Linux Security
    Linux Security
    Linux Security

    SUSE: 2020:2106-1 important: the Linux Kernel

    Date
    296
    Posted By
    An update that solves 14 vulnerabilities and has 15 fixes is now available.
    
       SUSE Security Update: Security update for the Linux Kernel
    ______________________________________________________________________________
    
    Announcement ID:    SUSE-SU-2020:2106-1
    Rating:             important
    References:         #1051510 #1065729 #1071995 #1104967 #1152107 
                        #1158755 #1162002 #1170011 #1171078 #1171673 
                        #1171732 #1171868 #1172257 #1172775 #1172781 
                        #1172782 #1172783 #1172999 #1173265 #1173280 
                        #1173514 #1173567 #1173573 #1173659 #1173999 
                        #1174000 #1174115 #1174462 #1174543 
    Cross-References:   CVE-2019-16746 CVE-2019-20908 CVE-2020-0305
                        CVE-2020-10766 CVE-2020-10767 CVE-2020-10768
                        CVE-2020-10769 CVE-2020-10773 CVE-2020-12771
                        CVE-2020-12888 CVE-2020-13974 CVE-2020-14416
                        CVE-2020-15393 CVE-2020-15780
    Affected Products:
                        SUSE Linux Enterprise Server for SAP 15
                        SUSE Linux Enterprise Server 15-LTSS
                        SUSE Linux Enterprise Module for Live Patching 15
                        SUSE Linux Enterprise High Performance Computing 15-LTSS
                        SUSE Linux Enterprise High Performance Computing 15-ESPOS
                        SUSE Linux Enterprise High Availability 15
    ______________________________________________________________________________
    
       An update that solves 14 vulnerabilities and has 15 fixes
       is now available.
    
    Description:
    
    
    
       The SUSE Linux Enterprise 15 GA LTSS kernel was updated to receive various
       security and bugfixes.
    
       The following security bugs were fixed:
    
       - CVE-2020-0305: In cdev_get of char_dev.c, there is a possible
         use-after-free due to a race condition. This could lead to local
         escalation of privilege with System execution privileges needed. User
         interaction is not needed for exploitation (bnc#1174462).
       - CVE-2019-20908: An issue was discovered in drivers/firmware/efi/efi.c
         where incorrect access permissions for the efivar_ssdt ACPI variable
         could be used by attackers to bypass lockdown or secure boot
         restrictions, aka CID-1957a85b0032 (bnc#1173567).
       - CVE-2020-15780: An issue was discovered in drivers/acpi/acpi_configfs.c
         where injection of malicious ACPI tables via configfs could be used by
         attackers to bypass lockdown and secure boot restrictions, aka
         CID-75b0cea7bf30 (bnc#1173573).
       - CVE-2020-15393: usbtest_disconnect in drivers/usb/misc/usbtest.c had a
         memory leak, aka CID-28ebeb8db770 (bnc#1173514).
       - CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c has a
         deadlock if a coalescing operation fails (bnc#1171732).
       - CVE-2019-16746: An issue was discovered in net/wireless/nl80211.c which
         did not check the length of variable elements in a beacon head, leading
         to a buffer overflow (bnc#1152107 1173659).
       - CVE-2020-12888: The VFIO PCI driver mishandled attempts to access
         disabled memory space (bnc#1171868).
       - CVE-2020-10769: A buffer over-read flaw was found in
         crypto_authenc_extractkeys in crypto/authenc.c in the IPsec
         Cryptographic algorithm's module, authenc. When a payload longer than 4
         bytes, and is not following 4-byte alignment boundary guidelines, it
         causes a buffer over-read threat, leading to a system crash. This flaw
         allowed a local attacker with user privileges to cause a denial of
         service (bnc#1173265).
       - CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed
         (bnc#1172999).
       - CVE-2020-14416: A race condition in tty->disc_data handling in the slip
         and slcan line discipline could lead to a use-after-free, aka
         CID-0ace17d56824. This affects drivers/net/slip/slip.c and
         drivers/net/can/slcan.c (bnc#1162002).
       - CVE-2020-10768: Indirect branch speculation could have been enabled
         after it was force-disabled by the PR_SPEC_FORCE_DISABLE prctl command.
         (bnc#1172783).
       - CVE-2020-10766: Fixed Rogue cross-process SSBD shutdown, where a Linux
         scheduler logical bug allows an attacker to turn off the SSBD
         protection. (bnc#1172781).
       - CVE-2020-10767: Indirect Branch Prediction Barrier was force-disabled
         when STIBP is unavailable or enhanced IBRS is available.  (bnc#1172782).
       - CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if
         k_ascii is called several times in a row, aka CID-b86dab054059
         (bnc#1172775).
    
