Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.4219 Security update for the Linux Kernel 30 November 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: linux kernel Publisher: SUSE Operating System: SUSE Impact/Access: Increased Privileges -- Remote/Unauthenticated Execute Arbitrary Code/Commands -- Existing Account Denial of Service -- Existing Account Access Confidential Data -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-27675 CVE-2020-27673 CVE-2020-26088 CVE-2020-25705 CVE-2020-25704 CVE-2020-25668 CVE-2020-25656 CVE-2020-25645 CVE-2020-25643 CVE-2020-25641 CVE-2020-25285 CVE-2020-25284 CVE-2020-25212 CVE-2020-16120 CVE-2020-14390 CVE-2020-14381 CVE-2020-14351 CVE-2020-12352 CVE-2020-12351 CVE-2020-8694 CVE-2020-2521 CVE-2020-0432 CVE-2020-0431 CVE-2020-0430 CVE-2020-0427 CVE-2020-0404 Reference: ESB-2020.4211 ESB-2020.4191 ESB-2020.4168 ESB-2020.4132 Original Bulletin: https://www.suse.com/support/update/announcement/2020/suse-su-20203532-1 - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2020:3532-1 Rating: important References: #1051510 #1058115 #1065600 #1131277 #1160947 #1161360 #1163524 #1166965 #1170232 #1170415 #1171417 #1172073 #1172366 #1173115 #1173233 #1175306 #1175721 #1175749 #1175882 #1176011 #1176235 #1176278 #1176381 #1176423 #1176482 #1176485 #1176698 #1176721 #1176722 #1176723 #1176725 #1176732 #1176877 #1176907 #1176922 #1176990 #1177027 #1177086 #1177121 #1177165 #1177206 #1177226 #1177410 #1177411 #1177470 #1177511 #1177513 #1177724 #1177725 #1177766 #1178003 #1178123 #1178330 #1178393 #1178622 #1178765 #1178782 #1178838 Cross-References: CVE-2020-0404 CVE-2020-0427 CVE-2020-0430 CVE-2020-0431 CVE-2020-0432 CVE-2020-12351 CVE-2020-12352 CVE-2020-14351 CVE-2020-14381 CVE-2020-14390 CVE-2020-16120 CVE-2020-2521 CVE-2020-25212 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641 CVE-2020-25643 CVE-2020-25645 CVE-2020-25656 CVE-2020-25668 CVE-2020-25704 CVE-2020-25705 CVE-2020-26088 CVE-2020-27673 CVE-2020-27675 CVE-2020-8694 Affected Products: SUSE Linux Enterprise Server for SAP 15 SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Module for Live Patching 15 SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Linux Enterprise High Availability 15 ______________________________________________________________________________ An update that solves 26 vulnerabilities and has 32 fixes is now available. Description: The SUSE Linux Enterprise 15 LTSS kernel was updated to receive various security and bug fixes. The following security bugs were fixed: o CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc# 1178782). o CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc# 1178393). o CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123). o CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766). o CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485). o CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723). o CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc# 1177086). o CVE-2020-16120: Fixed permission check to open real file when using overlayfs. It was possible to have a file not readable by an unprivileged user be copied to a mountpoint controlled by that user and then be able to access the file (bsc#1177470). o CVE-2020-8694: Restricted energy meter to root access (bsc#1170415). o CVE-2020-12351: Fixed a type confusion while processing AMP packets aka "BleedingTooth" aka "BadKarma" (bsc#1177724). o CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka "BleedingTooth" (bsc#1177725). o CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc# 1176381). o CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511). o CVE-2020-2521: Fixed getxattr kernel panic and memory overflow (bsc# 1176381). o CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011). o CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206). o CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121). o CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990). o CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235). o CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc #1176721). o CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc# 1176725). o CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722). o CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423). o CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482). o CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411) o CVE-2020-27675: Fixed a race condition in event handler which may crash dom0 (XSA-331 bsc#1177410). The following non-security bugs were fixed: o btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1131277). o btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922). o btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922). o btrfs: remove root usage from can_overcommit (bsc#1131277). o hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306). o hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306). o livepatch: Add -fdump-ipa-clones to build (). Add support for -fdump-ipa-clones GCC option. Update config files accordingly. o livepatch: Test if -fdump-ipa-clones is really available As of now we add -fdump-ipa-clones unconditionally. It does not cause a trouble if the kernel is build with the supported toolchain. Otherwise it could fail easily. Do the correct thing and test for the availability. o powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc# 1178765 ltc#188968). o scsi: qla2xxx: Do not consume srb greedily (bsc#1173233). o scsi: qla2xxx: Handle incorrect entry_type entries (bsc#1173233). o video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc# 1175306). o video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306). o video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306). o x86/hyperv: Create and use Hyper-V page definitions (bsc#1176877). o x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc# 1175306). o x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1058115 bsc#1176907). o xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411). o xen: do not reschedule in preemption off sections (bsc#1175749). o xen/events: add a new "late EOI" evtchn framework (XSA-332 bsc#1177411). o xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc# 1177411). o xen/events: avoid removing an event channel while handling it (XSA-331 bsc# 1177410). o xen/events: block rogue events for some time (XSA-332 bsc#1177411). o xen/events: defer eoi in case of excessive number of events (XSA-332 bsc# 1177411). o xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600). o xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411). o xen/events: switch user event channels to lateeoi model (XSA-332 bsc# 1177411). o xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc# 1177411). o xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411). o xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411). o xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE Linux Enterprise Server for SAP 15: zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3532=1 o SUSE Linux Enterprise Server 15-LTSS: zypper in -t patch SUSE-SLE-Product-SLES-15-2020-3532=1 o SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2020-3532=1 o SUSE Linux Enterprise High Performance Computing 15-LTSS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3532=1 o SUSE Linux Enterprise High Performance Computing 15-ESPOS: zypper in -t patch SUSE-SLE-Product-HPC-15-2020-3532=1 o SUSE Linux Enterprise High Availability 15: zypper in -t patch SUSE-SLE-Product-HA-15-2020-3532=1 Package List: o SUSE Linux Enterprise Server for SAP 15 (ppc64le x86_64): kernel-default-4.12.14-150.63.1 kernel-default-base-4.12.14-150.63.1 kernel-default-debuginfo-4.12.14-150.63.1 kernel-default-debugsource-4.12.14-150.63.1 kernel-default-devel-4.12.14-150.63.1 kernel-default-devel-debuginfo-4.12.14-150.63.1 kernel-obs-build-4.12.14-150.63.1 kernel-obs-build-debugsource-4.12.14-150.63.1 kernel-syms-4.12.14-150.63.1 kernel-vanilla-base-4.12.14-150.63.1 kernel-vanilla-base-debuginfo-4.12.14-150.63.1 