Security update for the Linux Kernel
| Announcement ID: | SUSE-SU-2022:3408-1 |
|---|---|
| Rating: | important |
| References: |
|
| Cross-References: | |
| CVSS scores: |
|
| Affected Products: |
|
An update that solves 15 vulnerabilities and has 12 security fixes can now be installed.
Description:
The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:
- CVE-2020-36516: Fixed an issue in the mixed IPID assignment method where an attacker was able to inject data into or terminate a victim's TCP session (bnc#1196616).
- CVE-2021-4203: Fixed use-after-free read flaw that was found in sock_getsockopt() in net/core/sock.c due to SO_PEERCRED and SO_PEERGROUPS race with listen() (bnc#1194535).
- CVE-2022-1012: Fixed a memory leak problem that was found in the TCP source port generation algorithm in net/ipv4/tcp.c (bnc#1199482).
- CVE-2022-20368: Fixed slab-out-of-bounds access in packet_recvmsg() (bsc#1202346).
- CVE-2022-20369: Fixed out of bounds write in v4l2_m2m_querybuf of v4l2-mem2mem.c (bnc#1202347).
- CVE-2022-21385: Fixed a flaw in net_rds_alloc_sgs() that allowed unprivileged local users to crash the machine (bnc#1202897).
- CVE-2022-2588: Fixed use-after-free in cls_route (bsc#1202096).
- CVE-2022-26373: Fixed non-transparent sharing of return predictor targets between contexts in some Intel Processors (bnc#1201726).
- CVE-2022-2639: Fixed an integer coercion error that was found in the openvswitch kernel module (bnc#1202154).
- CVE-2022-2663: Fixed an issue that was found in nf_conntrack_irc where the message handling could be confused and incorrectly matches the message (bnc#1202097).
- CVE-2022-29581: Fixed improper update of reference count vulnerability in net/sched that allowed a local attacker to cause privilege escalation to root (bnc#1199665).
- CVE-2022-2977: Fixed reference counting for struct tpm_chip (bsc#1202672).
- CVE-2022-3028: Fixed race condition that was found in the IP framework for transforming packets (XFRM subsystem) (bnc#1202898).
- CVE-2022-36879: Fixed an issue in xfrm_expand_policies in net/xfrm/xfrm_policy.c where a refcount could be dropped twice (bnc#1201948).
- CVE-2022-39188: Fixed race condition in include/asm-generic/tlb.h where a device driver can free a page while it still has stale TLB entries (bnc#1203107).
The following non-security bugs were fixed:
- rpm: Fix parsing of rpm/macros.kernel-source on SLE12 (bsc#1201019).
- cifs: fix error paths in cifs_tree_connect() (bsc#1177440).
- cifs: fix uninitialized pointer in error case in dfs_cache_get_tgt_share (bsc#1188944).
- cifs: report error instead of invalid when revalidating a dentry fails (bsc#1177440).
- cifs: skip trailing separators of prefix paths (bsc#1188944).
- kernel-obs-build: include qemu_fw_cfg (boo#1201705)
- lightnvm: Remove lightnvm implemenation (bsc#1191881 bsc#1201420 ZDI-CAN-17325).
- md/bitmap: do not set sb values if can't pass sanity check (bsc#1197158).
- mm/rmap.c: do not reuse anon_vma if we just want a copy (git-fixes, bsc#1203098).
- mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse (git-fixes, bsc#1203098).
- net_sched: cls_route: disallow handle of 0 (bsc#1202393).
- net_sched: cls_route: disallow handle of 0 (bsc#1202393).
- objtool: Add --backtrace support (bsc#1202396).
- objtool: Add support for intra-function calls (bsc#1202396).
- objtool: Allow no-op CFI ops in alternatives (bsc#1202396).
- objtool: Convert insn type to enum (bsc#1202396).
- objtool: Do not use ignore flag for fake jumps (bsc#1202396).
- objtool: Fix !CFI insn_state propagation (bsc#1202396).
- objtool: Fix ORC vs alternatives (bsc#1202396).
- objtool: Fix sibling call detection (bsc#1202396).
- objtool: Make handle_insn_ops() unconditional (bsc#1202396).
