SUSE Security Update: Security update for Linux kernel
______________________________________________________________________________

Announcement ID: SUSE-SU-2014:0696-1
Rating: important
References: #708296 #736697 #746500 #814788 #819351 #831029
#836347 #843185 #844513 #847672 #849364 #851426
#852488 #852553 #852967 #853455 #854025 #855347
#855885 #856083 #857499 #857643 #858280 #858534
#858604 #858869 #858870 #858872 #862429 #863300
#863335 #864025 #864833 #865307 #865310 #865330
#865342 #865783 #866102 #867953 #868528 #868653
#869033 #869563 #870801 #871325 #871561 #871861
#873061 #874108 #875690 #875798 #876102
Cross-References: CVE-2013-4470 CVE-2013-4579 CVE-2013-6382
CVE-2013-6885 CVE-2013-7263 CVE-2013-7264
CVE-2013-7265 CVE-2013-7339 CVE-2014-0069
CVE-2014-0101 CVE-2014-0196 CVE-2014-1444
CVE-2014-1445 CVE-2014-1446 CVE-2014-1737
CVE-2014-1738 CVE-2014-1874 CVE-2014-2039
CVE-2014-2523 CVE-2014-2678 CVE-2014-3122

Affected Products:
SUSE Linux Enterprise Server 11 SP2 LTSS
SLE 11 SERVER Unsupported Extras
______________________________________________________________________________

An update that solves 21 vulnerabilities and has 32 fixes
is now available. It includes one version update.

Description:

The SUSE Linux Enterprise Server 11 SP2 LTSS kernel received a roll-up
update to fix security and non-security issues.

The following security bugs have been fixed:

*

CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation
Offload (UFO) is enabled, does not properly initialize certain data
structures, which allows local users to cause a denial of service (memory
corruption and system crash) or possibly gain privileges via a crafted
application that uses the UDP_CORK option in a setsockopt system call and
sends both short and long packets, related to the ip_ufo_append_data
function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in
net/ipv6/ip6_output.c. (bnc#847672)

*

CVE-2013-4579: The ath9k_htc_set_bssid_mask function in
drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through
3.12 uses a BSSID masking approach to determine the set of MAC addresses
on which a Wi-Fi device is listening, which allows remote attackers to
discover the original MAC address after spoofing by sending a series of
packets to MAC addresses with certain bit manipulations. (bnc#851426)

*

CVE-2013-6382: Multiple buffer underflows in the XFS implementation
in the Linux kernel through 3.12.1 allow local users to cause a denial of
service (memory corruption) or possibly have unspecified
other impact by leveraging the CAP_SYS_ADMIN capability for a (1)
XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call
with a crafted length value, related to the xfs_attrlist_by_handle
function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle
function in fs/xfs/xfs_ioctl32.c. (bnc#852553)

*

CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors
does not properly handle the interaction between locked instructions and
write-combined memory types, which allows local users to cause a denial of
service (system hang) via a crafted application, aka the errata 793 issue.
(bnc#852967)

*

CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length
values before ensuring that associated data structures have been
initialized, which allows local users to obtain sensitive information from
kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c,
net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643)

*

CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in
the Linux kernel before 3.12.4 updates a certain length value before
ensuring that an associated data structure has been initialized, which
allows local users to obtain sensitive information from kernel stack
memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
(bnc#857643)

*

CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in
the Linux kernel before 3.12.4 updates a certain length value before
ensuring that an associated data structure has been initialized, which
allows local users to obtain sensitive information from kernel stack
memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
(bnc#857643)

*

CVE-2013-7339: The rds_ib_laddr_check function in net/rds/ib.c in
the Linux kernel before 3.12.8 allows local users to cause a denial of
service (NULL pointer dereference and system crash) or possibly have
unspecified other impact via a bind system call for an RDS socket on a
system that lacks RDS transports. (bnc#869563)

*

CVE-2014-0069: The cifs_iovec_write function in fs/cifs/file.c in
the Linux kernel through 3.13.5 does not properly handle uncached write
operations that copy fewer than the requested number of bytes, which
allows local users to obtain sensitive information from kernel memory,
cause a denial of service (memory corruption and system crash), or
possibly gain privileges via a writev system call with a crafted pointer.
(bnc#864025)

*

CVE-2014-0101: The sctp_sf_do_5_1D_ce function in
net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not
validate certain auth_enable and auth_capable fields before making an
sctp_sf_authenticate call, which allows remote attackers to cause a denial
of service (NULL pointer dereference and system crash) via an SCTP
handshake with a modified INIT chunk and a crafted AUTH chunk before a
COOKIE_ECHO chunk. (bnc#866102)

