The SUSE Linux Enterprise Server 11 SP2 LTSS kernel received a roll-up
update to fix security and non-security issues.
The following security bugs have been fixed:
* CVE-2013-4470: The Linux kernel before 3.12, when UDP Fragmentation
Offload (UFO) is enabled, does not properly initialize certain data
structures, which allows local users to cause a denial of service (memory
corruption and system crash) or possibly gain privileges via a crafted
application that uses the UDP_CORK option in a setsockopt system call and
sends both short and long packets, related to the ip_ufo_append_data
function in net/ipv4/ip_output.c and the ip6_ufo_append_data function in
net/ipv6/ip6_output.c. (bnc#847672)
* CVE-2013-4579: The ath9k_htc_set_bssid_mask function in
drivers/net/wireless/ath/ath9k/htc_drv_main.c in the Linux kernel through
3.12 uses a BSSID masking approach to determine the set of MAC addresses
on which a Wi-Fi device is listening, which allows remote attackers to
discover the original MAC address after spoofing by sending a series of
packets to MAC addresses with certain bit manipulations. (bnc#851426)
* CVE-2013-6382: Multiple buffer underflows in the XFS implementation
in the Linux kernel through 3.12.1 allow local users to cause a denial of
service (memory corruption) or possibly have unspecified
other impact by leveraging the CAP_SYS_ADMIN capability for a (1)
XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl call
with a crafted length value, related to the xfs_attrlist_by_handle
function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle
function in fs/xfs/xfs_ioctl32.c. (bnc#852553)
* CVE-2013-6885: The microcode on AMD 16h 00h through 0Fh processors
does not properly handle the interaction between locked instructions and
write-combined memory types, which allows local users to cause a denial of
service (system hang) via a crafted application, aka the errata 793 issue.
(bnc#852967)
* CVE-2013-7263: The Linux kernel before 3.12.4 updates certain length
values before ensuring that associated data structures have been
initialized, which allows local users to obtain sensitive information from
kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg
system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c,
net/ipv6/raw.c, and net/ipv6/udp.c. (bnc#857643)
* CVE-2013-7264: The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in
the Linux kernel before 3.12.4 updates a certain length value before
ensuring that an associated data structure has been initialized, which
allows local users to obtain sensitive information from kernel stack
memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
(bnc#857643)
* CVE-2013-7265: The pn_recvmsg function in net/phonet/datagram.c in
the Linux kernel before 3.12.4 updates a certain length value before
ensuring that an associated data structure has been initialized, which
allows local users to obtain sensitive information from kernel stack
memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call.
(bnc#857643)
* CVE-2013-7339: The rds_ib_laddr_check function in net/rds/ib.c in
the Linux kernel before 3.12.8 allows local users to cause a denial of
service (NULL pointer dereference and system crash) or possibly have
unspecified other impact via a bind system call for an RDS socket on a
system that lacks RDS transports. (bnc#869563)
* CVE-2014-0069: The cifs_iovec_write function in fs/cifs/file.c in
the Linux kernel through 3.13.5 does not properly handle uncached write
operations that copy fewer than the requested number of bytes, which
allows local users to obtain sensitive information from kernel memory,
cause a denial of service (memory corruption and system crash), or
possibly gain privileges via a writev system call with a crafted pointer.
(bnc#864025)
* CVE-2014-0101: The sctp_sf_do_5_1D_ce function in
net/sctp/sm_statefuns.c in the Linux kernel through 3.13.6 does not
validate certain auth_enable and auth_capable fields before making an
sctp_sf_authenticate call, which allows remote attackers to cause a denial
of service (NULL pointer dereference and system crash) via an SCTP
handshake with a modified INIT chunk and a crafted AUTH chunk before a
COOKIE_ECHO chunk. (bnc#866102)
* CVE-2014-0196: The n_tty_write function in drivers/tty/n_tty.c in
the Linux kernel through 3.14.3 does not properly manage tty driver access
in the "LECHO & !OPOST" case, which allows local users to cause a denial
of service (memory corruption and system crash) or gain privileges by
triggering a race condition involving read and write operations with long
strings. (bnc#875690)
* CVE-2014-1444: The fst_get_iface function in
drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not
properly initialize a certain data structure, which allows local users to
obtain sensitive information from kernel memory by leveraging the
CAP_NET_ADMIN capability for an SIOCWANDEV ioctl call. (bnc#858869)
* CVE-2014-1445: The wanxl_ioctl function in drivers/net/wan/wanxl.c
in the Linux kernel before 3.11.7 does not properly initialize a certain
data structure, which allows local users to obtain sensitive information
from kernel memory via an ioctl call. (bnc#858870)
* CVE-2014-1446: The yam_ioctl function in drivers/net/hamradio/yam.c
in the Linux kernel before 3.12.8 does not initialize a certain structure
member, which allows local users to obtain sensitive information from
kernel memory by leveraging the CAP_NET_ADMIN capability for an
SIOCYAMGCFG ioctl call. (bnc#858872)
* CVE-2014-1737: The raw_cmd_copyin function in drivers/block/floppy.c
in the Linux kernel through 3.14.3 does not properly handle error
conditions during processing of an FDRAWCMD ioctl call, which allows local
users to trigger kfree operations and gain privileges by leveraging write
access to a /dev/fd device. (bnc#875798)
* CVE-2014-1738: The raw_cmd_copyout function in
drivers/block/floppy.c in the Linux kernel through 3.14.3 does not
properly restrict access to certain pointers during processing of an
FDRAWCMD ioctl call, which allows local users to obtain sensitive
information from kernel heap memory by leveraging write access to a
/dev/fd device. (bnc#875798)
* CVE-2014-1874: The security_context_to_sid_core function in
security/selinux/ss/services.c in the Linux kernel before 3.13.4 allows
local users to cause a denial of service (system crash) by leveraging the
CAP_MAC_ADMIN capability to set a zero-length security context.
