   SUSE Security Update: Security update for Linux kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2014:0696-1
Rating:             important
References:         #708296 #736697 #746500 #814788 #819351 #831029 #836347
                    #843185 #844513 #847672 #849364 #851426 #852488 #852553
                    #852967 #853455 #854025 #855347 #855885 #856083 #857499
                    #857643 #858280 #858534 #858604 #858869 #858870 #858872
                    #862429 #863300 #863335 #864025 #864833 #865307 #865310
                    #865330 #865342 #865783 #866102 #867953 #868528 #868653
                    #869033 #869563 #870801 #871325 #871561 #871861 #873061
                    #874108 #875690 #875798 #876102
Cross-References:   CVE-2013-4470 CVE-2013-4579 CVE-2013-6382
                    CVE-2013-6885 CVE-2013-7263 CVE-2013-7264
                    CVE-2013-7265 CVE-2013-7339 CVE-2014-0069
                    CVE-2014-0101 CVE-2014-0196 CVE-2014-1444
                    CVE-2014-1445 CVE-2014-1446 CVE-2014-1737
                    CVE-2014-1738 CVE-2014-1874 CVE-2014-2039
                    CVE-2014-2523 CVE-2014-2678 CVE-2014-3122
Affected Products:
                    SUSE Linux Enterprise Server 11 SP2 LTSS
                    SLE 11 SERVER Unsupported Extras
______________________________________________________________________________

   An update that solves 21 vulnerabilities and has 32 fixes
   is now available. It includes one version update.

Description:

   The SUSE Linux Enterprise Server 11 SP2 LTSS kernel received a roll-up
   update to fix security and non-security issues.

   The following security bugs have been fixed:

   * CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation Offload (UFO) is enabled, does not properly initialize certain data structures, which allows local users to cause a denial of service (memory corruption and system crash) or possibly gain privileges via a crafted application that uses the UDP_CORK option in a setsockopt system call and sends both short and long packets, related to the ip_ufo_append_data function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in net/ipv6/ip6_output.c.
     (bnc#847672)
   * CVE-2013-4579: The ath9k_htc_set_bssid_mask function in drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through 3.12 uses a BSSID masking approach to determine the set of MAC addresses on which a Wi-Fi device is listening, which allows remote attackers to discover the original MAC address after spoofing by sending a series of packets to MAC addresses with certain bit manipulations. (bnc#851426)
   * CVE-2013-6382: Multiple buffer underflows in the XFS implementation in the Linux kernel through 3.12.1 allow local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging the CAP_SYS_ADMIN capability for a (1) XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call with a crafted length value, related to the xfs_attrlist_by_handle function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle function in fs/xfs/xfs_ioctl32.c. (bnc#852553)
   * CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service (system hang) via a crafted application, aka the errata 793 issue. (bnc#852967)
   * CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c.
     (bnc#857643)
   * CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643)
   * CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call. (bnc#857643)
   * CVE-2013-7339: The rds_ib_laddr_check function in net/rds/ib.c in the Linux kernel before 3.12.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports. (bnc#869563)
   * CVE-2014-0069: The cifs_iovec_write function in fs/cifs/file.c in the Linux kernel through 3.13.5 does not properly handle uncached write operations that copy fewer than the requested number of bytes, which allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory corruption and system crash), or possibly gain privileges via a writev system call with a crafted pointer. (bnc#864025)
   * CVE-2014-0101: The sctp_sf_do_5_1D_ce function in net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not validate certain auth_enable and auth_capable fields before making an sctp_sf_authenticate call, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an SCTP handshake with a modified INIT chunk and a crafted AUTH chunk before a COOKIE_ECHO chunk.
     (bnc#866102)
   * CVE-2014-0196: The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings. (bnc#875690)
   * CVE-2014-1444: The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869)
   * CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an ioctl call. (bnc#858870)
   * CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call. (bnc#858872)
   * CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly handle error conditions during processing of an FDRAWCMD ioctl call, which allows local users to trigger kfree operations and gain privileges by leveraging write access to a /dev/fd device. (bnc#875798)
   * CVE-2014-1738: The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allows local users to obtain sensitive information from kernel heap memory by leveraging write access to a /dev/fd device.
     (bnc#875798)
   * CVE-2014-1874: The security_context_to_sid_core function in security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows local users to cause a denial of service (system crash) by leveraging the CAP_MAC_ADMIN capability to set a zero-length security context. (bnc#863335)
   * CVE-2014-2039: arch/s390/kernel/head64.S in the Linux kernel before 3.13.5 on the s390 platform does not properly handle attempted use of the linkage stack, which allows local users to cause a denial of service (system crash) by executing a crafted instruction. (bnc#865307)
   * CVE-2014-2523: net/netfilter/nf_conntrack_proto_dccp.c in the Linux kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows remote attackers to cause a denial of service (system crash) or possibly execute arbitrary code via a DCCP packet that triggers a call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function. (bnc#868653)
   * CVE-2014-2678: The rds_iw_laddr_check function in net/rds/iw.c in the Linux kernel through 3.14 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a bind system call for an RDS socket on a system that lacks RDS transports. (bnc#871561)
   * CVE-2014-3122: The try_to_unmap_cluster function in mm/rmap.c in the Linux kernel before 3.14.3 does not properly consider which pages must be locked, which allows local users to cause a denial of service (system crash) by triggering a memory-usage pattern that requires removal of page-table mappings. (bnc#876102)

   Also the following non-security bugs have been fixed:

   * kabi: protect symbols modified by bnc#864833 fix (bnc#864833).
   * arch: Fix incorrect config symbol in #ifdef (bnc#844513).
   * ACPICA: Add a lock to the internal object reference count mechanism (bnc#857499).
   * x86/PCI: reduce severity of host bridge window conflict warnings (bnc#858534).
   * ia64: Change default PSR.ac from "1" to "0" (Fix erratum #237) (bnc#874108).
   * timer: Prevent overflow in apply_slack (bnc#873061).
   * xen: Close a race condition in Xen nested spinlock (bnc#858280, bnc#819351).
   * storvsc: NULL pointer dereference fix (bnc#865330).
   * sched: Make scale_rt_power() deal with backward clocks (bnc#865310).
   * sched: Use CPUPRI_NR_PRIORITIES instead of MAX_RT_PRIO in cpupri check (bnc#871861).
   * sched: update_rq_clock() must skip ONE update (bnc#868528, bnc#869033).
   * md: Change handling of save_raid_disk and metadata update during recovery (bnc#849364).
   * dm-mpath: Fixup race condition in activate_path() (bnc#708296).
   * dm-mpath: do not detach stale hardware handler (bnc#708296).
   * dm-multipath: Improve logging (bnc#708296).
   * scsi_dh_alua: Simplify state machine (bnc#854025).
   * scsi_dh_alua: endless STPG retries for a failed LUN (bnc#865342).
   * scsi_dh_alua: fixup RTPG retry delay miscalculation (bnc#854025).
   * vfs,proc: guarantee unique inodes in /proc.
   * FS-Cache: Handle removal of unadded object to the fscache_object_list rb tree (bnc#855885).
   * NFSD/sunrpc: avoid deadlock on TCP connection due to memory pressure (bnc#853455).
   * NFS: Avoid occasional hang with NFS (bnc#852488).
   * NFS: do not try to use lock state when we hold a delegation (bnc#831029) - add to series.conf
   * btrfs: do not loop on large offsets in readdir (bnc#863300).
   * btrfs: restrict snapshotting to own subvolumes (bnc#736697).
   * btrfs: fix extent boundary check in bio_readpage_error.
   * btrfs: fix extent_map block_len after merging.
   * net: add missing bh_unlock_sock() calls (bnc#862429).
   * inet: Pass inetpeer root into inet_getpeer*() interfaces (bnc#864833).
   * inet: Hide route peer accesses behind helpers (bnc#864833).
   * inet: Avoid potential NULL peer dereference (bnc#864833).
   * inet: handle rt{,6}_bind_peer() failure correctly (bnc#870801).
   * inetpeer: prevent unlinking from unused list twice (bnc#867953).
   * net/mlx4_en: Fix pages never dma unmapped on rx (bnc#858604).
   * tcp: clear xmit timers in tcp_v4_syn_recv_sock() (bnc#862429).
   * ipv6: fix race condition regarding dst->expires and dst->from (bnc#843185).
   * ipv6 routing, NLM_F_* flag support: REPLACE and EXCL flags support, warn about missing CREATE flag (bnc#865783).
   * mpt2sas: Do not check DIF for unwritten blocks (bnc#746500, bnc#836347).
   * mpt2sas: Add a module parameter that permits overriding protection capabilities (bnc#746500).
   * mpt2sas: Return the correct sense key for DIF errors (bnc#746500).
   * s390/cio: Delay scan for newly available I/O devices (bnc#855347, bnc#814788, bnc#856083).
   * s390/cio: More efficient handling of CHPID availability events (bnc#855347, bnc#814788, bnc#856083).
   * s390/cio: Relax subchannel scan loop (bnc#855347, bnc#814788, bnc#856083).
   * s390/css: stop stsch loop after cc 3 (bnc#855347, bnc#814788, bnc#856083).
   * supported.conf: Driver corgi_bl was renamed to generic_bl in kernel 2.6.29.
   * supported.conf: Add drivers/of/of_mdio
     That was a missing dependency for mdio-gpio on ppc64.
   * supported.conf: Fix mdio-gpio module name
     Module mdio-ofgpio was renamed to mdio-gpio in kernel 2.6.29, this should have been reflected in supported.conf.
   * supported.conf: Adjust radio-si470x module names
   * Update config files: re-enable twofish crypto support.
     (bnc#871325)

   Security Issue references:

   * CVE-2013-4470 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4470>
   * CVE-2013-4579 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4579>
   * CVE-2013-6382 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6382>
   * CVE-2013-6885 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6885>
   * CVE-2013-7263 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7263>
   * CVE-2013-7264 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7264>
   * CVE-2013-7265 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7265>
   * CVE-2013-7339 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7339>
   * CVE-2014-0069 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0069>
   * CVE-2014-0101 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0101>
   * CVE-2014-0196 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196>
   * CVE-2014-1444 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1444>
   * CVE-2014-1445 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1445>
   * CVE-2014-1446 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1446>
   * CVE-2014-1737 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1737>
   * CVE-2014-1738 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1738>
   * CVE-2014-1874 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1874>
   * CVE-2014-2039 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2039>
   * CVE-2014-2523 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2523>
   * CVE-2014-2678 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2678>
   * CVE-2014-3122 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3122>

Indications:

   Everyone using the Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP2 LTSS:

      zypper in -t patch slessp2-kernel-9248 slessp2-kernel-9249 slessp2-kernel-9254

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 3.0.101]:

      kernel-default-3.0.101-0.7.19.1
      kernel-default-base-3.0.101-0.7.19.1
      kernel-default-devel-3.0.101-0.7.19.1
      kernel-source-3.0.101-0.7.19.1
      kernel-syms-3.0.101-0.7.19.1
      kernel-trace-3.0.101-0.7.19.1
      kernel-trace-base-3.0.101-0.7.19.1
      kernel-trace-devel-3.0.101-0.7.19.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64) [New Version: 3.0.101]:

      kernel-ec2-3.0.101-0.7.19.1
      kernel-ec2-base-3.0.101-0.7.19.1
      kernel-ec2-devel-3.0.101-0.7.19.1
      kernel-xen-3.0.101-0.7.19.1
      kernel-xen-base-3.0.101-0.7.19.1
      kernel-xen-devel-3.0.101-0.7.19.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (s390x) [New Version: 3.0.101]:

      kernel-default-man-3.0.101-0.7.19.1

   - SUSE Linux Enterprise Server 11 SP2 LTSS (i586) [New Version: 3.0.101]:

      kernel-pae-3.0.101-0.7.19.1
      kernel-pae-base-3.0.101-0.7.19.1
      kernel-pae-devel-3.0.101-0.7.19.1

   - SLE 11 SERVER Unsupported Extras (i586 s390x x86_64):

      kernel-default-extra-3.0.101-0.7.19.1

   - SLE 11 SERVER Unsupported Extras (i586 x86_64):

      kernel-xen-extra-3.0.101-0.7.19.1

   - SLE 11 SERVER Unsupported Extras (i586):

      kernel-pae-extra-3.0.101-0.7.19.1

References:

   http://support.novell.com/security/cve/CVE-2013-4470.html
   http://support.novell.com/security/cve/CVE-2013-4579.html
   http://support.novell.com/security/cve/CVE-2013-6382.html
   http://support.novell.com/security/cve/CVE-2013-6885.html
   http://support.novell.com/security/cve/CVE-2013-7263.html
   http://support.novell.com/security/cve/CVE-2013-7264.html
   http://support.novell.com/security/cve/CVE-2013-7265.html
   http://support.novell.com/security/cve/CVE-2013-7339.html
   http://support.novell.com/security/cve/CVE-2014-0069.html
   http://support.novell.com/security/cve/CVE-2014-0101.html
   http://support.novell.com/security/cve/CVE-2014-0196.html
   http://support.novell.com/security/cve/CVE-2014-1444.html
   http://support.novell.com/security/cve/CVE-2014-1445.html
   http://support.novell.com/security/cve/CVE-2014-1446.html
   http://support.novell.com/security/cve/CVE-2014-1737.html
   http://support.novell.com/security/cve/CVE-2014-1738.html
   http://support.novell.com/security/cve/CVE-2014-1874.html
   http://support.novell.com/security/cve/CVE-2014-2039.html
   http://support.novell.com/security/cve/CVE-2014-2523.html
   http://support.novell.com/security/cve/CVE-2014-2678.html
   http://support.novell.com/security/cve/CVE-2014-3122.html
   https://bugzilla.novell.com/708296
   https://bugzilla.novell.com/736697
   https://bugzilla.novell.com/746500
   https://bugzilla.novell.com/814788
   https://bugzilla.novell.com/819351
   https://bugzilla.novell.com/831029
   https://bugzilla.novell.com/836347
   https://bugzilla.novell.com/843185
   https://bugzilla.novell.com/844513
   https://bugzilla.novell.com/847672
   https://bugzilla.novell.com/849364
   https://bugzilla.novell.com/851426
   https://bugzilla.novell.com/852488
   https://bugzilla.novell.com/852553
   https://bugzilla.novell.com/852967
   https://bugzilla.novell.com/853455
   https://bugzilla.novell.com/854025
   https://bugzilla.novell.com/855347
   https://bugzilla.novell.com/855885
   https://bugzilla.novell.com/856083
   https://bugzilla.novell.com/857499
   https://bugzilla.novell.com/857643
   https://bugzilla.novell.com/858280
   https://bugzilla.novell.com/858534
   https://bugzilla.novell.com/858604
   https://bugzilla.novell.com/858869
   https://bugzilla.novell.com/858870
   https://bugzilla.novell.com/858872
   https://bugzilla.novell.com/862429
   https://bugzilla.novell.com/863300
   https://bugzilla.novell.com/863335
   https://bugzilla.novell.com/864025
   https://bugzilla.novell.com/864833
   https://bugzilla.novell.com/865307
   https://bugzilla.novell.com/865310
   https://bugzilla.novell.com/865330
   https://bugzilla.novell.com/865342
   https://bugzilla.novell.com/865783
   https://bugzilla.novell.com/866102
   https://bugzilla.novell.com/867953
   https://bugzilla.novell.com/868528
   https://bugzilla.novell.com/868653
   https://bugzilla.novell.com/869033
   https://bugzilla.novell.com/869563
   https://bugzilla.novell.com/870801
   https://bugzilla.novell.com/871325
   https://bugzilla.novell.com/871561
   https://bugzilla.novell.com/871861
   https://bugzilla.novell.com/873061
   https://bugzilla.novell.com/874108
   https://bugzilla.novell.com/875690
   https://bugzilla.novell.com/875798
   https://bugzilla.novell.com/876102
   http://download.suse.com/patch/finder/?keywords=787d82dbb16377714bc927d02557...
   http://download.suse.com/patch/finder/?keywords=8e83fb23e69fc57ddd82e1ab0aa4...
   http://download.suse.com/patch/finder/?keywords=be4d02e114cf7bfcc6687ae18820...
   http://download.suse.com/patch/finder/?keywords=d8a4989ab7c16d4dac2badacf2d0...
   http://download.suse.com/patch/finder/?keywords=da132fe457db88249d2db18bc5c2...
   http://download.suse.com/patch/finder/?keywords=ffc3bcce4bbb0dc6b7c0acc2c40f...
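
A post-update check, added here as an example and not part of SUSE's announcement: it compares installed kernel packages and the running kernel against the fixed version-release 3.0.101-0.7.19.1 from the Package List, since the update only takes effect after the reboot. The function names, the sample package lines and the `uname -r` naming (package release without its last component, plus the flavor) are assumptions.

```shell
#!/bin/sh
# Added example: audit kernel packages against this advisory's fixed build.
FIXED="3.0.101-0.7.19.1"   # version-release taken from the Package List

# ver_ge A B: succeed when A >= B, comparing numeric segments left to right.
# This approximates RPM ordering and is adequate for all-numeric strings.
ver_ge() {
    a=$(printf '%s' "$1" | tr -c '0-9' ' ')
    b=$(printf '%s' "$2" | tr -c '0-9' ' ')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        [ $# -gt 0 ] && shift
    done
    return 0
}

# audit_kernels: read "name version-release" lines on stdin, as printed by
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# and print a verdict per kernel-* package. Returns 1 if any is older.
audit_kernels() {
    rc=0
    while read -r name vr; do
        case $name in kernel-*) ;; *) continue ;; esac
        if ver_ge "$vr" "$FIXED"; then
            echo "OK         $name $vr"
        else
            echo "VULNERABLE $name $vr"
            rc=1
        fi
    done
    return $rc
}

# running_fixed UNAME_R: succeed when the booted kernel is the fixed build.
# Assumption: uname -r looks like "3.0.101-0.7.19-default", i.e. the package
# version-release minus its final component, followed by the flavor.
running_fixed() {
    ver_ge "${1%-*}" "${FIXED%.*}"
}

# Constructed sample input (not taken from a real host).
SAMPLE='kernel-default 3.0.101-0.7.17.1
kernel-default-base 3.0.101-0.7.19.1
kernel-xen 3.0.101-0.7.19.1
otherpkg 1.0-1'

printf '%s\n' "$SAMPLE" | audit_kernels ||
    echo "at least one kernel package predates $FIXED"
running_fixed "3.0.101-0.7.17-default" ||
    echo "running kernel is older than the fixed build: reboot required"
```

On a live system, feed `audit_kernels` the `rpm -qa` query shown in its comment and pass `"$(uname -r)"` to `running_fixed`.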