Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2018:2150-1
Rating:	important
References:	bsc#1012382 bsc#1068032 bsc#1074562 bsc#1074578 bsc#1074701 bsc#1075006 bsc#1075419 bsc#1075748 bsc#1075876 bsc#1080039 bsc#1085185 bsc#1085657 bsc#1087084 bsc#1087939 bsc#1089525 bsc#1090435 bsc#1090888 bsc#1091171 bsc#1092207 bsc#1094244 bsc#1094248 bsc#1094643 bsc#1095453 bsc#1096790 bsc#1097034 bsc#1097140 bsc#1097492 bsc#1097501 bsc#1097551 bsc#1097808 bsc#1097931 bsc#1097961 bsc#1098016 bsc#1098236 bsc#1098425 bsc#1098435 bsc#1098527 bsc#1099042 bsc#1099183 bsc#1099279 bsc#1099713 bsc#1099732 bsc#1099810 bsc#1099918 bsc#1099924 bsc#1099966 bsc#1099993 bsc#1100089 bsc#1100340 bsc#1100416 bsc#1100418 bsc#1100491
Cross-References:	CVE-2017-5753 CVE-2018-13053 CVE-2018-13405 CVE-2018-13406 CVE-2018-9385
CVSS scores:	CVE-2017-5753 ( SUSE ): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2017-5753 ( SUSE ): 7.1 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVE-2017-5753 ( NVD ): 5.6 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2017-5753 ( NVD ): 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-13053 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2018-13053 ( NVD ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2018-13405 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVE-2018-13405 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-13405 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-13406 ( SUSE ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-13406 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-13406 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-9385 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2018-9385 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise Real Time 12 SP3 SUSE Linux Enterprise Server 12 SP3

An update that solves five vulnerabilities and has 47 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 12 SP3 RT kernel was updated to 4.4.139 to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2018-13053: The alarm_timer_nsleep function had an integer overflow via a large relative timeout because ktime_add_safe was not used (bnc#1099924)
• CVE-2018-9385: Prevent overread of the "driver_override" buffer (bsc#1100491)
• CVE-2018-13405: The inode_init_owner function allowed local users to create files with an unintended group ownership allowing attackers to escalate privileges by making a plain file executable and SGID (bnc#1100416)
• CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could have result in local attackers being able to crash the kernel or potentially elevate privileges because kmalloc_array is not used (bnc#1100418)
• CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may have allowed unauthorized disclosure of information to an attacker with local user access via a side-channel analysis (bsc#1068032)

The following non-security bugs were fixed:

• 1wire: family module autoload fails because of upper/lower case mismatch (bnc#1012382).
• ALSA: hda - Clean up ALC299 init code (bsc#1099810).
• ALSA: hda - Enable power_save_node for CX20722 (bsc#1099810).
• ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines (bsc#1099810).
• ALSA: hda - Fix incorrect usage of IS_REACHABLE() (bsc#1099810).
• ALSA: hda - Fix pincfg at resume on Lenovo T470 dock (bsc#1099810).
• ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() (bnc#1012382).
• ALSA: hda - Use acpi_dev_present() (bsc#1099810).
• ALSA: hda - add a new condition to check if it is thinkpad (bsc#1099810).
• ALSA: hda - silence uninitialized variable warning in activate_amp_in() (bsc#1099810).
• ALSA: hda/patch_sigmatel: Add AmigaOne X1000 pinconfigs (bsc#1099810).
• ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210 (bsc#1099810).
• ALSA: hda/realtek - Add headset mode support for Dell laptop (bsc#1099810).
• ALSA: hda/realtek - Add support headset mode for DELL WYSE (bsc#1099810).
• ALSA: hda/realtek - Clevo P950ER ALC1220 Fixup (bsc#1099810).
• ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform (bsc#1099810).
• ALSA: hda/realtek - Enable mic-mute hotkey for several Lenovo AIOs (bsc#1099810).
• ALSA: hda/realtek - Fix Dell headset Mic can't record (bsc#1099810).
• ALSA: hda/realtek - Fix pop noise on Lenovo P50 and co (bsc#1099810).
• ALSA: hda/realtek - Fix the problem of two front mics on more machines (bsc#1099810).
• ALSA: hda/realtek - Fixup for HP x360 laptops with B and O speakers (bsc#1099810).
• ALSA: hda/realtek - Fixup mute led on HP Spectre x360 (bsc#1099810).