*

CVE-2014-0196: The n_tty_write function in drivers/tty/n_tty.c in
the Linux kernel through 3.14.3 does not properly manage tty driver access
in the “LECHO & !OPOST” case, which allows local users to cause a denial
of service (memory corruption and system crash) or gain privileges by
triggering a race condition involving read and write operations with long
strings. (bnc#875690)

*

CVE-2014-1444: The fst_get_iface function in
drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not
properly initialize a certain data structure, which allows local users to
obtain sensitive information from kernel memory by leveraging the
CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869)

*

CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c
in the Linux kernel before 3.11.7 does not properly initialize a certain
data structure, which allows local users to obtain sensitive information
from kernel memory via an ioctl call. (bnc#858870)

*

CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c
in the Linux kernel before 3.12.8 does not initialize a certain structure
member, which allows local users to obtain sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability for an
SIOCYAMGCFG ioctl call. (bnc#858872)

*

CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c
in the Linux kernel through 3.14.3 does not properly handle error
conditions during processing of an FDRAWCMD ioctl call, which allows local
users to trigger kfree operations and gain privileges by leveraging write
access to a /dev/fd device. (bnc#875798)

*

CVE-2014-1738: The raw_cmd_copyout function in
drivers/block/floppy.c in the Linux kernel through 3.14.3 does not
properly restrict access to certain pointers during processing of an
FDRAWCMD ioctl call, which allows local users to obtain sensitive
information from kernel heap memory by leveraging write access to a
/dev/fd device. (bnc#875798)

*

CVE-2014-1874: The security_context_to_sid_core function in
security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows
local users to cause a denial of service (system crash) by leveraging the
CAP_MAC_ADMIN capability to set a zero-length security context.
(bnc#863335)

*

CVE-2014-2039: arch/s390/kernel/head64.S in the Linux kernel before
3.13.5 on the s390 platform does not properly handle attempted use of the
linkage stack, which allows local users to cause a denial of service
(system crash) by executing a crafted instruction. (bnc#865307)

*

CVE-2014-2523: net/netfilter/nf_conntrack_proto_dccp.c in the Linux
kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows
remote attackers to cause a denial of service (system crash)
or possibly execute arbitrary code via a DCCP packet that triggers a
call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.
(bnc#868653)

*

CVE-2014-2678: The rds_iw_laddr_check function in net/rds/iw.c in
the Linux kernel through 3.14 allows local users to cause a denial of
service (NULL pointer dereference and system crash) or possibly have
unspecified other impact via a bind system call for an RDS socket on a
system that lacks RDS transports. (bnc#871561)

*

CVE-2014-3122: The try_to_unmap_cluster function in mm/rmap.c in the
Linux kernel before 3.14.3 does not properly consider which pages must be
locked, which allows local users to cause a denial of service (system
crash) by triggering a memory-usage pattern that requires removal of
page-table mappings. (bnc#876102)

Also the following non-security bugs have been fixed:

* kabi: protect symbols modified by bnc#864833 fix (bnc#864833).
* arch: Fix incorrect config symbol in #ifdef (bnc#844513).
* ACPICA: Add a lock to the internal object reference count mechanism
(bnc#857499).
* x86/PCI: reduce severity of host bridge window conflict warnings
(bnc#858534).
* ia64: Change default PSR.ac from “1” to “0” (Fix erratum #237)
(bnc#874108).
* timer: Prevent overflow in apply_slack (bnc#873061).
* xen: Close a race condition in Xen nested spinlock (bnc#858280,
bnc#819351).
* storvsc: NULL pointer dereference fix (bnc#865330).
* sched: Make scale_rt_power() deal with backward clocks (bnc#865310).
* sched: Use CPUPRI_NR_PRIORITIES instead of MAX_RT_PRIO in cpupri
check (bnc#871861).
*

sched: update_rq_clock() must skip ONE update (bnc#868528,
bnc#869033).

*

md: Change handling of save_raid_disk and metadata update during
recovery (bnc#849364).

* dm-mpath: Fixup race condition in activate_path() (bnc#708296).
* dm-mpath: do not detach stale hardware handler (bnc#708296).
* dm-multipath: Improve logging (bnc#708296).
* scsi_dh_alua: Simplify state machine (bnc#854025).
* scsi_dh_alua: endless STPG retries for a failed LUN (bnc#865342).
*

scsi_dh_alua: fixup RTPG retry delay miscalculation (bnc#854025).

*

vfs,proc: guarantee unique inodes in /proc.

* FS-Cache: Handle removal of unadded object to the
fscache_object_list rb tree (bnc#855885).
* NFSD/sunrpc: avoid deadlock on TCP connection due to memory pressure
(bnc#853455).
* NFS: Avoid occasional hang with NFS (bnc#852488).
* NFS: do not try to use lock state when we hold a delegation
(bnc#831029) – add to series.conf
* btrfs: do not loop on large offsets in readdir (bnc#863300).
* btrfs: restrict snapshotting to own subvolumes (bnc#736697).
* btrfs: fix extent boundary check in bio_readpage_error.
*

btrfs: fix extent_map block_len after merging.

