Security update for the Linux Kernel
Announcement ID: | SUSE-SU-2018:1482-1 |
---|---|
Rating: | important |
References: | |
Affected Products: |
|
An update that has 12 security fixes can now be installed.
Description:
The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various security and bugfixes.
This update main focus is a regression fix in SystemV IPC handling. (bsc#1093600)
The following non-security bugs were fixed:
- Drop cBPF SSBD as classic BPF does not really have a proper concept of pointers, and without eBPF maps the out-of-bounds access in speculative execution branch can't be mounted. Moreoever, seccomp BPF uses only such a subset of BPF that can only do absolute indexing, and therefore seccomp data buffer boundarier can't be crossed. Information condensed from Alexei and Kees.
- ibrs used instead of retpoline on Haswell processor with spectre_v2=retpoline (bsc#1092497)
- ib/mlx4: Convert slave port before building address-handle (bug#919382 FATE#317529).
- KABI protect struct _lowcore (bsc#1089386).
- Update config files, add Spectre mitigation for s390x (bnc#1089386, LTC#166572).
- Update s390 config files (bsc#1089386).
- fanotify: fix logic of events on child (bsc#1013018).
- ipc/msg: Fix faulty parsing of msgctl args (bsc#1093600,bsc#1072689).
- ocfs2/dlm: Fix up kABI in dlm_ctxt (bsc#1070404).
- ocfs2/dlm: wait for dlm recovery done when migrating all lock resources (bsc#1013018).
- powerpc, KVM: Split HVMODE_206 cpu feature bit into separate HV and architecture bits (bsc#1087082).
- powerpc: Fix /proc/cpuinfo revision for POWER9 DD2 (FATE#325713, bsc#1093710).
- s390/cio: update chpid descriptor after resource accessibility event (bnc#1091659, LTC#167429).
- s390/dasd: fix IO error for newly defined devices (bnc#1091659, LTC#167398).
- s390/qdio: fix access to uninitialized qdio_q fields (bnc#1091659, LTC#168037).
- s390/qeth: on channel error, reject further cmd requests (bnc#1088343, LTC#165985).
- s390: add automatic detection of the spectre defense (bnc#1089386, LTC#166572).
- s390: add optimized array_index_mask_nospec (bnc#1089386, LTC#166572).
- s390: add sysfs attributes for spectre (bnc#1089386, LTC#166572).
- s390: correct module section names for expoline code revert (bsc#1089386).
- s390: correct nospec auto detection init order (bnc#1089386, LTC#166572).
- s390: do not bypass BPENTER for interrupt system calls (bnc#1089386, LTC#166572).
- s390: fix retpoline build on 31bit (bsc#1089386).
- s390: improve cpu alternative handling for gmb and nobp (bnc#1089386, LTC#166572).
- s390: introduce execute-trampolines for branches (bnc#1089386, LTC#166572).
- s390: move nobp parameter functions to nospec-branch.c (bnc#1089386, LTC#166572).
- s390: report spectre mitigation via syslog (bnc#1089386, LTC#166572).
- s390: run user space and KVM guests with modified branch prediction (bnc#1089386, LTC#166572).
- s390: scrub registers on kernel entry and KVM exit (bnc#1089386, LTC#166572).
- x86, mce: Fix mce_start_timer semantics (bsc#1090607).
