[security-announce] SUSE-SU-2013:1182-1: important: kernel update for SLE11 SP3

[news 28]

SUSE Security Update: kernel update for SLE11 SP3

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2013:1182-1

Rating: important

References: #763968 #773837 #785901 #797090 #797727 #801427

#803320 #804482 #804609 #805804 #806976 #808015

#808136 #808837 #808855 #809130 #809895 #809975

#810722 #812281 #812332 #812526 #812974 #813604

#813922 #815356 #816451 #817035 #817377 #818047

#818371 #818465 #819018 #819195 #819523 #819610

#819655 #820172 #820434 #821052 #821070 #821235

#821799 #821859 #821930 #822066 #822077 #822080

#822164 #822340 #822431 #822722 #822825 #823082

#823223 #823342 #823386 #823597 #823795 #824159

#825037 #825591 #825657 #825696 #826186

Cross-References: CVE-2013-0160 CVE-2013-1774 CVE-2013-1979

CVE-2013-3076 CVE-2013-3222 CVE-2013-3223

CVE-2013-3224 CVE-2013-3225 CVE-2013-3227

CVE-2013-3228 CVE-2013-3229 CVE-2013-3231

CVE-2013-3232 CVE-2013-3234 CVE-2013-3235

 

Affected Products:

SLE 11 SERVER Unsupported Extras

______________________________________________________________________________

 

An update that solves 15 vulnerabilities and has 50 fixes

is now available.

 

Description:

 

The SUSE Linux Enterprise 11 Service Pack 3 kernel was

updated to 3.0.82 and to fix various bugs and security

issues.

 

Following security issues were fixed: CVE-2013-1774: The

chase_port function in drivers/usb/serial/io_ti.c in the

Linux kernel allowed local users to cause a denial of

service (NULL pointer dereference and system crash) via an

attempted /dev/ttyUSB read or write operation on a

disconnected Edgeport USB serial converter.

 

CVE-2013-0160: Timing side channel on attacks were possible

on /dev/ptmx that could allow local attackers to predict

keypresses like e.g. passwords. This has been fixed again

by up[censored] accessed/modified time on the pty devices in

resolution of 8 seconds, so that idle time detection can

still work.

 

CVE-2013-3222: The vcc_recvmsg function in net/atm/common.c

in the Linux kernel did not initialize a certain length

variable, which allowed local users to obtain sensitive

information from kernel stack memory via a crafted recvmsg

or recvfrom system call.

 

CVE-2013-3223: The ax25_recvmsg function in

net/ax25/af_ax25.c in the Linux kernel did not initialize a

certain data structure, which allowed local users to obtain

sensitive information from kernel stack memory via a

crafted recvmsg or recvfrom system call.

 

CVE-2013-3224: The bt_sock_recvmsg function in

net/bluetooth/af_bluetooth.c in the Linux kernel did not

properly initialize a certain length variable, which

allowed local users to obtain sensitive information from

kernel stack memory via a crafted recvmsg or recvfrom

system call.

 

CVE-2013-3225: The rfcomm_sock_recvmsg function in

net/bluetooth/rfcomm/sock.c in the Linux kernel did not

initialize a certain length variable, which allowed local

users to obtain sensitive information from kernel stack

memory via a crafted recvmsg or recvfrom system call.

 

CVE-2013-3227: The caif_seqpkt_recvmsg function in

net/caif/caif_socket.c in the Linux kernel did not

initialize a certain length variable, which allowed local

users to obtain sensitive information from kernel stack

memory via a crafted recvmsg or recvfrom system call.

 

CVE-2013-3228: The irda_recvmsg_dgram function in

net/irda/af_irda.c in the Linux kernel did not initialize a

certain length variable, which allowed local users to

obtain sensitive information from kernel stack memory via a

crafted recvmsg or recvfrom system call.

 

CVE-2013-3229: The iucv_sock_recvmsg function in

net/iucv/af_iucv.c in the Linux kernel did not initialize a

certain length variable, which allowed local users to

obtain sensitive information from kernel stack memory via a

crafted recvmsg or recvfrom system call.

 

CVE-2013-3231: The llc_ui_recvmsg function in

net/llc/af_llc.c in the Linux kernel did not initialize a

certain length variable, which allowed local users to

obtain sensitive information from kernel stack memory via a

crafted recvmsg or recvfrom system call.

 

CVE-2013-3232: The nr_recvmsg function in

net/netrom/af_netrom.c in the Linux kernel did not

initialize a certain data structure, which allowed local

users to obtain sensitive information from kernel stack

memory via a crafted recvmsg or recvfrom system call.

