SUSE-SU-2018:1374-1
See a problem?- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:1374-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2018:1374-1
- Related
- Published
- 2018-05-22T13:21:02Z
- Modified
- 2018-05-22T13:21:02Z
- Summary
- Security update for the Linux Kernel
- Details
-
The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive several security fixes.
The following security bugs were fixed:
CVE-2018-3639: Information leaks using 'Memory Disambiguation' feature in modern CPUs were mitigated, aka 'Spectre Variant 4' (bnc#1087082).
A new boot commandline option was introduced, 'specstorebypass_disable', which can have following values:
- auto: Kernel detects whether your CPU model contains an implementation of Speculative Store Bypass and picks the most appropriate mitigation.
- on: disable Speculative Store Bypass
- off: enable Speculative Store Bypass
- prctl: Control Speculative Store Bypass per thread via prctl. Speculative Store Bypass is enabled for a process by default. The state of the control is inherited on fork.
- seccomp: Same as 'prctl' above, but all seccomp threads will disable SSB unless they explicitly opt out.
The default is 'seccomp', meaning programs need explicit opt-in into the mitigation.
Status can be queried via the /sys/devices/system/cpu/vulnerabilities/specstorebypass file, containing:
- 'Vulnerable'
- 'Mitigation: Speculative Store Bypass disabled'
- 'Mitigation: Speculative Store Bypass disabled via prctl'
- 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp'
CVE-2018-1000199: An address corruption flaw was discovered while modifying a h/w breakpoint via 'modifyuserhw_breakpoint' routine, an unprivileged user/process could use this flaw to crash the system kernel resulting in DoS OR to potentially escalate privileges on a the system. (bsc#1089895)
- CVE-2018-10675: The dogetmempolicy function in mm/mempolicy.c allowed local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted system calls (bnc#1091755).
The following non-security bugs were fixed:
- x86/bugs: Make sure that TIFSSBD does not end up in TIFALLWORK_MASK (bsc#1093215).
- x86/bugs: correctly force-disable IBRS on !SKL systems (bsc#1092497).
- x86/cpu/intel: Introduce macros for Intel family numbers (bsc#985025).
- x86/cpu/intel: Introduce macros for Intel family numbers (bsc985025).
- x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist (bsc#1087845).
- References
-
- https://www.suse.com/support/update/announcement/2018/suse-su-20181374-1/
- https://bugzilla.suse.com/1087082
- https://bugzilla.suse.com/1087845
- https://bugzilla.suse.com/1089895
- https://bugzilla.suse.com/1091755
- https://bugzilla.suse.com/1092497
- https://bugzilla.suse.com/1093215
- https://bugzilla.suse.com/1094019
- https://bugzilla.suse.com/985025
- https://www.suse.com/security/cve/CVE-2018-1000199
- https://www.suse.com/security/cve/CVE-2018-10675
- https://www.suse.com/security/cve/CVE-2018-3639
Affected packages
SUSE:Linux Enterprise Module for Public Cloud 12 / kernel-ec2
Package
- Name
- kernel-ec2
- Purl
- purl:rpm/suse/kernel-ec2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2012
SUSE:Linux Enterprise Server 12-LTSS / kernel-default
Package
- Name
- kernel-default
- Purl
- purl:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.12.61-52.133.1
Ecosystem specific
{
"binaries": [
{
"kernel-macros": "3.12.61-52.133.1",
"kernel-devel": "3.12.61-52.133.1",
