Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0215
Security update for the Linux Kernel
18 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Linux Kernel
Publisher: SUSE
Operating System: SUSE
Impact/Access: Increased Privileges -- Existing Account
Denial of Service -- Existing Account
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-45486 CVE-2021-45485 CVE-2021-43976
CVE-2021-43975 CVE-2021-33098 CVE-2021-28715
CVE-2021-28714 CVE-2021-28713 CVE-2021-28712
CVE-2021-28711 CVE-2021-4002 CVE-2021-0935
CVE-2021-0920 CVE-2020-27820 CVE-2019-15126
CVE-2019-9503 CVE-2019-9502 CVE-2019-9501
CVE-2019-9500
Reference: ESB-2022.0205
ESB-2022.0187
Original Bulletin:
https://www.suse.com/support/update/announcement/2022/suse-su-20220090-1
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:0090-1
Rating: important
References: #1114648 #1124431 #1167162 #1179599 #1183678 #1183897
#1184804 #1185727 #1185762 #1187167 #1189126 #1189305
#1189841 #1190358 #1191229 #1191384 #1192032 #1192145
#1192267 #1192740 #1192845 #1192847 #1192877 #1192946
#1192974 #1193231 #1193306 #1193318 #1193440 #1193442
#1193731 #1194087 #1194094
Cross-References: CVE-2019-15126 CVE-2020-27820 CVE-2021-0920 CVE-2021-0935
CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2021-28714
CVE-2021-28715 CVE-2021-33098 CVE-2021-4002 CVE-2021-43975
CVE-2021-43976 CVE-2021-45485 CVE-2021-45486
Affected Products:
SUSE Linux Enterprise Real Time Extension 12-SP5
______________________________________________________________________________
An update that solves 15 vulnerabilities, contains one feature and has 18 fixes
is now available.
Description:
The SUSE Linux Enterprise 12 SP5 RT kernel was updated to receive various
security and bugfixes.
The following security bugs were fixed:
o CVE-2019-15126: Fixed a vulnerability in Broadcom and Cypress Wi-Fi chips,
used in RPi family of devices aka "Kr00k". (bsc#1167162)
o CVE-2020-27820: Fixed a vulnerability where a use-after-frees in nouveau's
postclose() handler could happen if removing device. (bsc#1179599)
o CVE-2021-0920: Fixed a local privilege escalation due to an use after free
bug in unix_gc. (bsc#1193731)
o CVE-2021-0935: Fixed out of bounds write due to a use after free which
could lead to local escalation of privilege with System execution
privileges needed in ip6_xmit. (bsc#1192032)
o CVE-2021-4002: Added a missing TLB flush that could lead to leak or
corruption of data in hugetlbfs. (bsc#1192946)
o CVE-2021-28711: Fixed a rogue backends that could cause DoS of guests via
high frequency events by hardening blkfront against event channel storms.
(bsc#1193440)
o CVE-2021-28712: Fixed a rogue backends that could cause DoS of guests via
high frequency events by hardening netfront against event channel storms.
(bsc#1193440)
o CVE-2021-28713: Fixed a rogue backends that could cause DoS of guests via
high frequency events by hardening hvc_xen against event channel storms.
(bsc#1193440)
o CVE-2021-28714: Fixed an issue where a guest could force Linux netback
driver to hog large amounts of kernel memory by fixing rx queue stall
detection. (bsc#1193442)
o CVE-2021-28715: Fixed an issue where a guest could force Linux netback
driver to hog large amounts of kernel memory by do not queueing unlimited
number of packages. (bsc#1193442)
o CVE-2021-33098: Fixed a potential denial of service in Intel(R) Ethernet
ixgbe driver due to improper input validation. (bsc#1192877)
o CVE-2021-43975: Fixed a flaw in hw_atl_utils_fw_rpc_wait that could allow
an attacker (who can introduce a crafted device) to trigger an
out-of-bounds write via a crafted length value. (bsc#1192845)
o CVE-2021-43976: Fixed a flaw that could allow an attacker (who can connect
a crafted USB device) to cause a denial of service. (bsc#1192847)
o CVE-2021-45485: Fixed an information leak because of certain use of a hash
table which use IPv6 source addresses. (bsc#1194094)
o CVE-2021-45486: Fixed an information leak because the hash table is very
small in net/ipv4/route.c. (bsc#1194087)
The following non-security bugs were fixed:
o blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
o cifs: fix missed refcounting of ipc tcon (git-fixes).
