Security update for Linux Kernel Live Patch 5 for SLE 12 SP1

Announcement ID:	SUSE-SU-2016:2003-1
Rating:	important
References:	bsc#979074 bsc#980856 bsc#980883 bsc#984764
Cross-References:	CVE-2013-7446 CVE-2016-0758 CVE-2016-2053 CVE-2016-4470 CVE-2016-4565
CVSS scores:	CVE-2016-0758 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-0758 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-2053 ( NVD ): 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-4470 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-4565 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-4565 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise Live Patching 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2

An update that solves five vulnerabilities can now be installed.

Description:

This update for the Linux Kernel 3.12.59-60_41 fixes the several issues.

These security issues were fixed: - CVE-2016-4470: The key_reject_and_link function in security/keys/key.c in the Linux kernel did not ensure that a certain data structure is initialized, which allowed local users to cause a denial of service (system crash) via vectors involving a crafted keyctl request2 command (bsc#984764). - CVE-2016-4565: The InfiniBand (aka IB) stack in the Linux kernel incorrectly relied on the write system call, which allowed local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface (bsc#980883). - CVE-2016-0758: Integer overflow in lib/asn1_decoder.c in the Linux kernel allowed local users to gain privileges via crafted ASN.1 data (bsc#980856). - CVE-2016-2053: The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel allowed attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c (bsc#979074).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Live Patching 12
  zypper in -t patch SUSE-SLE-Live-Patching-12-2016-1180=1 SUSE-SLE-Live-Patching-12-2016-1178=1

Package List:

• SUSE Linux Enterprise Live Patching 12 (x86_64)
  • kgraft-patch-3_12_59-60_45-xen-2-2.2
  • kgraft-patch-3_12_59-60_41-xen-2-2.1
  • kgraft-patch-3_12_59-60_41-default-2-2.1
  • kgraft-patch-3_12_59-60_45-default-2-2.2

References:

• https://www.suse.com/security/cve/CVE-2013-7446.html
• https://www.suse.com/security/cve/CVE-2016-0758.html
• https://www.suse.com/security/cve/CVE-2016-2053.html
• https://www.suse.com/security/cve/CVE-2016-4470.html
• https://www.suse.com/security/cve/CVE-2016-4565.html
• https://bugzilla.suse.com/show_bug.cgi?id=979074
• https://bugzilla.suse.com/show_bug.cgi?id=980856
• https://bugzilla.suse.com/show_bug.cgi?id=980883
• https://bugzilla.suse.com/show_bug.cgi?id=984764