       The following non-security bugs were fixed:
    
       - Merge ibmvnic reset fixes (bsc#1158755 ltc#182094).
       - block, bfq: add requeue-request hook (bsc#1104967 bsc#1171673).
       - block, bfq: postpone rq preparation to insert or merge (bsc#1104967
         bsc#1171673).
       - ibmvnic: Do not process device remove during device reset (bsc#1065729).
       - ibmvnic: Flush existing work items before device removal (bsc#1065729).
       - ibmvnic: Harden device login requests (bsc#1170011 ltc#183538).
       - ibmvnic: Skip fatal error reset after passive init (bsc#1171078
         ltc#184239).
       - ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280
         ltc#185369).
       - intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115).
       - livepatch: Apply vmlinux-specific KLP relocations early (bsc#1071995).
       - livepatch: Disallow vmlinux.ko (bsc#1071995).
       - livepatch: Make klp_apply_object_relocs static (bsc#1071995).
       - livepatch: Prevent module-specific KLP rela sections from referencing
         vmlinux symbols (bsc#1071995).
       - livepatch: Remove .klp.arch (bsc#1071995).
       - vfio/pci: Fix SR-IOV VF handling with MMIO blocking (bsc#1051510).
       - vfio/pci: Fix SR-IOV VF handling with MMIO blocking (bsc#1174000).
       - vfio/pci: Mask buggy SR-IOV VF INTx support (bsc#1051510).
       - vfio/pci: Mask buggy SR-IOV VF INTx support (bsc#1173999).
       - x86/{mce,mm}: Unmap the entire page if the whole page is affected and
         poisoned (bsc#1172257).
    
    
    Special Instructions and Notes:
    
       Please reboot the system after installing this update.
    
    Patch Instructions:
    
       To install this SUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
    
       Alternatively you can run the command listed for your product:
    
       - SUSE Linux Enterprise Server for SAP 15:
    
          zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-2106=1
    
       - SUSE Linux Enterprise Server 15-LTSS:
    
          zypper in -t patch SUSE-SLE-Product-SLES-15-2020-2106=1
    
       - SUSE Linux Enterprise Module for Live Patching 15:
    
          zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-2106=1
    
       - SUSE Linux Enterprise High Performance Computing 15-LTSS:
    
          zypper in -t patch SUSE-SLE-Product-HPC-15-2020-2106=1
    
       - SUSE Linux Enterprise High Performance Computing 15-ESPOS:
    
          zypper in -t patch SUSE-SLE-Product-HPC-15-2020-2106=1
    
       - SUSE Linux Enterprise High Availability 15:
    
          zypper in -t patch SUSE-SLE-Product-HA-15-2020-2106=1
    
    
    
    Package List:
    
       - SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64):
    
          kernel-default-4.12.14-150.55.1
          kernel-default-base-4.12.14-150.55.1
          kernel-default-debuginfo-4.12.14-150.55.1
          kernel-default-debugsource-4.12.14-150.55.1
          kernel-default-devel-4.12.14-150.55.1
          kernel-default-devel-debuginfo-4.12.14-150.55.1
          kernel-obs-build-4.12.14-150.55.1
          kernel-obs-build-debugsource-4.12.14-150.55.1
          kernel-syms-4.12.14-150.55.1
          kernel-vanilla-base-4.12.14-150.55.1
          kernel-vanilla-base-debuginfo-4.12.14-150.55.1
          kernel-vanilla-debuginfo-4.12.14-150.55.1
          kernel-vanilla-debugsource-4.12.14-150.55.1
          reiserfs-kmp-default-4.12.14-150.55.1
          reiserfs-kmp-default-debuginfo-4.12.14-150.55.1
    
