeer() (bnc#860593).
    - kabi: hide bnc#860593 changes of struct inetpeer_addr_base (bnc#860593).
    - kernel: fix data corruption when reading /proc/sysinfo (bsc#891087,
    bsc#937986, LTC#114480).
    - libata: prevent HSM state change race between ISR and PIO (bsc#923245).
    - time, ntp: Do not update time_state in middle of leap second
    (bsc#912916).
    - s390-3215-tty-close-crash.patch: kernel: 3215 tty close crash
    (bsc#916010, LTC#120873).
    - s390-3215-tty-close-race.patch: kernel: 3215 console crash (bsc#916010,
    LTC#94302).
    - s390-3215-tty-hang.patch: Renamed from patches.arch/s390-tty-hang.patch.
    - s390-3215-tty-hang.patch: Update references (bnc#898693, bnc#897995,
    LTC#114562).
    - s390-dasd-retry-partition-detection.patch: s390/dasd: retry partition
    detection (bsc#916010, LTC#94302).
    - s390-dasd-retry-partition-detection.patch: Update references
    (bsc#916010, LTC#120565).
    - s390-sclp-tty-refcount.patch: kernel: sclp console tty reference
    counting (bsc#916010, LTC#115466).
    - scsi: vmw_pvscsi: Fix pvscsi_abort() function (bnc#940398 bsc#930934).
    - scsi/sg: sg_start_req(): make sure that there is not too many elements
    in iovec (bsc#940338).
    - x86, xsave: remove thread_has_fpu() bug check in __sanitize_i387_state()
    (bsc#904671, bsc#929360).
    - x86-mm-send-tlb-flush-ipis-to-online-cpus-only.patch: x86, mm: Send tlb
    flush IPIs to online cpus only (bnc#798406).
    - x86/mm: Improve AMD Bulldozer ASLR workaround (bsc#937032).
    - x86/reboot: Fix a warning message triggered by stop_other_cpus()
    (bnc#930284).
    - xen: Correctly re-enable interrupts in xen_spin_wait() (bsc#879878,
    bsc#908870).
    - xfs: prevent deadlock trying to cover an active log (bsc#917093).

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11-SP2-LTSS:
      zypper in -t patch slessp2-kernel-20150819-12065=1
    • SUSE Linux Enterprise Debuginfo 11-SP2:
      zypper in -t patch dbgsp2-kernel-20150819-12065=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):
      • kernel-default-3.0.101-0.7.37.1
      • kernel-default-base-3.0.101-0.7.37.1
      • kernel-default-devel-3.0.101-0.7.37.1
      • kernel-source-3.0.101-0.7.37.1
      • kernel-syms-3.0.101-0.7.37.1
      • kernel-trace-3.0.101-0.7.37.1
      • kernel-trace-base-3.0.101-0.7.37.1
      • kernel-trace-devel-3.0.101-0.7.37.1
    • SUSE Linux Enterprise Server 11-SP2-LTSS (i586 x86_64):
      • kernel-ec2-3.0.101-0.7.37.1
      • kernel-ec2-base-3.0.101-0.7.37.1
      • kernel-ec2-devel-3.0.101-0.7.37.1
      • kernel-xen-3.0.101-0.7.37.1
      • kernel-xen-base-3.0.101-0.7.37.1
      • kernel-xen-devel-3.0.101-0.7.37.1
    • SUSE Linux Enterprise Server 11-SP2-LTSS (s390x):
      • kernel-default-man-3.0.101-0.7.37.1
    • SUSE Linux Enterprise Server 11-SP2-LTSS (i586):
      • kernel-pae-3.0.101-0.7.37.1
      • kernel-pae-base-3.0.101-0.7.37.1
      • kernel-pae-devel-3.0.101-0.7.37.1
    • SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):
      • kernel-default-debuginfo-3.0.101-0.7.37.1
      • kernel-default-debugsource-3.0.101-0.7.37.1
      • kernel-default-devel-debuginfo-3.0.101-0.7.37.1
      • kernel-trace-debuginfo-3.0.101-0.7.37.1
      • kernel-trace-debugsource-3.0.101-0.7.37.1
      • kernel-trace-devel-debuginfo-3.0.101-0.7.37.1
    • SUSE Linux Enterprise Debuginfo 11-SP2 (i586 x86_64):
      • kernel-ec2-debuginfo-3.0.101-0.7.37.1
      • kernel-ec2-debugsource-3.0.101-0.7.37.1
      • kernel-xen-debuginfo-3.0.101-0.7.37.1
      • kernel-xen-debugsource-3.0.101-0.7.37.1
      • kernel-xen-devel-debuginfo-3.0.101-0.7.37.1
    • SUSE Linux Enterprise Debuginfo 11-SP2 (i586):
      • kernel-pae-debuginfo-3.0.101-0.7.37.1
      • kernel-pae-debugsource-3.0.101-0.7.37.1
      • kernel-pae-devel-debuginfo-3.0.101-0.7.37.1
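
A check for the fixed build in the package list above, added here as an example and not part of SUSE's advisory: it flags installed kernel packages older than 3.0.101-0.7.37.1. The function names and the sample package lines are constructed, and the comparison assumes purely numeric version fields, as in this package list.

```sh
#!/bin/sh
# Added example (not from the advisory): report kernel packages below the fixed build.
FIXED="3.0.101-0.7.37.1"   # version-release taken from the advisory's Package List

# ver_lt A B: succeed if A is older than B.
# Assumption: fields separated by '.' or '-' are all numeric.
# The body runs in a subshell so its variables do not leak.
ver_lt() (
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%[.-]*}; y=${b%%[.-]*}            # first remaining field of each
        case $a in *[.-]*) a=${a#*[.-]} ;; *) a= ;; esac
        case $b in *[.-]*) b=${b#*[.-]} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0  # numeric compare: 9 < 37
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1                                     # equal is not "older"
)

# vulnerable_kernels: read "NAME VERSION-RELEASE" lines on stdin and print
# the kernel flavours named in the advisory that are older than FIXED.
vulnerable_kernels() (
    while read -r name ver; do
        case $name in
            kernel-default*|kernel-trace*|kernel-xen*|kernel-ec2*|kernel-pae*) ;;
            kernel-source|kernel-syms) ;;
            *) continue ;;
        esac
        if ver_lt "$ver" "$FIXED"; then
            printf '%s %s\n' "$name" "$ver"
        fi
    done
)

# Constructed sample input; on a real host feed the function with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | vulnerable_kernels
sample_rpm_output() {
    cat <<'EOF'
kernel-default 3.0.101-0.7.37.1
kernel-default-base 3.0.101-0.7.29.1
kernel-xen 3.0.101-0.7.9.1
kernel-firmware 20110923-0.42.1
bash 3.2-147.9.13
EOF
}

sample_rpm_output | vulnerable_kernels
```

An empty result means every listed kernel package is at or above the fixed build; the updated kernel only runs after a reboot into it.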