• ALSA: hda/realtek - Make dock sound work on ThinkPad L570 (bsc#1099810).
• ALSA: hda/realtek - Refactor alc269_fixup_hp_mute_led_mic*() (bsc#1099810).
• ALSA: hda/realtek - Reorder ALC269 ASUS quirk entries (bsc#1099810).
• ALSA: hda/realtek - Support headset mode for ALC215/ALC285/ALC289 (bsc#1099810).
• ALSA: hda/realtek - Update ALC255 depop optimize (bsc#1099810).
• ALSA: hda/realtek - adjust the location of one mic (bsc#1099810).
• ALSA: hda/realtek - change the location for one of two front mics (bsc#1099810).
• ALSA: hda/realtek - set PINCFG_HEADSET_MIC to parse_flags (bsc#1099810).
• ALSA: hda/realtek - update ALC215 depop optimize (bsc#1099810).
• ALSA: hda/realtek - update ALC225 depop optimize (bsc#1099810).
• ALSA: hda/realtek: Fix mic and headset jack sense on Asus X705UD (bsc#1099810).
• ALSA: hda/realtek: Limit mic boost on T480 (bsc#1099810).
• ALSA: hda: Fix forget to free resource in error handling code path in hda_codec_driver_probe (bsc#1099810).
• ALSA: hda: add dock and led support for HP EliteBook 830 G5 (bsc#1099810).
• ALSA: hda: add dock and led support for HP ProBook 640 G4 (bsc#1099810).
• ALSA: hda: fix some klockwork scan warnings (bsc#1099810).
• ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size (bnc#1012382).
• ASoC: cirrus: i2s: Fix LRCLK configuration (bnc#1012382).
• ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup (bnc#1012382).
• ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it (bnc#1012382).
• Bluetooth: Fix connection if directed advertising and privacy is used (bnc#1012382).
• Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader (bnc#1012382).
• Btrfs: fix clone vs chattr NODATASUM race (bnc#1012382).
• Btrfs: fix unexpected cow in run_delalloc_nocow (bnc#1012382).
• Btrfs: make raid6 rebuild retry more (bnc#1012382).
• Btrfs: scrub: Do not use inode pages for device replace (bnc#1012382).
• Correct the arguments to verbose() (bsc#1098425)
• Hang/soft lockup in d_invalidate with simultaneous calls (bsc#1094248, bsc@1097140).
• IB/qib: Fix DMA api warning with debug kernel (bnc#1012382).
• Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID (bnc#1012382).
• Input: elan_i2c_smbus - fix more potential stack buffer overflows (bnc#1012382).
• Input: elantech - enable middle button of touchpads on ThinkPad P52 (bnc#1012382).
• Input: elantech - fix V4 report decoding for module with middle key (bnc#1012382).
• MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum (bnc#1012382).
• MIPS: io: Add barrier after register read in inX() (bnc#1012382).
• NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message (bnc#1012382).
• PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume (bnc#1012382).
• RDMA/mlx4: Discard unknown SQP work requests (bnc#1012382).
• Refresh with upstream commit:62290a5c194b since the typo fix has been merged in upstream. (bsc#1085185)
• Revert "Btrfs: fix scrub to repair raid6 corruption" (bnc#1012382).
• Revert "kvm: nVMX: Enforce cpl=0 for VMX instructions (bsc#1099183)." This turned out to be superfluous for 4.4.x kernels.
• Revert "scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1089525)." This reverts commit b054499f7615e2ffa7571ac0d05c7d5c9a8c0327.
• UBIFS: Fix potential integer overflow in allocation (bnc#1012382).
• Update patches.fixes/nvme-expand-nvmf_check_if_ready-checks.patch (bsc#1098527).
• atm: zatm: fix memcmp casting (bnc#1012382).
• backlight: as3711_bl: Fix Device Tree node lookup (bnc#1012382).
• backlight: max8925_bl: Fix Device Tree node lookup (bnc#1012382).
• backlight: tps65217_bl: Fix Device Tree node lookup (bnc#1012382).
• block: Fix transfer when chunk sectors exceeds max (bnc#1012382).
• bonding: re-evaluate force_primary when the primary slave name changes (bnc#1012382).
• bpf: properly enforce index mask to prevent out-of-bounds speculation (bsc#1098425).
• branch-check: fix long->int truncation when profiling branches (bnc#1012382).
• cdc_ncm: avoid padding beyond end of skb (bnc#1012382).