o cifs: nosharesock should be set on new server (git-fixes).
o config: INPUT_EVBUG=n (bsc#1192974). Debug driver unsuitable for
production, only enabled on ppc64.
o constraints: Build aarch64 on recent ARMv8.1 builders. Request asimdrdm
feature which is available only on recent ARMv8.1 CPUs. This should prevent
scheduling the kernel on an older slower builder.
o edac/amd64: Handle three rank interleaving mode (bsc#1114648).
o elfcore: correct reference to CONFIG_UML (git-fixes).
o fuse: release pipe buf after last use (bsc#1193318).
o genirq: Move initial affinity setup to irq_startup() (bsc#1193231).
o genirq: Provide IRQCHIP_AFFINITY_PRE_STARTUP (bsc#1193231).
o genirq: Remove mask argument from setup_affinity() (bsc#1193231).
o genirq: Rename setup_affinity() to irq_setup_affinity() (bsc#1193231).
o genirq: Split out irq_startup() code (bsc#1193231).
o kernel-*-subpackage: Add dependency on kernel scriptlets (bsc#1192740).
o kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#
1190358). The script part for base package case is completely separate from
the part for subpackages. Remove the part for subpackages from the base
package script and use the KMP scripts for subpackages instead.
o kernel-binary.spec.in: add zstd to BuildRequires if used
o kernel-binary.spec.in: make sure zstd is supported by kmod if used
o kernel-binary.spec: Check for no kernel signing certificates. Also remove
unused variable.
o kernel-binary.spec: Define $image as rpm macro (bsc#1189841).
o kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358).
Copy the code from kernel-module-subpackage that deals with empty KMPs.
o kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167).
o kernel-binary.spec: Fix kernel-default-base scriptlets after packaging
merge.
o kernel-binary.spec: Require dwarves for kernel-binary-devel when BTF is
enabled (jsc#SLE-17288). About the pahole version: v1.18 should be bare
mnimum, v1.22 should be fully functional, for now we ship git snapshot with
fixes on top of v1.21.
o kernel-binary.spec: suse-kernel-rpm-scriptlets required for uninstall as
well. Fixes: e98096d5cf85 ("rpm: Abolish scritplet templating (bsc#
1189841).")
o kernel-cert-subpackage: Fix certificate location in scriptlets (bsc#
1189841). Fixes: d9a1357edd73 ("rpm: Define $certs as rpm macro (bsc#
1189841).")
o kernel-source.spec: install-kernel-tools also required on 15.4
o kernel-spec-macros: Since rpm 4.17 %verbose is unusable (bsc#1191229). The
semantic changed in an incompatible way so invoking the macro now causes a
build failure.
o lpfc: Reintroduce old IRQ probe logic (bsc#1183897).
o net: mana: Allow setting the number of queues while the NIC is down (jsc#
SLE-18779, bsc#1185727).
o net: mana: Fix spelling mistake "calledd" -> "called" (jsc#SLE-18779, bsc#
1185727).
o net: mana: Fix the netdev_err()'s vPort argument in mana_init_port() (jsc#
SLE-18779, bsc#1185727).
o net: mana: Improve the HWC error handling (jsc#SLE-18779, bsc#1185727).
o net: mana: Support hibernation and kexec (jsc#SLE-18779, bsc#1185727).
o net: mana: Use kcalloc() instead of kzalloc() (jsc#SLE-18779, bsc#1185727).
o net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no
IRQ is available (git-fixes).
o nvme-fc: avoid race between time out and tear down (bsc#1185762).
o nvme-fc: remove freeze/unfreeze around update_nr_hw_queues (bsc#1185762).
o nvme-fc: update hardware queues before using them (bsc#1185762).
o nvme-fc: wait for queues to freeze before calling update_hr_hw_queues (bsc#
1183678).
o nvme-pci: add NO APST quirk for Kioxia device (git-fixes).
o platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()'
(git-fixes).
o platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning (git-fixes).
o post.sh: detect /usr mountpoint too
o readme: Modernize build instructions.
o recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
o recordmcount.pl: look for jgnop instruction as well as bcrl on s390 (bsc#
1192267).
o rpm/kernel-binary.spec.in: Use kmod-zstd provide. This makes it possible to
use kmod with ZSTD support on non-Tumbleweed.
o rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had
arbitrary values in staging, we can't use it for dependencies. The
filesystem one has to be enough (boo#1184804).
o rpm/kernel-binary.spec.in: do not strip vmlinux again (bsc#1193306) After
usrmerge, vmlinux file is not named vmlinux-<version>, but simply vmlinux.
