Security update for kernel live patch 5

SUSE Security Update: Security update for kernel live patch 5
Announcement ID: SUSE-SU-2016:0383-1
Rating: important
References: #916225 #940342 #951542 #951625 #953052 #954005 #958601
Affected Products:
  • SUSE Linux Enterprise Live Patching 12

  • An update that solves 5 vulnerabilities and has two fixes is now available.

    Description:


    This kernel live patch for Linux Kernel 3.12.43-52.6.1 fixes security
    issues and bugs:

    Security issues fixed:
    - CVE-2015-8539: A negatively instantiated user key could have been used
    by a local user to leverage privileges (bnc#958601).

    - CVE-2015-6937: A NULL pointer dereference flaw was found in the Reliable
    Datagram Sockets (RDS) implementation allowing a local user to cause
    system DoS. A verification was missing that the underlying transport
    exists when a connection was created. (bsc#953052)

    - CVE-2015-7990: RDS: Verify the underlying transport exists before
    creating a connection, preventing possible DoS (bsc#953052).

    - CVE-2015-7872: Possible crash when trying to garbage collect an
    uninstantiated keyring (bsc#951542).

    - CVE-2015-2925: The prepend_path function in fs/dcache.c in the Linux
    kernel did not properly handle rename actions inside a bind mount, which
    allowed local users to bypass an intended container protection mechanism
    by renaming a directory, related to a "double-chroot attack (bnc#951625).

    Non-security bugfix were also done:
    - xfs: Fix lost direct IO write in the last block (bsc#954005).
    - simple fix in kallsyms initialization (bsc#940342 bsc#916225)

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Live Patching 12:
      zypper in -t patch SUSE-SLE-Live-Patching-12-2016-219=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Live Patching 12 (x86_64):
      • kgraft-patch-3_12_43-52_6-default-4-2.1
      • kgraft-patch-3_12_43-52_6-xen-4-2.1

    References: