You are here
Home > Preporuke > Sigurnosni nedostaci Live Patching servisa

Sigurnosni nedostaci Live Patching servisa

by ncert - 0

SUSE Security Update: Security update for Linux Kernel Live Patch 8 for SLE 12 SP2
______________________________________________________________________________

Announcement ID: SUSE-SU-2017:2046-1
Rating: important
References: #1038564 #1042364 #1042892 #1046191 #1046202
#1046206 #1047518 #1050751
Cross-References: CVE-2017-7533 CVE-2017-7645 CVE-2017-8797
CVE-2017-8890 CVE-2017-9077 CVE-2017-9242

Affected Products:
SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

An update that solves 6 vulnerabilities and has two fixes
is now available.

Description:

This update for the Linux Kernel 4.4.59-92_20 fixes several issues.

The following security bugs were fixed:

– CVE-2017-7533: A bug in inotify code allowed local users to escalate
privilege (bsc#1050751).
– CVE-2017-8797: The NFSv4 server in the Linux kernel did not properly
validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or
LAYOUTGET operand in a UDP packet from a remote attacker. This type
value is uninitialized upon encountering certain error conditions. This
value is used as an array index for dereferencing, which leads to an
OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system
(bsc#1046202)
– CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux
kernel allowed remote attackers to cause a denial of service (system
crash) via a long RPC reply, related to net/sunrpc/svc.c,
fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).
– CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c
in the Linux kernel is too late in checking whether an overwrite of an
skb data structure may occur, which allowed local users to cause a
denial of service (system crash) via crafted system calls (bsc#1042892).
– CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c
in the Linux kernel mishandled inheritance, which allowed local users to
cause a denial of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890 (bsc#1042364).
– CVE-2017-8890: The inet_csk_clone_lock function in
net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to
cause a denial of service (double free) or possibly have unspecified
other impact by leveraging use of the accept system call (bsc#1038564).

The following non-security bug was fixed:

– Fix for a btrfs deadlock between btrfs-cleaner and user space thread
regression, which could cause spurious WARN_ON’s from
fs/btrfs/qgroup.c:1445 during patch application if BTRFS quota groups
are enabled. (bsc#1047518)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Live Patching 12:

zypper in -t patch SUSE-SLE-Live-Patching-12-2017-1258=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Live Patching 12 (x86_64):

kgraft-patch-4_4_59-92_20-default-3-2.1

References:

https://www.suse.com/security/cve/CVE-2017-7533.html
https://www.suse.com/security/cve/CVE-2017-7645.html
https://www.suse.com/security/cve/CVE-2017-8797.html
https://www.suse.com/security/cve/CVE-2017-8890.html
https://www.suse.com/security/cve/CVE-2017-9077.html
https://www.suse.com/security/cve/CVE-2017-9242.html
https://bugzilla.suse.com/1038564
https://bugzilla.suse.com/1042364
https://bugzilla.suse.com/1042892
https://bugzilla.suse.com/1046191
https://bugzilla.suse.com/1046202
https://bugzilla.suse.com/1046206
https://bugzilla.suse.com/1047518
https://bugzilla.suse.com/1050751


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

SUSE Security Update: Security update for Linux Kernel Live Patch 7 for SLE 12 SP2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:2064-1
Rating:             important
References:         #1038564 #1042364 #1042892 #1046191 #1046202
                    #1046206 #1047518 #1050751
Cross-References:   CVE-2017-7533 CVE-2017-7645 CVE-2017-8797
                    CVE-2017-8890 CVE-2017-9077 CVE-2017-9242
                  
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has two fixes
   is now available.

Description:

   This update for the Linux Kernel 4.4.59-92_17 fixes several issues.

   The following security bugs were fixed:

   – CVE-2017-7533: A bug in inotify code allowed local users to escalate
     privilege (bsc#1050751).
   – CVE-2017-8797: The NFSv4 server in the Linux kernel did not properly
     validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or
     LAYOUTGET operand in a UDP packet from a remote attacker. This type
     value is uninitialized upon encountering certain error conditions. This
     value is used as an array index for dereferencing, which leads to an
     OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system
     (bsc#1046202)
   – CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux
     kernel allowed remote attackers to cause a denial of service (system
     crash) via a long RPC reply, related to net/sunrpc/svc.c,
     fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).
   – CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c
     in the Linux kernel is too late in checking whether an overwrite of an
     skb data structure may occur, which allowed local users to cause a
     denial of service (system crash) via crafted system calls (bsc#1042892).
   – CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c
     in the Linux kernel mishandled inheritance, which allowed local users to
     cause a denial of service or possibly have unspecified other impact via
     crafted system calls, a related issue to CVE-2017-8890 (bsc#1042364).
   – CVE-2017-8890: The inet_csk_clone_lock function in
     net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to
     cause a denial of service (double free) or possibly have unspecified
     other impact by leveraging use of the accept system call (bsc#1038564).