 

CVE-2013-3234: The rose_recvmsg function in

net/rose/af_rose.c in the Linux kernel did not initialize a

certain data structure, which allowed local users to obtain

sensitive information from kernel stack memory via a

crafted recvmsg or recvfrom system call.

 

CVE-2013-3235: net/tipc/socket.c in the Linux kernel did

not initialize a certain data structure and a certain

length variable, which allowed local users to obtain

sensitive information from kernel stack memory via a

crafted recvmsg or recvfrom system call.

 

CVE-2013-3076: The crypto API in the Linux kernel did not

initialize certain length variables, which allowed local

users to obtain sensitive information from kernel stack

memory via a crafted recvmsg or recvfrom system call,

related to the hash_recvmsg function in crypto/algif_hash.c

and the skcipher_recvmsg function in

crypto/algif_skcipher.c.

 

CVE-2013-1979: The scm_set_cred function in

include/net/scm.h in the Linux kernel used incorrect uid

and gid values during credentials passing, which allowed

local users to gain privileges via a crafted application.

 

A kernel information leak via tkill/tgkill was fixed.

 

Following non security bugs were fixed: S/390:

- af_iucv: Missing man page (bnc#825037, LTC#94825).

- iucv: fix kernel panic at reboot (bnc#825037, LTC#93803).

- kernel: lost IPIs on CPU hotplug (bnc#825037, LTC#94784).

- dasd: Add missing descriptions for dasd timeout messages

(bnc#825037, LTC#94762).

- dasd: Fix hanging device after resume with internal error

13 (bnc#825037, LTC#94554).

- cio: Suppress 2nd path verification during resume

(bnc#825037, LTC#94554).

- vmcp: Missing man page (bnc#825037, LTC#94453).

- kernel: 3215 console crash (bnc#825037, LTC#94302).

- netiucv: Hold rtnl between name allocation and device

registration (bnc#824159).

- s390/ftrace: fix mcount adjustment (bnc#809895).

 

HyperV:

- Drivers: hv: Fix a bug in get_vp_index().

- hyperv: Fix a compiler warning in netvsc_send().

- Tools: hv: Fix a checkpatch warning.

- tools: hv: skip iso9660 mounts in hv_vss_daemon.

- tools: hv: use FIFREEZE/FITHAW in hv_vss_daemon.

- tools: hv: use getmntent in hv_vss_daemon.

- Tools: hv: Fix a checkpatch warning.

- tools: hv: fix checks for origin of netlink message in

hv_vss_daemon.

- Tools: hv: fix warnings in hv_vss_daemon.

- x86, hyperv: Handle Xen emulation of Hyper-V more

gracefully.

- hyperv: Fix a kernel warning from

netvsc_linkstatus_callback().

- Drivers: hv: balloon: make local functions static.

- tools: hv: daemon should check type of received Netlink

msg.

- tools: hv: daemon setsockopt should use options macros.

- tools: hv: daemon should subscribe only to CN_KVP_IDX

group.

- driver: hv: remove cast for kmalloc return value.

- hyperv: use 3.4 as LIC version string (bnc#822431).

 

BTRFS:

- btrfs: flush delayed inodes if we are short on space

(bnc#801427).

- btrfs: rework shrink_delalloc (bnc#801427).

- btrfs: fix our overcommit math (bnc#801427).

- btrfs: delay block group item insertion (bnc#801427).

- btrfs: remove bytes argument from do_chunk_alloc

(bnc#801427).

- btrfs: run delayed refs first when out of space

(bnc#801427).

- btrfs: do not commit instead of overcommitting

(bnc#801427).

- btrfs: do not take inode delalloc mutex if we are a free

space inode (bnc#801427).

- btrfs: fix chunk allocation error handling (bnc#801427).

- btrfs: remove extent mapping if we fail to add chunk

(bnc#801427).

- btrfs: do not overcommit if we do not have enough space

for global rsv (bnc#801427).

- btrfs: rework the overcommit logic to be based on the

total size (bnc#801427).

- btrfs: steal from global reserve if we are cleaning up

orphans (bnc#801427).

- btrfs: clear chunk_alloc flag on retryable failure

(bnc#801427).

- btrfs: use reserved space for creating a snapshot

(bnc#801427).

- btrfs: cleanup to make the function

btrfs_delalloc_reserve_metadata more logic (bnc#801427).

