Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2018:2907-1
Rating:	important
References:	bsc#1057199 bsc#1087081 bsc#1092903 bsc#1102517 bsc#1103119 bsc#1104367 bsc#1104684 bsc#1104818 bsc#1105100 bsc#1105296 bsc#1105322 bsc#1105323 bsc#1105536 bsc#1106369 bsc#1106509 bsc#1106511 bsc#1107001 bsc#1107689 bsc#1108912
Cross-References:	CVE-2018-10902 CVE-2018-10940 CVE-2018-14634 CVE-2018-14734 CVE-2018-15572 CVE-2018-16658 CVE-2018-6554 CVE-2018-6555
CVSS scores:	CVE-2018-10902 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-10902 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-10940 ( SUSE ): 6.2 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2018-10940 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-14634 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-14634 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-14734 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-14734 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2018-15572 ( SUSE ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2018-15572 ( NVD ): 6.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVE-2018-16658 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2018-16658 ( NVD ): 6.1 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVE-2018-6554 ( SUSE ): 3.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2018-6554 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2018-6555 ( SUSE ): 4.4 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVE-2018-6555 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Point of Service 11 SP3 SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3

An update that solves eight vulnerabilities and has 11 security fixes can now be installed.

Description:

The SUSE Linux Enterprise 11 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2018-14634: Prevent integer overflow in create_elf_tables that allowed a local attacker to exploit this vulnerability via a SUID-root binary and obtain full root privileges (bsc#1108912).
• CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)
• CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689)
• CVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511)
• CVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509)
• CVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517)
• CVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322).
• CVE-2018-14734: ucma_leave_multicast accessed a certain data structure after a cleanup step in ucma_process_join, which allowed attackers to cause a denial of service (use-after-free) (bsc#1103119).

The following non-security bugs were fixed:

• KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state' (bsc#1106369).
• KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
• KVM: x86: Free vmx_msr_bitmap_longmode while kvm_init failed (bsc#1104367).
• Refresh patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes.patch (bsc#1105100).
• kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
• kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
• ptrace: fix PTRACE_LISTEN race corrupting task->state (bnc#1107001).
• rpm/kernel-docs.spec.in: Expand kernel tree directly from sources (bsc#1057199)
• x86, l1tf: Protect PROT_NONE PTEs against speculation fixup (bnc#1104684, bnc#1104818).
• x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536).
• x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1087081).
• x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
• x86/speculation/l1tf: Suggest what to do on systems with too much RAM (bnc#1105536).
• xen x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM (bnc#1105536).
• xen x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+ (bnc#1105536).
• xen, x86, l1tf: Protect PROT_NONE PTEs against speculation fixup (bnc#1104684, bnc#1104818).
• xen: x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit (bnc#1087081).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Point of Service 11 SP3
  zypper in -t patch sleposp3-kernel-13799=1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3
  zypper in -t patch slessp3-kernel-13799=1

Package List:

• SUSE Linux Enterprise Point of Service 11 SP3 (i586)
  • kernel-trace-base-3.0.101-0.47.106.50.1
  • kernel-pae-devel-3.0.101-0.47.106.50.1
  • kernel-pae-base-3.0.101-0.47.106.50.1
  • kernel-trace-devel-3.0.101-0.47.106.50.1
  • kernel-ec2-devel-3.0.101-0.47.106.50.1
  • kernel-xen-devel-3.0.101-0.47.106.50.1
  • kernel-ec2-base-3.0.101-0.47.106.50.1
  • kernel-default-devel-3.0.101-0.47.106.50.1
  • kernel-xen-base-3.0.101-0.47.106.50.1
  • kernel-source-3.0.101-0.47.106.50.1
  • kernel-syms-3.0.101-0.47.106.50.1
  • kernel-default-base-3.0.101-0.47.106.50.1
• SUSE Linux Enterprise Point of Service 11 SP3 (nosrc i586)
  • kernel-trace-3.0.101-0.47.106.50.1
  • kernel-pae-3.0.101-0.47.106.50.1
  • kernel-default-3.0.101-0.47.106.50.1
  • kernel-xen-3.0.101-0.47.106.50.1
  • kernel-ec2-3.0.101-0.47.106.50.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (nosrc s390x x86_64 i586)
  • kernel-default-3.0.101-0.47.106.50.1
  • kernel-trace-3.0.101-0.47.106.50.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (s390x x86_64 i586)
  • kernel-trace-base-3.0.101-0.47.106.50.1
  • kernel-trace-devel-3.0.101-0.47.106.50.1
  • kernel-default-devel-3.0.101-0.47.106.50.1
  • kernel-source-3.0.101-0.47.106.50.1
  • kernel-syms-3.0.101-0.47.106.50.1
  • kernel-default-base-3.0.101-0.47.106.50.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (nosrc x86_64 i586)
  • kernel-xen-3.0.101-0.47.106.50.1
  • kernel-ec2-3.0.101-0.47.106.50.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (x86_64 i586)
  • kernel-xen-devel-3.0.101-0.47.106.50.1
  • kernel-ec2-base-3.0.101-0.47.106.50.1
  • kernel-ec2-devel-3.0.101-0.47.106.50.1
  • kernel-xen-base-3.0.101-0.47.106.50.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (nosrc i586)
  • kernel-pae-3.0.101-0.47.106.50.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (i586)
  • kernel-pae-devel-3.0.101-0.47.106.50.1
  • kernel-pae-base-3.0.101-0.47.106.50.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (s390x)
  • kernel-default-man-3.0.101-0.47.106.50.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (nosrc x86_64)
  • kernel-bigsmp-3.0.101-0.47.106.50.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (x86_64)
  • kernel-bigsmp-devel-3.0.101-0.47.106.50.1
  • kernel-bigsmp-base-3.0.101-0.47.106.50.1

References:

• https://www.suse.com/security/cve/CVE-2018-10902.html
• https://www.suse.com/security/cve/CVE-2018-10940.html
• https://www.suse.com/security/cve/CVE-2018-14634.html
• https://www.suse.com/security/cve/CVE-2018-14734.html
• https://www.suse.com/security/cve/CVE-2018-15572.html
• https://www.suse.com/security/cve/CVE-2018-16658.html
• https://www.suse.com/security/cve/CVE-2018-6554.html
• https://www.suse.com/security/cve/CVE-2018-6555.html
• https://bugzilla.suse.com/show_bug.cgi?id=1057199
• https://bugzilla.suse.com/show_bug.cgi?id=1087081
• https://bugzilla.suse.com/show_bug.cgi?id=1092903
• https://bugzilla.suse.com/show_bug.cgi?id=1102517
• https://bugzilla.suse.com/show_bug.cgi?id=1103119
• https://bugzilla.suse.com/show_bug.cgi?id=1104367
• https://bugzilla.suse.com/show_bug.cgi?id=1104684
• https://bugzilla.suse.com/show_bug.cgi?id=1104818
• https://bugzilla.suse.com/show_bug.cgi?id=1105100
• https://bugzilla.suse.com/show_bug.cgi?id=1105296
• https://bugzilla.suse.com/show_bug.cgi?id=1105322
• https://bugzilla.suse.com/show_bug.cgi?id=1105323
• https://bugzilla.suse.com/show_bug.cgi?id=1105536
• https://bugzilla.suse.com/show_bug.cgi?id=1106369
• https://bugzilla.suse.com/show_bug.cgi?id=1106509
• https://bugzilla.suse.com/show_bug.cgi?id=1106511
• https://bugzilla.suse.com/show_bug.cgi?id=1107001
• https://bugzilla.suse.com/show_bug.cgi?id=1107689
• https://bugzilla.suse.com/show_bug.cgi?id=1108912