And this is not reflected in STRIP_KEEP_SYMTAB we set. So fix this by
removing the dash...
o rpm/kernel-binary.spec: Use only non-empty certificates.
o rpm/kernel-obs-build.spec.in: make builds reproducible (bsc#1189305)
o rpm/kernel-source.rpmlintrc: ignore new include/config files In 5.13, since
0e0345b77ac4, config files have no longer .h suffix. Adapt the zero-length
check. Based on Martin Liska's change.
o rpm/kernel-source.spec.in: do some more for vanilla_only Make sure: *
sources are NOT executable * env is not used as interpreter * timestamps
are correct We do all this for normal kernel builds, but not for
vanilla_only kernels (linux-next and vanilla).
o rpm: Abolish image suffix (bsc#1189841). This is used only with vanilla
kernel which is not supported in any way. The only effect is has is that
the image and initrd symlinks are created with this suffix. These symlinks
are not used except on s390 where the unsuffixed symlinks are used by zipl.
There is no reason why a vanilla kernel could not be used with zipl as well
as it's quite unexpected to not be able to boot when only a vanilla kernel
is installed. Finally we now have a backup zipl kernel so if the vanilla
kernel is indeed unsuitable the backup kernel can be used.
o rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary
and KMP scriptlets to suse-module-tools. This allows fixing bugs in the
scriptlets as well as defining initrd regeneration policy independent of
the kernel packages.
o rpm: Define $certs as rpm macro (bsc#1189841). Also pass around only the
shortened hash rather than full filename. As has been discussed in bsc#
1124431 comment 51 https://bugzilla.suse.com/show_bug.cgiid=1124431#c51
the placement of the certificates is an API which cannot be changed unless
we can ensure that no two kernels that use different certificate location
can be built with the same certificate.
o rpm: Fold kernel-devel and kernel-source scriptlets into spec files (bsc#
1189841). These are unchanged since 2011 when they were introduced. No need
to track them separately.
o rpm: fix kmp install path
o rpm: support gz and zst compression methods Extend commit 18fcdff43a00
("rpm: support compressed modules") for compression methods other than xz.
o rpm: use _rpmmacrodir (boo#1191384)
o scsi: core: Fix bad pointer dereference when ehandler kthread is invalid
(git-fixes).
o scsi: core: Put LLD module refcnt after SCSI device is released
(git-fixes).
o scsi: iscsi: Adjust iface sysfs attr detection (git-fixes).
o scsi: lpfc: Add additional debugfs support for CMF (bsc#1192145).
o scsi: lpfc: Adjust CMF total bytes and rxmonitor (bsc#1192145).
o scsi: lpfc: Cap CMF read bytes to MBPI (bsc#1192145).
o scsi: lpfc: Change return code on I/Os received during link bounce (bsc#
1192145).
o scsi: lpfc: Fix NPIV port deletion crash (bsc#1192145).
o scsi: lpfc: Fix leaked lpfc_dmabuf mbox allocations with NPIV (bsc#
1192145).
o scsi: lpfc: Fix lpfc_force_rscn ndlp kref imbalance (bsc#1192145).
o scsi: lpfc: Fix non-recovery of remote ports following an unsolicited LOGO
(bsc#1189126).
o scsi: lpfc: Trigger SLI4 firmware dump before doing driver cleanup (bsc#
1192145).
o scsi: lpfc: Update lpfc version to 14.0.0.4 (bsc#1192145).
o scsi: mpt3sas: Fix kernel panic during drive powercycle test (git-fixes).
o scsi: qla2xxx: Fix gnl list corruption (git-fixes).
o scsi: qla2xxx: Fix mailbox direction flags in qla2xxx_get_adapter_id()
(git-fixes).
o scsi: qla2xxx: Format log strings only if needed (git-fixes).