*

net: add missing bh_unlock_sock() calls (bnc#862429).

* inet: Pass inetpeer root into inet_getpeer*() interfaces
(bnc#864833).
* inet: Hide route peer accesses behind helpers (bnc#864833).
* inet: Avoid potential NULL peer dereference (bnc#864833).
* inet: handle rt{,6}_bind_peer() failure correctly (bnc#870801).
* inetpeer: prevent unlinking from unused list twice (bnc#867953).
* net/mlx4_en: Fix pages never dma unmapped on rx (bnc#858604).
* tcp: clear xmit timers in tcp_v4_syn_recv_sock() (bnc#862429).
* ipv6: fix race condition regarding dst->expires and dst->from
(bnc#843185).
*

ipv6 routing, NLM_F_* flag support: REPLACE and EXCL flags support,
warn about missing CREATE flag (bnc#865783).

*

mpt2sas: Do not check DIF for unwritten blocks (bnc#746500,
bnc#836347).

* mpt2sas: Add a module parameter that permits overriding protection
capabilities (bnc#746500).
*

mpt2sas: Return the correct sense key for DIF errors (bnc#746500).

*

s390/cio: Delay scan for newly available I/O devices (bnc#855347,
bnc#814788, bnc#856083).

* s390/cio: More efficient handling of CHPID availability events
(bnc#855347, bnc#814788, bnc#856083).
* s390/cio: Relax subchannel scan loop (bnc#855347, bnc#814788,
bnc#856083).
*

s390/css: stop stsch loop after cc 3 (bnc#855347, bnc#814788,
bnc#856083).

*

supported.conf: Driver corgi_bl was renamed to generic_bl in kernel
2.6.29.

* supported.conf: Add drivers/of/of_mdio That was a missing dependency
for mdio-gpio on ppc64.
* supported.conf: Fix mdio-gpio module name Module mdio-ofgpio was
renamed to mdio-gpio in kernel 2.6.29, this should have been
reflected in supported.conf.
* supported.conf: Adjust radio-si470x module names
* Update config files: re-enable twofish crypto support. (bnc#871325)

Security Issue references:

* CVE-2013-4470
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4470>
* CVE-2013-4579
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4579>
* CVE-2013-6382
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6382>
* CVE-2013-6885
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6885>
* CVE-2013-7263
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7263>
* CVE-2013-7264
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7264>
* CVE-2013-7265
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7265>
* CVE-2013-7339
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7339>
* CVE-2014-0069
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0069>
* CVE-2014-0101
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0101>
* CVE-2014-0196
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196>
* CVE-2014-1444
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1444>
* CVE-2014-1445
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1445>
* CVE-2014-1446
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1446>
* CVE-2014-1737
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1737>
* CVE-2014-1738
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1738>
* CVE-2014-1874
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1874>
* CVE-2014-2039
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2039>
* CVE-2014-2523
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2523>
* CVE-2014-2678
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2678>
* CVE-2014-3122
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3122>

Indications:

Everyone using the Linux Kernel on x86_64 architecture should update.

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server 11 SP2 LTSS:

zypper in -t patch slessp2-kernel-9248 slessp2-kernel-9249 slessp2-kernel-9254

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server 11 SP2 LTSS (i586 s390x x86_64) [New Version: 3.0.101]:

kernel-default-3.0.101-0.7.19.1
kernel-default-base-3.0.101-0.7.19.1
kernel-default-devel-3.0.101-0.7.19.1
kernel-source-3.0.101-0.7.19.1
kernel-syms-3.0.101-0.7.19.1
kernel-trace-3.0.101-0.7.19.1
kernel-trace-base-3.0.101-0.7.19.1
kernel-trace-devel-3.0.101-0.7.19.1

– SUSE Linux Enterprise Server 11 SP2 LTSS (i586 x86_64) [New Version: 3.0.101]:

kernel-ec2-3.0.101-0.7.19.1
kernel-ec2-base-3.0.101-0.7.19.1
kernel-ec2-devel-3.0.101-0.7.19.1
kernel-xen-3.0.101-0.7.19.1
kernel-xen-base-3.0.101-0.7.19.1
kernel-xen-devel-3.0.101-0.7.19.1

– SUSE Linux Enterprise Server 11 SP2 LTSS (s390x) [New Version: 3.0.101]:

kernel-default-man-3.0.101-0.7.19.1

– SUSE Linux Enterprise Server 11 SP2 LTSS (i586) [New Version: 3.0.101]:

kernel-pae-3.0.101-0.7.19.1
kernel-pae-base-3.0.101-0.7.19.1
kernel-pae-devel-3.0.101-0.7.19.1