kernel-vanilla-debuginfo-4.12.14-150.63.1 kernel-vanilla-debugsource-4.12.14-150.63.1 reiserfs-kmp-default-4.12.14-150.63.1 reiserfs-kmp-default-debuginfo-4.12.14-150.63.1 o SUSE Linux Enterprise Server for SAP 15 (noarch): kernel-devel-4.12.14-150.63.1 kernel-docs-4.12.14-150.63.1 kernel-macros-4.12.14-150.63.1 kernel-source-4.12.14-150.63.1 o SUSE Linux Enterprise Server 15-LTSS (aarch64 s390x): kernel-default-4.12.14-150.63.1 kernel-default-base-4.12.14-150.63.1 kernel-default-debuginfo-4.12.14-150.63.1 kernel-default-debugsource-4.12.14-150.63.1 kernel-default-devel-4.12.14-150.63.1 kernel-default-devel-debuginfo-4.12.14-150.63.1 kernel-obs-build-4.12.14-150.63.1 kernel-obs-build-debugsource-4.12.14-150.63.1 kernel-syms-4.12.14-150.63.1 kernel-vanilla-base-4.12.14-150.63.1 kernel-vanilla-base-debuginfo-4.12.14-150.63.1 kernel-vanilla-debuginfo-4.12.14-150.63.1 kernel-vanilla-debugsource-4.12.14-150.63.1 reiserfs-kmp-default-4.12.14-150.63.1 reiserfs-kmp-default-debuginfo-4.12.14-150.63.1 o SUSE Linux Enterprise Server 15-LTSS (noarch): kernel-devel-4.12.14-150.63.1 kernel-docs-4.12.14-150.63.1 kernel-macros-4.12.14-150.63.1 kernel-source-4.12.14-150.63.1 o SUSE Linux Enterprise Server 15-LTSS (s390x): kernel-default-man-4.12.14-150.63.1 kernel-zfcpdump-debuginfo-4.12.14-150.63.1 kernel-zfcpdump-debugsource-4.12.14-150.63.1 o SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-default-debuginfo-4.12.14-150.63.1 kernel-default-debugsource-4.12.14-150.63.1 kernel-default-livepatch-4.12.14-150.63.1 kernel-livepatch-4_12_14-150_63-default-1-1.5.1 kernel-livepatch-4_12_14-150_63-default-debuginfo-1-1.5.1 o SUSE Linux Enterprise High Performance Computing 15-LTSS (aarch64 x86_64): kernel-default-4.12.14-150.63.1 kernel-default-base-4.12.14-150.63.1 kernel-default-debuginfo-4.12.14-150.63.1 kernel-default-debugsource-4.12.14-150.63.1 kernel-default-devel-4.12.14-150.63.1 kernel-default-devel-debuginfo-4.12.14-150.63.1 kernel-obs-build-4.12.14-150.63.1 kernel-obs-build-debugsource-4.12.14-150.63.1 kernel-syms-4.12.14-150.63.1 kernel-vanilla-base-4.12.14-150.63.1 kernel-vanilla-base-debuginfo-4.12.14-150.63.1 kernel-vanilla-debuginfo-4.12.14-150.63.1 kernel-vanilla-debugsource-4.12.14-150.63.1 o SUSE Linux Enterprise High Performance Computing 15-LTSS (noarch): kernel-devel-4.12.14-150.63.1 kernel-docs-4.12.14-150.63.1 kernel-macros-4.12.14-150.63.1 kernel-source-4.12.14-150.63.1 o SUSE Linux Enterprise High Performance Computing 15-ESPOS (aarch64 x86_64): kernel-default-4.12.14-150.63.1 kernel-default-base-4.12.14-150.63.1 kernel-default-debuginfo-4.12.14-150.63.1 kernel-default-debugsource-4.12.14-150.63.1 kernel-default-devel-4.12.14-150.63.1 kernel-default-devel-debuginfo-4.12.14-150.63.1 kernel-obs-build-4.12.14-150.63.1 kernel-obs-build-debugsource-4.12.14-150.63.1 kernel-syms-4.12.14-150.63.1 kernel-vanilla-base-4.12.14-150.63.1 kernel-vanilla-base-debuginfo-4.12.14-150.63.1 kernel-vanilla-debuginfo-4.12.14-150.63.1 kernel-vanilla-debugsource-4.12.14-150.63.1 o SUSE Linux Enterprise High Performance Computing 15-ESPOS (noarch): kernel-devel-4.12.14-150.63.1 kernel-docs-4.12.14-150.63.1 kernel-macros-4.12.14-150.63.1 kernel-source-4.12.14-150.63.1 o SUSE Linux Enterprise High Availability 15 (aarch64 ppc64le s390x x86_64): cluster-md-kmp-default-4.12.14-150.63.1 cluster-md-kmp-default-debuginfo-4.12.14-150.63.1 dlm-kmp-default-4.12.14-150.63.1 dlm-kmp-default-debuginfo-4.12.14-150.63.1 gfs2-kmp-default-4.12.14-150.63.1 gfs2-kmp-default-debuginfo-4.12.14-150.63.1 kernel-default-debuginfo-4.12.14-150.63.1 kernel-default-debugsource-4.12.14-150.63.1 ocfs2-kmp-default-4.12.14-150.63.1 ocfs2-kmp-default-debuginfo-4.12.14-150.63.1 References: o https://www.suse.com/security/cve/CVE-2020-0404.html o https://www.suse.com/security/cve/CVE-2020-0427.html o https://www.suse.com/security/cve/CVE-2020-0430.html o https://www.suse.com/security/cve/CVE-2020-0431.html o https://www.suse.com/security/cve/CVE-2020-0432.html o https://www.suse.com/security/cve/CVE-2020-12351.html