Security update for Linux Kernel Live Patch 27 for SLE 12

Announcement ID:	SUSE-SU-2017:2775-1
Rating:	important
References:	bsc#1042892 bsc#1045327 bsc#1046191 bsc#1052311 bsc#1052368
Cross-References:	CVE-2017-1000112 CVE-2017-15274 CVE-2017-7645 CVE-2017-9242
CVSS scores:	CVE-2017-1000112 ( SUSE ): 7.4 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-1000112 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-1000112 ( NVD ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-15274 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-15274 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2017-7645 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-7645 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-7645 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-9242 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2017-9242 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves four vulnerabilities and has one security fix can now be installed.

Description:

This update for the Linux Kernel 3.12.61-52_92 fixes several issues.

The following security bugs were fixed:

• CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not consider the case of a NULL payload in conjunction with a nonzero length value, which allowed local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted add_key or keyctl system call (bsc#1045327).
• CVE-2017-1000112: Updated patch for this issue to be in sync with the other livepatches. Description of the issue: Prevent race condition in net-packet code that could have been exploited by unprivileged users to gain root access (bsc#1052368, bsc#1052311).
• CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c was too late in checking whether an overwrite of an skb data structure may occur, which allowed local users to cause a denial of service (system crash) via crafted system calls (bsc#1042892).
• CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem allowed remote attackers to cause a denial of service (system crash) via a long RPC reply (bsc#1046191).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2017-1716=1

Package List:

• SUSE Linux Enterprise Server 12 LTSS 12 (x86_64)
  • kgraft-patch-3_12_61-52_92-xen-2-4.1
  • kgraft-patch-3_12_61-52_92-default-2-4.1

References:

• https://www.suse.com/security/cve/CVE-2017-1000112.html
• https://www.suse.com/security/cve/CVE-2017-15274.html
• https://www.suse.com/security/cve/CVE-2017-7645.html
• https://www.suse.com/security/cve/CVE-2017-9242.html
• https://bugzilla.suse.com/show_bug.cgi?id=1042892
• https://bugzilla.suse.com/show_bug.cgi?id=1045327
• https://bugzilla.suse.com/show_bug.cgi?id=1046191
• https://bugzilla.suse.com/show_bug.cgi?id=1052311
• https://bugzilla.suse.com/show_bug.cgi?id=1052368