- x86/kaiser: symbol kaiser_set_shadow_pgd() exported with non GPL
Special Instructions and Notes:
- Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
SUSE Linux Enterprise Software Development Kit 11 SP4
zypper in -t patch sdksp4-kernel-20180526-13635=1
-
SUSE Linux Enterprise Server 11 SP4
zypper in -t patch slessp4-kernel-20180526-13635=1
-
SLES for SAP Applications 11-SP4
zypper in -t patch slessp4-kernel-20180526-13635=1
Package List:
-
SUSE Linux Enterprise Software Development Kit 11 SP4 (noarch)
- kernel-docs-3.0.101-108.52.2
-
SUSE Linux Enterprise Server 11 SP4 (s390x x86_64 i586 ppc64 ia64 nosrc)
- kernel-default-3.0.101-108.52.1
- kernel-trace-3.0.101-108.52.1
-
SUSE Linux Enterprise Server 11 SP4 (s390x x86_64 i586 ppc64 ia64)
- kernel-default-devel-3.0.101-108.52.1
- kernel-trace-devel-3.0.101-108.52.1
- kernel-trace-base-3.0.101-108.52.1
- kernel-source-3.0.101-108.52.1
- kernel-default-base-3.0.101-108.52.1
- kernel-syms-3.0.101-108.52.1
-
SUSE Linux Enterprise Server 11 SP4 (nosrc x86_64 i586)
- kernel-ec2-3.0.101-108.52.1
- kernel-xen-3.0.101-108.52.1
-
SUSE Linux Enterprise Server 11 SP4 (x86_64 i586)
- kernel-xen-base-3.0.101-108.52.1
- kernel-ec2-base-3.0.101-108.52.1
- kernel-ec2-devel-3.0.101-108.52.1
- kernel-xen-devel-3.0.101-108.52.1
-
SUSE Linux Enterprise Server 11 SP4 (nosrc i586)
- kernel-pae-3.0.101-108.52.1
-
SUSE Linux Enterprise Server 11 SP4 (i586)
- kernel-pae-base-3.0.101-108.52.1
- kernel-pae-devel-3.0.101-108.52.1
-
SUSE Linux Enterprise Server 11 SP4 (ppc64 nosrc)
- kernel-bigmem-3.0.101-108.52.1
- kernel-ppc64-3.0.101-108.52.1
-
SUSE Linux Enterprise Server 11 SP4 (ppc64)
- kernel-ppc64-devel-3.0.101-108.52.1
- kernel-bigmem-devel-3.0.101-108.52.1
- kernel-ppc64-base-3.0.101-108.52.1
- kernel-bigmem-base-3.0.101-108.52.1
-
SUSE Linux Enterprise Server 11 SP4 (s390x)
- kernel-default-man-3.0.101-108.52.1
-
SLES for SAP Applications 11-SP4 (ppc64 nosrc)
- kernel-bigmem-3.0.101-108.52.1
- kernel-ppc64-3.0.101-108.52.1
-
SLES for SAP Applications 11-SP4 (ppc64)
- kernel-ppc64-devel-3.0.101-108.52.1
- kernel-bigmem-devel-3.0.101-108.52.1
- kernel-ppc64-base-3.0.101-108.52.1
- kernel-bigmem-base-3.0.101-108.52.1
-
SLES for SAP Applications 11-SP4 (ppc64 nosrc x86_64)
- kernel-default-3.0.101-108.52.1
- kernel-trace-3.0.101-108.52.1
-
SLES for SAP Applications 11-SP4 (ppc64 x86_64)
- kernel-default-devel-3.0.101-108.52.1
- kernel-trace-devel-3.0.101-108.52.1
- kernel-trace-base-3.0.101-108.52.1
- kernel-source-3.0.101-108.52.1
- kernel-default-base-3.0.101-108.52.1
- kernel-syms-3.0.101-108.52.1
-
SLES for SAP Applications 11-SP4 (nosrc x86_64)
- kernel-ec2-3.0.101-108.52.1
- kernel-xen-3.0.101-108.52.1
-
SLES for SAP Applications 11-SP4 (x86_64)
- kernel-xen-base-3.0.101-108.52.1
- kernel-ec2-base-3.0.101-108.52.1
- kernel-ec2-devel-3.0.101-108.52.1
- kernel-xen-devel-3.0.101-108.52.1
References:
- https://bugzilla.suse.com/show_bug.cgi?id=1013018
- https://bugzilla.suse.com/show_bug.cgi?id=1070404
- https://bugzilla.suse.com/show_bug.cgi?id=1072689
- https://bugzilla.suse.com/show_bug.cgi?id=1087082
- https://bugzilla.suse.com/show_bug.cgi?id=1088343
- https://bugzilla.suse.com/show_bug.cgi?id=1089386
- https://bugzilla.suse.com/show_bug.cgi?id=1090607
- https://bugzilla.suse.com/show_bug.cgi?id=1091659
- https://bugzilla.suse.com/show_bug.cgi?id=1092497
- https://bugzilla.suse.com/show_bug.cgi?id=1093600
- https://bugzilla.suse.com/show_bug.cgi?id=1093710
- https://bugzilla.suse.com/show_bug.cgi?id=919382