(bnc#863335)
* CVE-2014-2039: arch/s390/kernel/head64.S in the Linux kernel before
3.13.5 on the s390 platform does not properly handle attempted use of the
linkage stack, which allows local users to cause a denial of service
(system crash) by executing a crafted instruction. (bnc#865307)
* CVE-2014-2523: net/netfilter/nf_conntrack_proto_dccp.c in the Linux
kernel through 3.13.6 uses a DCCP header pointer incorrectly, which allows
remote attackers to cause a denial of service (system crash)
or possibly execute arbitrary code via a DCCP packet that triggers a
call to the (1) dccp_new, (2) dccp_packet, or (3) dccp_error function.
(bnc#868653)
* CVE-2014-2678: The rds_iw_laddr_check function in net/rds/iw.c in
the Linux kernel through 3.14 allows local users to cause a denial of
service (NULL pointer dereference and system crash) or possibly have
unspecified other impact via a bind system call for an RDS socket on a
system that lacks RDS transports. (bnc#871561)
* CVE-2014-3122: The try_to_unmap_cluster function in mm/rmap.c in the
Linux kernel before 3.14.3 does not properly consider which pages must be
locked, which allows local users to cause a denial of service (system
crash) by triggering a memory-usage pattern that requires removal of
page-table mappings. (bnc#876102)
The following non-security bugs have also been fixed:
* kabi: protect symbols modified by bnc#864833 fix (bnc#864833).
* arch: Fix incorrect config symbol in #ifdef (bnc#844513).
* ACPICA: Add a lock to the internal object reference count mechanism
(bnc#857499).
* x86/PCI: reduce severity of host bridge window conflict warnings
(bnc#858534).
* ia64: Change default PSR.ac from "1" to "0" (Fix erratum #237)
(bnc#874108).
* timer: Prevent overflow in apply_slack (bnc#873061).
* xen: Close a race condition in Xen nested spinlock (bnc#858280,
bnc#819351).
* storvsc: NULL pointer dereference fix (bnc#865330).
* sched: Make scale_rt_power() deal with backward clocks (bnc#865310).
* sched: Use CPUPRI_NR_PRIORITIES instead of MAX_RT_PRIO in cpupri
check (bnc#871861).
* sched: update_rq_clock() must skip ONE update (bnc#868528,
bnc#869033).
* md: Change handling of save_raid_disk and metadata update during
recovery (bnc#849364).
* dm-mpath: Fixup race condition in activate_path() (bnc#708296).
* dm-mpath: do not detach stale hardware handler (bnc#708296).
* dm-multipath: Improve logging (bnc#708296).
* scsi_dh_alua: Simplify state machine (bnc#854025).
* scsi_dh_alua: endless STPG retries for a failed LUN (bnc#865342).
* scsi_dh_alua: fixup RTPG retry delay miscalculation (bnc#854025).
* vfs,proc: guarantee unique inodes in /proc.
* FS-Cache: Handle removal of unadded object to the
fscache_object_list rb tree (bnc#855885).
* NFSD/sunrpc: avoid deadlock on TCP connection due to memory pressure
(bnc#853455).
* NFS: Avoid occasional hang with NFS (bnc#852488).
* NFS: do not try to use lock state when we hold a delegation
(bnc#831029) - add to series.conf
* btrfs: do not loop on large offsets in readdir (bnc#863300).
* btrfs: restrict snapshotting to own subvolumes (bnc#736697).