"kernel-default-base": "3.12.61-52.133.1",
"kernel-default-man": "3.12.61-52.133.1",
"kernel-xen-devel": "3.12.61-52.133.1",
"kernel-default": "3.12.61-52.133.1",
"kernel-source": "3.12.61-52.133.1",
"kgraft-patch-3_12_61-52_133-xen": "1-1.5.1",
"kernel-xen-base": "3.12.61-52.133.1",
"kernel-syms": "3.12.61-52.133.1",
"kernel-default-devel": "3.12.61-52.133.1",
"kernel-xen": "3.12.61-52.133.1",
"kgraft-patch-3_12_61-52_133-default": "1-1.5.1"
}
]
}
SUSE:Linux Enterprise Server 12-LTSS / kernel-source
Package
- Name
- kernel-source
- Purl
- purl:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.12.61-52.133.1
Ecosystem specific
{
"binaries": [
{
"kernel-macros": "3.12.61-52.133.1",
"kernel-devel": "3.12.61-52.133.1",
"kernel-default-base": "3.12.61-52.133.1",
"kernel-default-man": "3.12.61-52.133.1",
"kernel-xen-devel": "3.12.61-52.133.1",
"kernel-default": "3.12.61-52.133.1",
"kernel-source": "3.12.61-52.133.1",
"kgraft-patch-3_12_61-52_133-xen": "1-1.5.1",
"kernel-xen-base": "3.12.61-52.133.1",
"kernel-syms": "3.12.61-52.133.1",
"kernel-default-devel": "3.12.61-52.133.1",
"kernel-xen": "3.12.61-52.133.1",
"kgraft-patch-3_12_61-52_133-default": "1-1.5.1"
}
]
}
SUSE:Linux Enterprise Server 12-LTSS / kernel-syms
Package
- Name
- kernel-syms
- Purl
- purl:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.12.61-52.133.1
Ecosystem specific
{
"binaries": [
{
"kernel-macros": "3.12.61-52.133.1",
"kernel-devel": "3.12.61-52.133.1",
"kernel-default-base": "3.12.61-52.133.1",
"kernel-default-man": "3.12.61-52.133.1",
"kernel-xen-devel": "3.12.61-52.133.1",
"kernel-default": "3.12.61-52.133.1",
"kernel-source": "3.12.61-52.133.1",
"kgraft-patch-3_12_61-52_133-xen": "1-1.5.1",
"kernel-xen-base": "3.12.61-52.133.1",
"kernel-syms": "3.12.61-52.133.1",
"kernel-default-devel": "3.12.61-52.133.1",
"kernel-xen": "3.12.61-52.133.1",
"kgraft-patch-3_12_61-52_133-default": "1-1.5.1"
}
]
}
SUSE:Linux Enterprise Server 12-LTSS / kernel-xen
Package
- Name
- kernel-xen
- Purl
- purl:rpm/suse/kernel-xen&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.12.61-52.133.1
Ecosystem specific
{
"binaries": [
{
"kernel-macros": "3.12.61-52.133.1",
"kernel-devel": "3.12.61-52.133.1",
"kernel-default-base": "3.12.61-52.133.1",
"kernel-default-man": "3.12.61-52.133.1",
"kernel-xen-devel": "3.12.61-52.133.1",
"kernel-default": "3.12.61-52.133.1",
"kernel-source": "3.12.61-52.133.1",
"kgraft-patch-3_12_61-52_133-xen": "1-1.5.1",
"kernel-xen-base": "3.12.61-52.133.1",
"kernel-syms": "3.12.61-52.133.1",
"kernel-default-devel": "3.12.61-52.133.1",
"kernel-xen": "3.12.61-52.133.1",
"kgraft-patch-3_12_61-52_133-default": "1-1.5.1"
}
]
}
SUSE:Linux Enterprise Server 12-LTSS / kgraft-patch-SLE12_Update_35
Package
- Name
- kgraft-patch-SLE12_Update_35
- Purl
- purl:rpm/suse/kgraft-patch-SLE12_Update_35&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1-1.5.1
Ecosystem specific
{
"binaries": [
{
"kernel-macros": "3.12.61-52.133.1",
"kernel-devel": "3.12.61-52.133.1",
"kernel-default-base": "3.12.61-52.133.1",
"kernel-default-man": "3.12.61-52.133.1",
"kernel-xen-devel": "3.12.61-52.133.1",
"kernel-default": "3.12.61-52.133.1",
"kernel-source": "3.12.61-52.133.1",
"kgraft-patch-3_12_61-52_133-xen": "1-1.5.1",
"kernel-xen-base": "3.12.61-52.133.1",
"kernel-syms": "3.12.61-52.133.1",
"kernel-default-devel": "3.12.61-52.133.1",
"kernel-xen": "3.12.61-52.133.1",
"kgraft-patch-3_12_61-52_133-default": "1-1.5.1"
}
]
}