Security update for the Linux Kernel

Announcement ID:	SUSE-SU-2023:4377-1
Rating:	important
References:	bsc#1210778 bsc#1210853 bsc#1212051 bsc#1215467 bsc#1215518 bsc#1215745 bsc#1215858 bsc#1215860 bsc#1215861 bsc#1216046 bsc#1216051 bsc#1216134
Cross-References:	CVE-2023-2163 CVE-2023-31085 CVE-2023-3111 CVE-2023-34324 CVE-2023-39189 CVE-2023-39192 CVE-2023-39193 CVE-2023-39194 CVE-2023-42754 CVE-2023-45862
CVSS scores:	CVE-2023-2163 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVE-2023-2163 ( NVD ): 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVE-2023-31085 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-31085 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-3111 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2023-3111 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2023-34324 ( SUSE ): 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-34324 ( NVD ): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVE-2023-39189 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVE-2023-39189 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2023-39192 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2023-39192 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2023-39193 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L CVE-2023-39193 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H CVE-2023-39194 ( SUSE ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N CVE-2023-39194 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVE-2023-42754 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-42754 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2023-45862 ( SUSE ): 6.4 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2023-45862 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise High Availability Extension 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise Live Patching 15-SP2 SUSE Linux Enterprise Server 15 SP2 SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Manager Proxy 4.1 SUSE Manager Retail Branch Server 4.1 SUSE Manager Server 4.1

An update that solves 10 vulnerabilities and has two security fixes can now be installed.

Description:

The SUSE Linux Enterprise 15 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

• CVE-2023-31085: Fixed a divide-by-zero error in do_div(sz,mtd->erasesize) that could cause a local DoS. (bsc#1210778)
• CVE-2023-45862: Fixed an issue in the ENE UB6250 reader driver whwere an object could potentially extend beyond the end of an allocation causing. (bsc#1216051)
• CVE-2023-2163: Fixed an incorrect verifier pruning in BPF that could lead to unsafe code paths being incorrectly marked as safe, resulting in arbitrary read/write in kernel memory, lateral privilege escalation, and container escape. (bsc#1215518)
• CVE-2023-34324: Fixed a possible deadlock in Linux kernel event handling. (bsc#1215745).
• CVE-2023-39189: Fixed a flaw in the Netfilter subsystem that could allow a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure. (bsc#1216046)
• CVE-2023-3111: Fixed a use-after-free vulnerability in prepare_to_relocate in fs/btrfs/relocation.c (bsc#1212051).
• CVE-2023-39194: Fixed an out of bounds read in the XFRM subsystem (bsc#1215861).
• CVE-2023-39193: Fixed an out of bounds read in the xtables subsystem (bsc#1215860).
• CVE-2023-39192: Fixed an out of bounds read in the netfilter (bsc#1215858).
• CVE-2023-42754: Fixed a NULL pointer dereference in the IPv4 stack that could lead to denial of service (bsc#1215467).

The following non-security bugs were fixed:

• KVM: x86: fix sending PV IPI (git-fixes, bsc#1210853, bsc#1216134).
• bpf: propagate precision in ALU/ALU64 operations (git-fixes).

Special Instructions and Notes:

• Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Live Patching 15-SP2
  zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2023-4377=1
• SUSE Linux Enterprise High Availability Extension 15 SP2
  zypper in -t patch SUSE-SLE-Product-HA-15-SP2-2023-4377=1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-4377=1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-4377=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-4377=1

Package List:

• SUSE Linux Enterprise Live Patching 15-SP2 (nosrc)
  • kernel-default-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Live Patching 15-SP2 (ppc64le s390x x86_64)
  • kernel-livepatch-5_3_18-150200_24_169-default-1-150200.5.3.1
  • kernel-livepatch-5_3_18-150200_24_169-default-debuginfo-1-150200.5.3.1
  • kernel-default-livepatch-5.3.18-150200.24.169.1
  • kernel-livepatch-SLE15-SP2_Update_42-debugsource-1-150200.5.3.1
  • kernel-default-livepatch-devel-5.3.18-150200.24.169.1
  • kernel-default-debuginfo-5.3.18-150200.24.169.1
  • kernel-default-debugsource-5.3.18-150200.24.169.1
• SUSE Linux Enterprise High Availability Extension 15 SP2 (aarch64 ppc64le s390x x86_64)
  • ocfs2-kmp-default-debuginfo-5.3.18-150200.24.169.1
  • gfs2-kmp-default-debuginfo-5.3.18-150200.24.169.1
  • dlm-kmp-default-5.3.18-150200.24.169.1
  • cluster-md-kmp-default-debuginfo-5.3.18-150200.24.169.1
  • dlm-kmp-default-debuginfo-5.3.18-150200.24.169.1
  • cluster-md-kmp-default-5.3.18-150200.24.169.1
  • ocfs2-kmp-default-5.3.18-150200.24.169.1
  • gfs2-kmp-default-5.3.18-150200.24.169.1
  • kernel-default-debuginfo-5.3.18-150200.24.169.1
  • kernel-default-debugsource-5.3.18-150200.24.169.1
• SUSE Linux Enterprise High Availability Extension 15 SP2 (nosrc)
  • kernel-default-5.3.18-150200.24.169.1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 nosrc x86_64)
  • kernel-preempt-5.3.18-150200.24.169.1
  • kernel-default-5.3.18-150200.24.169.1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64)
  • kernel-preempt-debuginfo-5.3.18-150200.24.169.1
  • kernel-obs-build-debugsource-5.3.18-150200.24.169.1
  • kernel-default-base-5.3.18-150200.24.169.1.150200.9.85.1
  • kernel-default-devel-debuginfo-5.3.18-150200.24.169.1
  • kernel-default-devel-5.3.18-150200.24.169.1
  • kernel-obs-build-5.3.18-150200.24.169.1
  • kernel-preempt-devel-debuginfo-5.3.18-150200.24.169.1
  • kernel-syms-5.3.18-150200.24.169.1
  • kernel-preempt-debugsource-5.3.18-150200.24.169.1
  • kernel-preempt-devel-5.3.18-150200.24.169.1
  • kernel-default-debuginfo-5.3.18-150200.24.169.1
  • kernel-default-debugsource-5.3.18-150200.24.169.1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
  • kernel-macros-5.3.18-150200.24.169.1
  • kernel-devel-5.3.18-150200.24.169.1
  • kernel-source-5.3.18-150200.24.169.1
• SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch nosrc)
  • kernel-docs-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64 nosrc)
  • kernel-default-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64)
  • kernel-obs-build-debugsource-5.3.18-150200.24.169.1
  • kernel-default-base-5.3.18-150200.24.169.1.150200.9.85.1
  • kernel-default-devel-debuginfo-5.3.18-150200.24.169.1
  • reiserfs-kmp-default-debuginfo-5.3.18-150200.24.169.1
  • kernel-default-devel-5.3.18-150200.24.169.1
  • kernel-obs-build-5.3.18-150200.24.169.1
  • kernel-syms-5.3.18-150200.24.169.1
  • reiserfs-kmp-default-5.3.18-150200.24.169.1
  • kernel-default-debuginfo-5.3.18-150200.24.169.1
  • kernel-default-debugsource-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
  • kernel-macros-5.3.18-150200.24.169.1
  • kernel-devel-5.3.18-150200.24.169.1
  • kernel-source-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch nosrc)
  • kernel-docs-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 nosrc x86_64)
  • kernel-preempt-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 x86_64)
  • kernel-preempt-debuginfo-5.3.18-150200.24.169.1
  • kernel-preempt-devel-debuginfo-5.3.18-150200.24.169.1
  • kernel-preempt-debugsource-5.3.18-150200.24.169.1
  • kernel-preempt-devel-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (nosrc ppc64le x86_64)
  • kernel-default-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
  • kernel-obs-build-debugsource-5.3.18-150200.24.169.1
  • kernel-default-base-5.3.18-150200.24.169.1.150200.9.85.1
  • kernel-default-devel-debuginfo-5.3.18-150200.24.169.1
  • reiserfs-kmp-default-debuginfo-5.3.18-150200.24.169.1
  • kernel-default-devel-5.3.18-150200.24.169.1
  • kernel-obs-build-5.3.18-150200.24.169.1
  • kernel-syms-5.3.18-150200.24.169.1
  • reiserfs-kmp-default-5.3.18-150200.24.169.1
  • kernel-default-debuginfo-5.3.18-150200.24.169.1
  • kernel-default-debugsource-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
  • kernel-macros-5.3.18-150200.24.169.1
  • kernel-devel-5.3.18-150200.24.169.1
  • kernel-source-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch nosrc)
  • kernel-docs-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (nosrc x86_64)
  • kernel-preempt-5.3.18-150200.24.169.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP2 (x86_64)
  • kernel-preempt-debuginfo-5.3.18-150200.24.169.1
  • kernel-preempt-devel-debuginfo-5.3.18-150200.24.169.1
  • kernel-preempt-debugsource-5.3.18-150200.24.169.1
  • kernel-preempt-devel-5.3.18-150200.24.169.1

References:

• https://www.suse.com/security/cve/CVE-2023-2163.html
• https://www.suse.com/security/cve/CVE-2023-31085.html
• https://www.suse.com/security/cve/CVE-2023-3111.html
• https://www.suse.com/security/cve/CVE-2023-34324.html
• https://www.suse.com/security/cve/CVE-2023-39189.html
• https://www.suse.com/security/cve/CVE-2023-39192.html
• https://www.suse.com/security/cve/CVE-2023-39193.html
• https://www.suse.com/security/cve/CVE-2023-39194.html
• https://www.suse.com/security/cve/CVE-2023-42754.html
• https://www.suse.com/security/cve/CVE-2023-45862.html
• https://bugzilla.suse.com/show_bug.cgi?id=1210778
• https://bugzilla.suse.com/show_bug.cgi?id=1210853
• https://bugzilla.suse.com/show_bug.cgi?id=1212051
• https://bugzilla.suse.com/show_bug.cgi?id=1215467
• https://bugzilla.suse.com/show_bug.cgi?id=1215518
• https://bugzilla.suse.com/show_bug.cgi?id=1215745
• https://bugzilla.suse.com/show_bug.cgi?id=1215858
• https://bugzilla.suse.com/show_bug.cgi?id=1215860
• https://bugzilla.suse.com/show_bug.cgi?id=1215861
• https://bugzilla.suse.com/show_bug.cgi?id=1216046
• https://bugzilla.suse.com/show_bug.cgi?id=1216051
• https://bugzilla.suse.com/show_bug.cgi?id=1216134