– SLE 11 SERVER Unsupported Extras (i586 s390x x86_64):

kernel-default-extra-3.0.101-0.7.19.1

– SLE 11 SERVER Unsupported Extras (i586 x86_64):

kernel-xen-extra-3.0.101-0.7.19.1

– SLE 11 SERVER Unsupported Extras (i586):

kernel-pae-extra-3.0.101-0.7.19.1

References:

http://support.novell.com/security/cve/CVE-2013-4470.html
http://support.novell.com/security/cve/CVE-2013-4579.html
http://support.novell.com/security/cve/CVE-2013-6382.html
http://support.novell.com/security/cve/CVE-2013-6885.html
http://support.novell.com/security/cve/CVE-2013-7263.html
http://support.novell.com/security/cve/CVE-2013-7264.html
http://support.novell.com/security/cve/CVE-2013-7265.html
http://support.novell.com/security/cve/CVE-2013-7339.html
http://support.novell.com/security/cve/CVE-2014-0069.html
http://support.novell.com/security/cve/CVE-2014-0101.html
http://support.novell.com/security/cve/CVE-2014-0196.html
http://support.novell.com/security/cve/CVE-2014-1444.html
http://support.novell.com/security/cve/CVE-2014-1445.html
http://support.novell.com/security/cve/CVE-2014-1446.html
http://support.novell.com/security/cve/CVE-2014-1737.html
http://support.novell.com/security/cve/CVE-2014-1738.html
http://support.novell.com/security/cve/CVE-2014-1874.html
http://support.novell.com/security/cve/CVE-2014-2039.html
http://support.novell.com/security/cve/CVE-2014-2523.html
http://support.novell.com/security/cve/CVE-2014-2678.html
http://support.novell.com/security/cve/CVE-2014-3122.html
https://bugzilla.novell.com/708296
https://bugzilla.novell.com/736697
https://bugzilla.novell.com/746500
https://bugzilla.novell.com/814788
https://bugzilla.novell.com/819351
https://bugzilla.novell.com/831029
https://bugzilla.novell.com/836347
https://bugzilla.novell.com/843185
https://bugzilla.novell.com/844513
https://bugzilla.novell.com/847672
https://bugzilla.novell.com/849364
https://bugzilla.novell.com/851426
https://bugzilla.novell.com/852488
https://bugzilla.novell.com/852553
https://bugzilla.novell.com/852967
https://bugzilla.novell.com/853455
https://bugzilla.novell.com/854025
https://bugzilla.novell.com/855347
https://bugzilla.novell.com/855885
https://bugzilla.novell.com/856083
https://bugzilla.novell.com/857499
https://bugzilla.novell.com/857643
https://bugzilla.novell.com/858280
https://bugzilla.novell.com/858534
https://bugzilla.novell.com/858604
https://bugzilla.novell.com/858869
https://bugzilla.novell.com/858870
https://bugzilla.novell.com/858872
https://bugzilla.novell.com/862429
https://bugzilla.novell.com/863300
https://bugzilla.novell.com/863335
https://bugzilla.novell.com/864025
https://bugzilla.novell.com/864833
https://bugzilla.novell.com/865307
https://bugzilla.novell.com/865310
https://bugzilla.novell.com/865330
https://bugzilla.novell.com/865342
https://bugzilla.novell.com/865783
https://bugzilla.novell.com/866102
https://bugzilla.novell.com/867953
https://bugzilla.novell.com/868528
https://bugzilla.novell.com/868653
https://bugzilla.novell.com/869033
https://bugzilla.novell.com/869563
https://bugzilla.novell.com/870801
https://bugzilla.novell.com/871325
https://bugzilla.novell.com/871561
https://bugzilla.novell.com/871861
https://bugzilla.novell.com/873061
https://bugzilla.novell.com/874108
https://bugzilla.novell.com/875690
https://bugzilla.novell.com/875798
https://bugzilla.novell.com/876102
http://download.suse.com/patch/finder/?keywords=787d82dbb16377714bc927d02557c4ee
http://download.suse.com/patch/finder/?keywords=8e83fb23e69fc57ddd82e1ab0aa469b8
http://download.suse.com/patch/finder/?keywords=be4d02e114cf7bfcc6687ae18820db1d
http://download.suse.com/patch/finder/?keywords=d8a4989ab7c16d4dac2badacf2d0efa8
http://download.suse.com/patch/finder/?keywords=da132fe457db88249d2db18bc5c22de5
http://download.suse.com/patch/finder/?keywords=ffc3bcce4bbb0dc6b7c0acc2c40fba06

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org