- objtool: Remove INSN_STACK (bsc#1202396).
- objtool: Remove check preventing branches within alternative (bsc#1202396).
- objtool: Rename elf_open() to prevent conflict with libelf from elftoolchain (bsc#1202396).
- objtool: Rename struct cfi_state (bsc#1202396).
- objtool: Rework allocating stack_ops on decode (bsc#1202396).
- objtool: Rewrite alt->skip_orig (bsc#1202396).
- objtool: Set insn->func for alternatives (bsc#1202396).
- objtool: Support conditional retpolines (bsc#1202396).
- objtool: Support multiple stack_op per instruction (bsc#1202396).
- objtool: Track original function across branches (bsc#1202396).
- objtool: Uniquely identify alternative instruction groups (bsc#1202396).
- objtool: Use Elf_Scn typedef instead of assuming struct name (bsc#1202396).
- tcp: add some entropy in __inet_hash_connect() (bsc#1180153 bsc#1202335).
- tcp: change source port randomizarion at connect() time (bsc#1180153 bsc#1202335).
Special Instructions and Notes:
- Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2022-3408=1 -
SUSE Linux Enterprise Live Patching 15-SP1
zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2022-3408=1 -
SUSE Linux Enterprise High Availability Extension 15 SP1
zypper in -t patch SUSE-SLE-Product-HA-15-SP1-2022-3408=1 -
SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-3408=1 -
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-3408=1 -
SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2022-3408=1 -
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-3408=1 -
SUSE Linux Enterprise Server for SAP Applications 15 SP1
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2022-3408=1 -
SUSE Enterprise Storage 6
zypper in -t patch SUSE-Storage-6-2022-3408=1 -
SUSE CaaS Platform 4.0
To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List:
-
openSUSE Leap 15.4 (nosrc)
- kernel-kvmsmall-4.12.14-150100.197.123.1
- kernel-debug-4.12.14-150100.197.123.1
- kernel-default-4.12.14-150100.197.123.1
- kernel-zfcpdump-4.12.14-150100.197.123.1
-
openSUSE Leap 15.4 (ppc64le x86_64)
- kernel-debug-base-debuginfo-4.12.14-150100.197.123.1
- kernel-debug-base-4.12.14-150100.197.123.1
-
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
- kernel-vanilla-devel-debuginfo-4.12.14-150100.197.123.1
- kernel-vanilla-livepatch-devel-4.12.14-150100.197.123.1
- kernel-default-base-debuginfo-4.12.14-150100.197.123.1
- kernel-vanilla-base-debuginfo-4.12.14-150100.197.123.1
- kernel-vanilla-debugsource-4.12.14-150100.197.123.1
- kernel-vanilla-base-4.12.14-150100.197.123.1
- kernel-vanilla-devel-4.12.14-150100.197.123.1
- kernel-vanilla-debuginfo-4.12.14-150100.197.123.1
-
openSUSE Leap 15.4 (x86_64)
- kernel-kvmsmall-base-debuginfo-4.12.14-150100.197.123.1
- kernel-kvmsmall-base-4.12.14-150100.197.123.1
-
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64 nosrc)
- kernel-vanilla-4.12.14-150100.197.123.1
-
openSUSE Leap 15.4 (s390x)
- kernel-default-man-4.12.14-150100.197.123.1
- kernel-zfcpdump-man-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Live Patching 15-SP1 (nosrc)
- kernel-default-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Live Patching 15-SP1 (ppc64le x86_64)
- kernel-default-livepatch-4.12.14-150100.197.123.1
- kernel-default-debugsource-4.12.14-150100.197.123.1
- kernel-default-debuginfo-4.12.14-150100.197.123.1
- kernel-default-livepatch-devel-4.12.14-150100.197.123.1
- kernel-livepatch-4_12_14-150100_197_123-default-1-150100.3.3.1
-
SUSE Linux Enterprise High Availability Extension 15 SP1 (aarch64 ppc64le s390x x86_64)
- dlm-kmp-default-debuginfo-4.12.14-150100.197.123.1
