The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes.
This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032).
CVE-2017-5753 / 'SpectreAttack': Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets.
This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel.
This issue is addressed for the x86_64, the IBM Power and IBM zSeries architecture.
CVE-2017-5715 / 'SpectreAttack': Local attackers on systems with modern CPUs featuring branch prediction could use mispredicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753.
This problem is mitigated by disabling predictive branches, depending on CPU architecture either by firmware updates and/or fixes in the user-kernel privilege boundaries.
This is done with help of Linux Kernel fixes on the Intel/AMD x8664 and IBM zSeries architectures. On x8664, this requires also updates of the CPU microcode packages, delivered in seperate updates.
For IBM Power and zSeries the required firmware updates are supplied over regular channels by IBM.
As this feature can have a performance impact, it can be disabled using the 'nospec' kernel commandline option.
CVE-2017-5754 / 'MeltdownAttack': Local attackers on systems with modern CPUs featuring deep instruction pipelining could use code patterns in userspace to speculative executive code that would read otherwise read protected memory, an attack similar to CVE-2017-5753.
This problem is mitigated by unmapping the Linux Kernel from the user address space during user code execution, following a approach called 'KAISER'. The terms used here are 'KAISER' / 'Kernel Address Isolation' and 'PTI' / 'Page Table Isolation'.
This update does this on the x86_64 architecture, it is not required on the IBM zSeries architecture.
This feature can be enabled / disabled by the 'pti=[on|off|auto]' or 'nopti' commandline options.
The following security bugs were fixed:
The following non-security bugs were fixed:
{ "binaries": [ { "kernel-macros": "3.12.61-52.111.1", "kernel-devel": "3.12.61-52.111.1", "kernel-default-base": "3.12.61-52.111.1", "kernel-default-man": "3.12.61-52.111.1", "kernel-xen-devel": "3.12.61-52.111.1", "kernel-default": "3.12.61-52.111.1", "kernel-source": "3.12.61-52.111.1", "kernel-xen-base": "3.12.61-52.111.1", "kernel-syms": "3.12.61-52.111.1", "kernel-default-devel": "3.12.61-52.111.1", "kernel-xen": "3.12.61-52.111.1" } ] }
{ "binaries": [ { "kernel-macros": "3.12.61-52.111.1", "kernel-devel": "3.12.61-52.111.1", "kernel-default-base": "3.12.61-52.111.1", "kernel-default-man": "3.12.61-52.111.1", "kernel-xen-devel": "3.12.61-52.111.1", "kernel-default": "3.12.61-52.111.1", "kernel-source": "3.12.61-52.111.1", "kernel-xen-base": "3.12.61-52.111.1", "kernel-syms": "3.12.61-52.111.1", "kernel-default-devel": "3.12.61-52.111.1", "kernel-xen": "3.12.61-52.111.1" } ] }
{ "binaries": [ { "kernel-macros": "3.12.61-52.111.1", "kernel-devel": "3.12.61-52.111.1", "kernel-default-base": "3.12.61-52.111.1", "kernel-default-man": "3.12.61-52.111.1", "kernel-xen-devel": "3.12.61-52.111.1", "kernel-default": "3.12.61-52.111.1", "kernel-source": "3.12.61-52.111.1", "kernel-xen-base": "3.12.61-52.111.1", "kernel-syms": "3.12.61-52.111.1", "kernel-default-devel": "3.12.61-52.111.1", "kernel-xen": "3.12.61-52.111.1" } ] }
{ "binaries": [ { "kernel-macros": "3.12.61-52.111.1", "kernel-devel": "3.12.61-52.111.1", "kernel-default-base": "3.12.61-52.111.1", "kernel-default-man": "3.12.61-52.111.1", "kernel-xen-devel": "3.12.61-52.111.1", "kernel-default": "3.12.61-52.111.1", "kernel-source": "3.12.61-52.111.1", "kernel-xen-base": "3.12.61-52.111.1", "kernel-syms": "3.12.61-52.111.1", "kernel-default-devel": "3.12.61-52.111.1", "kernel-xen": "3.12.61-52.111.1" } ] }