openSUSE Security Update: Security update for the Linux Kernel
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1420-1
Rating: important
References: #1087082 #1088273
Cross-References: CVE-2018-3639
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

The openSUSE Leap 15.0 kernel was updated to receive various security and
bugfixes.

The following security bugs were fixed:

– CVE-2018-3639: Systems with microprocessors utilizing speculative
execution and speculative execution of memory reads before the addresses
of all prior memory writes are known may allow unauthorized disclosure
of information to an attacker with local user access via a side-channel
analysis, aka Speculative Store Bypass (SSB), Variant 4 (bsc#1087082).

A new boot commandline option was introduced,
“spec_store_bypass_disable”, which can have following values:

– auto: Kernel detects whether your CPU model contains an implementation
of Speculative Store Bypass and picks the most appropriate mitigation.
– on: disable Speculative Store Bypass
– off: enable Speculative Store Bypass
– prctl: Control Speculative Store Bypass per thread via prctl.
Speculative Store Bypass is enabled for a process by default. The
state of the control is inherited on fork.
– seccomp: Same as “prctl” above, but all seccomp threads will disable
SSB unless they explicitly opt out.

The default is “seccomp”, meaning programs need explicit opt-in into the
mitigation.

Status can be queried via the
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass file, containing:

– “Vulnerable”
– “Mitigation: Speculative Store Bypass disabled”
– “Mitigation: Speculative Store Bypass disabled via prctl”
– “Mitigation: Speculative Store Bypass disabled via prctl and seccomp”

The following non-security bugs were fixed:

– allow_unsupported: add module tainting on feature use (FATE#323394).
– powerpc/64/kexec: fix race in kexec when XIVE is shutdown (bsc#1088273).
– reiserfs: mark read-write mode unsupported (FATE#323394).
– reiserfs: package in separate KMP (FATE#323394).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.0:

zypper in -t patch openSUSE-2018-515=1

Package List:

– openSUSE Leap 15.0 (x86_64):

kernel-debug-4.12.14-lp150.12.4.1
kernel-debug-base-4.12.14-lp150.12.4.1
kernel-debug-base-debuginfo-4.12.14-lp150.12.4.1
kernel-debug-debuginfo-4.12.14-lp150.12.4.1
kernel-debug-debugsource-4.12.14-lp150.12.4.1
kernel-debug-devel-4.12.14-lp150.12.4.1
kernel-debug-devel-debuginfo-4.12.14-lp150.12.4.1
kernel-default-4.12.14-lp150.12.4.1
kernel-default-base-4.12.14-lp150.12.4.1
kernel-default-base-debuginfo-4.12.14-lp150.12.4.1
kernel-default-debuginfo-4.12.14-lp150.12.4.1
kernel-default-debugsource-4.12.14-lp150.12.4.1
kernel-default-devel-4.12.14-lp150.12.4.1
kernel-default-devel-debuginfo-4.12.14-lp150.12.4.1
kernel-kvmsmall-4.12.14-lp150.12.4.1
kernel-kvmsmall-base-4.12.14-lp150.12.4.1
kernel-kvmsmall-base-debuginfo-4.12.14-lp150.12.4.1
kernel-kvmsmall-debuginfo-4.12.14-lp150.12.4.1
kernel-kvmsmall-debugsource-4.12.14-lp150.12.4.1
kernel-kvmsmall-devel-4.12.14-lp150.12.4.1
kernel-kvmsmall-devel-debuginfo-4.12.14-lp150.12.4.1
kernel-obs-build-4.12.14-lp150.12.4.1
kernel-obs-build-debugsource-4.12.14-lp150.12.4.1
kernel-obs-qa-4.12.14-lp150.12.4.1
kernel-syms-4.12.14-lp150.12.4.1

– openSUSE Leap 15.0 (noarch):

kernel-devel-4.12.14-lp150.12.4.1
kernel-docs-4.12.14-lp150.12.4.1
kernel-docs-html-4.12.14-lp150.12.4.1
kernel-macros-4.12.14-lp150.12.4.1
kernel-source-4.12.14-lp150.12.4.1
kernel-source-vanilla-4.12.14-lp150.12.4.1

References:

https://www.suse.com/security/cve/CVE-2018-3639.html
https://bugzilla.suse.com/1087082
https://bugzilla.suse.com/1088273

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org