- cluster-md-kmp-default-debuginfo-4.12.14-150100.197.123.1
- cluster-md-kmp-default-4.12.14-150100.197.123.1
- kernel-default-debugsource-4.12.14-150100.197.123.1
- kernel-default-debuginfo-4.12.14-150100.197.123.1
- dlm-kmp-default-4.12.14-150100.197.123.1
- gfs2-kmp-default-debuginfo-4.12.14-150100.197.123.1
- ocfs2-kmp-default-4.12.14-150100.197.123.1
- gfs2-kmp-default-4.12.14-150100.197.123.1
- ocfs2-kmp-default-debuginfo-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise High Availability Extension 15 SP1 (nosrc)
- kernel-default-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1 (aarch64 nosrc x86_64)
- kernel-default-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1 (aarch64 x86_64)
- kernel-obs-build-debugsource-4.12.14-150100.197.123.1
- kernel-default-debugsource-4.12.14-150100.197.123.1
- kernel-default-base-4.12.14-150100.197.123.1
- kernel-default-base-debuginfo-4.12.14-150100.197.123.1
- kernel-default-debuginfo-4.12.14-150100.197.123.1
- kernel-syms-4.12.14-150100.197.123.1
- kernel-default-devel-debuginfo-4.12.14-150100.197.123.1
- kernel-obs-build-4.12.14-150100.197.123.1
- kernel-default-devel-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1 (noarch)
- kernel-source-4.12.14-150100.197.123.1
- kernel-devel-4.12.14-150100.197.123.1
- kernel-macros-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise High Performance Computing 15 SP1 ESPOS 15-SP1 (noarch nosrc)
- kernel-docs-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64 nosrc x86_64)
- kernel-default-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (aarch64 x86_64)
- kernel-obs-build-debugsource-4.12.14-150100.197.123.1
- kernel-default-debugsource-4.12.14-150100.197.123.1
- kernel-default-base-4.12.14-150100.197.123.1
- kernel-default-base-debuginfo-4.12.14-150100.197.123.1
- kernel-default-debuginfo-4.12.14-150100.197.123.1
- kernel-syms-4.12.14-150100.197.123.1
- kernel-default-devel-debuginfo-4.12.14-150100.197.123.1
- kernel-obs-build-4.12.14-150100.197.123.1
- kernel-default-devel-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (noarch)
- kernel-source-4.12.14-150100.197.123.1
- kernel-devel-4.12.14-150100.197.123.1
- kernel-macros-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (noarch nosrc)
- kernel-docs-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 (nosrc x86_64)
- kernel-default-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 (x86_64)
- kernel-obs-build-debugsource-4.12.14-150100.197.123.1
- kernel-default-debugsource-4.12.14-150100.197.123.1
- kernel-default-base-4.12.14-150100.197.123.1
- kernel-default-base-debuginfo-4.12.14-150100.197.123.1
- reiserfs-kmp-default-debuginfo-4.12.14-150100.197.123.1
- kernel-default-debuginfo-4.12.14-150100.197.123.1
- reiserfs-kmp-default-4.12.14-150100.197.123.1
- kernel-syms-4.12.14-150100.197.123.1
- kernel-default-devel-debuginfo-4.12.14-150100.197.123.1
- kernel-obs-build-4.12.14-150100.197.123.1
- kernel-default-devel-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 (noarch)
- kernel-source-4.12.14-150100.197.123.1
- kernel-devel-4.12.14-150100.197.123.1
- kernel-macros-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server 15 SP1 Business Critical Linux 15-SP1 (noarch nosrc)
- kernel-docs-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (aarch64 ppc64le s390x x86_64 nosrc)
- kernel-default-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (aarch64 ppc64le s390x x86_64)
- kernel-obs-build-debugsource-4.12.14-150100.197.123.1
- kernel-default-debugsource-4.12.14-150100.197.123.1