* btrfs: fix extent boundary check in bio_readpage_error.
* btrfs: fix extent_map block_len after merging.
* net: add missing bh_unlock_sock() calls (bnc#862429).
* inet: Pass inetpeer root into inet_getpeer*() interfaces
(bnc#864833).
* inet: Hide route peer accesses behind helpers (bnc#864833).
* inet: Avoid potential NULL peer dereference (bnc#864833).
* inet: handle rt{,6}_bind_peer() failure correctly (bnc#870801).
* inetpeer: prevent unlinking from unused list twice (bnc#867953).
* net/mlx4_en: Fix pages never dma unmapped on rx (bnc#858604).
* tcp: clear xmit timers in tcp_v4_syn_recv_sock() (bnc#862429).
* ipv6: fix race condition regarding dst->expires and dst->from
(bnc#843185).
* ipv6 routing, NLM_F_* flag support: REPLACE and EXCL flags support,
warn about missing CREATE flag (bnc#865783).
* mpt2sas: Do not check DIF for unwritten blocks (bnc#746500,
bnc#836347).
* mpt2sas: Add a module parameter that permits overriding protection
capabilities (bnc#746500).
* mpt2sas: Return the correct sense key for DIF errors (bnc#746500).
* s390/cio: Delay scan for newly available I/O devices (bnc#855347,
bnc#814788, bnc#856083).
* s390/cio: More efficient handling of CHPID availability events
(bnc#855347, bnc#814788, bnc#856083).
* s390/cio: Relax subchannel scan loop (bnc#855347, bnc#814788,
bnc#856083).
* s390/css: stop stsch loop after cc 3 (bnc#855347, bnc#814788,
bnc#856083).
* supported.conf: Driver corgi_bl was renamed to generic_bl in kernel
2.6.29.
* supported.conf: Add drivers/of/of_mdio. That was a missing dependency
for mdio-gpio on ppc64.
* supported.conf: Fix mdio-gpio module name. Module mdio-ofgpio was
renamed to mdio-gpio in kernel 2.6.29; this should have been
reflected in supported.conf.
* supported.conf: Adjust radio-si470x module names.
* Update config files: re-enable twofish crypto support (bnc#871325).
download.suse.com/patch/finder/?keywords=787d82dbb16377714bc927d02557c4ee
download.suse.com/patch/finder/?keywords=8e83fb23e69fc57ddd82e1ab0aa469b8
download.suse.com/patch/finder/?keywords=be4d02e114cf7bfcc6687ae18820db1d
download.suse.com/patch/finder/?keywords=d8a4989ab7c16d4dac2badacf2d0efa8
download.suse.com/patch/finder/?keywords=da132fe457db88249d2db18bc5c22de5
download.suse.com/patch/finder/?keywords=ffc3bcce4bbb0dc6b7c0acc2c40fba06
bugzilla.novell.com/708296
bugzilla.novell.com/736697
bugzilla.novell.com/746500
bugzilla.novell.com/814788
bugzilla.novell.com/819351
bugzilla.novell.com/831029
bugzilla.novell.com/836347
bugzilla.novell.com/843185
bugzilla.novell.com/844513
bugzilla.novell.com/847672
bugzilla.novell.com/849364
bugzilla.novell.com/851426
bugzilla.novell.com/852488
bugzilla.novell.com/852553
bugzilla.novell.com/852967
bugzilla.novell.com/853455
bugzilla.novell.com/854025
bugzilla.novell.com/855347
bugzilla.novell.com/855885
bugzilla.novell.com/856083
bugzilla.novell.com/857499
bugzilla.novell.com/857643
bugzilla.novell.com/858280
bugzilla.novell.com/858534
bugzilla.novell.com/858604
bugzilla.novell.com/858869
bugzilla.novell.com/858870
bugzilla.novell.com/858872
bugzilla.novell.com/862429
bugzilla.novell.com/863300
bugzilla.novell.com/863335
bugzilla.novell.com/864025
bugzilla.novell.com/864833
bugzilla.novell.com/865307
bugzilla.novell.com/865310
bugzilla.novell.com/865330
bugzilla.novell.com/865342
bugzilla.novell.com/865783
bugzilla.novell.com/866102
bugzilla.novell.com/867953
bugzilla.novell.com/868528
bugzilla.novell.com/868653
bugzilla.novell.com/869033
bugzilla.novell.com/869563
bugzilla.novell.com/870801
bugzilla.novell.com/871325
bugzilla.novell.com/871561
bugzilla.novell.com/871861
bugzilla.novell.com/873061
bugzilla.novell.com/874108
bugzilla.novell.com/875690
bugzilla.novell.com/875798
bugzilla.novell.com/876102