SUSE-SU-2018:1377-2

Source
https://www.suse.com/support/update/announcement/2018/suse-su-20181377-2/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2018:1377-2.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2018:1377-2
Published
2018-10-18T12:45:05Z
Modified
2018-10-18T12:45:05Z
Summary
Security update for the Linux Kernel
Details

The SUSE Linux Enterprise 12 SP2 LTSS kernel was updated to receive various security and bug fixes.

The following security bug was fixed:

  • CVE-2018-3639: Information leaks using 'Memory Disambiguation' feature in modern CPUs were mitigated, aka 'Spectre Variant 4' (bnc#1087082).

    A new boot command-line option was introduced, 'spec_store_bypass_disable', which can have the following values:

    • auto: Kernel detects whether your CPU model contains an implementation of Speculative Store Bypass and picks the most appropriate mitigation.
    • on: disable Speculative Store Bypass
    • off: enable Speculative Store Bypass
    • prctl: Control Speculative Store Bypass per thread via prctl. Speculative Store Bypass is enabled for a process by default. The state of the control is inherited on fork.
    • seccomp: Same as 'prctl' above, but all seccomp threads will disable SSB unless they explicitly opt out.

    The default is 'seccomp', meaning programs need to explicitly opt in to the mitigation.

    Status can be queried via the /sys/devices/system/cpu/vulnerabilities/spec_store_bypass file, containing:

    • 'Vulnerable'
    • 'Mitigation: Speculative Store Bypass disabled'
    • 'Mitigation: Speculative Store Bypass disabled via prctl'
    • 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp'

The following related and non-security bugs were fixed:

  • cpuid: Fix cpuid.edx.7.0 propagation to guest
  • ext4: Fix hole length detection in ext4_ind_map_blocks() (bsc#1090953).
  • ibmvnic: Clean actual number of RX or TX pools (bsc#1092289).
  • kvm: Introduce nopvspin kernel parameter (bsc#1056427).
  • kvm: Fix nopvspin static branch init usage (bsc#1056427).
  • powerpc/64: Use barrier_nospec in syscall entry (bsc#1068032, bsc#1080157).
  • powerpc/64s: Add barrier_nospec (bsc#1068032, bsc#1080157).
  • powerpc/64s: Add support for ori barrier_nospec patching (bsc#1068032, bsc#1080157).
  • powerpc/64s: Enable barrier_nospec based on firmware settings (bsc#1068032, bsc#1080157).
  • powerpc/64s: Enhance the information in cpu_show_meltdown() (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/64s: Enhance the information in cpu_show_spectre_v1() (bsc#1068032).
  • powerpc/64s: Fix section mismatch warnings from setup_rfi_flush() (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/64s: Move cpu_show_meltdown() (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/64s: Patch barrier_nospec in modules (bsc#1068032, bsc#1080157).
  • powerpc/64s: Wire up cpu_show_spectre_v1() (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/64s: Wire up cpu_show_spectre_v2() (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/powernv: Set or clear security feature flags (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/powernv: Use the security flags in pnv_setup_rfi_flush() (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/pseries: Fix clearing of security feature flags (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/pseries: Restore default security feature flags on setup (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/pseries: Set or clear security feature flags (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/pseries: Use the security flags in pseries_setup_rfi_flush() (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/rfi-flush: Always enable fallback flush on pseries (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/rfi-flush: Differentiate enabled and patched flush types (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc: Add security feature flags for Spectre/Meltdown (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc: Move default security feature flags (bsc#1068032, bsc#1075087, bsc#1091041).
  • powerpc: Use barrier_nospec in copy_from_user() (bsc#1068032, bsc#1080157).

Affected packages

SUSE:Linux Enterprise Server 12 SP2-BCL / kernel-default

Package

Name
kernel-default
Purl
purl:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.4.121-92.80.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-macros": "4.4.121-92.80.1",
            "kernel-devel": "4.4.121-92.80.1",
            "kernel-default-base": "4.4.121-92.80.1",
            "kernel-default": "4.4.121-92.80.1",
            "kernel-source": "4.4.121-92.80.1",
            "kernel-syms": "4.4.121-92.80.1",
            "kgraft-patch-4_4_121-92_80-default": "1-3.5.2",
            "kernel-default-devel": "4.4.121-92.80.1"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP2-BCL / kernel-source

Package

Name
kernel-source
Purl
purl:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.4.121-92.80.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-macros": "4.4.121-92.80.1",
            "kernel-devel": "4.4.121-92.80.1",
            "kernel-default-base": "4.4.121-92.80.1",
            "kernel-default": "4.4.121-92.80.1",
            "kernel-source": "4.4.121-92.80.1",
            "kernel-syms": "4.4.121-92.80.1",
            "kgraft-patch-4_4_121-92_80-default": "1-3.5.2",
            "kernel-default-devel": "4.4.121-92.80.1"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP2-BCL / kernel-syms

Package

Name
kernel-syms
Purl
purl:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.4.121-92.80.1

Ecosystem specific

{
    "binaries": [
        {
            "kernel-macros": "4.4.121-92.80.1",
            "kernel-devel": "4.4.121-92.80.1",
            "kernel-default-base": "4.4.121-92.80.1",
            "kernel-default": "4.4.121-92.80.1",
            "kernel-source": "4.4.121-92.80.1",
            "kernel-syms": "4.4.121-92.80.1",
            "kgraft-patch-4_4_121-92_80-default": "1-3.5.2",
            "kernel-default-devel": "4.4.121-92.80.1"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP2-BCL / kgraft-patch-SLE12-SP2_Update_22

Package

Name
kgraft-patch-SLE12-SP2_Update_22
Purl
purl:rpm/suse/kgraft-patch-SLE12-SP2_Update_22&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1-3.5.2

Ecosystem specific

{
    "binaries": [
        {
            "kernel-macros": "4.4.121-92.80.1",
            "kernel-devel": "4.4.121-92.80.1",
            "kernel-default-base": "4.4.121-92.80.1",
            "kernel-default": "4.4.121-92.80.1",
            "kernel-source": "4.4.121-92.80.1",
            "kernel-syms": "4.4.121-92.80.1",
            "kgraft-patch-4_4_121-92_80-default": "1-3.5.2",
            "kernel-default-devel": "4.4.121-92.80.1"
        }
    ]
}