• ceph: fix dentry leak in splice_dentry() (bsc#1098236).
• ceph: fix use-after-free in ceph_statfs() (bsc#1098236).
• ceph: fix wrong check for the case of updating link count (bsc#1098236).
• ceph: prevent i_version from going back (bsc#1098236).
• ceph: support file lock on directory (bsc#1098236).
• cifs: Check for timeout on Negotiate stage (bsc#1091171).
• cpufreq: Fix new policy initialization during limits updates via sysfs (bnc#1012382).
• cpuidle: powernv: Fix promotion from snooze if next state disabled (bnc#1012382).
• dm thin: handle running out of data space vs concurrent discard (bnc#1012382).
• dm: convert DM printk macros to pr_level macros (bsc#1099918).
• dm: fix printk() rate limiting code (bsc#1099918).
• driver core: Do not ignore class_dir_create_and_add() failure (bnc#1012382).
• e1000e: Ignore TSYNCRXCTL when getting I219 clock attributes (bsc#1075876).
• ext4: fix fencepost error in check for inode count overflow during resize (bnc#1012382).
• ext4: fix unsupported feature message formatting (bsc#1098435).
• ext4: update mtime in ext4_punch_hole even if no blocks are released (bnc#1012382).
• fs/binfmt_misc.c: do not allow offset overflow (bsc#1099279).
• fuse: atomic_o_trunc should truncate pagecache (bnc#1012382).
• fuse: do not keep dead fuse_conn at fuse_fill_super() (bnc#1012382).
• fuse: fix control dir setup and teardown (bnc#1012382).
• hv_netvsc: avoid repeated updates of packet filter (bsc#1097492).
• hv_netvsc: defer queue selection to VF (bsc#1097492).
• hv_netvsc: enable multicast if necessary (bsc#1097492).
• hv_netvsc: filter multicast/broadcast (bsc#1097492).
• hv_netvsc: fix filter flags (bsc#1097492).
• hv_netvsc: fix locking during VF setup (bsc#1097492).
• hv_netvsc: fix locking for rx_mode (bsc#1097492).
• hv_netvsc: propagate rx filters to VF (bsc#1097492).
• iio:buffer: make length types match kfifo types (bnc#1012382).
• iommu/vt-d: Fix race condition in add_unmap() (bsc#1096790, bsc#1097034).
• ipmi:bt: Set the timeout before doing a capabilities check (bnc#1012382).
• ipvs: fix buffer overflow with sync daemon and service (bnc#1012382).
• iwlmvm: tdls: Check TDLS channel switch support (bsc#1099810).
• iwlwifi: fix non_shared_ant for 9000 devices (bsc#1099810).
• kvm: nVMX: Enforce cpl=0 for VMX instructions (bsc#1099183).
• lib/vsprintf: Remove atomic-unsafe support for %pCr (bnc#1012382).
• libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk (bnc#1012382).
• libata: zpodd: make arrays cdb static, reduces object code size (bnc#1012382).
• libata: zpodd: small read overflow in eject_tray() (bnc#1012382).
• linvdimm, pmem: Preserve read-only setting for pmem devices (bnc#1012382).
• m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap() (bnc#1012382).
• mac80211: Fix condition validating WMM IE (bsc#1099810,bsc#1099732).
• media: cx231xx: Add support for AverMedia DVD EZMaker 7 (bnc#1012382).
• media: dvb_frontend: fix locking issues at dvb_frontend_get_event() (bnc#1012382).
• media: smiapp: fix timeout checking in smiapp_read_nvm (bsc#1099918).
• media: v4l2-compat-ioctl32: prevent go past max size (bnc#1012382).
• mfd: intel-lpss: Program REMAP register in PIO mode (bnc#1012382).
• mips: ftrace: fix static function graph tracing (bnc#1012382).
• mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking (bnc#1012382).
• mtd: cfi_cmdset_0002: Change write buffer to check correct value (bnc#1012382).
• mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary (bnc#1012382).
• mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() (bnc#1012382).
• mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips (bnc#1012382).
• mtd: cmdlinepart: Update comment for introduction of OFFSET_CONTINUOUS (bsc#1099918).
• mtd: partitions: add helper for deleting partition (bsc#1099918).
• mtd: partitions: remove sysfs files when deleting all master's partitions (bsc#1099918).
• net/sonic: Use dma_mapping_error() (bnc#1012382).
• net: qmi_wwan: Add Netgear Aircard 779S (bnc#1012382).