- btrfs: fix space leak when we fail to reserve metadata

space (bnc#801427).

- btrfs: fix space accounting for unlink and rename

(bnc#801427).

- btrfs: allocate new chunks if the space is not enough for

global rsv (bnc#801427).

- btrfs: various abort cleanups (bnc#812526 bnc#801427).

- btrfs: simplify unlink reservations (bnc#801427).

 

XFS:

- xfs: Move allocation stack switch up to xfs_bmapi

(bnc#815356).

- xfs: introduce XFS_BMAPI_STACK_SWITCH (bnc#815356).

- xfs: zero allocation_args on the kernel stack

(bnc#815356).

- xfs: fix debug_object WARN at xfs_alloc_vextent()

(bnc#815356).

- xfs: do not defer metadata allocation to the workqueue

(bnc#815356).

- xfs: introduce an allocation workqueue (bnc#815356).

- xfs: fix race while discarding buffers [V4] (bnc#815356

(comment 36)).

- xfs: Serialize file-extending direct IO (bnc#818371).

- xfs: Do not allocate new buffers on every call to

_xfs_buf_find (bnc#763968).

- xfs: fix buffer lookup race on allocation failure

(bnc#763968).

 

ALSA:

- Fix VT1708 jack detection on SLEPOS machines (bnc#813922).

- ALSA: hda - Avoid choose same converter for unused pins

(bnc#826186).

- ALSA: hda - Cache the MUX selection for generic HDMI

(bnc#826186).

- ALSA: hda - Haswell converter power state D0 verify

(bnc#826186).

- ALSA: hda - Do not take unresponsive D3 transition too

serious (bnc#823597).

- ALSA: hda - Introduce bit flags to

snd_hda_codec_read/write() (bnc#823597).

- ALSA: hda - Check CORB overflow (bnc#823597).

- ALSA: hda - Check validity of CORB/RIRB WP reads

(bnc#823597).

- ALSA: hda - Fix system panic when DMA > 40 bits for

Nvidia audio controllers (bnc#818465).

- ALSA: hda - Add hint for suppressing lower cap for IDT

codecs (bnc#812332).

- ALSA: hda - Enable mic-mute LED on more HP laptops

(bnc#821859).

 

Direct Rendering Manager (DRM):

- drm/i915: Add wait_for in init_ring_common (bnc#813604).

- drm/i915: Mark the ringbuffers as being in the GTT domain

(bnc#813604).

- drm/edid: Do not print messages regarding stereo or csync

by default (bnc #821235).

- drm/i915: force full modeset if the connector is in DPMS

OFF mode (bnc #809975).

- drm/i915/sdvo: Use &intel_sdvo->ddc instead of

intel_sdvo->i2c for DDC (bnc #808855).

- drm/mm: fix dump table BUG. (bnc#808837)

- drm/i915: Clear the stolen fb before enabling

(bnc#808015).

 

XEN:

- xen/netback: Update references (bnc#823342).

- xen: Check for insane amounts of requests on the ring.

- Update Xen patches to 3.0.82.

- netback: do not disconnect frontend when seeing oversize

packet.

- netfront: reduce gso_max_size to account for max TCP

header.

- netfront: fix kABI after "reduce gso_max_size to account

for max TCP header".

 

Other:

- x86, efi: retry ExitBootServices() on failure

(bnc#823386).

- x86/efi: Fix dummy variable buffer allocation

(bnc#822080).

 

- ext4: avoid hang when mounting non-journal filesystems

with orphan list (bnc#817377).

 

- mm: compaction: Scan PFN caching KABI workaround (Fix

KABI breakage (bnc#825657)).

 

- autofs4 - fix get_next_positive_subdir() (bnc#819523).

 

- ocfs2: Add bits_wanted while calculating credits in

ocfs2_calc_extend_credits (bnc#822077).

 

- writeback: Avoid needless scanning of b_dirty list

(bnc#819018).

- writeback: Do not sort b_io list only because of block

device inode (bnc#819018).

 

- re-enable io tracing (bnc#785901).

 

- pciehp: Corrected the old mismatching DMI strings.

 

- SUNRPC: Prevent an rpc_task wakeup race (bnc#825591).

 

- tg3: Prevent system hang during repeated EEH errors

(bnc#822066).

 

- scsi_dh_alua: multipath failover fails with error 15

(bnc#825696).

 

- Do not switch camera on HP EB 8780 (bnc#797090).

 

- Do not switch webcam for HP EB 8580w (bnc#797090).