       - SUSE Linux Enterprise Server for SAP 15 (noarch):
    
          kernel-devel-4.12.14-150.55.1
          kernel-docs-4.12.14-150.55.1
          kernel-macros-4.12.14-150.55.1
          kernel-source-4.12.14-150.55.1
    
       - SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x):
    
          kernel-default-4.12.14-150.55.1
          kernel-default-base-4.12.14-150.55.1
          kernel-default-debuginfo-4.12.14-150.55.1
          kernel-default-debugsource-4.12.14-150.55.1
          kernel-default-devel-4.12.14-150.55.1
          kernel-default-devel-debuginfo-4.12.14-150.55.1
          kernel-obs-build-4.12.14-150.55.1
          kernel-obs-build-debugsource-4.12.14-150.55.1
          kernel-syms-4.12.14-150.55.1
          kernel-vanilla-base-4.12.14-150.55.1
          kernel-vanilla-base-debuginfo-4.12.14-150.55.1
          kernel-vanilla-debuginfo-4.12.14-150.55.1
          kernel-vanilla-debugsource-4.12.14-150.55.1
          reiserfs-kmp-default-4.12.14-150.55.1
          reiserfs-kmp-default-debuginfo-4.12.14-150.55.1
    
       - SUSE Linux Enterprise Server 15-LTSS (noarch):
    
          kernel-devel-4.12.14-150.55.1
          kernel-docs-4.12.14-150.55.1
          kernel-macros-4.12.14-150.55.1
          kernel-source-4.12.14-150.55.1
    
       - SUSE Linux Enterprise Server 15-LTSS (s390x):
    
          kernel-default-man-4.12.14-150.55.1
          kernel-zfcpdump-debuginfo-4.12.14-150.55.1
          kernel-zfcpdump-debugsource-4.12.14-150.55.1
    
       - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64):
    
          kernel-default-debuginfo-4.12.14-150.55.1
          kernel-default-debugsource-4.12.14-150.55.1
          kernel-default-livepatch-4.12.14-150.55.1
          kernel-livepatch-4_12_14-150_55-default-1-1.3.1
          kernel-livepatch-4_12_14-150_55-default-debuginfo-1-1.3.1
    
       - SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64):
    
          kernel-default-4.12.14-150.55.1
          kernel-default-base-4.12.14-150.55.1
          kernel-default-debuginfo-4.12.14-150.55.1
          kernel-default-debugsource-4.12.14-150.55.1
          kernel-default-devel-4.12.14-150.55.1
          kernel-default-devel-debuginfo-4.12.14-150.55.1
          kernel-obs-build-4.12.14-150.55.1
          kernel-obs-build-debugsource-4.12.14-150.55.1
          kernel-syms-4.12.14-150.55.1
          kernel-vanilla-base-4.12.14-150.55.1
          kernel-vanilla-base-debuginfo-4.12.14-150.55.1
          kernel-vanilla-debuginfo-4.12.14-150.55.1
          kernel-vanilla-debugsource-4.12.14-150.55.1
    
       - SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch):
    
          kernel-devel-4.12.14-150.55.1
          kernel-docs-4.12.14-150.55.1
          kernel-macros-4.12.14-150.55.1
          kernel-source-4.12.14-150.55.1
    
       - SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64):
    
          kernel-default-4.12.14-150.55.1
          kernel-default-base-4.12.14-150.55.1
          kernel-default-debuginfo-4.12.14-150.55.1
          kernel-default-debugsource-4.12.14-150.55.1
          kernel-default-devel-4.12.14-150.55.1
          kernel-default-devel-debuginfo-4.12.14-150.55.1
          kernel-obs-build-4.12.14-150.55.1
          kernel-obs-build-debugsource-4.12.14-150.55.1
          kernel-syms-4.12.14-150.55.1
          kernel-vanilla-base-4.12.14-150.55.1
          kernel-vanilla-base-debuginfo-4.12.14-150.55.1
          kernel-vanilla-debuginfo-4.12.14-150.55.1
          kernel-vanilla-debugsource-4.12.14-150.55.1
    
       - SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch):
    
          kernel-devel-4.12.14-150.55.1
          kernel-docs-4.12.14-150.55.1
          kernel-macros-4.12.14-150.55.1
          kernel-source-4.12.14-150.55.1
    
       - SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64):
    
          cluster-md-kmp-default-4.12.14-150.55.1
          cluster-md-kmp-default-debuginfo-4.12.14-150.55.1
          dlm-kmp-default-4.12.14-150.55.1
          dlm-kmp-default-debuginfo-4.12.14-150.55.1
          gfs2-kmp-default-4.12.14-150.55.1
          gfs2-kmp-default-debuginfo-4.12.14-150.55.1
          kernel-default-debuginfo-4.12.14-150.55.1
          kernel-default-debugsource-4.12.14-150.55.1
          ocfs2-kmp-default-4.12.14-150.55.1
          ocfs2-kmp-default-debuginfo-4.12.14-150.55.1
    
    
    References:
    
       https://www.suse.com/security/cve/CVE-2019-16746.html
       https://www.suse.com/security/cve/CVE-2019-20908.html
       https://www.suse.com/security/cve/CVE-2020-0305.html
       https://www.suse.com/security/cve/CVE-2020-10766.html
       https://www.suse.com/security/cve/CVE-2020-10767.html
       https://www.suse.com/security/cve/CVE-2020-10768.html
       https://www.suse.com/security/cve/CVE-2020-10769.html
       https://www.suse.com/security/cve/CVE-2020-10773.html
       https://www.suse.com/security/cve/CVE-2020-12771.html
       https://www.suse.com/security/cve/CVE-2020-12888.html
       https://www.suse.com/security/cve/CVE-2020-13974.html
       https://www.suse.com/security/cve/CVE-2020-14416.html
       https://www.suse.com/security/cve/CVE-2020-15393.html
       https://www.suse.com/security/cve/CVE-2020-15780.html
       https://bugzilla.suse.com/1051510
       https://bugzilla.suse.com/1065729
       https://bugzilla.suse.com/1071995
       https://bugzilla.suse.com/1104967
       https://bugzilla.suse.com/1152107
       https://bugzilla.suse.com/1158755
       https://bugzilla.suse.com/1162002
       https://bugzilla.suse.com/1170011
       https://bugzilla.suse.com/1171078
       https://bugzilla.suse.com/1171673
       https://bugzilla.suse.com/1171732
       https://bugzilla.suse.com/1171868
       https://bugzilla.suse.com/1172257
       https://bugzilla.suse.com/1172775
       https://bugzilla.suse.com/1172781
       https://bugzilla.suse.com/1172782
       https://bugzilla.suse.com/1172783
       https://bugzilla.suse.com/1172999
       https://bugzilla.suse.com/1173265
       https://bugzilla.suse.com/1173280
       https://bugzilla.suse.com/1173514
       https://bugzilla.suse.com/1173567
       https://bugzilla.suse.com/1173573
       https://bugzilla.suse.com/1173659
       https://bugzilla.suse.com/1173999
       https://bugzilla.suse.com/1174000
       https://bugzilla.suse.com/1174115
       https://bugzilla.suse.com/1174462
       https://bugzilla.suse.com/1174543
    
    _______________________________________________
    sle-security-updates mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://lists.suse.com/mailman/listinfo/sle-security-updates
    

    Advisories

    LinuxSecurity Poll

    Tails is the most secure Linux distro out there.

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).
    /main-polls/41-ubuntu-is-a-more-secure-distro-than-fedora?task=poll.vote&format=json
    41
    radio
    [{"id":"142","title":"Yes - Tails get my vote!","votes":"1","type":"x","order":"1","pct":100,"resources":[]},{"id":"143","title":"Nope - Parrot OS has surpassed Tails in its security and privacy.","votes":"0","type":"x","order":"2","pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350


    VIEW MORE POLLS

    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.