- kernel-default-base-4.12.14-150100.197.123.1
- kernel-default-base-debuginfo-4.12.14-150100.197.123.1
- reiserfs-kmp-default-debuginfo-4.12.14-150100.197.123.1
- kernel-default-debuginfo-4.12.14-150100.197.123.1
- reiserfs-kmp-default-4.12.14-150100.197.123.1
- kernel-syms-4.12.14-150100.197.123.1
- kernel-default-devel-debuginfo-4.12.14-150100.197.123.1
- kernel-obs-build-4.12.14-150100.197.123.1
- kernel-default-devel-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (noarch)
- kernel-source-4.12.14-150100.197.123.1
- kernel-devel-4.12.14-150100.197.123.1
- kernel-macros-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (noarch nosrc)
- kernel-docs-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (s390x)
- kernel-zfcpdump-debuginfo-4.12.14-150100.197.123.1
- kernel-default-man-4.12.14-150100.197.123.1
- kernel-zfcpdump-debugsource-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (nosrc)
- kernel-zfcpdump-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (nosrc ppc64le x86_64)
- kernel-default-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (ppc64le x86_64)
- kernel-obs-build-debugsource-4.12.14-150100.197.123.1
- kernel-default-debugsource-4.12.14-150100.197.123.1
- kernel-default-base-4.12.14-150100.197.123.1
- kernel-default-base-debuginfo-4.12.14-150100.197.123.1
- reiserfs-kmp-default-debuginfo-4.12.14-150100.197.123.1
- kernel-default-debuginfo-4.12.14-150100.197.123.1
- reiserfs-kmp-default-4.12.14-150100.197.123.1
- kernel-syms-4.12.14-150100.197.123.1
- kernel-default-devel-debuginfo-4.12.14-150100.197.123.1
- kernel-obs-build-4.12.14-150100.197.123.1
- kernel-default-devel-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (noarch)
- kernel-source-4.12.14-150100.197.123.1
- kernel-devel-4.12.14-150100.197.123.1
- kernel-macros-4.12.14-150100.197.123.1
-
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (noarch nosrc)
- kernel-docs-4.12.14-150100.197.123.1
-
SUSE Enterprise Storage 6 (aarch64 nosrc x86_64)
- kernel-default-4.12.14-150100.197.123.1
-
SUSE Enterprise Storage 6 (aarch64 x86_64)
- kernel-obs-build-debugsource-4.12.14-150100.197.123.1
- kernel-default-debugsource-4.12.14-150100.197.123.1
- kernel-default-base-4.12.14-150100.197.123.1
- kernel-default-base-debuginfo-4.12.14-150100.197.123.1
- reiserfs-kmp-default-debuginfo-4.12.14-150100.197.123.1
- kernel-default-debuginfo-4.12.14-150100.197.123.1
- reiserfs-kmp-default-4.12.14-150100.197.123.1
- kernel-syms-4.12.14-150100.197.123.1
- kernel-default-devel-debuginfo-4.12.14-150100.197.123.1
- kernel-obs-build-4.12.14-150100.197.123.1
- kernel-default-devel-4.12.14-150100.197.123.1
-
SUSE Enterprise Storage 6 (noarch)
- kernel-source-4.12.14-150100.197.123.1
- kernel-devel-4.12.14-150100.197.123.1
- kernel-macros-4.12.14-150100.197.123.1
-
SUSE Enterprise Storage 6 (noarch nosrc)
- kernel-docs-4.12.14-150100.197.123.1
-
SUSE CaaS Platform 4.0 (nosrc x86_64)
- kernel-default-4.12.14-150100.197.123.1
-
SUSE CaaS Platform 4.0 (x86_64)
- kernel-obs-build-debugsource-4.12.14-150100.197.123.1
- kernel-default-debugsource-4.12.14-150100.197.123.1
- kernel-default-base-4.12.14-150100.197.123.1
- kernel-default-base-debuginfo-4.12.14-150100.197.123.1
- reiserfs-kmp-default-debuginfo-4.12.14-150100.197.123.1
- kernel-default-debuginfo-4.12.14-150100.197.123.1
- reiserfs-kmp-default-4.12.14-150100.197.123.1
- kernel-syms-4.12.14-150100.197.123.1
- kernel-default-devel-debuginfo-4.12.14-150100.197.123.1
- kernel-obs-build-4.12.14-150100.197.123.1
- kernel-default-devel-4.12.14-150100.197.123.1
-
SUSE CaaS Platform 4.0 (noarch)
- kernel-source-4.1