 

- mm: fixup compilation error due to an asm write through a

const pointer. (bnc#823795)

 

- do not switch cam port on HP EliteBook 840 (bnc#822164).

 

- net/sunrpc: xpt_auth_cache should be ignored when expired

(bnc#803320).

- sunrpc/cache: ensure items removed from cache do not have

pending upcalls (bnc#803320).

- sunrpc/cache: remove races with queuing an upcall

(bnc#803320).

- sunrpc/cache: use cache_fresh_unlocked consistently and

correctly (bnc#803320).

 

- KVM: x86: emulate movdqa (bnc#821070).

- KVM: x86: emulator: add support for vector alignment

(bnc#821070).

- KVM: x86: emulator: expand decode flags to 64 bits

(bnc#821070).

 

- xhci - correct comp_mode_recovery_timer on return from

hibernate (bnc#808136).

 

- md/raid10 enough fixes (bnc#773837).

 

- lib/Makefile: Fix oid_registry build dependency

(bnc#823223).

 

- Update config files: disable IP_PNP (bnc#822825)

 

- Fix kABI breakage for addition of

snd_hda_bus.no_response_fallback (bnc#823597).

 

- Disable efi pstore by default (bnc#804482 bnc#820172).

 

- md: Fix problem with GET_BITMAP_FILE returning wrong

status (bnc#812974).

 

- bnx2x: Fix bridged GSO for 57710/57711 chips (bnc#819610).

 

- USB: xHCI: override bogus bulk wMaxPacketSize values

(bnc#823082).

 

- BTUSB: Add MediaTek bluetooth MT76x0E support (bnc#797727

bnc#822340).

 

- qlge: Update version to 1.00.00.32 (bnc#819195).

- qlge: Fix ethtool autoneg advertising (bnc#819195).

- qlge: Fix receive path to drop error frames (bnc#819195).

- qlge: remove NETIF_F_TSO6 flag (bnc#819195).

- remove init of dev->perm_addr in drivers (bnc#819195).

- drivers/net: fix up function prototypes after __dev*

removals (bnc#819195).

- qlge: remove __dev* attributes (bnc#819195).

- drivers: ethernet: qlogic: qlge_dbg.c: Fixed a coding

style issue (bnc#819195).

 

- cxgb4: Force uninitialized state if FW_ON_ADAPTER is <

FW_VERSION and we are the MASTER_PF (bnc#809130).

 

- USB: UHCI: fix for suspend of virtual HP controller

(bnc#817035).

 

- timer_list: Convert timer list to be a proper seq_file

(bnc#818047).

- timer_list: Split timer_list_show_tickdevices

(bnc#818047).

- sched: Fix /proc/sched_debug failure on very very large

systems (bnc#818047).

- sched: Fix /proc/sched_stat failure on very very large

systems (bnc#818047).

 

- reiserfs: fix spurious multiple-fill in

reiserfs_readdir_dentry (bnc#822722).

 

- libfc: do not exch_done() on invalid sequence ptr

(bnc#810722).

 

- netfilter: ip6t_LOG: fix logging of packet mark

(bnc#821930).

 

 

- virtio_net: introduce VIRTIO_NET_HDR_F_DATA_VALID

(bnc#819655).

 

- HWPOISON: fix misjudgement of page_action() for errors on

mlocked pages (Memory failure RAS (bnc#821799)).

- HWPOISON: check dirty flag to match against clean page

(Memory failure RAS (bnc#821799)).

- HWPOISON: change order of error_states elements (Memory

failure RAS (bnc#821799)).

- mm: hwpoison: fix action_result() to print out

dirty/clean (Memory failure RAS (bnc#821799)).

 

- mm: mmu_notifier: re-fix freed page still mapped in

secondary MMU (bnc#821052).

 

- Do not switch webcams in some HP ProBooks to XHCI

(bnc#805804).

 

- Do not switch BT on HP ProBook 4340 (bnc#812281).

 

- mm: memory_dev_init make sure nmi watchdog does not

trigger while registering memory sections (bnc#804609,

bnc#820434).

 

- mm: compaction: Restart compaction from near where it

left off

- mm: compaction: cache if a pageblock was scanned and no

pages were isolated

- mm: compaction: clear PG_migrate_skip based on compaction

and reclaim activity

- mm: compaction: Scan PFN caching KABI workaround

- mm: page_allocator: Remove first_pass guard

- mm: vmscan: do not stall on writeback during memory

compaction Cache compaction restart points for faster

compaction cycles (bnc#816451)

 

 

Special Instructions and Notes:

 

Please reboot the system after installing this update.

