ESB-2018.3060 - [SUSE] linux kernel: Multiple vulnerabilities 2018-10-10

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3060
                   Security update for the Linux Kernel
                              10 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux kernel
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Root Compromise        -- Existing Account
                   Access Privileged Data -- Existing Account
                   Denial of Service      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-17182 CVE-2018-16658 CVE-2018-16276
                   CVE-2018-15594 CVE-2018-15572 CVE-2018-14734
                   CVE-2018-14678 CVE-2018-14634 CVE-2018-14617
                   CVE-2018-13095 CVE-2018-13094 CVE-2018-13093
                   CVE-2018-12896 CVE-2018-10940 CVE-2018-10938
                   CVE-2018-10902 CVE-2018-10883 CVE-2018-10882
                   CVE-2018-10881 CVE-2018-10880 CVE-2018-10879
                   CVE-2018-10878 CVE-2018-10877 CVE-2018-10876
                   CVE-2018-10853 CVE-2018-9363 CVE-2018-7757
                   CVE-2018-7480 CVE-2018-6555 CVE-2018-6554

Reference:         ASB-2018.0124
                   ESB-2018.3020
                   ESB-2018.3010
                   ESB-2018.2981
                   ESB-2018.2974
                   ESB-2018.2958
                   ESB-2018.2955
                   ESB-2018.2930
                   ESB-2018.2885

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2018/suse-su-20183083-1.html
   https://www.suse.com/support/update/announcement/2018/suse-su-20183084-1.html
   https://www.suse.com/support/update/announcement/2018/suse-su-20183088-1.html

Comment: This bulletin contains three (3) security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:3083-1
Rating:             important
References:         #1012382 #1062604 #1064232 #1065999 #1092903 
                    #1093215 #1096547 #1097104 #1099811 #1099813 
                    #1099844 #1099845 #1099846 #1099849 #1099863 
                    #1099864 #1099922 #1100001 #1100089 #1102870 
                    #1103445 #1104319 #1104495 #1104906 #1105322 
                    #1105412 #1106095 #1106369 #1106509 #1106511 
                    #1107689 #1108399 #1108912 
Cross-References:   CVE-2018-10853 CVE-2018-10876 CVE-2018-10877
                    CVE-2018-10878 CVE-2018-10879 CVE-2018-10880
                    CVE-2018-10881 CVE-2018-10882 CVE-2018-10883
                    CVE-2018-10902 CVE-2018-10940 CVE-2018-12896
                    CVE-2018-13093 CVE-2018-14617 CVE-2018-14634
                    CVE-2018-16276 CVE-2018-16658 CVE-2018-17182
                    CVE-2018-6554 CVE-2018-6555
Affected Products:
                    SUSE Linux Enterprise Server 12-LTSS
                    SUSE Linux Enterprise Module for Public Cloud 12
______________________________________________________________________________

   An update that solves 20 vulnerabilities and has 13 fixes
   is now available.

Description:


   The SUSE Linux Enterprise 12 kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2018-14634: Prevent integer overflow in create_elf_tables that
     allowed a local attacker to exploit this vulnerability via a SUID-root
     binary and obtain full root privileges (bsc#1108912)
   - CVE-2018-14617: Prevent NULL pointer dereference and panic in
     hfsplus_lookup() when opening a file (that is purportedly a hard link)
     in an hfs+ filesystem that has malformed catalog data, and is mounted
     read-only without a metadata directory (bsc#1102870)
   - CVE-2018-16276: Incorrect bounds checking in the yurex USB driver in
     yurex_read allowed local attackers to use user access read/writes to
     crash the kernel or potentially escalate privileges (bsc#1106095)
   - CVE-2018-12896: Prevent integer overflow in the POSIX timer code that
     was caused by the way the overrun accounting works. Depending on
     interval and expiry time values, the overrun can be larger than INT_MAX,
     but the accounting is int based. This basically made the accounting
     values, which are visible to user space via timer_getoverrun(2) and
     siginfo::si_overrun, random. This allowed a local user to cause a denial
     of service (signed integer overflow) via crafted mmap, futex,
     timer_create, and timer_settime system calls (bnc#1099922)
   - CVE-2018-13093: Prevent NULL pointer dereference and panic in
     lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a
     corrupted xfs image. This occurred because of a lack of proper
     validation that cached inodes are free during allocation (bnc#1100001)
   - CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local
     attackers to use an incorrect bounds check in the CDROM driver
     CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)
   - CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status
     that could have been used by local attackers to read kernel memory
     (bnc#1107689)
   - CVE-2018-6555: The irda_setsockopt function allowed local users to cause
     a denial of service (ias_object use-after-free and system crash) or
     possibly have unspecified other impact via an AF_IRDA socket
     (bnc#1106511)
   - CVE-2018-6554: Prevent memory leak in the irda_bind function that
     allowed local users to cause a denial of service (memory consumption) by
     repeatedly binding an AF_IRDA socket (bnc#1106509)
   - CVE-2018-10853: The KVM hypervisor did not check the current privilege
     level (CPL) while emulating unprivileged instructions. An unprivileged
     guest user/process could have used this flaw to potentially escalate
     privileges inside guest (bsc#1097104)
   - CVE-2018-10902: Protect against concurrent access to prevent double
     realloc (double free) in snd_rawmidi_input_params() and
     snd_rawmidi_output_status(). A malicious local attacker could have used
     this for privilege escalation (bnc#1105322).
   - CVE-2018-10879: A local user could have caused a use-after-free in
     ext4_xattr_set_entry function and a denial of service or unspecified
     other impact by renaming a file in a crafted ext4 filesystem image
     (bsc#1099844)
   - CVE-2018-10883: A local user could have caused an out-of-bounds write in
     jbd2_journal_dirty_metadata(), a denial of service, and a system crash
     by mounting and operating on a crafted ext4 filesystem image
     (bsc#1099863)
   - CVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem
     code when mounting and writing to a crafted ext4 image in
     ext4_update_inline_data(). An attacker could have used this to cause a
     system crash and a denial of service (bsc#1099845)
   - CVE-2018-10882: A local user could have caused an out-of-bound write, a
     denial of service, and a system crash by unmounting a crafted ext4
     filesystem image (bsc#1099849)
   - CVE-2018-10881: A local user could have caused an out-of-bound access in
     ext4_get_group_info function, a denial of service, and a system crash by
     mounting and operating on a crafted ext4 filesystem image (bsc#1099864)
   - CVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs()
     function when operating on a crafted ext4 filesystem image (bsc#1099846)
   - CVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space()
     function when mounting and operating a crafted ext4 image (bsc#1099811)
   - CVE-2018-10878: A local user could have caused an out-of-bounds write
     and a denial of service or unspecified other impact by mounting and
     operating a crafted ext4 filesystem image (bsc#1099813)
   - CVE-2018-17182: An issue was discovered in the Linux kernel. The
     vmacache_flush_all function in mm/vmacache.c mishandled sequence number
     overflows. An attacker can trigger a use-after-free (and possibly gain
     privileges) via certain thread creation, map, unmap, invalidation, and
     dereference operations (bnc#1108399).
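
   The CVE-2018-12896 entry above describes an overrun count that can exceed
   INT_MAX while the accounting is int based. The following is an added
   example, not code from the kernel or from SUSE: a user-space model with
   hypothetical helper names and constructed sample values, showing what the
   int-sized value looks like next to a saturating conversion (saturation is
   this example's choice of remedy).

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Missed expirations of a periodic timer: how many whole intervals fit
 * into the time elapsed since the first expiry. Hypothetical helper for
 * this example; kept 64-bit so the count itself cannot wrap here. */
static int64_t overrun_count(int64_t elapsed_ns, int64_t interval_ns)
{
    if (interval_ns <= 0 || elapsed_ns < 0)
        return 0;
    return elapsed_ns / interval_ns;
}

/* int-based accounting: only the low 32 bits of the count survive.
 * memcpy is used so the wrap is well defined in this demo. */
static int overrun_as_int_truncated(int64_t count)
{
    uint32_t low = (uint32_t)count;
    int32_t out;

    memcpy(&out, &low, sizeof out);
    return out;
}

/* Saturating conversion: values above INT_MAX report INT_MAX, so the
 * number user space sees is never negative and never wraps. */
static int overrun_as_int_clamped(int64_t count)
{
    if (count > INT_MAX)
        return INT_MAX;
    if (count < 0)
        return 0;
    return (int)count;
}

int main(void)
{
    /* Constructed sample: 1 ns interval, signal handled after 2, 3, 5 s. */
    const int64_t interval_ns = 1;
    const int64_t elapsed_ns[] = { 2000000000LL, 3000000000LL, 5000000000LL };
    size_t i;

    printf("%-12s %-12s %-12s %s\n", "elapsed_ns", "true", "int-based", "clamped");
    for (i = 0; i < sizeof elapsed_ns / sizeof elapsed_ns[0]; i++) {
        int64_t n = overrun_count(elapsed_ns[i], interval_ns);

        printf("%-12lld %-12lld %-12d %d\n",
               (long long)elapsed_ns[i], (long long)n,
               overrun_as_int_truncated(n), overrun_as_int_clamped(n));
    }
    return 0;
}
```

   The 3-second row comes out negative and the 5-second row comes out as a
   plausible but wrong positive number, which is why the advisory calls the
   values visible to user space random.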

   The following non-security bugs were fixed:

   - bcache: avoid unnecessary cache prefetch bch_btree_node_get().
   - bcache: calculate the number of incremental GC nodes according to the
     total of btree nodes.
   - bcache: display rate debug parameters to 0 when writeback is not running.
   - bcache: do not check return value of debugfs_create_dir().
   - bcache: finish incremental GC.
   - bcache: fix error setting writeback_rate through sysfs interface
     (bsc#1064232).
   - bcache: fix I/O significant decline while backend devices registering.
   - bcache: free heap cache_set->flush_btree in bch_journal_free.
   - bcache: make the pr_err statement used for ENOENT only in sysfs_attatch
     section.
   - bcache: release dc->writeback_lock properly in bch_writeback_thread().
   - bcache: set max writeback rate when I/O request is idle (bsc#1064232).
   - bcache: simplify the calculation of the total amount of flash dirty data.
   - Do not report CPU affected by L1TF when ARCH_CAP_RDCL_NO bit is set
     (bsc#1104906).
   - ext4: check for allocation block validity with block group locked
     (bsc#1104495).
   - ext4: do not update checksum of new initialized bitmaps (bnc#1012382).
   - ext4: fix check to prevent initializing reserved inodes (bsc#1104319).
   - ext4: fix false negatives *and* false positives in
     ext4_check_descriptors() (bsc#1103445).
   - kABI: protect struct x86_emulate_ops (kabi).
   - KEYS: prevent creating a different user's keyrings (bnc#1065999).
   - KVM: MMU: always terminate page walks at level 1 (bsc#1062604).
   - KVM: MMU: simplify last_pte_bitmap (bsc#1062604).
   - KVM: nVMX: update last_nonleaf_level when initializing nested EPT
     (bsc#1062604).
   - KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
   - KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state'
     (bsc#1106369).
   - updated sssbd handling (bsc#1093215, bsc#1105412).
   - usbip: vhci_sysfs: fix potential Spectre v1 (bsc#1096547).
   - x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry
     (bsc#1106369).
   - sched/sysctl: Check user input value of sysctl_sched_time_avg
     (bsc#1100089).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-2018-2185=1

   - SUSE Linux Enterprise Module for Public Cloud 12:

      zypper in -t patch SUSE-SLE-Module-Public-Cloud-12-2018-2185=1



Package List:

   - SUSE Linux Enterprise Server 12-LTSS (ppc64le s390x x86_64):

      kernel-default-3.12.61-52.146.1
      kernel-default-base-3.12.61-52.146.1
      kernel-default-base-debuginfo-3.12.61-52.146.1
      kernel-default-debuginfo-3.12.61-52.146.1
      kernel-default-debugsource-3.12.61-52.146.1
      kernel-default-devel-3.12.61-52.146.1
      kernel-syms-3.12.61-52.146.1

   - SUSE Linux Enterprise Server 12-LTSS (x86_64):

      kernel-xen-3.12.61-52.146.1
      kernel-xen-base-3.12.61-52.146.1
      kernel-xen-base-debuginfo-3.12.61-52.146.1
      kernel-xen-debuginfo-3.12.61-52.146.1
      kernel-xen-debugsource-3.12.61-52.146.1
      kernel-xen-devel-3.12.61-52.146.1
      kgraft-patch-3_12_61-52_146-default-1-1.5.1
      kgraft-patch-3_12_61-52_146-xen-1-1.5.1

   - SUSE Linux Enterprise Server 12-LTSS (noarch):

      kernel-devel-3.12.61-52.146.1
      kernel-macros-3.12.61-52.146.1
      kernel-source-3.12.61-52.146.1

   - SUSE Linux Enterprise Server 12-LTSS (s390x):

      kernel-default-man-3.12.61-52.146.1

   - SUSE Linux Enterprise Module for Public Cloud 12 (x86_64):

      kernel-ec2-3.12.61-52.146.1
      kernel-ec2-debuginfo-3.12.61-52.146.1
      kernel-ec2-debugsource-3.12.61-52.146.1
      kernel-ec2-devel-3.12.61-52.146.1
      kernel-ec2-extra-3.12.61-52.146.1
      kernel-ec2-extra-debuginfo-3.12.61-52.146.1


References:

   https://www.suse.com/security/cve/CVE-2018-10853.html
   https://www.suse.com/security/cve/CVE-2018-10876.html
   https://www.suse.com/security/cve/CVE-2018-10877.html
   https://www.suse.com/security/cve/CVE-2018-10878.html
   https://www.suse.com/security/cve/CVE-2018-10879.html
   https://www.suse.com/security/cve/CVE-2018-10880.html
   https://www.suse.com/security/cve/CVE-2018-10881.html
   https://www.suse.com/security/cve/CVE-2018-10882.html
   https://www.suse.com/security/cve/CVE-2018-10883.html
   https://www.suse.com/security/cve/CVE-2018-10902.html
   https://www.suse.com/security/cve/CVE-2018-10940.html
   https://www.suse.com/security/cve/CVE-2018-12896.html
   https://www.suse.com/security/cve/CVE-2018-13093.html
   https://www.suse.com/security/cve/CVE-2018-14617.html
   https://www.suse.com/security/cve/CVE-2018-14634.html
   https://www.suse.com/security/cve/CVE-2018-16276.html
   https://www.suse.com/security/cve/CVE-2018-16658.html
   https://www.suse.com/security/cve/CVE-2018-17182.html
   https://www.suse.com/security/cve/CVE-2018-6554.html
   https://www.suse.com/security/cve/CVE-2018-6555.html
   https://bugzilla.suse.com/1012382
   https://bugzilla.suse.com/1062604
   https://bugzilla.suse.com/1064232
   https://bugzilla.suse.com/1065999
   https://bugzilla.suse.com/1092903
   https://bugzilla.suse.com/1093215
   https://bugzilla.suse.com/1096547
   https://bugzilla.suse.com/1097104
   https://bugzilla.suse.com/1099811
   https://bugzilla.suse.com/1099813
   https://bugzilla.suse.com/1099844
   https://bugzilla.suse.com/1099845
   https://bugzilla.suse.com/1099846
   https://bugzilla.suse.com/1099849
   https://bugzilla.suse.com/1099863
   https://bugzilla.suse.com/1099864
   https://bugzilla.suse.com/1099922
   https://bugzilla.suse.com/1100001
   https://bugzilla.suse.com/1100089
   https://bugzilla.suse.com/1102870
   https://bugzilla.suse.com/1103445
   https://bugzilla.suse.com/1104319
   https://bugzilla.suse.com/1104495
   https://bugzilla.suse.com/1104906
   https://bugzilla.suse.com/1105322
   https://bugzilla.suse.com/1105412
   https://bugzilla.suse.com/1106095
   https://bugzilla.suse.com/1106369
   https://bugzilla.suse.com/1106509
   https://bugzilla.suse.com/1106511
   https://bugzilla.suse.com/1107689
   https://bugzilla.suse.com/1108399
   https://bugzilla.suse.com/1108912

_______________________________________________

==============================================================================

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:3084-1
Rating:             important
References:         #1012382 #1042286 #1062604 #1064232 #1065364 
                    #1082519 #1082863 #1084536 #1085042 #1088810 
                    #1089066 #1092903 #1094466 #1095344 #1096547 
                    #1097104 #1099597 #1099811 #1099813 #1099844 
                    #1099845 #1099846 #1099849 #1099863 #1099864 
                    #1099922 #1099993 #1099999 #1100000 #1100001 
                    #1100152 #1102517 #1102715 #1102870 #1103445 
                    #1104319 #1104495 #1105292 #1105296 #1105322 
                    #1105348 #1105396 #1105536 #1106016 #1106095 
                    #1106369 #1106509 #1106511 #1106512 #1106594 
                    #1107689 #1107735 #1107966 #1108239 #1108399 
                    #1109333 
Cross-References:   CVE-2018-10853 CVE-2018-10876 CVE-2018-10877
                    CVE-2018-10878 CVE-2018-10879 CVE-2018-10880
                    CVE-2018-10881 CVE-2018-10882 CVE-2018-10883
                    CVE-2018-10902 CVE-2018-10938 CVE-2018-10940
                    CVE-2018-12896 CVE-2018-13093 CVE-2018-13094
                    CVE-2018-13095 CVE-2018-14617 CVE-2018-14678
                    CVE-2018-15572 CVE-2018-15594 CVE-2018-16276
                    CVE-2018-16658 CVE-2018-17182 CVE-2018-6554
                    CVE-2018-6555 CVE-2018-7480 CVE-2018-7757
                    CVE-2018-9363
Affected Products:
                    SUSE OpenStack Cloud 7
                    SUSE Linux Enterprise Server for SAP 12-SP2
                    SUSE Linux Enterprise Server 12-SP2-LTSS
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    SUSE Linux Enterprise High Availability 12-SP2
                    SUSE Enterprise Storage 4
                    OpenStack Cloud Magnum Orchestration 7
______________________________________________________________________________

   An update that solves 28 vulnerabilities and has 28 fixes
   is now available.

Description:



   The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive
   various security and bugfixes.

   The following security bugs were fixed:

   - CVE-2018-10853: A flaw was found in the way the KVM hypervisor emulated
     instructions such as sgdt/sidt/fxsave/fxrstor. It did not check the
     current privilege level (CPL) while emulating unprivileged
     instructions. An unprivileged guest user/process could use this flaw to
     potentially escalate privileges inside guest (bnc#1097104).
   - CVE-2018-10876: A flaw was found in Linux kernel in the ext4 filesystem
     code. A use-after-free is possible in ext4_ext_remove_space() function
     when mounting and operating a crafted ext4 image. (bnc#1099811)
   - CVE-2018-10877: Linux kernel ext4 filesystem is vulnerable to an
     out-of-bound access in the ext4_ext_drop_refs() function when operating
     on a crafted ext4 filesystem image. (bnc#1099846)
   - CVE-2018-10878: A flaw was found in the Linux kernel's ext4 filesystem.
     A local user can cause an out-of-bounds write and a denial of service or
     unspecified other impact is possible by mounting and operating a crafted
     ext4 filesystem image. (bnc#1099813)
   - CVE-2018-10879: A flaw was found in the Linux kernel's ext4 filesystem.
     A local user can cause a use-after-free in ext4_xattr_set_entry function
     and a denial of service or unspecified other impact may occur by
     renaming a file in a crafted ext4 filesystem image. (bnc#1099844)
   - CVE-2018-10880: Linux kernel is vulnerable to a stack-out-of-bounds
     write in the ext4 filesystem code when mounting and writing to a crafted
     ext4 image in ext4_update_inline_data(). An attacker could use this to
     cause a system crash and a denial of service. (bnc#1099845)
   - CVE-2018-10881: A flaw was found in the Linux kernel's ext4 filesystem.
     A local user can cause an out-of-bound access in ext4_get_group_info
     function, a denial of service, and a system crash by mounting and
     operating on a crafted ext4 filesystem image. (bnc#1099864)
   - CVE-2018-10882: A flaw was found in the Linux kernel's ext4 filesystem.
     A local user can cause an out-of-bound write in fs/jbd2/transaction.c
     code, a denial of service, and a system crash by unmounting a crafted
     ext4 filesystem image. (bnc#1099849)
   - CVE-2018-10883: A flaw was found in the Linux kernel's ext4 filesystem.
     A local user can cause an out-of-bounds write in
     jbd2_journal_dirty_metadata(), a denial of service, and a system crash
     by mounting and operating on a crafted ext4 filesystem image.
     (bnc#1099863)
   - CVE-2018-10902: It was found that the raw midi kernel driver did not
     protect against concurrent access which leads to a double realloc
     (double free) in snd_rawmidi_input_params() and
     snd_rawmidi_output_status() which are part of snd_rawmidi_ioctl()
     handler in rawmidi.c file. A malicious local attacker could possibly use
     this for privilege escalation (bnc#1105322).
   - CVE-2018-10938: A crafted network packet sent remotely by an attacker
     may force the kernel to enter an infinite loop in the cipso_v4_optptr()
     function in net/ipv4/cipso_ipv4.c leading to a denial-of-service. A
     certain non-default configuration of LSM (Linux Security Module) and
     NetLabel should be set up on a system before an attacker could leverage
     this flaw (bnc#1106016).
   - CVE-2018-10940: The cdrom_ioctl_media_changed function in
     drivers/cdrom/cdrom.c allowed local attackers to use an incorrect bounds
     check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel
     memory (bnc#1092903).
   - CVE-2018-12896: An Integer Overflow in kernel/time/posix-timers.c in the
     POSIX timer code is caused by the way the overrun accounting works.
     Depending on interval and expiry time values, the overrun can be larger
     than INT_MAX, but the accounting is int based. This basically made the
     accounting values, which are visible to user space via
     timer_getoverrun(2) and siginfo::si_overrun, random. For example, a
     local user can cause a denial of service (signed integer overflow) via
     crafted mmap, futex, timer_create, and timer_settime system calls
     (bnc#1099922).
   - CVE-2018-13093: There is a NULL pointer dereference and panic in
     lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a
     corrupted xfs image. This occurs because of a lack of proper validation
     that cached inodes are free during allocation (bnc#1100001).
   - CVE-2018-13094: An OOPS may occur for a corrupted xfs image after
     xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000).
   - CVE-2018-13095: A denial of service (memory corruption and BUG) can
     occur for a corrupted xfs image upon encountering an inode that is in
     extent format, but has more extents than fit in the inode fork
     (bnc#1099999).
   - CVE-2018-14617: There is a NULL pointer dereference and panic in
     hfsplus_lookup() in fs/hfsplus/dir.c when opening a file (that is
     purportedly a hard link) in an hfs+ filesystem that has malformed
     catalog data, and is mounted read-only without a metadata directory
     (bnc#1102870).
   - CVE-2018-14678: The xen_failsafe_callback entry point in
     arch/x86/entry/entry_64.S did not properly maintain RBX, which allowed
     local users to cause a denial of service (uninitialized memory usage and
     system crash). Within Xen, 64-bit x86 PV Linux guest OS users can
     trigger a guest OS crash or possibly gain privileges (bnc#1102715).
   - CVE-2018-15572: The spectre_v2_select_mitigation function in
     arch/x86/kernel/cpu/bugs.c did not always fill RSB upon a context
     switch, which made it easier for attackers to conduct
     userspace-userspace spectreRSB attacks (bnc#1102517 bnc#1105296).
   - CVE-2018-15594: arch/x86/kernel/paravirt.c mishandled certain indirect
     calls, which made it easier for attackers to conduct Spectre-v2 attacks
     against paravirtual guests (bnc#1105348).
   - CVE-2018-16276: Local attackers could use user access read/writes with
     incorrect bounds checking in the yurex USB driver to crash the kernel or
     potentially escalate privileges (bnc#1106095).
   - CVE-2018-16658: An information leak in cdrom_ioctl_drive_status in
     drivers/cdrom/cdrom.c could be used by local attackers to read kernel
     memory because a cast from unsigned long to int interferes with bounds
     checking. This is similar to CVE-2018-10940 (bnc#1107689).
   - CVE-2018-17182: The vmacache_flush_all function in mm/vmacache.c
     mishandled sequence number overflows. An attacker can trigger a
     use-after-free (and possibly gain privileges) via certain thread
     creation, map, unmap, invalidation, and dereference operations
     (bnc#1108399).
   - CVE-2018-6554: Memory leak in the irda_bind function in
     net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c
     allowed local users to cause a denial of service (memory consumption) by
     repeatedly binding an AF_IRDA socket (bnc#1106509).
   - CVE-2018-6555: The irda_setsockopt function in net/irda/af_irda.c and
     later in drivers/staging/irda/net/af_irda.c allowed local users to cause
     a denial of service (ias_object use-after-free and system crash) or
     possibly have unspecified other impact via an AF_IRDA socket
     (bnc#1106511).
   - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in
     drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial
     of service (memory consumption) via many read accesses to files in the
     /sys/class/sas_phy directory, as demonstrated by the
     /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).
   - CVE-2018-9363: A buffer overflow in bluetooth HID report processing
     could be used by malicious bluetooth devices to crash the kernel or
     potentially execute code (bnc#1105292).
   - CVE-2018-7480: The blkcg_init_queue function in block/blk-cgroup.c
     allowed local users to cause a denial of service (double free) or
     possibly have unspecified other impact by triggering a creation failure
     (bnc#1082863).
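
   The CVE-2018-16658 entry above attributes the leak to a cast from unsigned
   long to int that interferes with bounds checking. The following is an
   added example, not the kernel's cdrom code: a user-space model with
   hypothetical names and constructed argument values that shows which
   arguments a truncating check lets through and how comparing at full width
   rejects them. No out-of-range slot is ever read.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NSLOTS 4

/* Hypothetical device model: a changer with NSLOTS status slots. */
struct changer {
    int nslots;
    int slot_status[NSLOTS];
};

static const struct changer demo_changer = { NSLOTS, { 1, 1, 0, 1 } };

/* uint64_t stands in for a 64-bit unsigned long ioctl argument. */
typedef int (*slot_check_fn)(const struct changer *, uint64_t);

/* Flawed pattern: the argument is narrowed to int before the comparison.
 * With gcc and clang the conversion keeps the low 32 bits, so large values
 * become negative or small and pass the upper-bound test. */
static int check_slot_flawed(const struct changer *c, uint64_t arg)
{
    if ((int)arg >= c->nslots)
        return -EINVAL;
    return 0;
}

/* Corrected pattern: compare at the argument's full unsigned width. */
static int check_slot_fixed(const struct changer *c, uint64_t arg)
{
    if (arg >= (uint64_t)c->nslots)
        return -EINVAL;
    return 0;
}

/* Constructed sample arguments covering in-range and wrapped values. */
static const uint64_t sample_args[] = {
    0, 3,                    /* valid slots                          */
    4, 0x7FFFFFFFULL,        /* too large, still positive as an int  */
    0xFFFFFFFFULL,           /* (int) gives -1                       */
    0x80000000ULL,           /* (int) gives INT_MIN                  */
    0x100000002ULL,          /* (int) gives 2, real value is huge    */
};
#define NSAMPLES (sizeof sample_args / sizeof sample_args[0])

/* Count arguments the check accepts although they are not a valid slot. */
static int count_unsafe_accepts(slot_check_fn check)
{
    int unsafe = 0;
    size_t i;

    for (i = 0; i < NSAMPLES; i++) {
        int accepted = check(&demo_changer, sample_args[i]) == 0;
        int in_range = sample_args[i] < (uint64_t)demo_changer.nslots;

        if (accepted && !in_range)
            unsafe++;
    }
    return unsafe;
}

int main(void)
{
    size_t i;

    for (i = 0; i < NSAMPLES; i++)
        printf("arg=0x%llx flawed=%d fixed=%d\n",
               (unsigned long long)sample_args[i],
               check_slot_flawed(&demo_changer, sample_args[i]),
               check_slot_fixed(&demo_changer, sample_args[i]));
    printf("unsafe accepts: flawed=%d fixed=%d\n",
           count_unsafe_accepts(check_slot_flawed),
           count_unsafe_accepts(check_slot_fixed));
    return 0;
}
```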

   The following non-security bugs were fixed:

   - atm: Preserve value of skb->truesize when accounting to vcc
     (bsc#1089066).
   - bcache: avoid unnecessary cache prefetch bch_btree_node_get()
     (bsc#1064232).
   - bcache: calculate the number of incremental GC nodes according to the
     total of btree nodes (bsc#1064232).
   - bcache: display rate debug parameters to 0 when writeback is not running
     (bsc#1064232).
   - bcache: do not check return value of debugfs_create_dir() (bsc#1064232).
   - bcache: finish incremental GC (bsc#1064232).
   - bcache: fix error setting writeback_rate through sysfs interface
     (bsc#1064232).
   - bcache: fix I/O significant decline while backend devices registering
     (bsc#1064232).
   - bcache: free heap cache_set->flush_btree in bch_journal_free
     (bsc#1064232).
   - bcache: make the pr_err statement used for ENOENT only in sysfs_attatch
     section (bsc#1064232).
   - bcache: release dc->writeback_lock properly in bch_writeback_thread()
     (bsc#1064232).
   - bcache: set max writeback rate when I/O request is idle (bsc#1064232).
   - bcache: simplify the calculation of the total amount of flash dirty data
     (bsc#1064232).
   - ext4: check for allocation block validity with block group locked
     (bsc#1104495).
   - ext4: do not update checksum of new initialized bitmaps (bnc#1012382).
   - ext4: fix check to prevent initializing reserved inodes (bsc#1104319).
   - ext4: fix false negatives *and* false positives in
     ext4_check_descriptors() (bsc#1103445).
   - ibmvnic: Include missing return code checks in reset function
     (bnc#1107966).
   - kABI: protect struct x86_emulate_ops (kabi).
   - kabi/severities: Ignore missing cpu_tss_tramp (bsc#1099597)
   - kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
     (bnc#1105536).
   - kvm: MMU: always terminate page walks at level 1 (bsc#1062604).
   - kvm: MMU: simplify last_pte_bitmap (bsc#1062604).
   - kvm: nVMX: update last_nonleaf_level when initializing nested EPT
     (bsc#1062604).
   - kvm: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
   - kvm: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state'
     (bsc#1106369).
   - net: add skb_condense() helper (bsc#1089066).
   - net: adjust skb->truesize in pskb_expand_head() (bsc#1089066).
   - net: adjust skb->truesize in ___pskb_trim() (bsc#1089066).
   - net: ena: Eliminate duplicate barriers on weakly-ordered archs
     (bsc#1108239).
   - net: ena: fix device destruction to gracefully free resources
     (bsc#1108239).
   - net: ena: fix driver when PAGE_SIZE == 64kB (bsc#1108239).
   - net: ena: fix incorrect usage of memory barriers (bsc#1108239).
   - net: ena: fix missing calls to READ_ONCE (bsc#1108239).
   - net: ena: fix missing lock during device destruction (bsc#1108239).
   - net: ena: fix potential double ena_destroy_device() (bsc#1108239).
   - net: ena: fix surprise unplug NULL dereference kernel crash
     (bsc#1108239).
   - net: ena: Fix use of uninitialized DMA address bits field (bsc#1108239).
   - netfilter: xt_CT: fix refcnt leak on error path (bnc#1012382
     bsc#1100152).
   - netlink: do not enter direct reclaim from netlink_trim() (bsc#1042286).
   - nfs: Use an appropriate work queue for direct-write completion
     (bsc#1082519).
   - ovl: fix random return value on mount (bsc#1099993).
   - ovl: fix uid/gid when creating over whiteout (bsc#1099993).
   - ovl: modify ovl_permission() to do checks on two inodes (bsc#1106512).
   - ovl: override creds with the ones from the superblock mounter
     (bsc#1099993).
   - powerpc: Avoid code patching freed init sections (bnc#1107735).
   - powerpc/livepatch: Fix livepatch stack access (bsc#1094466).
   - powerpc/modules: Do not try to restore r2 after a sibling call
     (bsc#1094466).
   - powerpc/tm: Avoid possible userspace r1 corruption on reclaim
     (bsc#1109333).
   - powerpc/tm: Fix userspace r13 corruption (bsc#1109333).
   - provide special timeout module parameters for EC2 (bsc#1065364).
   - stop_machine: Atomically queue and wake stopper threads (git-fixes).
   - stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock
     (bsc#1088810).
   - usbip: vhci_sysfs: fix potential Spectre v1 (bsc#1096547).
   - x86/entry/64: Remove %ebx handling from error_entry/exit (bnc#1102715).
   - x86/speculation/l1tf: Fix off-by-one error when warning that system has
     too much RAM (bnc#1105536).
   - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
     (bnc#1105536).
   - x86/speculation/l1tf: Suggest what to do on systems with too much RAM
     (bnc#1105536).
   - x86/speculation: Use ARCH_CAPABILITIES to skip L1D flush on vmentry
     (bsc#1106369).
   - x86: Drop kernel trampoline stack. It is involved in breaking
     kdump/kexec infrastructure. (bsc#1099597)
   - xen: avoid crash in disable_hotplug_cpu (bsc#1106594).
   - xen/blkback: do not keep persistent grants too long (bsc#1085042).
   - xen/blkback: move persistent grants flags to bool (bsc#1085042).
   - xen/blkfront: cleanup stale persistent grants (bsc#1085042).
   - xen/blkfront: reorder tests in xlblk_init() (bsc#1085042).
   - xfs: add a new xfs_iext_lookup_extent_before helper (bsc#1095344).
   - xfs: add asserts for the mmap lock in xfs_{insert,collapse}_file_space
     (bsc#1095344).
   - xfs: add a xfs_bmap_fork_to_state helper (bsc#1095344).
   - xfs: add a xfs_iext_update_extent helper (bsc#1095344).
   - xfs: add comments documenting the rebalance algorithm (bsc#1095344).
   - xfs: add some comments to xfs_iext_insert/xfs_iext_insert_node
     (bsc#1095344).
   - xfs: add xfs_trim_extent (bsc#1095344).
   - xfs: allow unaligned extent records in xfs_bmbt_disk_set_all
     (bsc#1095344).
   - xfs: borrow indirect blocks from freed extent when available
     (bsc#1095344).
   - xfs: cleanup xfs_bmap_last_before (bsc#1095344).
   - xfs: do not create overlapping extents in xfs_bmap_add_extent_delay_real
     (bsc#1095344).
   - xfs: do not rely on extent indices in xfs_bmap_collapse_extents
     (bsc#1095344).
   - xfs: do not rely on extent indices in xfs_bmap_insert_extents
     (bsc#1095344).
   - xfs: do not set XFS_BTCUR_BPRV_WASDEL in xfs_bunmapi (bsc#1095344).
   - xfs: during btree split, save new block key & ptr for future insertion
     (bsc#1095344).
   - xfs: factor out a helper to initialize a local format inode fork
     (bsc#1095344).
   - xfs: fix memory leak in xfs_iext_free_last_leaf (bsc#1095344).
   - xfs: fix number of records handling in xfs_iext_split_leaf (bsc#1095344).
   - xfs: handle indlen shortage on delalloc extent merge (bsc#1095344).
   - xfs: handle zero entries case in xfs_iext_rebalance_leaf (bsc#1095344).
   - xfs: improve kmem_realloc (bsc#1095344).
   - xfs: inline xfs_shift_file_space into callers (bsc#1095344).
   - xfs: introduce the xfs_iext_cursor abstraction (bsc#1095344).
   - xfs: iterate over extents in xfs_bmap_extents_to_btree (bsc#1095344).
   - xfs: iterate over extents in xfs_iextents_copy (bsc#1095344).
   - xfs: make better use of the 'state' variable in xfs_bmap_del_extent_real
     (bsc#1095344).
   - xfs: merge xfs_bmap_read_extents into xfs_iread_extents (bsc#1095344).
   - xfs: move pre/post-bmap tracing into xfs_iext_update_extent
     (bsc#1095344).
   - xfs: move some code around inside xfs_bmap_shift_extents (bsc#1095344).
   - xfs: move some more code into xfs_bmap_del_extent_real (bsc#1095344).
   - xfs: move xfs_bmbt_irec and xfs_exntst_t to xfs_types.h (bsc#1095344).
   - xfs: move xfs_iext_insert tracepoint to report useful information
     (bsc#1095344).
   - xfs: new inode extent list lookup helpers (bsc#1095344).
   - xfs: pass an on-disk extent to xfs_bmbt_validate_extent (bsc#1095344).
   - xfs: pass a struct xfs_bmbt_irec to xfs_bmbt_lookup_eq (bsc#1095344).
   - xfs: pass a struct xfs_bmbt_irec to xfs_bmbt_update (bsc#1095344).
   - xfs: pass struct xfs_bmbt_irec to xfs_bmbt_validate_extent (bsc#1095344).
   - xfs: provide helper for counting extents from if_bytes (bsc#1095344).
   - xfs: refactor delalloc accounting in xfs_bmap_add_extent_delay_real
     (bsc#1095344).
   - xfs: refactor delalloc indlen reservation split into helper
     (bsc#1095344).
   - xfs: refactor dir2 leaf readahead shadow buffer cleverness (bsc#1095344).
   - xfs: refactor xfs_bmap_add_extent_delay_real (bsc#1095344).
   - xfs: refactor xfs_bmap_add_extent_hole_delay (bsc#1095344).
   - xfs: refactor xfs_bmap_add_extent_hole_real (bsc#1095344).
   - xfs: refactor xfs_bmap_add_extent_unwritten_real (bsc#1095344).
   - xfs: refactor xfs_bunmapi_cow (bsc#1095344).
   - xfs: refactor xfs_del_extent_real (bsc#1095344).
   - xfs: remove a duplicate assignment in xfs_bmap_add_extent_delay_real
     (bsc#1095344).
   - xfs: remove all xfs_bmbt_set_* helpers except for xfs_bmbt_set_all
     (bsc#1095344).
   - xfs: remove a superflous assignment in xfs_iext_remove_node
     (bsc#1095344).
   - xfs: Remove dead code from inode recover function (bsc#1105396).
   - xfs: remove if_rdev (bsc#1095344).
   - xfs: remove prev argument to xfs_bmapi_reserve_delalloc (bsc#1095344).
   - xfs: remove support for inlining data/extents into the inode fork
     (bsc#1095344).
   - xfs: remove the never fully implemented UUID fork format (bsc#1095344).
   - xfs: remove the nr_extents argument to xfs_iext_insert (bsc#1095344).
   - xfs: remove the nr_extents argument to xfs_iext_remove (bsc#1095344).
   - xfs: remove XFS_BMAP_MAX_SHIFT_EXTENTS (bsc#1095344).
   - xfs: remove XFS_BMAP_TRACE_EXLIST (bsc#1095344).
   - xfs: remove xfs_bmbt_get_state (bsc#1095344).
   - xfs: remove xfs_bmse_shift_one (bsc#1095344).
   - xfs: rename bno to end in __xfs_bunmapi (bsc#1095344).
   - xfs: repair malformed inode items during log recovery (bsc#1105396).
   - xfs: replace xfs_bmbt_lookup_ge with xfs_bmbt_lookup_first (bsc#1095344).
   - xfs: replace xfs_qm_get_rtblks with a direct call to
     xfs_bmap_count_leaves (bsc#1095344).
   - xfs: rewrite getbmap using the xfs_iext_* helpers (bsc#1095344).
   - xfs: rewrite xfs_bmap_count_leaves using xfs_iext_get_extent
     (bsc#1095344).
   - xfs: rewrite xfs_bmap_first_unused to make better use of
     xfs_iext_get_extent (bsc#1095344).
   - xfs: simplify the xfs_getbmap interface (bsc#1095344).
   - xfs: simplify validation of the unwritten extent bit (bsc#1095344).
   - xfs: split indlen reservations fairly when under reserved (bsc#1095344).
   - xfs: split xfs_bmap_shift_extents (bsc#1095344).
   - xfs: switch xfs_bmap_local_to_extents to use xfs_iext_insert
     (bsc#1095344).
   - xfs: treat idx as a cursor in xfs_bmap_add_extent_delay_real
     (bsc#1095344).
   - xfs: treat idx as a cursor in xfs_bmap_add_extent_hole_delay
     (bsc#1095344).
   - xfs: treat idx as a cursor in xfs_bmap_add_extent_hole_real
     (bsc#1095344).
   - xfs: treat idx as a cursor in xfs_bmap_add_extent_unwritten_real
     (bsc#1095344).
   - xfs: treat idx as a cursor in xfs_bmap_collapse_extents (bsc#1095344).
   - xfs: treat idx as a cursor in xfs_bmap_del_extent_* (bsc#1095344).
   - xfs: update freeblocks counter after extent deletion (bsc#1095344).
   - xfs: update got in xfs_bmap_shift_update_extent (bsc#1095344).
   - xfs: use a b+tree for the in-core extent list (bsc#1095344).
   - xfs: use correct state defines in xfs_bmap_del_extent_{cow,delay}
     (bsc#1095344).
   - xfs: use new extent lookup helpers in xfs_bmapi_read (bsc#1095344).
   - xfs: use new extent lookup helpers in xfs_bmapi_write (bsc#1095344).
   - xfs: use new extent lookup helpers in __xfs_bunmapi (bsc#1095344).
   - xfs: use the state defines in xfs_bmap_del_extent_real (bsc#1095344).
   - xfs: use xfs_bmap_del_extent_delay for the data fork as well
     (bsc#1095344).
   - xfs: use xfs_iext_*_extent helpers in xfs_bmap_shift_extents
     (bsc#1095344).
   - xfs: use xfs_iext_*_extent helpers in xfs_bmap_split_extent_at
     (bsc#1095344).
   - xfs: use xfs_iext_get_extent instead of open coding it (bsc#1095344).
   - xfs: use xfs_iext_get_extent in xfs_bmap_first_unused (bsc#1095344).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud 7:

      zypper in -t patch SUSE-OpenStack-Cloud-7-2018-2188=1

   - SUSE Linux Enterprise Server for SAP 12-SP2:

      zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-2188=1

   - SUSE Linux Enterprise Server 12-SP2-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-2188=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2018-2188=1

   - SUSE Linux Enterprise High Availability 12-SP2:

      zypper in -t patch SUSE-SLE-HA-12-SP2-2018-2188=1

   - SUSE Enterprise Storage 4:

      zypper in -t patch SUSE-Storage-4-2018-2188=1

   - OpenStack Cloud Magnum Orchestration 7:

      zypper in -t patch SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2018-2188=1



Package List:

   - SUSE OpenStack Cloud 7 (s390x x86_64):

      kernel-default-4.4.121-92.95.1
      kernel-default-base-4.4.121-92.95.1
      kernel-default-base-debuginfo-4.4.121-92.95.1
      kernel-default-debuginfo-4.4.121-92.95.1
      kernel-default-debugsource-4.4.121-92.95.1
      kernel-default-devel-4.4.121-92.95.1
      kernel-syms-4.4.121-92.95.1

   - SUSE OpenStack Cloud 7 (x86_64):

      kgraft-patch-4_4_121-92_95-default-1-3.4.1
      lttng-modules-2.7.1-9.6.1
      lttng-modules-debugsource-2.7.1-9.6.1
      lttng-modules-kmp-default-2.7.1_k4.4.121_92.95-9.6.1
      lttng-modules-kmp-default-debuginfo-2.7.1_k4.4.121_92.95-9.6.1

   - SUSE OpenStack Cloud 7 (noarch):

      kernel-devel-4.4.121-92.95.1
      kernel-macros-4.4.121-92.95.1
      kernel-source-4.4.121-92.95.1

   - SUSE OpenStack Cloud 7 (s390x):

      kernel-default-man-4.4.121-92.95.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (ppc64le x86_64):

      kernel-default-4.4.121-92.95.1
      kernel-default-base-4.4.121-92.95.1
      kernel-default-base-debuginfo-4.4.121-92.95.1
      kernel-default-debuginfo-4.4.121-92.95.1
      kernel-default-debugsource-4.4.121-92.95.1
      kernel-default-devel-4.4.121-92.95.1
      kernel-syms-4.4.121-92.95.1
      kgraft-patch-4_4_121-92_95-default-1-3.4.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (noarch):

      kernel-devel-4.4.121-92.95.1
      kernel-macros-4.4.121-92.95.1
      kernel-source-4.4.121-92.95.1

   - SUSE Linux Enterprise Server for SAP 12-SP2 (x86_64):

      lttng-modules-2.7.1-9.6.1
      lttng-modules-debugsource-2.7.1-9.6.1
      lttng-modules-kmp-default-2.7.1_k4.4.121_92.95-9.6.1
      lttng-modules-kmp-default-debuginfo-2.7.1_k4.4.121_92.95-9.6.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le s390x x86_64):

      kernel-default-4.4.121-92.95.1
      kernel-default-base-4.4.121-92.95.1
      kernel-default-base-debuginfo-4.4.121-92.95.1
      kernel-default-debuginfo-4.4.121-92.95.1
      kernel-default-debugsource-4.4.121-92.95.1
      kernel-default-devel-4.4.121-92.95.1
      kernel-syms-4.4.121-92.95.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (ppc64le x86_64):

      kgraft-patch-4_4_121-92_95-default-1-3.4.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (x86_64):

      lttng-modules-2.7.1-9.6.1
      lttng-modules-debugsource-2.7.1-9.6.1
      lttng-modules-kmp-default-2.7.1_k4.4.121_92.95-9.6.1
      lttng-modules-kmp-default-debuginfo-2.7.1_k4.4.121_92.95-9.6.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (noarch):

      kernel-devel-4.4.121-92.95.1
      kernel-macros-4.4.121-92.95.1
      kernel-source-4.4.121-92.95.1

   - SUSE Linux Enterprise Server 12-SP2-LTSS (s390x):

      kernel-default-man-4.4.121-92.95.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      kernel-default-4.4.121-92.95.1
      kernel-default-base-4.4.121-92.95.1
      kernel-default-base-debuginfo-4.4.121-92.95.1
      kernel-default-debuginfo-4.4.121-92.95.1
      kernel-default-debugsource-4.4.121-92.95.1
      kernel-default-devel-4.4.121-92.95.1
      kernel-syms-4.4.121-92.95.1
      lttng-modules-2.7.1-9.6.1
      lttng-modules-debugsource-2.7.1-9.6.1
      lttng-modules-kmp-default-2.7.1_k4.4.121_92.95-9.6.1
      lttng-modules-kmp-default-debuginfo-2.7.1_k4.4.121_92.95-9.6.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (noarch):

      kernel-devel-4.4.121-92.95.1
      kernel-macros-4.4.121-92.95.1
      kernel-source-4.4.121-92.95.1

   - SUSE Linux Enterprise High Availability 12-SP2 (ppc64le s390x x86_64):

      cluster-md-kmp-default-4.4.121-92.95.1
      cluster-md-kmp-default-debuginfo-4.4.121-92.95.1
      cluster-network-kmp-default-4.4.121-92.95.1
      cluster-network-kmp-default-debuginfo-4.4.121-92.95.1
      dlm-kmp-default-4.4.121-92.95.1
      dlm-kmp-default-debuginfo-4.4.121-92.95.1
      gfs2-kmp-default-4.4.121-92.95.1
      gfs2-kmp-default-debuginfo-4.4.121-92.95.1
      kernel-default-debuginfo-4.4.121-92.95.1
      kernel-default-debugsource-4.4.121-92.95.1
      ocfs2-kmp-default-4.4.121-92.95.1
      ocfs2-kmp-default-debuginfo-4.4.121-92.95.1

   - SUSE Enterprise Storage 4 (noarch):

      kernel-devel-4.4.121-92.95.1
      kernel-macros-4.4.121-92.95.1
      kernel-source-4.4.121-92.95.1

   - SUSE Enterprise Storage 4 (x86_64):

      kernel-default-4.4.121-92.95.1
      kernel-default-base-4.4.121-92.95.1
      kernel-default-base-debuginfo-4.4.121-92.95.1
      kernel-default-debuginfo-4.4.121-92.95.1
      kernel-default-debugsource-4.4.121-92.95.1
      kernel-default-devel-4.4.121-92.95.1
      kernel-syms-4.4.121-92.95.1
      kgraft-patch-4_4_121-92_95-default-1-3.4.1
      lttng-modules-2.7.1-9.6.1
      lttng-modules-debugsource-2.7.1-9.6.1
      lttng-modules-kmp-default-2.7.1_k4.4.121_92.95-9.6.1
      lttng-modules-kmp-default-debuginfo-2.7.1_k4.4.121_92.95-9.6.1

   - OpenStack Cloud Magnum Orchestration 7 (x86_64):

      kernel-default-4.4.121-92.95.1
      kernel-default-debuginfo-4.4.121-92.95.1
      kernel-default-debugsource-4.4.121-92.95.1
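
The check below is an added example, not part of the SUSE or AusCERT text: it ties the reboot note to the package list by reporting whether the fixed kernel-default (4.4.121-92.95.1, from the Package List above) is installed and is the kernel actually running. The function names are hypothetical, the mapping from package release to `uname -r` string is an assumption inferred from the kgraft-patch-4_4_121-92_95-default package name, and GNU `sort -V` only approximates RPM version ordering.

```shell
#!/bin/sh
# Added example (not from the bulletin): is the fixed kernel installed AND booted?
# Fixed version-release of kernel-default, taken from the Package List above.
FIXED_KERNEL="4.4.121-92.95.1"

# ver_ge A B: succeed if version string A >= version string B.
# GNU "sort -V" approximates RPM ordering; that is adequate for the purely
# numeric dotted version-release strings used in this bulletin.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# newest_installed: read rpm output on stdin, one "version-release" per line
# (SUSE keeps several kernels installed side by side), and print the highest.
# Lines that do not start with a digit ("package ... is not installed") are dropped.
newest_installed() {
    grep '^[0-9]' | sort -V | tail -n 1
}

# uname_release VERSION-RELEASE FLAVOR: derive the `uname -r` string.
# Assumption: the last release component (rebuild counter) is dropped and the
# flavor appended, e.g. 4.4.121-92.95.1 -> 4.4.121-92.95-default.
uname_release() {
    printf '%s-%s\n' "${1%.*}" "$2"
}

# kernel_patch_state INSTALLED RUNNING
#   INSTALLED: output of rpm -q for kernel-default (may be several lines)
#   RUNNING:   output of uname -r
# Prints one of: missing | outdated | reboot-required | patched
kernel_patch_state() {
    newest=$(printf '%s\n' "$1" | newest_installed)
    [ -n "$newest" ] || { echo missing; return; }

    if ! ver_ge "$newest" "$FIXED_KERNEL"; then
        echo outdated
        return
    fi

    # The package is on disk; the fix only takes effect once that kernel is booted.
    flavor=${2##*-}
    expected=$(uname_release "$FIXED_KERNEL" "$flavor")
    if ver_ge "$2" "$expected"; then
        echo patched
    else
        echo reboot-required
    fi
}

# Constructed sample input: old and fixed kernel both installed, old one booted.
sample_installed='4.4.121-92.92.1
4.4.121-92.95.1'
kernel_patch_state "$sample_installed" "4.4.121-92.92-default"

# On a real host:
#   kernel_patch_state "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default)" "$(uname -r)"
```

A result of `reboot-required` means the update was installed but the system is still running a kernel from before this update.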


References:

   https://www.suse.com/security/cve/CVE-2018-10853.html
   https://www.suse.com/security/cve/CVE-2018-10876.html
   https://www.suse.com/security/cve/CVE-2018-10877.html
   https://www.suse.com/security/cve/CVE-2018-10878.html
   https://www.suse.com/security/cve/CVE-2018-10879.html
   https://www.suse.com/security/cve/CVE-2018-10880.html
   https://www.suse.com/security/cve/CVE-2018-10881.html
   https://www.suse.com/security/cve/CVE-2018-10882.html
   https://www.suse.com/security/cve/CVE-2018-10883.html
   https://www.suse.com/security/cve/CVE-2018-10902.html
   https://www.suse.com/security/cve/CVE-2018-10938.html
   https://www.suse.com/security/cve/CVE-2018-10940.html
   https://www.suse.com/security/cve/CVE-2018-12896.html
   https://www.suse.com/security/cve/CVE-2018-13093.html
   https://www.suse.com/security/cve/CVE-2018-13094.html
   https://www.suse.com/security/cve/CVE-2018-13095.html
   https://www.suse.com/security/cve/CVE-2018-14617.html
   https://www.suse.com/security/cve/CVE-2018-14678.html
   https://www.suse.com/security/cve/CVE-2018-15572.html
   https://www.suse.com/security/cve/CVE-2018-15594.html
   https://www.suse.com/security/cve/CVE-2018-16276.html
   https://www.suse.com/security/cve/CVE-2018-16658.html
   https://www.suse.com/security/cve/CVE-2018-17182.html
   https://www.suse.com/security/cve/CVE-2018-6554.html
   https://www.suse.com/security/cve/CVE-2018-6555.html
   https://www.suse.com/security/cve/CVE-2018-7480.html
   https://www.suse.com/security/cve/CVE-2018-7757.html
   https://www.suse.com/security/cve/CVE-2018-9363.html
   https://bugzilla.suse.com/1012382
   https://bugzilla.suse.com/1042286
   https://bugzilla.suse.com/1062604
   https://bugzilla.suse.com/1064232
   https://bugzilla.suse.com/1065364
   https://bugzilla.suse.com/1082519
   https://bugzilla.suse.com/1082863
   https://bugzilla.suse.com/1084536
   https://bugzilla.suse.com/1085042
   https://bugzilla.suse.com/1088810
   https://bugzilla.suse.com/1089066
   https://bugzilla.suse.com/1092903
   https://bugzilla.suse.com/1094466
   https://bugzilla.suse.com/1095344
   https://bugzilla.suse.com/1096547
   https://bugzilla.suse.com/1097104
   https://bugzilla.suse.com/1099597
   https://bugzilla.suse.com/1099811
   https://bugzilla.suse.com/1099813
   https://bugzilla.suse.com/1099844
   https://bugzilla.suse.com/1099845
   https://bugzilla.suse.com/1099846
   https://bugzilla.suse.com/1099849
   https://bugzilla.suse.com/1099863
   https://bugzilla.suse.com/1099864
   https://bugzilla.suse.com/1099922
   https://bugzilla.suse.com/1099993
   https://bugzilla.suse.com/1099999
   https://bugzilla.suse.com/1100000
   https://bugzilla.suse.com/1100001
   https://bugzilla.suse.com/1100152
   https://bugzilla.suse.com/1102517
   https://bugzilla.suse.com/1102715
   https://bugzilla.suse.com/1102870
   https://bugzilla.suse.com/1103445
   https://bugzilla.suse.com/1104319
   https://bugzilla.suse.com/1104495
   https://bugzilla.suse.com/1105292
   https://bugzilla.suse.com/1105296
   https://bugzilla.suse.com/1105322
   https://bugzilla.suse.com/1105348
   https://bugzilla.suse.com/1105396
   https://bugzilla.suse.com/1105536
   https://bugzilla.suse.com/1106016
   https://bugzilla.suse.com/1106095
   https://bugzilla.suse.com/1106369
   https://bugzilla.suse.com/1106509
   https://bugzilla.suse.com/1106511
   https://bugzilla.suse.com/1106512
   https://bugzilla.suse.com/1106594
   https://bugzilla.suse.com/1107689
   https://bugzilla.suse.com/1107735
   https://bugzilla.suse.com/1107966
   https://bugzilla.suse.com/1108239
   https://bugzilla.suse.com/1108399
   https://bugzilla.suse.com/1109333

_______________________________________________

==============================================================================

   SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:3088-1
Rating:             important
References:         #1045538 #1048185 #1050381 #1050431 #1057199 
                    #1060245 #1064861 #1068032 #1080157 #1087081 
                    #1092772 #1092903 #1093666 #1096547 #1098822 
                    #1099922 #1100132 #1100705 #1102517 #1102870 
                    #1103119 #1104481 #1104684 #1104818 #1104901 
                    #1105100 #1105322 #1105348 #1105536 #1105723 
                    #1106095 #1106105 #1106199 #1106202 #1106206 
                    #1106209 #1106212 #1106369 #1106509 #1106511 
                    #1106609 #1106886 #1106930 #1106995 #1107001 
                    #1107064 #1107071 #1107650 #1107689 #1107735 
                    #1107949 #1108096 #1108170 #1108823 #1108912 
                    
Cross-References:   CVE-2018-10902 CVE-2018-10940 CVE-2018-12896
                    CVE-2018-14617 CVE-2018-14634 CVE-2018-14734
                    CVE-2018-15572 CVE-2018-15594 CVE-2018-16276
                    CVE-2018-16658 CVE-2018-6554 CVE-2018-6555
                   
Affected Products:
                    SUSE Linux Enterprise Real Time Extension 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves 12 vulnerabilities and has 43 fixes
   is now available.

Description:


   The SUSE Linux Enterprise 11 SP4 RT kernel was updated to receive various
   security and bugfixes.

   The following security bugs were fixed:

   - CVE-2018-14634: Prevent integer overflow in create_elf_tables that
     allowed a local attacker to exploit this vulnerability via a SUID-root
     binary and obtain full root privileges (bsc#1108912)
   - CVE-2018-14617: Prevent NULL pointer dereference and panic in
     hfsplus_lookup() when opening a file (that is purportedly a hard link)
     in an hfs+ filesystem that has malformed catalog data, and is mounted
     read-only without a metadata directory (bsc#1102870)
   - CVE-2018-16276: Incorrect bounds checking in the yurex USB driver in
     yurex_read allowed local attackers to use user access read/writes to
     crash the kernel or potentially escalate privileges (bsc#1106095)
   - CVE-2018-12896: Prevent integer overflow in the POSIX timer code that
     was caused by the way the overrun accounting works. Depending on
     interval and expiry time values, the overrun can be larger than INT_MAX,
     but the accounting is int based. This basically made the accounting
     values, which are visible to user space via timer_getoverrun(2) and
     siginfo::si_overrun, random. This allowed a local user to cause a denial
     of service (signed integer overflow) via crafted mmap, futex,
     timer_create, and timer_settime system calls (bnc#1099922)
   - CVE-2018-10940: The cdrom_ioctl_media_changed function allowed local
     attackers to use an incorrect bounds check in the CDROM driver
     CDROM_MEDIA_CHANGED ioctl to read out kernel memory (bsc#1092903)
   - CVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status
     that could have been used by local attackers to read kernel memory
     (bnc#1107689)
   - CVE-2018-6555: The irda_setsockopt function allowed local users to cause
     a denial of service (ias_object use-after-free and system crash) or
     possibly have unspecified other impact via an AF_IRDA socket
     (bnc#1106511)
   - CVE-2018-6554: Prevent memory leak in the irda_bind function that
     allowed local users to cause a denial of service (memory consumption) by
     repeatedly binding an AF_IRDA socket (bnc#1106509)
   - CVE-2018-15594: Ensure correct handling of indirect calls, to prevent
     attackers from conducting Spectre-v2 attacks against paravirtual guests
     (bsc#1105348)
   - CVE-2018-15572: The spectre_v2_select_mitigation function did not always
     fill RSB upon a context switch, which made it easier for attackers to
     conduct userspace-userspace spectreRSB attacks (bnc#1102517)
   - CVE-2018-10902: Protect against concurrent access to prevent double
     realloc (double free) in snd_rawmidi_input_params() and
     snd_rawmidi_output_status(). A malicious local attacker could have used
     this for privilege escalation (bnc#1105322).
   - CVE-2018-14734: ucma_leave_multicast accessed a certain data structure
     after a cleanup step in ucma_process_join, which allowed attackers to
     cause a denial of service (use-after-free) (bsc#1103119)

   The following non-security bugs were fixed:

   - ACPI: APEI / ERST: Fix missing error handling in erst_reader()
     (bsc#1045538).
   - ALSA: fm801: propagate TUNER_ONLY bit when autodetected (bsc#1045538).
   - ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
     (bsc#1045538).
   - ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
     (bsc#1045538).
   - ALSA: pcm: fix fifo_size frame calculation (bsc#1045538).
   - ALSA: snd-aoa: add of_node_put() in error path (bsc#1045538).
   - ALSA: usb-audio: Add sanity checks in v2 clock parsers (bsc#1045538).
   - ALSA: usb-audio: Add sanity checks to FE parser (bsc#1045538).
   - ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute
     (bsc#1045538).
   - ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
     (bsc#1045538).
   - ALSA: usb-audio: Fix parameter block size for UAC2 control requests
     (bsc#1045538).
   - ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit
     (bsc#1045538).
   - ALSA: usb-audio: Fix potential out-of-bound access at parsing SU
     (bsc#1045538).
   - ALSA: usb-audio: Set correct type for some UAC2 mixer controls
     (bsc#1045538).
   - ASoC: blackfin: Fix missing break (bsc#1045538).
   - Enforce module signatures if the kernel is locked down (bsc#1093666).
   - KVM: VMX: Work around kABI breakage in 'enum vmx_l1d_flush_state'
     (bsc#1106369).
   - KVM: VMX: fixes for vmentry_l1d_flush module parameter (bsc#1106369).
   - PCI: Fix TI816X class code quirk (bsc#1050431).
   - Refresh patches.xen/xen3-x86-l1tf-04-protect-PROT_NONE-ptes.patch
     (bsc#1105100).
   - TPM: Zero buffer whole after copying to userspace (bsc#1050381).
   - USB: serial: io_ti: fix NULL-deref in interrupt callback (bsc#1106609).
   - USB: serial: sierra: fix potential deadlock at close (bsc#1100132).
   - applicom: dereferencing NULL on error path (git-fixes).
   - ath5k: Change led pin configuration for compaq c700 laptop (bsc#1048185).
   - base: make module_create_drivers_dir race-free (git-fixes).
   - block: fix an error code in add_partition() (bsc#1106209).
   - btrfs: scrub: Do not use inode page cache in
     scrub_handle_errored_block() (bsc#1108096).
   - btrfs: scrub: Do not use inode pages for device replace (bsc#1107949).
   - dasd: Add IFCC notice message (bnc#1104481, LTC#170484).
   - drm/i915: Remove bogus __init annotation from DMI callbacks
     (bsc#1106886).
   - drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()
     (bsc#1106886).
   - drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
     (bsc#1106886).
   - drm: crtc: integer overflow in drm_property_create_blob() (bsc#1106886).
   - fbdev: omapfb: off by one in omapfb_register_client() (bsc#1106886).
   - iommu/amd: Finish TLB flush in amd_iommu_unmap() (bsc#1106105).
   - iommu/amd: Fix the left value check of cmd buffer (bsc#1106105).
   - iommu/amd: Free domain id when free a domain of struct dma_ops_domain
     (bsc#1106105).
   - iommu/amd: Update Alias-DTE in update_device_table() (bsc#1106105).
   - iommu/vt-d: Do not over-free page table directories (bsc#1106105).
   - iommu/vt-d: Ratelimit each dmar fault printing (bsc#1106105).
   - ipv6: Regenerate host route according to node pointer upon loopback up
     (bsc#1100705).
   - ipv6: correctly add local routes when lo goes up (bsc#1100705).
   - ipv6: introduce ip6_rt_put() (bsc#1100705).
   - ipv6: reallocate addrconf router for ipv6 address when lo device up
     (bsc#1100705).
   - kabi: x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
     (bnc#1105536).
   - mm/hugetlb: add migration/hwpoisoned entry check in
     hugetlb_change_protection (bnc#1107071).
   - mm/mempolicy.c: avoid use uninitialized preferred_node (bnc#1107064).
   - modsign: log module name in the event of an error (bsc#1093666).
   - modsign: print module name along with error message (bsc#1093666).
   - module: make it clear when we're handling the module copy in info->hdr
     (bsc#1093666).
   - module: setup load info before module_sig_check() (bsc#1093666).
   - nbd: ratelimit error msgs after socket close (bsc#1106206).
   - ncpfs: return proper error from NCP_IOC_SETROOT ioctl (bsc#1106199).
   - perf/x86/intel: Add cpu_(prepare|starting|dying) for core_pmu
     (bsc#1104901).
   - powerpc/64s: Default l1d_size to 64K in RFI fallback flush (bsc#1068032,
     git-fixes).
   - powerpc/fadump: Do not use hugepages when fadump is active (bsc#1092772,
     bsc#1107650).
   - powerpc/fadump: exclude memory holes while reserving memory in second
     kernel (bsc#1092772, bsc#1107650).
   - powerpc/fadump: re-register firmware-assisted dump if already registered
     (bsc#1108170, bsc#1108823).
   - powerpc/lib: Fix off-by-one in alternate feature patching (bsc#1064861).
   - powerpc/lib: Fix the feature fixup tests to actually work (bsc#1064861).
   - powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2
     (bsc#1068032, bsc#1080157, git-fixes).
   - powerpc: Avoid code patching freed init sections (bnc#1107735).
   - powerpc: make feature-fixup tests fortify-safe (bsc#1064861).
   - ptrace: fix PTRACE_LISTEN race corrupting task->state (bnc#1107001).
   - qlge: Fix netdev features configuration (bsc#1098822).
   - resource: fix integer overflow at reallocation (bsc#1045538).
   - rpm/kernel-docs.spec.in: Expand kernel tree directly from sources
     (bsc#1057199)
   - s390/ftrace: use expoline for indirect branches (bnc#1106930,
     LTC#171029).
   - s390/kernel: use expoline for indirect branches (bnc#1106930,
     LTC#171029).
   - s390/qeth: do not clobber buffer on async TX completion (bnc#1060245,
     LTC#170349).
   - s390: Correct register corruption in critical section cleanup
     (bnc#1106930, LTC#171029).
   - s390: add assembler macros for CPU alternatives (bnc#1106930,
     LTC#171029).
   - s390: detect etoken facility (bnc#1106930, LTC#171029).
   - s390: move expoline assembler macros to a header (bnc#1106930,
     LTC#171029).
   - s390: move spectre sysfs attribute code (bnc#1106930, LTC#171029).
   - s390: remove indirect branch from do_softirq_own_stack (bnc#1106930,
     LTC#171029).
   - sys: do not hold uts_sem while accessing userspace memory (bnc#1106995).
   - tpm: fix race condition in tpm_common_write() (bsc#1050381).
   - tracing/blktrace: Fix to allow setting same value (bsc#1106212).
   - tty: vt, fix bogus division in csi_J (git-fixes).
   - tty: vt, return error when con_startup fails (git-fixes).
   - uml: fix hostfs mknod() (bsc#1106202).
   - usb: audio-v2: Correct the comment for struct
     uac_clock_selector_descriptor (bsc#1045538).
   - usbip: vhci_sysfs: fix potential Spectre v1 (bsc#1096547).
   - x86, l1tf: Protect PROT_NONE PTEs against speculation fixup
     (bnc#1104684, bnc#1104818).
   - x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
     (bnc#1087081).
   - x86/init: fix build with CONFIG_SWAP=n (bsc#1105723).
   - x86/mm: Prevent kernel Oops in PTDUMP code with HIGHPTE=y (bsc#1106105).
   - x86/speculation/l1tf: Fix off-by-one error when warning that system has
     too much RAM (bnc#1105536).
   - x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
     (bnc#1105536).
   - x86/speculation/l1tf: Suggest what to do on systems with too much RAM
     (bnc#1105536).
   - x86/vdso: Fix vDSO build if a retpoline is emitted (git-fixes).
   - xen x86/speculation/l1tf: Fix off-by-one error when warning that system
     has too much RAM (bnc#1105536).
   - xen x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
     (bnc#1105536).
   - xen, x86, l1tf: Protect PROT_NONE PTEs against speculation fixup
     (bnc#1104684, bnc#1104818).
   - xen: x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
     (bnc#1087081).


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Real Time Extension 11-SP4:

      zypper in -t patch slertesp4-linux-kernel-13810=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-linux-kernel-13810=1



Package List:

   - SUSE Linux Enterprise Real Time Extension 11-SP4 (x86_64):

      kernel-rt-3.0.101.rt130-69.36.1
      kernel-rt-base-3.0.101.rt130-69.36.1
      kernel-rt-devel-3.0.101.rt130-69.36.1
      kernel-rt_trace-3.0.101.rt130-69.36.1
      kernel-rt_trace-base-3.0.101.rt130-69.36.1
      kernel-rt_trace-devel-3.0.101.rt130-69.36.1
      kernel-source-rt-3.0.101.rt130-69.36.1
      kernel-syms-rt-3.0.101.rt130-69.36.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

      kernel-rt-debuginfo-3.0.101.rt130-69.36.1
      kernel-rt-debugsource-3.0.101.rt130-69.36.1
      kernel-rt_debug-debuginfo-3.0.101.rt130-69.36.1
      kernel-rt_debug-debugsource-3.0.101.rt130-69.36.1
      kernel-rt_trace-debuginfo-3.0.101.rt130-69.36.1
      kernel-rt_trace-debugsource-3.0.101.rt130-69.36.1


References:

   https://www.suse.com/security/cve/CVE-2018-10902.html
   https://www.suse.com/security/cve/CVE-2018-10940.html
   https://www.suse.com/security/cve/CVE-2018-12896.html
   https://www.suse.com/security/cve/CVE-2018-14617.html
   https://www.suse.com/security/cve/CVE-2018-14634.html
   https://www.suse.com/security/cve/CVE-2018-14734.html
   https://www.suse.com/security/cve/CVE-2018-15572.html
   https://www.suse.com/security/cve/CVE-2018-15594.html
   https://www.suse.com/security/cve/CVE-2018-16276.html
   https://www.suse.com/security/cve/CVE-2018-16658.html
   https://www.suse.com/security/cve/CVE-2018-6554.html
   https://www.suse.com/security/cve/CVE-2018-6555.html
   https://bugzilla.suse.com/1045538
   https://bugzilla.suse.com/1048185
   https://bugzilla.suse.com/1050381
   https://bugzilla.suse.com/1050431
   https://bugzilla.suse.com/1057199
   https://bugzilla.suse.com/1060245
   https://bugzilla.suse.com/1064861
   https://bugzilla.suse.com/1068032
   https://bugzilla.suse.com/1080157
   https://bugzilla.suse.com/1087081
   https://bugzilla.suse.com/1092772
   https://bugzilla.suse.com/1092903
   https://bugzilla.suse.com/1093666
   https://bugzilla.suse.com/1096547
   https://bugzilla.suse.com/1098822
   https://bugzilla.suse.com/1099922
   https://bugzilla.suse.com/1100132
   https://bugzilla.suse.com/1100705
   https://bugzilla.suse.com/1102517
   https://bugzilla.suse.com/1102870
   https://bugzilla.suse.com/1103119
   https://bugzilla.suse.com/1104481
   https://bugzilla.suse.com/1104684
   https://bugzilla.suse.com/1104818
   https://bugzilla.suse.com/1104901
   https://bugzilla.suse.com/1105100
   https://bugzilla.suse.com/1105322
   https://bugzilla.suse.com/1105348
   https://bugzilla.suse.com/1105536
   https://bugzilla.suse.com/1105723
   https://bugzilla.suse.com/1106095
   https://bugzilla.suse.com/1106105
   https://bugzilla.suse.com/1106199
   https://bugzilla.suse.com/1106202
   https://bugzilla.suse.com/1106206
   https://bugzilla.suse.com/1106209
   https://bugzilla.suse.com/1106212
   https://bugzilla.suse.com/1106369
   https://bugzilla.suse.com/1106509
   https://bugzilla.suse.com/1106511
   https://bugzilla.suse.com/1106609
   https://bugzilla.suse.com/1106886
   https://bugzilla.suse.com/1106930
   https://bugzilla.suse.com/1106995
   https://bugzilla.suse.com/1107001
   https://bugzilla.suse.com/1107064
   https://bugzilla.suse.com/1107071
   https://bugzilla.suse.com/1107650
   https://bugzilla.suse.com/1107689
   https://bugzilla.suse.com/1107735
   https://bugzilla.suse.com/1107949
   https://bugzilla.suse.com/1108096
   https://bugzilla.suse.com/1108170
   https://bugzilla.suse.com/1108823
   https://bugzilla.suse.com/1108912

_______________________________________________

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