• netfilter: ebtables: handle string from userspace with care (bnc#1012382).
• nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir (bnc#1012382).
• nvme-fabrics: allow duplicate connections to the discovery controller (bsc#1098527).
• nvme-fabrics: allow internal passthrough command on deleting controllers (bsc#1098527).
• nvme-fabrics: centralize discovery controller defaults (bsc#1098527).
• nvme-fabrics: fix and refine state checks in __nvmf_check_ready (bsc#1098527).
• nvme-fabrics: refactor queue ready check (bsc#1098527).
• nvme-fc: change controllers first connect to use reconnect path (bsc#1098527).
• nvme-fc: fix nulling of queue data on reconnect (bsc#1098527).
• nvme-fc: remove reinit_request routine (bsc#1098527).
• nvme-fc: remove setting DNR on exception conditions (bsc#1098527).
• nvme: allow duplicate controller if prior controller being deleted (bsc#1098527).
• nvme: move init of keep_alive work item to controller initialization (bsc#1098527).
• nvme: reimplement nvmf_check_if_ready() to avoid kabi breakage (bsc#1098527).
• nvmet-fc: increase LS buffer count per fc port (bsc#1098527).
• nvmet: switch loopback target state to connecting when resetting (bsc#1098527).
• of: unittest: for strings, account for trailing \0 in property length field (bnc#1012382).
• ovl: fix random return value on mount (bsc#1099993).
• ovl: fix uid/gid when creating over whiteout (bsc#1099993).
• ovl: override creds with the ones from the superblock mounter (bsc#1099993).
• perf intel-pt: Fix "Unexpected indirect branch" error (bnc#1012382).
• perf intel-pt: Fix MTC timing after overflow (bnc#1012382).
• perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP (bnc#1012382).
• perf intel-pt: Fix packet decoding of CYC packets (bnc#1012382).
• perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING (bnc#1012382).
• perf tools: Fix symbol and object code resolution for vdso32 and vdsox32 (bnc#1012382).
• platform/x86: thinkpad_acpi: Adding new hotkey ID for Lenovo thinkpad (bsc#1099810).
• powerpc/64s: Exception macro for stack frame and initial register save (bsc#1094244).
• powerpc/64s: Fix mce accounting for powernv (bsc#1094244).
• powerpc/fadump: Unregister fadump on kexec down path (bnc#1012382).
• powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch (bnc#1012382).
• powerpc/ptrace: Fix enforcement of DAWR constraints (bnc#1012382).
• powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG (bnc#1012382).
• powerpc: Machine check interrupt is a non-maskable interrupt (bsc#1094244).
• procfs: add tunable for fd/fdinfo dentry retention (bsc#10866542).
• qla2xxx: Fix NULL pointer derefrence for fcport search (bsc#1085657).
• qla2xxx: Fix inconsistent DMA mem alloc/free (bsc#1085657).
• qla2xxx: Fix kernel crash due to late workqueue allocation (bsc#1085657).
• regulator: Do not return or expect -errno from of_map_mode() (bsc#1099042).
• rmdir(),rename(): do shrink_dcache_parent() only on success (bsc#1100340).
• s390/dasd: configurable IFCC handling (bsc#1097808).
• sbitmap: check for valid bitmap in sbitmap_for_each (bsc#1090435).
• sched/sysctl: Check user input value of sysctl_sched_time_avg (bsc#1100089).
• scsi: ipr: Format HCAM overlay ID 0x41 (bsc#1097961).
• scsi: ipr: new IOASC update (bsc#1097961).
• scsi: lpfc: Change IO submit return to EBUSY if remote port is recovering (bsc#1092207).
• scsi: lpfc: Driver NVME load fails when CPU cnt > WQ resource cnt (bsc#1092207).
• scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1089525).
• scsi: lpfc: Fix 16gb hbas failing cq create (bsc#1095453).
• scsi: lpfc: Fix MDS diagnostics failure (Rx lower than Tx) (bsc#1095453).
• scsi: lpfc: Fix crash in blk_mq layer when executing modprobe -r lpfc (bsc#1095453).
• scsi: lpfc: Fix port initialization failure (bsc#1095453).
• scsi: lpfc: Fix up log messages and stats counters in IO submit code path (bsc#1092207).
• scsi: lpfc: Handle new link fault code returned by adapter firmware (bsc#1092207).
• scsi: lpfc: correct oversubscription of nvme io requests for an adapter (bsc#1095453).