 

 

Package List:

 

- SLE 11 SERVER Unsupported Extras (ppc64 s390x x86_64):

 

kernel-default-extra-3.0.82-0.7.9

 

- SLE 11 SERVER Unsupported Extras (x86_64):

 

kernel-xen-extra-3.0.82-0.7.9

 

- SLE 11 SERVER Unsupported Extras (ppc64):

 

kernel-ppc64-extra-3.0.82-0.7.9

 

 

References:

 

http://support.novell.com/security/cve/CVE-2013-0160.html

http://support.novell.com/security/cve/CVE-2013-1774.html

http://support.novell.com/security/cve/CVE-2013-1979.html

http://support.novell.com/security/cve/CVE-2013-3076.html

http://support.novell.com/security/cve/CVE-2013-3222.html

http://support.novell.com/security/cve/CVE-2013-3223.html

http://support.novell.com/security/cve/CVE-2013-3224.html

http://support.novell.com/security/cve/CVE-2013-3225.html

http://support.novell.com/security/cve/CVE-2013-3227.html

http://support.novell.com/security/cve/CVE-2013-3228.html

http://support.novell.com/security/cve/CVE-2013-3229.html

http://support.novell.com/security/cve/CVE-2013-3231.html

http://support.novell.com/security/cve/CVE-2013-3232.html

http://support.novell.com/security/cve/CVE-2013-3234.html

http://support.novell.com/security/cve/CVE-2013-3235.html

https://bugzilla.novell.com/763968

https://bugzilla.novell.com/773837

https://bugzilla.novell.com/785901

https://bugzilla.novell.com/797090

https://bugzilla.novell.com/797727

https://bugzilla.novell.com/801427

https://bugzilla.novell.com/803320

https://bugzilla.novell.com/804482

https://bugzilla.novell.com/804609

https://bugzilla.novell.com/805804

https://bugzilla.novell.com/806976

https://bugzilla.novell.com/808015

https://bugzilla.novell.com/808136

https://bugzilla.novell.com/808837

https://bugzilla.novell.com/808855

https://bugzilla.novell.com/809130

https://bugzilla.novell.com/809895

https://bugzilla.novell.com/809975

https://bugzilla.novell.com/810722

https://bugzilla.novell.com/812281

https://bugzilla.novell.com/812332

https://bugzilla.novell.com/812526

https://bugzilla.novell.com/812974

https://bugzilla.novell.com/813604

https://bugzilla.novell.com/813922

https://bugzilla.novell.com/815356

https://bugzilla.novell.com/816451

https://bugzilla.novell.com/817035

https://bugzilla.novell.com/817377

https://bugzilla.novell.com/818047

https://bugzilla.novell.com/818371

https://bugzilla.novell.com/818465

https://bugzilla.novell.com/819018

https://bugzilla.novell.com/819195

https://bugzilla.novell.com/819523

https://bugzilla.novell.com/819610

https://bugzilla.novell.com/819655

https://bugzilla.novell.com/820172

https://bugzilla.novell.com/820434

https://bugzilla.novell.com/821052

https://bugzilla.novell.com/821070

https://bugzilla.novell.com/821235

https://bugzilla.novell.com/821799

https://bugzilla.novell.com/821859

https://bugzilla.novell.com/821930

https://bugzilla.novell.com/822066

https://bugzilla.novell.com/822077

https://bugzilla.novell.com/822080

https://bugzilla.novell.com/822164

https://bugzilla.novell.com/822340

https://bugzilla.novell.com/822431

https://bugzilla.novell.com/822722

https://bugzilla.novell.com/822825

https://bugzilla.novell.com/823082

https://bugzilla.novell.com/823223

https://bugzilla.novell.com/823342

https://bugzilla.novell.com/823386

https://bugzilla.novell.com/823597

https://bugzilla.novell.com/823795

https://bugzilla.novell.com/824159

https://bugzilla.novell.com/825037

https://bugzilla.novell.com/825591

https://bugzilla.novell.com/825657

https://bugzilla.novell.com/825696

https://bugzilla.novell.com/826186

http://download.novell.com/patch/finder/?keywords=9deafe882b5e3b5f0df9f5075f0d6114

http://download.novell.com/patch/finder/?keywords=bdd1cc737ed1a109b28b077184acad08

http://download.novell.com/patch/finder/?keywords=ddd472e1f756fe2a224c4a247ce90bef

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org