o scsi: qla2xxx: Relogin during fabric disturbance (git-fixes).
o scsi: qla2xxx: edif: Fix EDIF bsg (git-fixes).
o scsi: qla2xxx: edif: Fix app start delay (git-fixes).
o scsi: qla2xxx: edif: Fix app start fail (git-fixes).
o scsi: qla2xxx: edif: Fix off by one bug in qla_edif_app_getfcinfo()
(git-fixes).
o scsi: qla2xxx: edif: Flush stale events and msgs on session down
(git-fixes).
o scsi: qla2xxx: edif: Increase ELS payload (git-fixes).
o tracing: Check pid filtering when creating events (git-fixes).
o tracing: Fix pid filtering when triggers are attached (git-fixes).
o tty: hvc: replace BUG_ON() with negative return value (git-fixes).
o usb-storage: Add compatibility quirk flags for iODD 2531/2541 (git-fixes).
o usb: dwc2: hcd_queue: Fix use of floating point literal (git-fixes).
o usb: serial: option: add Fibocom FM101-GL variants (git-fixes).
o usb: serial: option: add Quectel EC200S-CN module support (git-fixes).
o usb: serial: option: add Telit LE910Cx composition 0x1204 (git-fixes).
o usb: serial: option: add Telit LE910S1 0x9200 composition (git-fixes).
o usb: serial: option: add prod. id for Quectel EG91 (git-fixes).
o usb: serial: qcserial: add EM9191 QDL support (git-fixes).
o x86/msi: Force affinity setup before startup (bsc#1193231).
o x86/pkey: Fix undefined behaviour with PKRU_WD_BIT (bsc#1114648).
o x86/sme: Explicitly map new EFI memmap table as encrypted (bsc#1114648).
o x86/xen: Add xenpv_restore_regs_and_return_to_usermode() (bsc#1114648).
o xen/blkfront: do not take local copy of a request from the ring page
(git-fixes).
o xen/blkfront: do not trust the backend response data blindly (git-fixes).
o xen/blkfront: read response from backend only once (git-fixes).
o xen/netfront: disentangle tx_skb_freelist (git-fixes).
o xen/netfront: do not read data from request on the ring page (git-fixes).
o xen/netfront: do not trust the backend response data blindly (git-fixes).
o xen/netfront: read response from backend only once (git-fixes).
o xen: sync include/xen/interface/io/ring.h with Xen's newest version
(git-fixes).
Special Instructions and Notes:
Please reboot the system after installing this update.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o SUSE Linux Enterprise Real Time Extension 12-SP5:
zypper in -t patch SUSE-SLE-RT-12-SP5-2022-90=1
Package List:
o SUSE Linux Enterprise Real Time Extension 12-SP5 (x86_64):
cluster-md-kmp-rt-4.12.14-10.73.1
cluster-md-kmp-rt-debuginfo-4.12.14-10.73.1
dlm-kmp-rt-4.12.14-10.73.1
dlm-kmp-rt-debuginfo-4.12.14-10.73.1
gfs2-kmp-rt-4.12.14-10.73.1
gfs2-kmp-rt-debuginfo-4.12.14-10.73.1
kernel-rt-4.12.14-10.73.1
kernel-rt-base-4.12.14-10.73.1
kernel-rt-base-debuginfo-4.12.14-10.73.1
kernel-rt-debuginfo-4.12.14-10.73.1
kernel-rt-debugsource-4.12.14-10.73.1
kernel-rt-devel-4.12.14-10.73.1
kernel-rt-devel-debuginfo-4.12.14-10.73.1
kernel-rt_debug-4.12.14-10.73.1
kernel-rt_debug-debuginfo-4.12.14-10.73.1
kernel-rt_debug-debugsource-4.12.14-10.73.1
kernel-rt_debug-devel-4.12.14-10.73.1
kernel-rt_debug-devel-debuginfo-4.12.14-10.73.1
