The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.
This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032).
CVE-2017-5753 / 'SpecŧreAttack': Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets.
This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel.
CVE-2017-5715 / 'SpectreAttack': Local attackers on systems with modern CPUs featuring branch prediction could use mispredicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753.
This problem is mitigated by disabling predictive branches, depending on CPU architecture either by firmware updates and/or fixes in the user-kernel privilege boundaries.
Please also check with your CPU / Hardware vendor on updated firmware or BIOS images regarding this issue.
As this feature can have a performance impact, it can be disabled using the 'nospec' kernel commandline option.
CVE-2017-5754 / 'MeltdownAttack': Local attackers on systems with modern CPUs featuring deep instruction pipelining could use code patterns in userspace to speculative executive code that would read otherwise read protected memory, an attack similar to CVE-2017-5753.
This problem is mitigated by unmapping the Linux Kernel from the user address space during user code execution, following a approach called 'KAISER'. The terms used here are 'KAISER' / 'Kernel Address Isolation' and 'PTI' / 'Page Table Isolation'.
Note that this is only done on affected platforms.
This feature can be enabled / disabled by the 'pti=[on|off|auto]' or 'nopti' commandline options.
Also the following unrelated security bugs were fixed:
The following non-security bugs were fixed:
{ "binaries": [ { "kernel-macros": "4.4.103-92.56.1", "kernel-devel": "4.4.103-92.56.1", "kernel-default": "4.4.103-92.56.1", "kernel-source": "4.4.103-92.56.1", "kernel-default-extra": "4.4.103-92.56.1", "kernel-syms": "4.4.103-92.56.1", "kernel-default-devel": "4.4.103-92.56.1" } ] }
{ "binaries": [ { "kernel-macros": "4.4.103-92.56.1", "kernel-devel": "4.4.103-92.56.1", "kernel-default": "4.4.103-92.56.1", "kernel-source": "4.4.103-92.56.1", "kernel-default-extra": "4.4.103-92.56.1", "kernel-syms": "4.4.103-92.56.1", "kernel-default-devel": "4.4.103-92.56.1" } ] }
{ "binaries": [ { "kernel-macros": "4.4.103-92.56.1", "kernel-devel": "4.4.103-92.56.1", "kernel-default": "4.4.103-92.56.1", "kernel-source": "4.4.103-92.56.1", "kernel-default-extra": "4.4.103-92.56.1", "kernel-syms": "4.4.103-92.56.1", "kernel-default-devel": "4.4.103-92.56.1" } ] }
{ "binaries": [ { "kernel-macros": "4.4.103-92.56.1", "kernel-devel": "4.4.103-92.56.1", "kernel-default-base": "4.4.103-92.56.1", "kernel-default": "4.4.103-92.56.1", "kernel-source": "4.4.103-92.56.1", "kernel-syms": "4.4.103-92.56.1", "kernel-default-devel": "4.4.103-92.56.1" } ] }
{ "binaries": [ { "kernel-macros": "4.4.103-92.56.1", "kernel-devel": "4.4.103-92.56.1", "kernel-default-base": "4.4.103-92.56.1", "kernel-default": "4.4.103-92.56.1", "kernel-source": "4.4.103-92.56.1", "kernel-syms": "4.4.103-92.56.1", "kernel-default-devel": "4.4.103-92.56.1" } ] }
{ "binaries": [ { "kernel-macros": "4.4.103-92.56.1", "kernel-devel": "4.4.103-92.56.1", "kernel-default-base": "4.4.103-92.56.1", "kernel-default": "4.4.103-92.56.1", "kernel-source": "4.4.103-92.56.1", "kernel-syms": "4.4.103-92.56.1", "kernel-default-devel": "4.4.103-92.56.1" } ] }
{ "binaries": [ { "kernel-macros": "4.4.103-92.56.1", "kernel-devel": "4.4.103-92.56.1", "kernel-default-base": "4.4.103-92.56.1", "kernel-default-man": "4.4.103-92.56.1", "kernel-default": "4.4.103-92.56.1", "kernel-source": "4.4.103-92.56.1", "kernel-syms": "4.4.103-92.56.1", "kernel-default-devel": "4.4.103-92.56.1" } ] }
{ "binaries": [ { "kernel-macros": "4.4.103-92.56.1", "kernel-devel": "4.4.103-92.56.1", "kernel-default-base": "4.4.103-92.56.1", "kernel-default-man": "4.4.103-92.56.1", "kernel-default": "4.4.103-92.56.1", "kernel-source": "4.4.103-92.56.1", "kernel-syms": "4.4.103-92.56.1", "kernel-default-devel": "4.4.103-92.56.1" } ] }
{ "binaries": [ { "kernel-macros": "4.4.103-92.56.1", "kernel-devel": "4.4.103-92.56.1", "kernel-default-base": "4.4.103-92.56.1", "kernel-default-man": "4.4.103-92.56.1", "kernel-default": "4.4.103-92.56.1", "kernel-source": "4.4.103-92.56.1", "kernel-syms": "4.4.103-92.56.1", "kernel-default-devel": "4.4.103-92.56.1" } ] }
{ "binaries": [ { "kernel-macros": "4.4.103-92.56.1", "kernel-devel": "4.4.103-92.56.1", "kernel-default-base": "4.4.103-92.56.1", "kernel-default-man": "4.4.103-92.56.1", "kernel-default": "4.4.103-92.56.1", "kernel-source": "4.4.103-92.56.1", "kernel-syms": "4.4.103-92.56.1", "kernel-default-devel": "4.4.103-92.56.1" } ] }
{ "binaries": [ { "kernel-macros": "4.4.103-92.56.1", "kernel-devel": "4.4.103-92.56.1", "kernel-default-base": "4.4.103-92.56.1", "kernel-default-man": "4.4.103-92.56.1", "kernel-default": "4.4.103-92.56.1", "kernel-source": "4.4.103-92.56.1", "kernel-syms": "4.4.103-92.56.1", "kernel-default-devel": "4.4.103-92.56.1" } ] }
{ "binaries": [ { "kernel-macros": "4.4.103-92.56.1", "kernel-devel": "4.4.103-92.56.1", "kernel-default-base": "4.4.103-92.56.1", "kernel-default-man": "4.4.103-92.56.1", "kernel-default": "4.4.103-92.56.1", "kernel-source": "4.4.103-92.56.1", "kernel-syms": "4.4.103-92.56.1", "kernel-default-devel": "4.4.103-92.56.1" } ] }