Jump to content
Compatible Support Forums
Sign in to follow this  
news

[security-announce] SUSE-SU-2016:0380-1: important: Security update for kernel live patch 3

Recommended Posts

SUSE Security Update: Security update for kernel live patch 3

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2016:0380-1

Rating: important

References: #916225 #940342 #951542 #951625 #953052 #954005

#958601

Cross-References: CVE-2015-2925 CVE-2015-6937 CVE-2015-7872

CVE-2015-7990 CVE-2015-8539

Affected Products:

SUSE Linux Enterprise Live Patching 12

______________________________________________________________________________

 

An update that solves 5 vulnerabilities and has two fixes

is now available.

 

Description:

 

 

This kernel live patch for Linux Kernel 3.12.38-44.1 fixes security issues

and bugs:

 

Security issues fixed:

- CVE-2015-8539: A negatively instantiated user key could have been used

by a local user to leverage privileges (bnc#958601).

 

- CVE-2015-6937: A NULL pointer dereference flaw was found in the Reliable

Datagram Sockets (RDS) implementation allowing a local user to cause

system DoS. A verification was missing that the underlying transport

exists when a connection was created. (bsc#953052)

 

- CVE-2015-7990: RDS: Verify the underlying transport exists before

creating a connection, preventing possible DoS (bsc#953052).

 

- CVE-2015-7872: Possible crash when trying to garbage collect an

uninstantiated keyring (bsc#951542).

 

- CVE-2015-2925: The prepend_path function in fs/dcache.c in the Linux

kernel did not properly handle rename actions inside a bind mount, which

allowed local users to bypass an intended container protection mechanism

by renaming a directory, related to a "double-chroot attack (bnc#951625).

 

Non-security bugfix were also done:

- xfs: Fix lost direct IO write in the last block (bsc#954005).

- simple fix in kallsyms initialization (bsc#940342 bsc#916225)

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Live Patching 12:

 

zypper in -t patch SUSE-SLE-Live-Patching-12-2016-221=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Live Patching 12 (x86_64):

 

kgraft-patch-3_12_38-44-default-4-2.1

kgraft-patch-3_12_38-44-xen-4-2.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2015-2925.html

https://www.suse.com/security/cve/CVE-2015-6937.html

https://www.suse.com/security/cve/CVE-2015-7872.html

https://www.suse.com/security/cve/CVE-2015-7990.html

https://www.suse.com/security/cve/CVE-2015-8539.html

https://bugzilla.suse.com/916225

https://bugzilla.suse.com/940342

https://bugzilla.suse.com/951542

https://bugzilla.suse.com/951625

https://bugzilla.suse.com/953052

https://bugzilla.suse.com/954005

https://bugzilla.suse.com/958601

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×