• scsi: lpfc: update driver version to 11.4.0.7-3 (bsc#1092207).
• scsi: lpfc: update driver version to 11.4.0.7-4 (bsc#1095453).
• scsi: qedi: Fix truncation of CHAP name and secret (bsc#1097931)
• scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails (bnc#1012382).
• scsi: qla2xxx: Spinlock recursion in qla_target (bsc#1097501)
• scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed (bnc#1099713, LTC#168765).
• scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED (bnc#1099713, LTC#168765).
• scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread (bnc#1099713, LTC#168765).
• scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return (bnc#1099713, LTC#168765).
• scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED (bnc#1099713, LTC#168765).
• scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler (bnc#1099713, LTC#168765).
• scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF (LTC#168765 bnc#1012382 bnc#1099713).
• scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF (bnc#1099713, LTC#168765).
• serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version (bnc#1012382).
• signal/xtensa: Consistenly use SIGBUS in do_unaligned_user (bnc#1012382).
• sort and rename various hyperv patches
• spi: Fix scatterlist elements size in spi_map_buf (bnc#1012382).
• tcp: do not overshoot window_clamp in tcp_rcv_space_adjust() (bnc#1012382).
• tcp: verify the checksum of the first data segment in a new connection (bnc#1012382).
• thinkpad_acpi: Add support for HKEY version 0x200 (bsc#1099810).
• time: Make sure jiffies_to_msecs() preserves non-zero time periods (bnc#1012382).
• ubi: fastmap: Cancel work upon detach (bnc#1012382).
• udf: Detect incorrect directory size (bnc#1012382).
• usb: do not reset if a low-speed or full-speed device timed out (bnc#1012382).
• usb: musb: fix remote wakeup racing with suspend (bnc#1012382).
• video/fbdev/stifb: Return -ENOMEM after a failed kzalloc() in stifb_init_fb() (bsc#1090888 bsc#1099966).
• video: uvesafb: Fix integer overflow in allocation (bnc#1012382).
• w1: mxc_w1: Enable clock before calling clk_get_rate() on it (bnc#1012382).
• x86/cpu/amd: Derive L3 shared_cpu_map from cpu_llc_shared_mask (bsc#1094643).
• x86/mce: Improve error message when kernel cannot recover (git-fixes b2f9d678e28c).
• x86/pti: do not report XenPV as vulnerable (bsc#1097551).
• xen: Remove unnecessary BUG_ON from __unbind_from_irq() (bnc#1012382).
• xfrm6: avoid potential infinite loop in _decode_session6() (bnc#1012382).
• xfrm: Ignore socket policies when rebuilding hash tables (bnc#1012382).
• xfrm: skip policies marked as dead while rehashing (bnc#1012382).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Real Time 12 SP3
  zypper in -t patch SUSE-SLE-RT-12-SP3-2018-1460=1

Package List:

• SUSE Linux Enterprise Real Time 12 SP3 (x86_64)
  • gfs2-kmp-rt-4.4.139-3.17.1
  • kernel-rt_debug-debugsource-4.4.139-3.17.1
  • kernel-rt-debugsource-4.4.139-3.17.1
  • kernel-rt_debug-debuginfo-4.4.139-3.17.1
  • cluster-md-kmp-rt-debuginfo-4.4.139-3.17.1
  • kernel-rt-base-debuginfo-4.4.139-3.17.1
  • ocfs2-kmp-rt-debuginfo-4.4.139-3.17.1
  • ocfs2-kmp-rt-4.4.139-3.17.1
  • kernel-rt-debuginfo-4.4.139-3.17.1
  • kernel-rt_debug-devel-debuginfo-4.4.139-3.17.1
  • kernel-rt_debug-devel-4.4.139-3.17.1
  • dlm-kmp-rt-debuginfo-4.4.139-3.17.1
  • gfs2-kmp-rt-debuginfo-4.4.139-3.17.1
  • kernel-rt-devel-4.4.139-3.17.1