   The following non-security bug was fixed:

   – Fix for a btrfs deadlock between btrfs-cleaner and user space thread
     regression, which could cause spurious WARN_ON’s from
     fs/btrfs/qgroup.c:1445 during patch application if BTRFS quota groups
     are enabled.  (bsc#1047518)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   – SUSE Linux Enterprise Live Patching 12:

      zypper in -t patch SUSE-SLE-Live-Patching-12-2017-1266=1

   To bring your system up-to-date, use “zypper patch”.

Package List:

   – SUSE Linux Enterprise Live Patching 12 (x86_64):

      kgraft-patch-4_4_59-92_17-default-3-2.1

References:

   https://www.suse.com/security/cve/CVE-2017-7533.html
   https://www.suse.com/security/cve/CVE-2017-7645.html
   https://www.suse.com/security/cve/CVE-2017-8797.html
   https://www.suse.com/security/cve/CVE-2017-8890.html
   https://www.suse.com/security/cve/CVE-2017-9077.html
   https://www.suse.com/security/cve/CVE-2017-9242.html
   https://bugzilla.suse.com/1038564
   https://bugzilla.suse.com/1042364
   https://bugzilla.suse.com/1042892
   https://bugzilla.suse.com/1046191
   https://bugzilla.suse.com/1046202
   https://bugzilla.suse.com/1046206
   https://bugzilla.suse.com/1047518
   https://bugzilla.suse.com/1050751


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

SUSE Security Update: Security update for Linux Kernel Live Patch 9 for SLE 12 SP2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:2066-1
Rating:             important
References:         #1038564 #1042364 #1042892 #1046191 #1046202
                    #1046206 #1047518 #1050751
Cross-References:   CVE-2017-7533 CVE-2017-7645 CVE-2017-8797
                    CVE-2017-8890 CVE-2017-9077 CVE-2017-9242
                  
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has two fixes
   is now available.

Description:

   This update for the Linux Kernel 4.4.59-92_24 fixes several issues.

   The following security bugs were fixed:

   – CVE-2017-7533: A bug in inotify code allowed local users to escalate
     privilege (bsc#1050751).
   – CVE-2017-8797: The NFSv4 server in the Linux kernel did not properly
     validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or
     LAYOUTGET operand in a UDP packet from a remote attacker. This type
     value is uninitialized upon encountering certain error conditions. This
     value is used as an array index for dereferencing, which leads to an
     OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system
     (bsc#1046202)
   – CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux
     kernel allowed remote attackers to cause a denial of service (system
     crash) via a long RPC reply, related to net/sunrpc/svc.c,
     fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).
   – CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c
     in the Linux kernel is too late in checking whether an overwrite of an
     skb data structure may occur, which allowed local users to cause a
     denial of service (system crash) via crafted system calls (bsc#1042892).
   – CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c
     in the Linux kernel mishandled inheritance, which allowed local users to
     cause a denial of service or possibly have unspecified other impact via
     crafted system calls, a related issue to CVE-2017-8890 (bsc#1042364).
   – CVE-2017-8890: The inet_csk_clone_lock function in
     net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to
     cause a denial of service (double free) or possibly have unspecified
     other impact by leveraging use of the accept system call (bsc#1038564).

   The following non-security bug was fixed:

   – Fix for a btrfs deadlock between btrfs-cleaner and user space thread
     regression, which could cause spurious WARN_ON’s from
     fs/btrfs/qgroup.c:1445 during patch application if BTRFS quota groups
     are enabled.  (bsc#1047518)

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   – SUSE Linux Enterprise Live Patching 12:

      zypper in -t patch SUSE-SLE-Live-Patching-12-2017-1264=1

   To bring your system up-to-date, use “zypper patch”.

