Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2024:3567-1
Release Date:	2024-10-09T09:46:04Z
Rating:	important
References:	bsc#1226666 bsc#1227487 bsc#1229633 bsc#1230015 bsc#1230245 bsc#1230326 bsc#1230398 bsc#1230434 bsc#1230519 bsc#1230767
Cross-References:	CVE-2022-48911 CVE-2022-48945 CVE-2024-44946 CVE-2024-45003 CVE-2024-45021 CVE-2024-46695 CVE-2024-46774
CVSS scores:	CVE-2022-48911 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-48911 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-44946 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2024-44946 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-45003 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-45021 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-45021 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-46695 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-46695 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N CVE-2024-46774 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Micro 5.1 SUSE Linux Enterprise Micro 5.2 SUSE Linux Enterprise Micro for Rancher 5.2

An update that solves seven vulnerabilities and has three security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 SP3 RT kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

• CVE-2022-48945: media: vivid: fix compose size exceed boundary (bsc#1230398).
• CVE-2022-48911: kabi: add __nf_queue_get_refs() for kabi compliance. (bsc#1229633).
• CVE-2024-44946: kcm: Serialise kcm_sendmsg() for the same socket (bsc#1230015).
• CVE-2024-46695: selinux,smack: do not bypass permissions check in inode_setsecctx hook (bsc#1230519).
• CVE-2024-45021: memcg_write_event_control(): fix a user-triggerable oops (bsc#1230434).
• CVE-2024-45003: Don't evict inode under the inode lru traversing context (bsc#1230245).

The following non-security bugs were fixed:

• ext4: add check to prevent attempting to resize an fs with sparse_super2 (bsc#1230326).
• ext4: add reserved GDT blocks check (bsc#1230326).
• ext4: consolidate checks for resize of bigalloc into ext4_resize_begin (bsc#1230326).
• ext4: fix bug_on ext4_mb_use_inode_pa (bsc#1230326).
• kabi: add __nf_queue_get_refs() for kabi compliance.
• No -rt specific changes this merge.
• PKCS#7: Check codeSigning EKU of certificates in PKCS#7 (bsc#1226666).
• Revert "ext4: consolidate checks for resize of bigalloc into ext4_resize_begin" (bsc#1230326).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Micro 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-3567=1
• SUSE Linux Enterprise Micro for Rancher 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-3567=1
• SUSE Linux Enterprise Micro 5.1
  zypper in -t patch SUSE-SUSE-MicroOS-5.1-2024-3567=1

Package List:

• SUSE Linux Enterprise Micro 5.2 (nosrc x86_64)
  • kernel-rt-5.3.18-150300.187.1
• SUSE Linux Enterprise Micro 5.2 (x86_64)
  • kernel-rt-debuginfo-5.3.18-150300.187.1
  • kernel-rt-debugsource-5.3.18-150300.187.1
• SUSE Linux Enterprise Micro 5.2 (noarch)
  • kernel-source-rt-5.3.18-150300.187.1
• SUSE Linux Enterprise Micro for Rancher 5.2 (nosrc x86_64)
  • kernel-rt-5.3.18-150300.187.1
• SUSE Linux Enterprise Micro for Rancher 5.2 (x86_64)
  • kernel-rt-debuginfo-5.3.18-150300.187.1
  • kernel-rt-debugsource-5.3.18-150300.187.1
• SUSE Linux Enterprise Micro for Rancher 5.2 (noarch)
  • kernel-source-rt-5.3.18-150300.187.1
• SUSE Linux Enterprise Micro 5.1 (nosrc x86_64)
  • kernel-rt-5.3.18-150300.187.1
• SUSE Linux Enterprise Micro 5.1 (x86_64)
  • kernel-rt-debuginfo-5.3.18-150300.187.1
  • kernel-rt-debugsource-5.3.18-150300.187.1
• SUSE Linux Enterprise Micro 5.1 (noarch)
  • kernel-source-rt-5.3.18-150300.187.1

References:

• https://www.suse.com/security/cve/CVE-2022-48911.html
• https://www.suse.com/security/cve/CVE-2022-48945.html
• https://www.suse.com/security/cve/CVE-2024-44946.html
• https://www.suse.com/security/cve/CVE-2024-45003.html
• https://www.suse.com/security/cve/CVE-2024-45021.html
• https://www.suse.com/security/cve/CVE-2024-46695.html
• https://www.suse.com/security/cve/CVE-2024-46774.html
• https://bugzilla.suse.com/show_bug.cgi?id=1226666
• https://bugzilla.suse.com/show_bug.cgi?id=1227487
• https://bugzilla.suse.com/show_bug.cgi?id=1229633
• https://bugzilla.suse.com/show_bug.cgi?id=1230015
• https://bugzilla.suse.com/show_bug.cgi?id=1230245
• https://bugzilla.suse.com/show_bug.cgi?id=1230326
• https://bugzilla.suse.com/show_bug.cgi?id=1230398
• https://bugzilla.suse.com/show_bug.cgi?id=1230434
• https://bugzilla.suse.com/show_bug.cgi?id=1230519
• https://bugzilla.suse.com/show_bug.cgi?id=1230767