opensuse-security@opensuse.org wrote:
An update that solves 6 vulnerabilities and has 28 fixes is now available. It includes one version update.
Description:
The SUSE Linux Enterprise 11 Service Pack 3 kernel was updated to fix various bugs and security issues.
------------------------------------------------------------ ------------ WARNING: If you are running KVM with PCI pass-through on a system with one of the following Intel chipsets: 5500 (revision 0x13), 5520 (revision 0x13) or X58 (revisions 0x12, 0x13, 0x22), please make sure to read the following support document before installing this update: https://www.suse.com/support/kb/doc.php?id=7014344 <https://www.suse.com/support/kb/doc.php?id=7014344> . You will have to update your KVM setup to no longer make use of PCI pass-through before rebooting to the updated kernel. ------------------------------------------------------------
The above doesn't seem to be a security update as a rare hw problem. The listed test on the linked page doesn't seem to work correctly. It doesn't echo that my system is 'affected', (even though it is). It seems the "-q" option is at fault. w/-q: # /sbin/lspci -nn | grep -qE '8086:(340[36].*rev 13|3405.*rev (12|13|22))' && echo "Interrupt remapping is broken" # w/o -q: # /sbin/lspci -nn | grep -E '8086:(340[36].*rev 13|3405.*rev (12|13|22))' && echo "Interrupt remapping is broken" 00:00.0 Host bridge [0600]: Intel Corporation 5520 I/O Hub to ESI Port [8086:3406] (rev 13) Interrupt remapping is broken looks like it has something to do with the pipefail section in bash, as this works: # grep -qE '8086:(340[36].*rev 13|3405.*rev (12|13|22))' < <(lspci -nn) && echo "Interrupt remapping is broken" Interrupt remapping is broken FWIW, having run this HW for 4+ years, I've never seen any of the warning messages that they indicate are symptoms of this problem, I did see the warning in the kernel about the problem and that my kernel was then marked tainted -- EVEN THOUGH, interrupt remapping had been turned off! ... Why implement a workaround that taints your kernel? I.e. isn't the workaround supposed to protect your kernel from becoming tainted? -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org