kernel-syms-rt-4.12.14-10.73.1
ocfs2-kmp-rt-4.12.14-10.73.1
ocfs2-kmp-rt-debuginfo-4.12.14-10.73.1
o SUSE Linux Enterprise Real Time Extension 12-SP5 (noarch):
kernel-devel-rt-4.12.14-10.73.1
kernel-source-rt-4.12.14-10.73.1
References:
o https://www.suse.com/security/cve/CVE-2019-15126.html
o https://www.suse.com/security/cve/CVE-2020-27820.html
o https://www.suse.com/security/cve/CVE-2021-0920.html
o https://www.suse.com/security/cve/CVE-2021-0935.html
o https://www.suse.com/security/cve/CVE-2021-28711.html
o https://www.suse.com/security/cve/CVE-2021-28712.html
o https://www.suse.com/security/cve/CVE-2021-28713.html
o https://www.suse.com/security/cve/CVE-2021-28714.html
o https://www.suse.com/security/cve/CVE-2021-28715.html
o https://www.suse.com/security/cve/CVE-2021-33098.html
o https://www.suse.com/security/cve/CVE-2021-4002.html
o https://www.suse.com/security/cve/CVE-2021-43975.html
o https://www.suse.com/security/cve/CVE-2021-43976.html
o https://www.suse.com/security/cve/CVE-2021-45485.html
o https://www.suse.com/security/cve/CVE-2021-45486.html
o https://bugzilla.suse.com/1114648
o https://bugzilla.suse.com/1124431
o https://bugzilla.suse.com/1167162
o https://bugzilla.suse.com/1179599
o https://bugzilla.suse.com/1183678
o https://bugzilla.suse.com/1183897
o https://bugzilla.suse.com/1184804
o https://bugzilla.suse.com/1185727
o https://bugzilla.suse.com/1185762
o https://bugzilla.suse.com/1187167
o https://bugzilla.suse.com/1189126
o https://bugzilla.suse.com/1189305
o https://bugzilla.suse.com/1189841
o https://bugzilla.suse.com/1190358
o https://bugzilla.suse.com/1191229
o https://bugzilla.suse.com/1191384
o https://bugzilla.suse.com/1192032
o https://bugzilla.suse.com/1192145
o https://bugzilla.suse.com/1192267
o https://bugzilla.suse.com/1192740
o https://bugzilla.suse.com/1192845
o https://bugzilla.suse.com/1192847
o https://bugzilla.suse.com/1192877
o https://bugzilla.suse.com/1192946
o https://bugzilla.suse.com/1192974
o https://bugzilla.suse.com/1193231
o https://bugzilla.suse.com/1193306
o https://bugzilla.suse.com/1193318
o https://bugzilla.suse.com/1193440
o https://bugzilla.suse.com/1193442
o https://bugzilla.suse.com/1193731
o https://bugzilla.suse.com/1194087
o https://bugzilla.suse.com/1194094
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYeX34eNLKJtyKPYoAQjheRAArKL7K5fZxMR16iiIFyqdsthlpW9en69Q
hiyViYkBBoS5nCXJGQxA+00xE72sOVwsQKHJW3Kpj0V2u7weXljEFJL36ADL1WP4
unOaGjSLFKBMOgMVfnQ6dCIXK1HlJFe6QVxfz79fFUuLLIV4SQrlSK/rhp4aqyQn
6nlUjnZGgfWtn0no0Hk5v9FJB8+6MmzvP7eXoJvpWFI4DC9UTsxihi9VbA6Ht1dt
QIJnL9IonO4Zp/Ce9Pa8VWeN2xhKfER/lcPp2sB6iIwYbW14vWkYVLTUu6W5g35h
gWvt8oxqsgGyW06vgfIBTfsMfHHPpwGZZtFg+NiQayxdmDHlzs/m4m4yldOWBfOl
5jwKmAzvGQRoqnRRVLK8b71xq5T92Z627AoVZebY8uKGNRMZSegm8ybgd5TkMJ28
KTvneYEbmgSITO6N+rRSIqlTqYSaz844Q9+v5LziE/6UUnz6cgfvqXi0T41EmaBF
SoG5ZW6A7qhkgFIE/6c8tXJdC7MlR2ZorOUsYHA8Cr8LTS9pEB+w/3UUx1Jw/bNz
GsER3RVSKM/sFMJ+HVI9+O/L/wF8zS2xrV0Sx1hLmlCtSQbvcWoIfR0otdixcn3w
P7Rtc/e6gHWpwbw0gInsE1dV6Zq+Ihr+3rMllJQs1pU8/Dx8SEyENlVrK2iMADOd
iQ0MdesfN6s=
=ychc
-----END PGP SIGNATURE-----