The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various
security and bug fixes.
The following security bugs were fixed:
CVE-2017-5715: Systems with microprocessors utilizing speculative
execution and indirect branch prediction may allow unauthorized
disclosure of information to an attacker with local user access via a
side-channel analysis (bnc#1068032).
Enhancements and bugfixes over the previous fixes have been added to
this kernel.
CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have
allowed local users to cause a denial of service by triggering an
attempted use of the -INT_MIN value (bnc#1089608).
CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in
drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial
of service (memory consumption) via many read accesses to files in the
/sys/class/sas_phy directory, as demonstrated by the
/sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).
CVE-2018-7566: There was a buffer overflow via an
SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by
a local user (bnc#1083483).
CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function
in the ALSA subsystem allowed attackers to gain privileges via
unspecified vectors (bnc#1088260).
CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel
function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious
NCPFS servers to crash the kernel or execute code (bnc#1086162).
CVE-2017-13166: An elevation of privilege vulnerability in the kernel
v4l2 video driver (bnc#1072865).
CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c
allowed local users to cause a denial of service (BUG) by leveraging a
race condition with __dm_destroy during creation and removal of DM
devices (bnc#1083242).
CVE-2017-16911: The vhci_hcd driver allowed local attackers to
disclose kernel memory addresses. Successful exploitation requires that
a USB device is attached over IP (bnc#1078674).
CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed local
users to cause a denial of service (infinite loop) by triggering use of
MADVISE_WILLNEED for a DAX mapping (bnc#1083494).
CVE-2017-16644: The hdpvr_probe function in
drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a
denial of service (improper error handling and system crash) or possibly
have unspecified other impact via a crafted USB device (bnc#1067118).
CVE-2018-6927: The futex_requeue function in kernel/futex.c in the Linux
kernel might allow attackers to cause a denial of service (integer
overflow) or possibly have unspecified other impact by triggering a
negative wake or requeue value (bnc#1080757).
CVE-2017-16914: The "stub_send_ret_submit()" function
(drivers/usb/usbip/stub_tx.c) allowed attackers to cause a denial of
service (NULL pointer dereference) via a specially crafted USB over IP
packet (bnc#1078669).
CVE-2016-7915: The hid_input_field function in drivers/hid/hid-core.c
allowed physically proximate attackers to obtain sensitive information
from kernel memory or cause a denial of service (out-of-bounds read) by
connecting a device, as demonstrated by a Logitech DJ receiver
(bnc#1010470).
CVE-2015-5156: The virtnet_probe function in drivers/net/virtio_net.c
attempted to support a FRAGLIST feature without proper memory
allocation, which allowed guest OS users to cause a denial of service
(buffer overflow and memory corruption) via a crafted sequence of
fragmented packets (bnc#940776).
CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions in
block/bio.c did unbalanced refcounting when a SCSI I/O vector has small
consecutive buffers belonging to the same page. The bio_add_pc_page
function merges them into one, but the page reference is never dropped.
This causes a memory leak and possible system lockup (exploitable
against the host OS by a guest OS user, if a SCSI disk is passed through
to a virtual machine) due to an out-of-memory condition (bnc#1062568).
CVE-2017-16912: The "get_pipe()" function (drivers/usb/usbip/stub_rx.c)
allowed attackers to cause a denial of service (out-of-bounds read) via
a specially crafted USB over IP packet (bnc#1078673).
CVE-2017-16913: The "stub_recv_cmd_submit()" function
(drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed
attackers to cause a denial of service (arbitrary memory allocation) via
a specially crafted USB over IP packet (bnc#1078672).
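The -INT_MIN problem named under CVE-2018-10087 above is a signed negation that cannot be represented in an int. The following C code is an added example, not the kernel's code or SUSE's patch: it models how a wait4-style pid argument is classified (semantics per wait4(2)) and rejects INT_MIN before negating it. The names classify_wait_pid, wait_sel and wait_target, and the choice of -ESRCH as the error, are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical names for this illustration; not the kernel's identifiers. */
enum wait_target { WAIT_ANY, WAIT_PID, WAIT_PGID, WAIT_OWN_PGRP };

struct wait_sel {
    enum wait_target target;
    int id;                     /* pid or process-group id, never negative */
};

/*
 * Classify a wait4()-style pid argument:
 *   pid > 0    one child           pid == 0   caller's process group
 *   pid == -1  any child           pid < -1   process group -pid
 * Returns 0 on success or a negative errno value.
 */
int classify_wait_pid(int upid, struct wait_sel *out)
{
    /* -INT_MIN does not fit in an int, so negating it is signed overflow
     * (undefined behaviour). Reject it before the negation below. */
    if (upid == INT_MIN)
        return -ESRCH;          /* assumed error: no such process group */

    out->id = 0;
    if (upid == -1) {
        out->target = WAIT_ANY;
    } else if (upid < 0) {
        out->target = WAIT_PGID;
        out->id = -upid;        /* safe: upid is in [-INT_MAX, -2] here */
    } else if (upid == 0) {
        out->target = WAIT_OWN_PGRP;
    } else {
        out->target = WAIT_PID;
        out->id = upid;
    }
    return 0;
}

int main(void)
{
    int samples[] = { 1234, 0, -1, -500, INT_MIN };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct wait_sel s = { WAIT_ANY, 0 };
        int rc = classify_wait_pid(samples[i], &s);
        printf("%d -> rc=%d target=%d id=%d\n", samples[i], rc, s.target, s.id);
    }
    return 0;
}
```

Building with -fsanitize=undefined and removing the INT_MIN guard makes the sanitizer report the negation at run time, which is a quick way to find the same pattern in other code.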
The following non-security bugs were fixed:
bugzilla.suse.com/1010470
bugzilla.suse.com/1013018
bugzilla.suse.com/1039348
bugzilla.suse.com/1052943
bugzilla.suse.com/1062568
bugzilla.suse.com/1062840
bugzilla.suse.com/1063416
bugzilla.suse.com/1063516
bugzilla.suse.com/1065600
bugzilla.suse.com/1065999
bugzilla.suse.com/1067118
bugzilla.suse.com/1067912
bugzilla.suse.com/1068032
bugzilla.suse.com/1072689
bugzilla.suse.com/1072865
bugzilla.suse.com/1075088
bugzilla.suse.com/1075091
bugzilla.suse.com/1075994
bugzilla.suse.com/1078669
bugzilla.suse.com/1078672
bugzilla.suse.com/1078673
bugzilla.suse.com/1078674
bugzilla.suse.com/1080464
bugzilla.suse.com/1080757
bugzilla.suse.com/1080813
bugzilla.suse.com/1081358
bugzilla.suse.com/1082091
bugzilla.suse.com/1082424
bugzilla.suse.com/1083242
bugzilla.suse.com/1083275
bugzilla.suse.com/1083483
bugzilla.suse.com/1083494
bugzilla.suse.com/1084536
bugzilla.suse.com/1085113
bugzilla.suse.com/1085279
bugzilla.suse.com/1085331
bugzilla.suse.com/1085513
bugzilla.suse.com/1086162
bugzilla.suse.com/1087092
bugzilla.suse.com/1087260
bugzilla.suse.com/1087762
bugzilla.suse.com/1088147
bugzilla.suse.com/1088260
bugzilla.suse.com/1089608
bugzilla.suse.com/909077
bugzilla.suse.com/940776
bugzilla.suse.com/943786