[security-announce] SUSE-SU-2014:0537-1: important: Security update for Linux kernel

SUSE Security Update: Security update for Linux kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0537-1
Rating:             important
References:         #599263 #769035 #769644 #793727 #798050 #805114
                    #805740 #820434 #823618 #827670 #833968 #844513
                    #845378 #845621 #846654 #846790 #846984 #847672
                    #848055 #849364 #849855 #851603 #852153 #852488
                    #852967 #853052 #853162 #853166 #853455 #854025
                    #854445 #854516 #855825 #855885 #856848 #857358
                    #857643 #857919 #858534 #858604 #858831 #859225
                    #859342 #861093 #862796 #862957 #863178 #863526
                    #864025 #864058 #864833 #864880 #865342 #865783
                    #866253 #866428 #870801
Cross-References:   CVE-2013-4470 CVE-2013-6368 CVE-2013-6885
                    CVE-2013-7263 CVE-2013-7264 CVE-2013-7265
                    CVE-2014-0069
Affected Products:
                    SUSE Linux Enterprise Real Time Extension 11 SP3
______________________________________________________________________________

An update that solves 7 vulnerabilities and has 50 fixes is
now available. It includes one version update.

 

Description:

The SUSE Linux Enterprise 11 Service Pack 3 RealTime
Extension kernel has been updated to fix various bugs and
security issues.

------------------------------------------------------------------------
WARNING: If you are running KVM with PCI
pass-through on a system with one of the following Intel
chipsets: 5500 (revision 0x13), 5520 (revision 0x13) or
X58 (revisions 0x12, 0x13, 0x22), please make sure to read
the following support document before installing this
update: https://www.suse.com/support/kb/doc.php?id=7014344

You will have to update your KVM setup to no longer make use
of PCI pass-through before rebooting to the updated
kernel.
------------------------------------------------------------------------

 

The following security bugs have been fixed:

* CVE-2013-4470: The Linux kernel before 3.12, when UDP
  Fragmentation Offload (UFO) is enabled, does not properly
  initialize certain data structures, which allows local
  users to cause a denial of service (memory corruption and
  system crash) or possibly gain privileges via a crafted
  application that uses the UDP_CORK option in a setsockopt
  system call and sends both short and long packets, related
  to the ip_ufo_append_data function in net/ipv4/ip_output.c
  and the ip6_ufo_append_data function in
  net/ipv6/ip6_output.c. (bnc#847672)

* CVE-2013-6368: The KVM subsystem in the Linux kernel
  through 3.12.5 allows local users to gain privileges or
  cause a denial of service (system crash) via a VAPIC
  synchronization operation involving a page-end address.
  (bnc#853052)

* CVE-2013-6885: The microcode on AMD 16h 00h through
  0Fh processors does not properly handle the interaction
  between locked instructions and write-combined memory
  types, which allows local users to cause a denial of
  service (system hang) via a crafted application, aka the
  errata 793 issue. (bnc#852967)

* CVE-2013-7263: The Linux kernel before 3.12.4 updates
  certain length values before ensuring that associated data
  structures have been initialized, which allows local users
  to obtain sensitive information from kernel stack memory
  via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system
  call, related to net/ipv4/ping.c, net/ipv4/raw.c,
  net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c.
  (bnc#857643)

* CVE-2013-7264: The l2tp_ip_recvmsg function in
  net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4
  updates a certain length value before ensuring that an
  associated data structure has been initialized, which
  allows local users to obtain sensitive information from
  kernel stack memory via a (1) recvfrom, (2) recvmmsg, or
  (3) recvmsg system call. (bnc#857643)

* CVE-2013-7265: The pn_recvmsg function in
  net/phonet/datagram.c in the Linux kernel before 3.12.4
  updates a certain length value before ensuring that an
  associated data structure has been initialized, which
  allows local users to obtain sensitive information from
  kernel stack memory via a (1) recvfrom, (2) recvmmsg, or
  (3) recvmsg system call. (bnc#857643)

* CVE-2014-0069: The cifs_iovec_write function in
  fs/cifs/file.c in the Linux kernel through 3.13.5 does not
  properly handle uncached write operations that copy fewer
  than the requested number of bytes, which allows local
  users to obtain sensitive information from kernel memory,
  cause a denial of service (memory corruption and system
  crash), or possibly gain privileges via a writev system
  call with a crafted pointer. (bnc#864025)
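
A simplified user-space model of the ordering problem described for CVE-2013-7263, CVE-2013-7264 and CVE-2013-7265 above, added here as an illustration; it is not kernel code or SUSE's patch. The struct and function names and the 0xAA fill pattern are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

#define STALE 0xAA  /* constructed stand-in for leftover stack bytes */

struct addr  { unsigned short family, port; unsigned char ip[4]; };
struct dgram { int has_src; struct addr src; };  /* hypothetical datagram */

/* Vulnerable ordering: length is reported before the address is written. */
static void recv_vuln(const struct dgram *d, struct addr *name, size_t *len)
{
    *len = sizeof(*name);
    if (!d->has_src)
        return;              /* early exit leaves *name untouched */
    *name = d->src;
}

/* Fixed ordering: length stays 0 unless the address was really filled in. */
static void recv_fixed(const struct dgram *d, struct addr *name, size_t *len)
{
    *len = 0;
    if (!d->has_src)
        return;
    *name = d->src;
    *len = sizeof(*name);
}

typedef void (*recv_fn)(const struct dgram *, struct addr *, size_t *);

/* Models the generic receive path: hand a stack buffer to the protocol
 * handler, then copy out as many bytes as the handler reported. Returns
 * the number of stale bytes that reached the caller's buffer. */
static size_t leaked_bytes(recv_fn handler, const struct dgram *d)
{
    struct addr kbuf;
    unsigned char user[sizeof(struct addr)];
    size_t len = 0, i, leaked = 0;

    memset(&kbuf, STALE, sizeof(kbuf));  /* deterministic "uninitialised" data */
    memset(user, 0, sizeof(user));
    handler(d, &kbuf, &len);
    memcpy(user, &kbuf, len);            /* copy-out trusts the reported length */
    for (i = 0; i < sizeof(user); i++)
        leaked += (user[i] == STALE);
    return leaked;
}

int main(void)
{
    struct dgram no_src = {0};           /* constructed sample input */
    return !(leaked_bytes(recv_vuln, &no_src) == sizeof(struct addr) &&
             leaked_bytes(recv_fixed, &no_src) == 0);
}
```

With the length assigned only after the address is written, the copy-out step has nothing to copy on the early-exit path, so no stale bytes reach the caller.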

 

Also the following non-security bugs have been fixed:

* sched/rt: Fix rqs cpupri leak while enqueue/dequeue
  child RT entities.
* sched/rt: Use root_domain of rt_rq not current
  processor (bnc#857919).
* kernel: oops due to linkage stack instructions
  (bnc#862796, LTC#103860).
* kabi: protect symbols modified by bnc#864833 fix
  (bnc#864833).
* kabi: protect bind_conflict callback in struct
  inet_connection_sock_af_ops (bnc#823618).
* mm: mempolicy: fix mbind_range() && vma_adjust()
  interaction (VM Functionality (bnc#866428)).
* mm: merging memory blocks resets mempolicy (VM
  Functionality (bnc#866428)).
* mm/page-writeback.c: do not count anon pages as
  dirtyable memory (High memory utilisation performance
  (bnc#859225)).
* mm: vmscan: Do not force reclaim file pages until it
  exceeds anon (High memory utilisation performance
  (bnc#859225)).
* mm: vmscan: fix endless loop in kswapd balancing
  (High memory utilisation performance (bnc#859225)).
* mm: vmscan: Update rotated and scanned when force
  reclaimed (High memory utilisation performance
  (bnc#859225)).
* mm: fix return type for functions nr_free_*_pages
  kabi fixup (bnc#864058).
* mm: fix return type for functions nr_free_*_pages
  (bnc#864058).
* mm: swap: Use swapfiles in priority order (Use swap
  files in priority order (bnc#862957)).
* mm: exclude memory less nodes from zone_reclaim
  (bnc#863526).
* mm: reschedule to avoid RCU stall triggering during
  boot of large machines (bnc#820434,bnc#852153).
* arch/x86: Fix incorrect config symbol in #ifdef
  (bnc#844513).
* arch/x86/mm/srat: Skip NUMA_NO_NODE while parsing
  SLIT (bnc#863178).
* vmscan: change type of vm_total_pages to unsigned
  long (bnc#864058).
* crypto: s390 - fix des and des3_ede ctr concurrency
  issue (bnc#862796, LTC#103744).
* crypto: s390 - fix concurrency issue in aes-ctr mode
  (bnc#862796, LTC#103742).
* X.509: Fix certificate gathering (bnc#805114).
* dump: Fix dump memory detection
  (bnc#862796,LTC#103575).
* lockd: send correct lock when granting a delayed lock
  (bnc#859342).
* nohz: Check for nohz active instead of nohz enabled
  (bnc#846790).
* nohz: Fix another inconsistency between
  CONFIG_NO_HZ=n and nohz=off (bnc#846790).
* futex: move user address verification up to common
  code (bnc#851603).
* futexes: Clean up various details (bnc#851603).
* futexes: Increase hash table size for better
  performance (bnc#851603).
* futexes: Document multiprocessor ordering guarantees
  (bnc#851603).
* futexes: Avoid taking the hb->lock if there is
  nothing to wake up (bnc#851603).
* efifb: prevent null-deref when iterating dmi_list
  (bnc#848055).
* x86/PCI: reduce severity of host bridge window
  conflict warnings (bnc#858534).
* x86/dumpstack: Fix printk_address for direct
  addresses (bnc#845621).
* ipv6 routing, NLM_F_* flag support: REPLACE and EXCL
  flags support, warn about missing CREATE flag (bnc#865783).
* ipv6: send router reachability probe if route has an
  unreachable gateway (bnc#853162).
* inet: handle rt{,6}_bind_peer() failure correctly
  (bnc#870801).
* inet: Avoid potential NULL peer dereference
  (bnc#864833).
* inet: Hide route peer accesses behind helpers
  (bnc#864833).
* inet: Pass inetpeer root into inet_getpeer*()
  interfaces (bnc#864833).
* tcp: syncookies: reduce cookie lifetime to 128
  seconds (bnc#833968).
* tcp: syncookies: reduce mss table to four values
  (bnc#833968).
* tcp: bind() fix autoselection to share ports
  (bnc#823618).
* tcp: bind() use stronger condition for bind_conflict
  (bnc#823618).
* tcp: ipv6: bind() use stronger condition for
  bind_conflict (bnc#823618).
* net: change type of virtio_chan->p9_max_pages
  (bnc#864058).
* sctp: Implement quick failover draft from tsvwg
  (bnc#827670).
* ipvs: fix AF assignment in ip_vs_conn_new()
  (bnc#856848).
* net: Do not enable tx-nocache-copy by default
  (bnc#845378).
* macvlan: introduce IFF_MACVLAN flag and helper
  function (bnc#846984).
* macvlan: introduce macvlan_dev_real_dev() helper
  function (bnc#846984).
* macvlan: disable LRO on lower device instead of
  macvlan (bnc#846984).
* dlm: remove get_comm (bnc#827670).
* dlm: Avoid LVB truncation (bnc#827670).
* dlm: disable nagle for SCTP (bnc#827670).
* dlm: retry failed SCTP sends (bnc#827670).
* dlm: try other IPs when sctp init assoc fails
  (bnc#827670).
* dlm: clear correct bit during sctp init failure
  handling (bnc#827670).
* dlm: set sctp assoc id during setup (bnc#827670).
* dlm: clear correct init bit during sctp setup
  (bnc#827670).
* dlm: fix deadlock between dlm_send and dlm_controld
  (bnc#827670).
* dlm: fix return value from lockspace_busy()
  (bnc#827670).
* NFSD/sunrpc: avoid deadlock on TCP connection due to
  memory pressure (bnc#853455).
* ncpfs: fix rmdir returns Device or resource busy
  (bnc#864880).
* btrfs: bugfix collection
* fs/fs-cache: Handle removal of unadded object to the
  fscache_object_list rb tree (bnc#855885).
* fs/nfsd: change type of max_delegations,
  nfsd_drc_max_mem and nfsd_drc_mem_used (bnc#864058).
* fs/nfs: Avoid occasional hang with NFS (bnc#852488).
* fs/buffer.c: change type of max_buffer_heads to
  unsigned long (bnc#864058).
* dm-multipath: abort all requests when failing a path
  (bnc#798050).
* dm-multipath: Do not stall on invalid ioctls
  (bnc#865342).
* scsi: kABI fixes (bnc#798050).
* scsi: remove check for "resetting" (bnc#798050).
* scsi: Add "eh_deadline" to limit SCSI EH runtime
  (bnc#798050).
* scsi: Allow error handling timeout to be specified
  (bnc#798050).
* scsi: Fixup compilation warning (bnc#798050).
* scsi: Retry failfast commands after EH (bnc#798050).
* scsi: Warn on invalid command completion (bnc#798050).
* scsi: cleanup setting task state in
  scsi_error_handler() (bnc#798050).
* scsi_dh_alua: fixup misplaced brace in
  alua_initialize() (bnc#858831).
* scsi_dh_alua: fixup RTPG retry delay miscalculation
  (bnc#854025).
* scsi_dh_alua: Simplify state machine (bnc#854025).
* scsi_dh_alua: endless STPG retries for a failed LUN
  (bnc#865342).
* scsi_dh_rdac: Add new IBM 1813 product id to rdac
  devlist (bnc#846654).
* xhci: Fix resume issues on Renesas chips in Samsung
  laptops (bnc#866253).
* bonding: disallow enslaving a bond to itself
  (bnc#599263).
* net/mlx4_en: Fix pages never dma unmapped on rx
  (bnc#858604).
* USB: hub: handle -ETIMEDOUT during enumeration
  (bnc#855825).
* powerpc: Add VDSO version of getcpu (fate#316816,
  bnc#854445).
* privcmd: allow preempting long running user-mode
  originating hypercalls (bnc#861093).
* audit: dynamically allocate audit_names when not
  enough space is in the names array (bnc#857358).
* audit: make filetype matching consistent with other
  filters (bnc#857358).
* mpt2sas: Fix unsafe using smp_processor_id() in
  preemptible (bnc#853166).
* balloon: do not crash in HVM-with-PoD guests.
* hwmon: (coretemp) Fix truncated name of alarm
  attributes.
* rtc-cmos: Add an alarm disable quirk (bnc#805740).
* md: Change handling of save_raid_disk and metadata
  update during recovery (bnc#849364).
* s390: Avoid kabi change due to newly visible
  structures.
* s390/pci: remove PCI/MSI interruption class
  (FATE#83037, LTC#94737).
* advansys: Remove "last_reset" references (bnc#798050).
* dc395: Move "last_reset" into internal host structure
  (bnc#798050).
* dpt_i2o: Remove DPTI_STATE_IOCTL (bnc#798050).
* dpt_i2o: return SCSI_MLQUEUE_HOST_BUSY when in reset
  (bnc#798050).
* tmscsim: Move "last_reset" into host structure
  (bnc#798050).
* bnx2x: remove false warning regarding interrupt
  number (bnc#769035).
* block: factor out vector mergeable decision to a
  helper function (bnc#769644).
* block: modify __bio_add_page check to accept pages
  that do not start a new segment (bnc#769644).
* HID: multitouch: Add support for NextWindow 0340
  touchscreen (bnc#849855).
* HID: multitouch: Add support for Qaunta 3027
  touchscreen (bnc#854516).
* HID: multitouch: add support for Atmel 212c
  touchscreen (bnc#793727).
* HID: multitouch: partial support of win8 devices
  (bnc#854516,bnc#793727,bnc#849855).
* HID: hid-multitouch: add support for the IDEACOM 6650
  chip (bnc#854516,bnc#793727,bnc#849855).

 

Security Issue references:

* CVE-2013-4470
* CVE-2013-6368
* CVE-2013-6885
* CVE-2013-7263
* CVE-2013-7264
* CVE-2013-7265
* CVE-2014-0069

Indications:

Everyone using the Real Time Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Real Time Extension 11 SP3:

  zypper in -t patch slertesp3-kernel-9114

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

- SUSE Linux Enterprise Real Time Extension 11 SP3 (x86_64) [New Version: 3.0.101.rt130]:

  cluster-network-kmp-rt-1.4_3.0.101_rt130_0.14-2.27.55
  cluster-network-kmp-rt_trace-1.4_3.0.101_rt130_0.14-2.27.55
  drbd-kmp-rt-8.4.4_3.0.101_rt130_0.14-0.22.21
  drbd-kmp-rt_trace-8.4.4_3.0.101_rt130_0.14-0.22.21
  iscsitarget-kmp-rt-1.4.20_3.0.101_rt130_0.14-0.38.40
  iscsitarget-kmp-rt_trace-1.4.20_3.0.101_rt130_0.14-0.38.40
  kernel-rt-3.0.101.rt130-0.14.1
  kernel-rt-base-3.0.101.rt130-0.14.1
  kernel-rt-devel-3.0.101.rt130-0.14.1
  kernel-rt_trace-3.0.101.rt130-0.14.1
  kernel-rt_trace-base-3.0.101.rt130-0.14.1
  kernel-rt_trace-devel-3.0.101.rt130-0.14.1
  kernel-source-rt-3.0.101.rt130-0.14.1
  kernel-syms-rt-3.0.101.rt130-0.14.1
  lttng-modules-kmp-rt-2.1.1_3.0.101_rt130_0.14-0.11.36
  lttng-modules-kmp-rt_trace-2.1.1_3.0.101_rt130_0.14-0.11.36
  ocfs2-kmp-rt-1.6_3.0.101_rt130_0.14-0.20.55
  ocfs2-kmp-rt_trace-1.6_3.0.101_rt130_0.14-0.20.55
  ofed-kmp-rt-1.5.4.1_3.0.101_rt130_0.14-0.13.46
  ofed-kmp-rt_trace-1.5.4.1_3.0.101_rt130_0.14-0.13.46

 

 

References:

http://support.novell.com/security/cve/CVE-2013-4470.html
http://support.novell.com/security/cve/CVE-2013-6368.html
http://support.novell.com/security/cve/CVE-2013-6885.html
http://support.novell.com/security/cve/CVE-2013-7263.html
http://support.novell.com/security/cve/CVE-2013-7264.html
http://support.novell.com/security/cve/CVE-2013-7265.html
http://support.novell.com/security/cve/CVE-2014-0069.html
https://bugzilla.novell.com/599263
https://bugzilla.novell.com/769035
https://bugzilla.novell.com/769644
https://bugzilla.novell.com/793727
https://bugzilla.novell.com/798050
https://bugzilla.novell.com/805114
https://bugzilla.novell.com/805740
https://bugzilla.novell.com/820434
https://bugzilla.novell.com/823618
https://bugzilla.novell.com/827670
https://bugzilla.novell.com/833968
https://bugzilla.novell.com/844513
https://bugzilla.novell.com/845378
https://bugzilla.novell.com/845621
https://bugzilla.novell.com/846654
https://bugzilla.novell.com/846790
https://bugzilla.novell.com/846984
https://bugzilla.novell.com/847672
https://bugzilla.novell.com/848055
https://bugzilla.novell.com/849364
https://bugzilla.novell.com/849855
https://bugzilla.novell.com/851603
https://bugzilla.novell.com/852153
https://bugzilla.novell.com/852488
https://bugzilla.novell.com/852967
https://bugzilla.novell.com/853052
https://bugzilla.novell.com/853162
https://bugzilla.novell.com/853166
https://bugzilla.novell.com/853455
https://bugzilla.novell.com/854025
https://bugzilla.novell.com/854445
https://bugzilla.novell.com/854516
https://bugzilla.novell.com/855825
https://bugzilla.novell.com/855885
https://bugzilla.novell.com/856848
https://bugzilla.novell.com/857358
https://bugzilla.novell.com/857643
https://bugzilla.novell.com/857919
https://bugzilla.novell.com/858534
https://bugzilla.novell.com/858604
https://bugzilla.novell.com/858831
https://bugzilla.novell.com/859225
https://bugzilla.novell.com/859342
https://bugzilla.novell.com/861093
https://bugzilla.novell.com/862796
https://bugzilla.novell.com/862957
https://bugzilla.novell.com/863178
https://bugzilla.novell.com/863526
https://bugzilla.novell.com/864025
https://bugzilla.novell.com/864058
https://bugzilla.novell.com/864833
https://bugzilla.novell.com/864880
https://bugzilla.novell.com/865342
https://bugzilla.novell.com/865783
https://bugzilla.novell.com/866253
https://bugzilla.novell.com/866428
https://bugzilla.novell.com/870801
http://download.suse.com/patch/finder/?keywords=8d7793c0cc8432bc1d41b3b09abc3f8a

 
