The SUSE Linux Enterprise 11 SP4 realtime kernel was updated to receive various security and bugfixes.
This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032).
CVE-2017-5753: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use attacker controllable speculative execution over code patterns in the Linux Kernel to leak content from otherwise not readable memory in the same address space, allowing retrieval of passwords, cryptographic keys and other secrets.
This problem is mitigated by adding speculative fencing on affected code paths throughout the Linux kernel.
CVE-2017-5715: Local attackers on systems with modern CPUs featuring branch prediction could use mispredicted branches to speculatively execute code patterns that in turn could be made to leak other non-readable content in the same address space, an attack similar to CVE-2017-5753.
This problem is mitigated by disabling predictive branches, depending on CPU architecture either by firmware updates and/or fixes in the user-kernel privilege boundaries.
This is done with help of Linux Kernel fixes on the Intel/AMD x8664 architectures. On x8664, this requires also updates of the CPU microcode packages, delivered in seperate updates.
As this feature can have a performance impact, it can be disabled using the 'nospec' kernel commandline option.
CVE-2017-5754: Local attackers on systems with modern CPUs featuring deep instruction pipelining could use code patterns in userspace to speculative executive code that would read otherwise read protected memory, an attack similar to CVE-2017-5753.
This problem is mitigated by unmapping the Linux Kernel from the user address space during user code execution, following a approach called 'KAISER'. The terms used here are 'KAISER' / 'Kernel Address Isolation' and 'PTI' / 'Page Table Isolation'.
The following security bugs were fixed:
The following non-security bugs were fixed:
{ "binaries": [ { "kernel-rt_trace-base": "3.0.101.rt130-69.14.1", "kernel-rt-devel": "3.0.101.rt130-69.14.1", "kernel-rt_trace": "3.0.101.rt130-69.14.1", "kernel-rt_trace-devel": "3.0.101.rt130-69.14.1", "kernel-source-rt": "3.0.101.rt130-69.14.1", "kernel-rt": "3.0.101.rt130-69.14.1", "kernel-syms-rt": "3.0.101.rt130-69.14.1", "kernel-rt-base": "3.0.101.rt130-69.14.1" } ] }
{ "binaries": [ { "kernel-rt_trace-base": "3.0.101.rt130-69.14.1", "kernel-rt-devel": "3.0.101.rt130-69.14.1", "kernel-rt_trace": "3.0.101.rt130-69.14.1", "kernel-rt_trace-devel": "3.0.101.rt130-69.14.1", "kernel-source-rt": "3.0.101.rt130-69.14.1", "kernel-rt": "3.0.101.rt130-69.14.1", "kernel-syms-rt": "3.0.101.rt130-69.14.1", "kernel-rt-base": "3.0.101.rt130-69.14.1" } ] }
{ "binaries": [ { "kernel-rt_trace-base": "3.0.101.rt130-69.14.1", "kernel-rt-devel": "3.0.101.rt130-69.14.1", "kernel-rt_trace": "3.0.101.rt130-69.14.1", "kernel-rt_trace-devel": "3.0.101.rt130-69.14.1", "kernel-source-rt": "3.0.101.rt130-69.14.1", "kernel-rt": "3.0.101.rt130-69.14.1", "kernel-syms-rt": "3.0.101.rt130-69.14.1", "kernel-rt-base": "3.0.101.rt130-69.14.1" } ] }
{ "binaries": [ { "kernel-rt_trace-base": "3.0.101.rt130-69.14.1", "kernel-rt-devel": "3.0.101.rt130-69.14.1", "kernel-rt_trace": "3.0.101.rt130-69.14.1", "kernel-rt_trace-devel": "3.0.101.rt130-69.14.1", "kernel-source-rt": "3.0.101.rt130-69.14.1", "kernel-rt": "3.0.101.rt130-69.14.1", "kernel-syms-rt": "3.0.101.rt130-69.14.1", "kernel-rt-base": "3.0.101.rt130-69.14.1" } ] }