  • kernel-syms-rt-4.4.139-3.17.1
  • dlm-kmp-rt-4.4.139-3.17.1
  • kernel-rt-base-4.4.139-3.17.1
  • cluster-md-kmp-rt-4.4.139-3.17.1
• SUSE Linux Enterprise Real Time 12 SP3 (noarch)
  • kernel-devel-rt-4.4.139-3.17.1
  • kernel-source-rt-4.4.139-3.17.1
• SUSE Linux Enterprise Real Time 12 SP3 (nosrc x86_64)
  • kernel-rt-4.4.139-3.17.1
• SUSE Linux Enterprise Real Time 12 SP3 (nosrc)
  • kernel-rt_debug-4.4.139-3.17.1

References:

• https://www.suse.com/security/cve/CVE-2017-5753.html
• https://www.suse.com/security/cve/CVE-2018-13053.html
• https://www.suse.com/security/cve/CVE-2018-13405.html
• https://www.suse.com/security/cve/CVE-2018-13406.html
• https://www.suse.com/security/cve/CVE-2018-9385.html
• https://bugzilla.suse.com/show_bug.cgi?id=1012382
• https://bugzilla.suse.com/show_bug.cgi?id=1068032
• https://bugzilla.suse.com/show_bug.cgi?id=1074562
• https://bugzilla.suse.com/show_bug.cgi?id=1074578
• https://bugzilla.suse.com/show_bug.cgi?id=1074701
• https://bugzilla.suse.com/show_bug.cgi?id=1075006
• https://bugzilla.suse.com/show_bug.cgi?id=1075419
• https://bugzilla.suse.com/show_bug.cgi?id=1075748
• https://bugzilla.suse.com/show_bug.cgi?id=1075876
• https://bugzilla.suse.com/show_bug.cgi?id=1080039
• https://bugzilla.suse.com/show_bug.cgi?id=1085185
• https://bugzilla.suse.com/show_bug.cgi?id=1085657
• https://bugzilla.suse.com/show_bug.cgi?id=1087084
• https://bugzilla.suse.com/show_bug.cgi?id=1087939
• https://bugzilla.suse.com/show_bug.cgi?id=1089525
• https://bugzilla.suse.com/show_bug.cgi?id=1090435
• https://bugzilla.suse.com/show_bug.cgi?id=1090888
• https://bugzilla.suse.com/show_bug.cgi?id=1091171
• https://bugzilla.suse.com/show_bug.cgi?id=1092207
• https://bugzilla.suse.com/show_bug.cgi?id=1094244
• https://bugzilla.suse.com/show_bug.cgi?id=1094248
• https://bugzilla.suse.com/show_bug.cgi?id=1094643
• https://bugzilla.suse.com/show_bug.cgi?id=1095453
• https://bugzilla.suse.com/show_bug.cgi?id=1096790
• https://bugzilla.suse.com/show_bug.cgi?id=1097034
• https://bugzilla.suse.com/show_bug.cgi?id=1097140
• https://bugzilla.suse.com/show_bug.cgi?id=1097492
• https://bugzilla.suse.com/show_bug.cgi?id=1097501
• https://bugzilla.suse.com/show_bug.cgi?id=1097551
• https://bugzilla.suse.com/show_bug.cgi?id=1097808
• https://bugzilla.suse.com/show_bug.cgi?id=1097931
• https://bugzilla.suse.com/show_bug.cgi?id=1097961
• https://bugzilla.suse.com/show_bug.cgi?id=1098016
• https://bugzilla.suse.com/show_bug.cgi?id=1098236
• https://bugzilla.suse.com/show_bug.cgi?id=1098425
• https://bugzilla.suse.com/show_bug.cgi?id=1098435
• https://bugzilla.suse.com/show_bug.cgi?id=1098527
• https://bugzilla.suse.com/show_bug.cgi?id=1099042
• https://bugzilla.suse.com/show_bug.cgi?id=1099183
• https://bugzilla.suse.com/show_bug.cgi?id=1099279
• https://bugzilla.suse.com/show_bug.cgi?id=1099713
• https://bugzilla.suse.com/show_bug.cgi?id=1099732
• https://bugzilla.suse.com/show_bug.cgi?id=1099810
• https://bugzilla.suse.com/show_bug.cgi?id=1099918
• https://bugzilla.suse.com/show_bug.cgi?id=1099924
• https://bugzilla.suse.com/show_bug.cgi?id=1099966
• https://bugzilla.suse.com/show_bug.cgi?id=1099993
• https://bugzilla.suse.com/show_bug.cgi?id=1100089
• https://bugzilla.suse.com/show_bug.cgi?id=1100340
• https://bugzilla.suse.com/show_bug.cgi?id=1100416
• https://bugzilla.suse.com/show_bug.cgi?id=1100418
• https://bugzilla.suse.com/show_bug.cgi?id=1100491