o https://www.suse.com/security/cve/CVE-2020-12352.html o https://www.suse.com/security/cve/CVE-2020-14351.html o https://www.suse.com/security/cve/CVE-2020-14381.html o https://www.suse.com/security/cve/CVE-2020-14390.html o https://www.suse.com/security/cve/CVE-2020-16120.html o https://www.suse.com/security/cve/CVE-2020-2521.html o https://www.suse.com/security/cve/CVE-2020-25212.html o https://www.suse.com/security/cve/CVE-2020-25284.html o https://www.suse.com/security/cve/CVE-2020-25285.html o https://www.suse.com/security/cve/CVE-2020-25641.html o https://www.suse.com/security/cve/CVE-2020-25643.html o https://www.suse.com/security/cve/CVE-2020-25645.html o https://www.suse.com/security/cve/CVE-2020-25656.html o https://www.suse.com/security/cve/CVE-2020-25668.html o https://www.suse.com/security/cve/CVE-2020-25704.html o https://www.suse.com/security/cve/CVE-2020-25705.html o https://www.suse.com/security/cve/CVE-2020-26088.html o https://www.suse.com/security/cve/CVE-2020-27673.html o https://www.suse.com/security/cve/CVE-2020-27675.html o https://www.suse.com/security/cve/CVE-2020-8694.html o https://bugzilla.suse.com/1051510 o https://bugzilla.suse.com/1058115 o https://bugzilla.suse.com/1065600 o https://bugzilla.suse.com/1131277 o https://bugzilla.suse.com/1160947 o https://bugzilla.suse.com/1161360 o https://bugzilla.suse.com/1163524 o https://bugzilla.suse.com/1166965 o https://bugzilla.suse.com/1170232 o https://bugzilla.suse.com/1170415 o https://bugzilla.suse.com/1171417 o https://bugzilla.suse.com/1172073 o https://bugzilla.suse.com/1172366 o https://bugzilla.suse.com/1173115 o https://bugzilla.suse.com/1173233 o https://bugzilla.suse.com/1175306 o https://bugzilla.suse.com/1175721 o https://bugzilla.suse.com/1175749 o https://bugzilla.suse.com/1175882 o https://bugzilla.suse.com/1176011 o https://bugzilla.suse.com/1176235 o https://bugzilla.suse.com/1176278 o https://bugzilla.suse.com/1176381 o https://bugzilla.suse.com/1176423 o https://bugzilla.suse.com/1176482 o https://bugzilla.suse.com/1176485 o https://bugzilla.suse.com/1176698 o https://bugzilla.suse.com/1176721 o https://bugzilla.suse.com/1176722 o https://bugzilla.suse.com/1176723 o https://bugzilla.suse.com/1176725 o https://bugzilla.suse.com/1176732 o https://bugzilla.suse.com/1176877 o https://bugzilla.suse.com/1176907 o https://bugzilla.suse.com/1176922 o https://bugzilla.suse.com/1176990 o https://bugzilla.suse.com/1177027 o https://bugzilla.suse.com/1177086 o https://bugzilla.suse.com/1177121 o https://bugzilla.suse.com/1177165 o https://bugzilla.suse.com/1177206 o https://bugzilla.suse.com/1177226 o https://bugzilla.suse.com/1177410 o https://bugzilla.suse.com/1177411 o https://bugzilla.suse.com/1177470 o https://bugzilla.suse.com/1177511 o https://bugzilla.suse.com/1177513 o https://bugzilla.suse.com/1177724 o https://bugzilla.suse.com/1177725 o https://bugzilla.suse.com/1177766 o https://bugzilla.suse.com/1178003 o https://bugzilla.suse.com/1178123 o https://bugzilla.suse.com/1178330 o https://bugzilla.suse.com/1178393 o https://bugzilla.suse.com/1178622 o https://bugzilla.suse.com/1178765 o https://bugzilla.suse.com/1178782 o https://bugzilla.suse.com/1178838 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX8RLH+NLKJtyKPYoAQiCvA//YD+nzyEXg8V494kwjl+DLTRmEfpcYL2U TDAMs6QFcY+HPGdaEYnYvPHGousshRjup4tS6xbgqng04xpMzTtgh6mI9Mn99nEk J7WSe3rpunwwRyegukCMtZKHa9RRlqM12ZmBcw0MaBiScYtdlc67fZfF9RbnWWG7 D2tmb9v9/0/7mPJT6somBdHNlWcXGzri4o0u1jye6ox9F1dhMxNcD/vWsY2TI4qm Pny8Cuy3wqbn3ywXxGSIqfj534p4yuM/UKssmymd2BmcsbKjquHCs3NX4l1/FU/N gwcjMIKRhxO5hNRNQEZD5LcmbViAWbYI6dAUhDzE9i1z388EQaOPrm+nCHDs67yL pqgq2y4I7mqnDn3ujt/3wkgkpT2EJNb3wGp9vcu0P/PRte6X2IINfCye82sQakGu Nht04yjJA5wHxq/zhanO8ep2mXzar8XoNbVqNOmsv6gtOMnwPCuxeMIgrV1hhaUR 0mmLWNPc5/Ajl83DodQf9T9vL4PuKg9N1Zh4tDfbNAQoGtxU7AeS0Rs3CG0P2MsA wm0ypWs3i7fGaHwGHW4s9NxF99sfe+fAhLE2LCd0cqoeFplRMSooIiZrW2wqX7yb kpqOM/9QhUpVl7Z51GtoQcUbaKdXzr+tmdc3Iq1zC/es1O13uhiZStC1PGoTTByf gMapiIvQpEg= =XrEd -----END PGP SIGNATURE-----