Description: The SUSE Linux Enterprise 12 SP3 Kernel for Teradata was updated to receive the following fixes:
Security fixes:
- CVE-2020-36386: An issue exists in the Linux kernel prior to 5.8.1. net/bluetooth/hci_event.c has a slab out-of-bounds read in hci_extended_inquiry_result_evt (bsc#1187038)
- CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets (bsc#1185861)
- CVE-2021-32399: net/bluetooth/hci_request.c in the Linux kernel through 5.12.2 has a race condition for removal of the HCI controller (bsc#1184611)
- CVE-2021-33034: In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan. This leads to writing an arbitrary value (bsc#1186111)
- CVE-2020-26139: An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients (bsc#1186062)
- CVE-2021-23134: Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privileged local user with the CAP_NET_RAW capability (bsc#1186060)
- CVE-2020-26141: An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol (bsc#1185987)
- CVE-2020-26145: An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration (bsc#1185860)
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data (bsc#1185863, bsc#1185862, bsc#1185859)
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bsc#1185863, bsc#1185862, bsc#1185859)
- CVE-2020-26147: An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bsc#1185863, bsc#1185859)
- CVE-2020-36312: An issue was discovered in the Linux kernel before 5.8.10. virt/kvm/kvm_main.c has a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bsc#1184509)
- CVE-2021-29650: An issue was discovered in the Linux kernel before 5.11.11. The netfilter subsystem allows attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bsc#1184208)
- CVE-2020-27673: An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0 (bsc#1184583, bsc#1183638)
- CVE-2021-29154: BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c (bsc#1184391)
- CVE-2020-25673: A vulnerability was found in the Linux kernel where a non-blocking socket in llcp_sock_connect() leads to a leak and eventually hangs the system (bsc#1178181)
- CVE-2020-25672: A memory leak vulnerability was found in the Linux kernel in llcp_sock_connect() (bsc#1178181)
- CVE-2020-25671: A vulnerability was found in the Linux kernel where a refcount leak in llcp_sock_connect() causes a use-after-free which might lead to privilege escalation (bsc#1178181)
- CVE-2020-25670: A vulnerability was found in the Linux kernel where a refcount leak in llcp_sock_bind() causes a use-after-free which might lead to privilege escalation (bsc#1178181)
- CVE-2021-28950: An issue was discovered in fs/fuse/fuse_i.h in the Linux kernel before 5.11.8. A 'stall on CPU' can occur because a retry loop continually finds the same bad inode (bsc#1184211)
- CVE-2020-36322: An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184211)
- CVE-2021-30002: An issue was discovered in the Linux kernel before 5.11.3 when a webcam device exists. video_usercopy in drivers/media/v4l2-core/v4l2-ioctl.c has a memory leak for large arguments (bsc#1184120)
- CVE-2021-3483: A flaw was found in the Nosy driver in the Linux kernel. This issue allows a device to be inserted twice into a doubly-linked list, leading to a use-after-free when one of these devices is removed. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Versions before kernel 5.12-rc6 are affected (bsc#1184393)
- CVE-2021-20219: A denial of service vulnerability was found in n_tty_receive_char_special in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could delay the loop (due to a changing ldata->read_head, and a missing sanity check) and cause a threat to the system availability (bsc#1184397)
- CVE-2021-29265: An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bsc#1184167)
- CVE-2021-29264: An issue was discovered in the Linux kernel through 5.11.10. drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver allows attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bsc#1184168)
- CVE-2021-28972: In drivers/pci/hotplug/rpadlpar_sysfs.c in the Linux kernel through 5.11.8, the RPA PCI Hotplug driver has a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bsc#1184198)
- CVE-2021-28660: rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org releases, CVE IDs are not normally used for drivers/staging/* (unfinished work); however, system integrators may have situations in which a drivers/staging issue is relevant to their own customer base (bsc#1183593)
- CVE-2021-26931: An issue was discovered in the Linux kernel 2.6.39 through 5.10.16, as used in Xen. Block, net, and SCSI backends consider certain errors a plain bug, deliberately causing a kernel crash. For errors potentially being at least under the influence of guests (such as out of memory conditions), it isn't correct to assume a plain bug. Memory allocations potentially causing such crashes occur only when Linux is running in PV mode, though. This affects drivers/block/xen-blkback/blkback.c and drivers/xen/xen-scsiback.c (bsc#1181753)
- CVE-2020-0433: In blk_mq_queue_tag_busy_iter of blk-mq-tag.c, there is a possible use after free due to improper locking. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bsc#1176720, bsc#1167316)
- CVE-2021-28038: An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bsc#1183022)
- CVE-2021-27365: An issue was discovered in the Linux kernel through 5.11.3. Certain iSCSI data structures do not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bsc#1182715)
- CVE-2021-27363: An issue was discovered in the Linux kernel through 5.11.3. A kernel pointer leak can be used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bsc#1182716)
- CVE-2021-27364: An issue was discovered in the Linux kernel through 5.11.3. drivers/scsi/scsi_transport_iscsi.c is adversely affected by the ability of an unprivileged user to craft Netlink messages (bsc#1182717)
- CVE-2020-1749: A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality (bsc#1165629)
- CVE-2021-26930: An issue was discovered in the Linux kernel 3.11 through 5.10.16, as used by Xen. To service requests to the PV backend, the driver maps grant references provided by the frontend. In this process, errors may be encountered. In one case, an error encountered earlier might be discarded by later processing, resulting in the caller assuming successful mapping, and hence subsequent operations trying to access space that wasn't mapped. In another case, internal state would be insufficiently updated, preventing safe recovery from the error. This affects drivers/block/xen-blkback/blkback.c (bsc#1181843)
- CVE-2021-26932: An issue was discovered in the Linux kernel 3.2 through 5.10.16, as used by Xen. Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one is reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation. Unfortunately, when running in PV mode, the Linux backend drivers mishandle this: Some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones to not be possible to properly unmap upon error recovery. Only systems with Linux backends running in PV mode are vulnerable. Linux backends run in HVM / PVH modes are not vulnerable. This affects arch/*/xen/p2m.c and drivers/xen/gntdev.c (bsc#1181747)
- CVE-2020-27786: A flaw was found in the Linux kernel’s implementation of MIDI, where an attacker with a local account and the permissions to issue ioctl commands to midi devices could trigger a use-after-free issue. A write to this specific memory while freed and before use causes the flow of execution to change and possibly allow for memory corruption or privilege escalation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability (bsc#1179601)
- CVE-2020-27835: A use after free in the Linux kernel InfiniBand hfi1 driver in versions prior to 5.10-rc6 was found in the way a user calls ioctl after opening the device file and forking. A local user could use this flaw to crash the system (bsc#1179878)
- CVE-2020-28374: In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10.7, insufficient identifier checking in the LIO SCSI target code can be used by remote attackers to read or write files via directory traversal in an XCOPY request, aka CID-2896c93811e3. For example, an attack can occur over a network if the attacker has access to one iSCSI LUN. The attacker gains control over file access because I/O operations are proxied via an attacker-selected backstore (bsc#1178372)
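As an added practitioner check that is not part of the SUSE advisory: the POSIX shell snippet below extracts the distinct CVE ids from an advisory text and reports which of them an installed kernel's RPM changelog never references. It assumes the SUSE kernel package's changelog (obtained on a real host with `rpm -q --changelog kernel-default`, or whichever kernel flavor is installed) carries the same CVE references the advisory does; the advisory excerpt and changelog fragment embedded here are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: check an installed kernel
# against the CVE list above by scanning the RPM changelog that SUSE ships
# with the kernel package (its entries carry CVE and bsc# references).
#
# On a real host the two inputs come from:
#   advisory text : this page, saved to a file
#   changelog     : rpm -q --changelog kernel-default   (or the installed flavor)
# Both are replaced here by constructed samples so the script runs offline.

# advisory_cves: print every distinct CVE id found in the text on stdin,
# one per line, sorted. Duplicated advisory entries collapse to one id.
advisory_cves() {
    grep -Eo 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# missing_cves: read a changelog on stdin; print each CVE id given as an
# argument that the changelog does not mention. The id is anchored on both
# sides so that CVE-2020-2467 cannot be satisfied by a mention of
# CVE-2020-24675. Returns 0 when every id was found, 1 otherwise.
missing_cves() {
    log=$(cat)
    rc=0
    for cve in "$@"; do
        if ! printf '%s\n' "$log" | grep -Eq "(^|[^0-9])${cve}([^0-9]|\$)"; then
            printf '%s\n' "$cve"
            rc=1
        fi
    done
    return $rc
}

# Constructed advisory excerpt: three ids, one of them listed twice, just as
# the duplicated FragAttacks entries appear in the list above.
ADVISORY_SAMPLE='- CVE-2020-36386: slab out-of-bounds read in hci_extended_inquiry_result_evt
- CVE-2020-24586: received fragments not cleared from memory after (re)connecting
- CVE-2020-24586: received fragments not cleared from memory after (re)connecting
- CVE-2021-30002: video_usercopy memory leak for large arguments'

# Constructed changelog fragment in the style of rpm -q --changelog output.
# It references two of the three advisory ids; the third is deliberately absent.
CHANGELOG_SAMPLE='* Wed Jun 16 2021 - maintainer@example.com
- Bluetooth: fix slab out-of-bounds read in hci_extended_inquiry_result_evt
  (CVE-2020-36386 bsc#1187038).
- mac80211: clear received fragments on (re)connect (CVE-2020-24586 bsc#1185859).
- scsi: storvsc: Enable scatterlist entry lengths > 4Kbytes (bsc#1187193).'

# Usage: feed the advisory's CVE list into the changelog check. On a real
# host replace the two printf pipelines with the advisory file and the rpm
# changelog. Word splitting of the unquoted $(...) is intended: one id per arg.
if printf '%s\n' "$CHANGELOG_SAMPLE" \
     | missing_cves $(printf '%s\n' "$ADVISORY_SAMPLE" | advisory_cves); then
    echo "changelog references every CVE in the advisory"
else
    echo "ids printed above are not referenced: kernel still exposed or changelog incomplete"
fi
```

A missing id means either the fix is not in the installed package or the changelog entry does not cite the CVE, so treat the output as a list of items to verify against the package version, not as proof of exposure.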
Regular fixes or improvements:
- scsi: storvsc: Enable scatterlist entry lengths > 4Kbytes (bsc#1187193)
- mm: consider __HW_POISON pages when allocating from pcp lists (bsc#1187388)
- video: hyperv_fb: Add ratelimit on error message (bsc#1185724)
- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185724)
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185724)
- genirq: Fix reference leaks on irq affinity notifiers (bsc#1185433)
- genirq: Prevent use-after-free and work list corruption (bsc#1012382, bsc#1185433)
- blacklist.conf: blacklist d120198bd5ff ('xen/evtchn: Change irq_info lock to raw_spinlock_t'): no PREEMPT_RT kernel is pulling from this CVE branch, and this is a follow-up fix for a CVE fix
- KVM: Add proper lockdep assertion in I/O bus unregister (bsc#1185555)
- KVM: Stop looking for coalesced MMIO zones if the bus is destroyed (bsc#1185557)
- KVM: Destroy I/O bus devices on unregister failure after syncing SRCU (bsc#1185556)
- hv_netvsc: fix deadlock on hotplug (bsc#1175462)
- hv_netvsc: Simplify num_chn checking in rndis_filter_device_add() (bsc#1175462)
- netvsc: delay setup of VF device (bsc#1175462)
- netvsc: fix race on sub channel creation (bsc#1175462)
- netvsc: fix race during initialization (bsc#1175462)
- hv_netvsc: Fix unwanted wakeup in netvsc_attach() (bsc#1175462)
- hv_netvsc: Fix tx_table init in rndis_set_subchannel() (bsc#1175462)
- hv_netvsc: flag software created hash value (bsc#1175462)
- hv_netvsc: Fix error handling in netvsc_attach() (bsc#1175462)
- hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback() (bsc#1175462)
- hv_netvsc: fix race that may miss tx queue wakeup (bsc#1175462)
- hv_netvsc: Fix unwanted wakeup after tx_disable (bsc#1175462)
- hv_netvsc: Fix IP header checksum for coalesced packets (bsc#1175462)
- hv_netvsc: Fix hash key value reset after other ops (bsc#1175462)
- hv_netvsc: Refactor assignments of struct netvsc_device_info (bsc#1175462)
- hv_netvsc: fix schedule in RCU context (bsc#1175462)
- hv_netvsc: Fix a deadlock by getting rtnl lock earlier in netvsc_probe() (bsc#1175462)
- hv/netvsc: Fix NULL dereference at single queue mode fallback (bsc#1175462)
- hv/netvsc: fix handling of fallback to single queue mode (bsc#1175462)
- hv_netvsc: split sub-channel setup into async and sync (bsc#1175462)
- hv_netvsc: Fix the variable sizes in ipsecv2 and rsc offload (bsc#1175462)
- hv_netvsc: fix network namespace issues with VF support (bsc#1175462)
- hv_netvsc: Fix a network regression after ifdown/ifup (bsc#1175462)
- hv_netvsc: Add handlers for ethtool get/set msg level (bsc#1175462)
- hv_netvsc: typo in NDIS RSS parameters structure (bsc#1175462)
- hv_netvsc: set master device (bsc#1175462)
- hv_netvsc: Fix net device attach on older Windows hosts (bsc#1175462)
- hv_netvsc: Ensure correct teardown message sequence order (bsc#1175462)
- hv_netvsc: Split netvsc_revoke_buf() and netvsc_teardown_gpadl() (bsc#1175462)
- hv_netvsc: Use Windows version instead of NVSP version on GPAD teardown (bsc#1175462)
- hv_netvsc: common detach logic (bsc#1175462)
- hv_netvsc: pass netvsc_device to rndis halt (bsc#1175462)
- hv_netvsc: change GPAD teardown order on older versions (bsc#1175462)
- hv_netvsc: use RCU to fix concurrent rx and queue changes (bsc#1175462)
- hv_netvsc: disable NAPI before channel close (bsc#1175462)
- hv_netvsc: cancel subchannel setup before halting device (bsc#1175462)
- hv_netvsc: fix error unwind handling if vmbus_open fails (bsc#1175462)
- hv_netvsc: only wake transmit queue if link is up (bsc#1175462)
- hv_netvsc: avoid retry on send during shutdown (bsc#1175462)
- hv_netvsc: use reciprocal divide to speed up percent calculation (bsc#1175462)
- hv_netvsc: preserve hw_features on mtu/channels/ringparam changes (bsc#1175462)
- hv_netvsc: netvsc_teardown_gpadl() split (bsc#1175462)
- hv_netvsc: Set tx_table to equal weight after subchannels open (bsc#1175462)
- hv_netvsc: avoid unnecessary wakeups on subchannel creation (bsc#1175462)
- ext4: check journal inode extents more carefully (bsc#1173485)
- ext4: don't allow overlapping system zones (bsc#1173485)
- ext4: handle error of ext4_setup_system_zone() on remount (bsc#1173485)
- x86: fix speculation bug reporting (bsc#1012382)
- xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022)
- Xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022)
- xen/netback: fix spurious event detection for common event case (bsc#1182175)
- blacklist.conf: CVE-2020-4788 is ppc specific
- x86/speculation: Fix incorrect MDS/TAA mitigation status (bsc#1139073, CVE-2019-11135)
- x86/speculation/mds: fix asm to C function calls (bsc#1111331, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091)