Package List:

   – SUSE Linux Enterprise Live Patching 12 (x86_64):

      kgraft-patch-4_4_59-92_24-default-2-2.1

References:

   https://www.suse.com/security/cve/CVE-2017-7533.html
   https://www.suse.com/security/cve/CVE-2017-7645.html
   https://www.suse.com/security/cve/CVE-2017-8797.html
   https://www.suse.com/security/cve/CVE-2017-8890.html
   https://www.suse.com/security/cve/CVE-2017-9077.html
   https://www.suse.com/security/cve/CVE-2017-9242.html
   https://bugzilla.suse.com/1038564
   https://bugzilla.suse.com/1042364
   https://bugzilla.suse.com/1042892
   https://bugzilla.suse.com/1046191
   https://bugzilla.suse.com/1046202
   https://bugzilla.suse.com/1046206
   https://bugzilla.suse.com/1047518
   https://bugzilla.suse.com/1050751


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

SUSE Security Update: Security update for Linux Kernel Live Patch 6 for SLE 12 SP2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2017:2070-1
Rating:             important
References:         #1038564 #1042364 #1042892 #1046191 #1046202
                    #1046206 #1050751
Cross-References:   CVE-2017-7533 CVE-2017-7645 CVE-2017-8797
                    CVE-2017-8890 CVE-2017-9077 CVE-2017-9242
                  
Affected Products:
                    SUSE Linux Enterprise Live Patching 12
______________________________________________________________________________

   An update that solves 6 vulnerabilities and has one errata
   is now available.

Description:

   This update for the Linux Kernel 4.4.49-92_14 fixes several issues.

   The following security bugs were fixed:

   – CVE-2017-7533: A bug in inotify code allowed local users to escalate
     privilege (bsc#1050751).
   – CVE-2017-8797: The NFSv4 server in the Linux kernel did not properly
     validate the layout type when processing the NFSv4 pNFS GETDEVICEINFO or
     LAYOUTGET operand in a UDP packet from a remote attacker. This type
     value is uninitialized upon encountering certain error conditions. This
     value is used as an array index for dereferencing, which leads to an
     OOPS and eventually a DoS of knfsd and a soft-lockup of the whole system
     (bsc#1046202)
   – CVE-2017-7645: The NFSv2/NFSv3 server in the nfsd subsystem in the Linux
     kernel allowed remote attackers to cause a denial of service (system
     crash) via a long RPC reply, related to net/sunrpc/svc.c,
     fs/nfsd/nfs3xdr.c, and fs/nfsd/nfsxdr.c (bsc#1046191).
   – CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c
     in the Linux kernel is too late in checking whether an overwrite of an
     skb data structure may occur, which allowed local users to cause a
     denial of service (system crash) via crafted system calls (bsc#1042892).
   – CVE-2017-9077: The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c
     in the Linux kernel mishandled inheritance, which allowed local users to
     cause a denial of service or possibly have unspecified other impact via
     crafted system calls, a related issue to CVE-2017-8890 (bsc#1042364).
   – CVE-2017-8890: The inet_csk_clone_lock function in
     net/ipv4/inet_connection_sock.c in the Linux kernel allowed attackers to
     cause a denial of service (double free) or possibly have unspecified
     other impact by leveraging use of the accept system call (bsc#1038564).

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   – SUSE Linux Enterprise Live Patching 12:

      zypper in -t patch SUSE-SLE-Live-Patching-12-2017-1265=1

   To bring your system up-to-date, use “zypper patch”.

Package List:

   – SUSE Linux Enterprise Live Patching 12 (x86_64):

      kgraft-patch-4_4_49-92_14-default-4-2.1

References:

   https://www.suse.com/security/cve/CVE-2017-7533.html
   https://www.suse.com/security/cve/CVE-2017-7645.html
   https://www.suse.com/security/cve/CVE-2017-8797.html
   https://www.suse.com/security/cve/CVE-2017-8890.html
   https://www.suse.com/security/cve/CVE-2017-9077.html
   https://www.suse.com/security/cve/CVE-2017-9242.html
   https://bugzilla.suse.com/1038564
   https://bugzilla.suse.com/1042364
   https://bugzilla.suse.com/1042892
   https://bugzilla.suse.com/1046191
   https://bugzilla.suse.com/1046202
   https://bugzilla.suse.com/1046206
   https://bugzilla.suse.com/1050751


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

ncert
Top
More in Preporuke
Sigurnosni nedostaci Live Patching servisa

Izdana je nadogradnja za Live Patching servis za operacijski sustav SUSE. Otkriveni nedostaci potencijalnim lokalnim napadačima omogućuju stjecanje uvećanih ovlasti,...

Close