[security-announce] SUSE-SU-2011:1100-1: important: Security update for Linux kernel
   SUSE Security Update: Security update for Linux kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2011:1100-1
Rating:             important
References:         #588458 #603804 #632870 #642896 #649625 #650309
                    #667386 #669378 #688859 #694670 #699354 #699355
                    #699357 #701443 #701686 #704347 #706557 #707096
                    #707125 #707737 #708675 #708877 #709412 #711203
                    #711969 #712456 #712929 #713138 #713430 #714001
                    #714966 #715235 #715763 #716901 #719117 #719450
Cross-References:   CVE-2011-2928 CVE-2011-3191 CVE-2011-3353
Affected Products:
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
                    SUSE Linux Enterprise High Availability Extension 11 SP1
                    SUSE Linux Enterprise Desktop 11 SP1
______________________________________________________________________________

   An update that solves three vulnerabilities and has 33 fixes is now
   available. It includes one version update.

Description:

   The SUSE Linux Enterprise 11 Service Pack 1 kernel was updated to
   2.6.32.46 and fixes various bugs and security issues.

   The following security issues were fixed:

   * CVE-2011-3191: A signedness issue in CIFS could possibly have led to
     memory corruption, if a malicious server could send crafted replies
     to the host.
   * CVE-2011-3353: In the fuse filesystem, FUSE_NOTIFY_INVAL_ENTRY did
     not check the length of the write, so the message processing could
     overrun and result in a BUG_ON() in fuse_copy_fill(). This flaw could
     be used by local users able to mount FUSE filesystems to crash the
     system.
   * CVE-2011-2928: The befs_follow_link function in fs/befs/linuxvfs.c in
     the Linux kernel did not validate the length attribute of long
     symlinks, which allowed local users to cause a denial of service
     (incorrect pointer dereference and OOPS) by accessing a long symlink
     on a malformed Be filesystem.

   The following non-security bugs were also fixed:

   * CONFIG_CGROUP_MEM_RES_CTLR_SWAP enabled
   * CONFIG_CGROUP_MEM_RES_CTLR_SWAP_ENABLED disabled by default. Swap
     accounting can be turned on with the swapaccount=1 kernel command
     line parameter (bnc#719450)
   * Make swap accounting default behavior configurable (bnc#719450,
     bnc#650309, fate#310471).
   * Added a missing reset for ioc_reset_in_progress in SoftReset in the
     mptsas driver (bnc#711969).
   * Add support for the Digi/IBM PCIe 2-port Adapter (bnc#708675).
   * Always enable MSI-X on 5709 (bnc#707737).
   * sched: fix broken SCHED_RESET_ON_FORK handling (bnc#708877).
   * sched: Fix rt_rq runtime leakage bug (bnc#707096).
   * ACPI: allow passing down C1 information if no other C-states exist.
   * KDB: turn off kdb usb support by default (bnc#694670 bnc#603804).
   * xfs: Added event tracing support.
   * xfs: fix xfs_fsblock_t tracing.
   * igb: extend maximum frame size to receive VLAN tagged frames
     (bnc#688859).
   * cfq: Do not allow queue merges for queues that have no process
     references (bnc#712929).
   * cfq: break apart merged cfqqs if they stop cooperating (bnc#712929).
   * cfq: calculate the seek_mean per cfq_queue not per cfq_io_context
     (bnc#712929).
   * cfq: change the meaning of the cfqq_coop flag (bnc#712929).
   * cfq-iosched: get rid of the coop_preempt flag (bnc#712929).
   * cfq: merge cooperating cfq_queues (bnc#712929).
   * Fix FDDI and TR config checks in ipv4 arp and LLC (bnc#715235).
   * writeback: do uninterruptible sleep in balance_dirty_pages()
     (bnc#699354 bnc#699357).
   * xfs: fix memory reclaim recursion deadlock on locked inode buffer
     (bnc#699355 bnc#699354).
   * xfs: use GFP_NOFS for page cache allocation (bnc#699355 bnc#699354).
   * virtio-net: init link state correctly (bnc#714966).
   * cpufreq: pcc-cpufreq: sanity check to prevent a NULL pointer
     dereference (bnc#709412).
   * x86: ucode-amd: Do not warn when no ucode is available for a CPU
   * patches.arch/x86_64-unwind-annotations: Refresh (bnc#588458).
   * patches.suse/stack-unwind: Refresh (bnc#588458).
   * splice: direct_splice_actor() should not use pos in sd (bnc#715763).
   * qdio: 2nd stage retry on SIGA-W busy conditions (bnc#713138,
     LTC#74402).
   * TTY: pty, fix pty counting (bnc#711203).
   * Avoid deadlock in GFP_IO/GFP_FS allocation (bnc#632870).
   * novfs: fix some DirCache locking issues (bnc#669378).
   * novfs: fix some kmalloc/kfree issues (bnc#669378).
   * novfs: fix off-by-one allocation error (bnc#669378).
   * novfs: unlink directory after unmap (bnc#649625).
   * novfs: last modification time not reliable (bnc#642896).
   * x86 / IO APIC: Reset IRR in clear_IO_APIC_pin() (bnc#701686,
     bnc#667386).
   * mptfusion: Added check for SILI bit in READ_6 CDB for DATA UNDERRUN
     ERRATA (bnc#712456).
   * xfs: serialise unaligned direct IOs (bnc#707125).
   * NFS: Ensure that we handle NFS4ERR_STALE_STATEID correctly
     (bnc#701443).
   * NFSv4: Do not call nfs4_state_mark_reclaim_reboot() from error
     handlers (bnc#701443).
   * NFSv4: Fix open recovery (bnc#701443).
   * NFSv4.1: Do not call nfs4_schedule_state_recovery() unnecessarily
     (bnc#701443).

   Security Issues:

   * CVE-2011-3191
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3191>
   * CVE-2011-3353
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3353>
   * CVE-2011-2928
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2928>

Indications:

   Everyone using the Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-kernel-5219 slessp1-kernel-5223

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-kernel-5219 slessp1-kernel-5220 slessp1-kernel-5221 slessp1-kernel-5222 slessp1-kernel-5223

   - SUSE Linux Enterprise High Availability Extension 11 SP1:

      zypper in -t patch sleshasp1-kernel-5219 sleshasp1-kernel-5220 sleshasp1-kernel-5221 sleshasp1-kernel-5222 sleshasp1-kernel-5223

   - SUSE Linux Enterprise Desktop 11 SP1:

      zypper in -t patch sledsp1-kernel-5219 sledsp1-kernel-5223

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 2.6.32.46]:

      btrfs-kmp-default-0_2.6.32.46_0.3-0.3.57
      ext4dev-kmp-default-0_2.6.32.46_0.3-7.9.24
      hyper-v-kmp-default-0_2.6.32.46_0.3-0.14.11
      kernel-default-2.6.32.46-0.3.1
      kernel-default-base-2.6.32.46-0.3.1
      kernel-default-devel-2.6.32.46-0.3.1
      kernel-source-2.6.32.46-0.3.1
      kernel-syms-2.6.32.46-0.3.1
      kernel-trace-2.6.32.46-0.3.1
      kernel-trace-base-2.6.32.46-0.3.1
      kernel-trace-devel-2.6.32.46-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586) [New Version: 2.6.32.46]:

      btrfs-kmp-pae-0_2.6.32.46_0.3-0.3.57
      ext4dev-kmp-pae-0_2.6.32.46_0.3-7.9.24
      hyper-v-kmp-pae-0_2.6.32.46_0.3-0.14.11
      kernel-pae-2.6.32.46-0.3.1
      kernel-pae-base-2.6.32.46-0.3.1
      kernel-pae-devel-2.6.32.46-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 2.6.32.46]:

      btrfs-kmp-default-0_2.6.32.46_0.3-0.3.57
      ext4dev-kmp-default-0_2.6.32.46_0.3-7.9.24
      kernel-default-2.6.32.46-0.3.1
      kernel-default-base-2.6.32.46-0.3.1
      kernel-default-devel-2.6.32.46-0.3.1
      kernel-source-2.6.32.46-0.3.1
      kernel-syms-2.6.32.46-0.3.1
      kernel-trace-2.6.32.46-0.3.1
      kernel-trace-base-2.6.32.46-0.3.1
      kernel-trace-devel-2.6.32.46-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 x86_64) [New Version: 2.6.32.46]:

      btrfs-kmp-xen-0_2.6.32.46_0.3-0.3.57
      ext4dev-kmp-xen-0_2.6.32.46_0.3-7.9.24
      hyper-v-kmp-default-0_2.6.32.46_0.3-0.14.11
      kernel-ec2-2.6.32.46-0.3.1
      kernel-ec2-base-2.6.32.46-0.3.1
      kernel-xen-2.6.32.46-0.3.1
      kernel-xen-base-2.6.32.46-0.3.1
      kernel-xen-devel-2.6.32.46-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (s390x) [New Version: 2.6.32.46]:

      kernel-default-man-2.6.32.46-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (ppc64) [New Version: 2.6.32.46]:

      ext4dev-kmp-ppc64-0_2.6.32.46_0.3-7.9.24
      kernel-ppc64-2.6.32.46-0.3.1
      kernel-ppc64-base-2.6.32.46-0.3.1
      kernel-ppc64-devel-2.6.32.46-0.3.1

   - SUSE Linux Enterprise Server 11 SP1 (i586) [New Version: 2.6.32.46]:

      btrfs-kmp-pae-0_2.6.32.46_0.3-0.3.57
      ext4dev-kmp-pae-0_2.6.32.46_0.3-7.9.24
      hyper-v-kmp-pae-0_2.6.32.46_0.3-0.14.11
      kernel-pae-2.6.32.46-0.3.1
      kernel-pae-base-2.6.32.46-0.3.1
      kernel-pae-devel-2.6.32.46-0.3.1

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (i586 ia64 ppc64 s390x x86_64):

      cluster-network-kmp-default-1.4_2.6.32.46_0.3-2.5.9
      gfs2-kmp-default-2_2.6.32.46_0.3-0.2.56
      ocfs2-kmp-default-1.6_2.6.32.46_0.3-0.4.2.9

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (i586 x86_64):

      cluster-network-kmp-xen-1.4_2.6.32.46_0.3-2.5.9
      gfs2-kmp-xen-2_2.6.32.46_0.3-0.2.56
      ocfs2-kmp-xen-1.6_2.6.32.46_0.3-0.4.2.9

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (ppc64):

      cluster-network-kmp-ppc64-1.4_2.6.32.46_0.3-2.5.9
      gfs2-kmp-ppc64-2_2.6.32.46_0.3-0.2.56
      ocfs2-kmp-ppc64-1.6_2.6.32.46_0.3-0.4.2.9

   - SUSE Linux Enterprise High Availability Extension 11 SP1 (i586):

      cluster-network-kmp-pae-1.4_2.6.32.46_0.3-2.5.9
      gfs2-kmp-pae-2_2.6.32.46_0.3-0.2.56
      ocfs2-kmp-pae-1.6_2.6.32.46_0.3-0.4.2.9

   - SUSE Linux Enterprise Desktop 11 SP1 (i586 x86_64) [New Version: 2.6.32.46]:

      btrfs-kmp-default-0_2.6.32.46_0.3-0.3.57
      btrfs-kmp-xen-0_2.6.32.46_0.3-0.3.57
      hyper-v-kmp-default-0_2.6.32.46_0.3-0.14.11
      kernel-default-2.6.32.46-0.3.1
      kernel-default-base-2.6.32.46-0.3.1
      kernel-default-devel-2.6.32.46-0.3.1
      kernel-default-extra-2.6.32.46-0.3.1
      kernel-desktop-devel-2.6.32.46-0.3.1
      kernel-source-2.6.32.46-0.3.1
      kernel-syms-2.6.32.46-0.3.1
      kernel-xen-2.6.32.46-0.3.1
      kernel-xen-base-2.6.32.46-0.3.1
      kernel-xen-devel-2.6.32.46-0.3.1
      kernel-xen-extra-2.6.32.46-0.3.1

   - SUSE Linux Enterprise Desktop 11 SP1 (i586) [New Version: 2.6.32.46]:

      btrfs-kmp-pae-0_2.6.32.46_0.3-0.3.57
      hyper-v-kmp-pae-0_2.6.32.46_0.3-0.14.11
      kernel-pae-2.6.32.46-0.3.1
      kernel-pae-base-2.6.32.46-0.3.1
      kernel-pae-devel-2.6.32.46-0.3.1
      kernel-pae-extra-2.6.32.46-0.3.1

References:

   http://support.novell.com/security/cve/CVE-2011-2928.html
   http://support.novell.com/security/cve/CVE-2011-3191.html
   http://support.novell.com/security/cve/CVE-2011-3353.html
   https://bugzilla.novell.com/588458
   https://bugzilla.novell.com/603804
   https://bugzilla.novell.com/632870
   https://bugzilla.novell.com/642896
   https://bugzilla.novell.com/649625
   https://bugzilla.novell.com/650309
   https://bugzilla.novell.com/667386
   https://bugzilla.novell.com/669378
   https://bugzilla.novell.com/688859
   https://bugzilla.novell.com/694670
   https://bugzilla.novell.com/699354
   https://bugzilla.novell.com/699355
   https://bugzilla.novell.com/699357
   https://bugzilla.novell.com/701443
   https://bugzilla.novell.com/701686
   https://bugzilla.novell.com/704347
   https://bugzilla.novell.com/706557
   https://bugzilla.novell.com/707096
   https://bugzilla.novell.com/707125
   https://bugzilla.novell.com/707737
   https://bugzilla.novell.com/708675
   https://bugzilla.novell.com/708877
   https://bugzilla.novell.com/709412
   https://bugzilla.novell.com/711203
   https://bugzilla.novell.com/711969
   https://bugzilla.novell.com/712456
   https://bugzilla.novell.com/712929
   https://bugzilla.novell.com/713138
   https://bugzilla.novell.com/713430
   https://bugzilla.novell.com/714001
   https://bugzilla.novell.com/714966
   https://bugzilla.novell.com/715235
   https://bugzilla.novell.com/715763
   https://bugzilla.novell.com/716901
   https://bugzilla.novell.com/719117
   https://bugzilla.novell.com/719450
   http://download.novell.com/patch/finder/?keywords=20cb09e23614f5f5085f698cc5...
   http://download.novell.com/patch/finder/?keywords=56d0712d83970cf6fe7492bf33...
   http://download.novell.com/patch/finder/?keywords=94fa14c210d027059a56ea1e31...
   http://download.novell.com/patch/finder/?keywords=959314df0926c9887f7057c56f...
   http://download.novell.com/patch/finder/?keywords=9a7f6196af0af6d69bc4d0f12e...
participants (1)
-
opensuse-security@opensuse.org
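
The CVE-2011-3353 entry above describes a message handler that trusted a declared length without comparing it to the bytes actually written. The following user-space model of that kind of check is an added example, not kernel code or SUSE's patch; the struct layout, NAME_MAX_LEN, parse_inval_entry and demo_parse are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 255  /* assumed upper bound on an entry name */

/* Constructed stand-in for the fixed part of an invalidate-entry message. */
struct inval_entry_hdr {
    uint64_t parent;   /* directory that holds the entry */
    uint32_t namelen;  /* sender-declared name length, without the NUL */
    uint32_t padding;
};

/* Returns 0 and fills name[NAME_MAX_LEN + 1] on success, -1 if malformed. */
int parse_inval_entry(const unsigned char *msg, size_t size, char *name)
{
    struct inval_entry_hdr hdr;

    if (size < sizeof(hdr))
        return -1;                        /* not even a full header */
    memcpy(&hdr, msg, sizeof(hdr));
    size -= sizeof(hdr);
    if (hdr.namelen > NAME_MAX_LEN)
        return -1;                        /* would not fit the name buffer */
    /* Declared length must match what was written: exactly name + NUL. */
    if (size != (size_t)hdr.namelen + 1)
        return -1;
    memcpy(name, msg + sizeof(hdr), size);
    if (name[hdr.namelen] != '\0' || strlen(name) != hdr.namelen)
        return -1;                        /* no terminator, or embedded NUL */
    return 0;
}

/* Build a constructed message declaring `declared` name bytes but carrying
 * `written` payload bytes, then run it through the parser. */
int demo_parse(uint32_t declared, const char *payload, size_t written)
{
    unsigned char msg[sizeof(struct inval_entry_hdr) + NAME_MAX_LEN + 1] = {0};
    struct inval_entry_hdr hdr = { .parent = 1, .namelen = declared, .padding = 0 };
    char name[NAME_MAX_LEN + 1];

    if (written > NAME_MAX_LEN + 1)
        return -1;
    memcpy(msg, &hdr, sizeof(hdr));
    memcpy(msg + sizeof(hdr), payload, written);
    return parse_inval_entry(msg, sizeof(hdr) + written, name);
}

int main(void) { printf("%d %d\n", demo_parse(3, "abc", 4), demo_parse(200, "abc", 4)); return 0; }
```

A message whose header declares 200 name bytes while only 4 were written is rejected before any copy takes place.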