openSUSE-SU-2019:2503

openSUSE-SU-2019:2507

https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.0.11

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=19fad20d15a6494f47f85d869f00b11343ee5c78

According to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In uvc_scan_chain_forward of uvc_driver.c, there is a     possible linked list corruption due to an unusual root     cause. This could lead to local escalation of privilege     in the kernel with no additional execution privileges     needed. User interaction is not needed for     exploitation.Product: AndroidVersions: Android     kernelAndroid ID: A-111893654References: Upstream     kernel.(CVE-2020-0404)

  - A flaw was found in the Linux kernel in versions from     2.2.3 through 5.9.rc5. When changing screen size, an     out-of-bounds memory write can occur leading to memory     corruption or a denial of service. This highest threat     from this vulnerability is to system     availability.(CVE-2020-14390)

  - A TOCTOU mismatch in the NFS client code in the Linux     kernel before 5.8.3 could be used by local attackers to     corrupt memory or possibly have unspecified other     impact because a size check is in fs/nfs/nfs4proc.c     instead of fs/nfs/nfs4xdr.c, aka     CID-b4487b935452.(CVE-2020-25212)

  - A flaw was found in the Linux kernel before 5.9-rc4. A     failure of the file system metadata validator in XFS     can cause an inode with a valid, user-creatable     extended attribute to be flagged as corrupt. This can     lead to the filesystem being shutdown, or otherwise     rendered inaccessible until it is remounted, leading to     a denial of service. The highest threat from this     vulnerability is to system     availability.(CVE-2020-14385)

  - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the     NFS server) can set incorrect permissions on new     filesystem objects when the filesystem lacks ACL     support, aka CID-22cf8419f131. This occurs because the     current umask is not considered.(CVE-2020-24394)

  - The rbd block device driver in drivers/block/rbd.c in     the Linux kernel through 5.8.9 used incomplete     permission checking for access to rbd devices, which     could be leveraged by local attackers to map or unmap     rbd block devices, aka     CID-f44d04e696fe.(CVE-2020-25284)

  - An issue was discovered in net/ipv4/sysctl_net_ipv4.c     in the Linux kernel before 5.0.11. There is a     net/ipv4/tcp_input.c signed integer overflow in     tcp_ack_update_rtt() when userspace writes a very large     integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading     to a denial of service or possibly unspecified other     impact, aka CID-19fad20d15a6.(CVE-2019-18805)

  - Insufficient input validation in i40e driver for     Intel(R) Ethernet 700 Series Controllers versions     before 7.0 may allow an authenticated user to     potentially enable a denial of service via local     access.(CVE-2019-0147)

  - Buffer overflow in i40e driver for Intel(R) Ethernet     700 Series Controllers versions before 7.0 may allow an     authenticated user to potentially enable an escalation     of privilege via local access.(CVE-2020-0145)

  - A race condition between hugetlb sysctl handlers in     mm/hugetlb.c in the Linux kernel before 5.8.8 could be     used by local attackers to corrupt memory, cause a NULL     pointer dereference, or possibly have unspecified other     impact, aka CID-17743798d812.(CVE-2020-25285)

  - A memory out-of-bounds read flaw was found in the Linux     kernel before 5.9-rc2 with the ext3/ext4 file system,     in the way it accesses a directory with broken     indexing. This flaw allows a local user to crash the     system if the directory exists. The highest threat from     this vulnerability is to system     availability.(CVE-2020-14314)

  - A missing CAP_NET_RAW check in NFC socket creation in     net/nfc/rawsock.c in the Linux kernel before 5.8.2     could be used by local attackers to create raw sockets,     bypassing security mechanisms, aka     CID-26896f01467a.(CVE-2020-26088)

  - A flaw was found in the HDLC_PPP module of the Linux     kernel in versions before 5.9-rc7. Memory corruption     and a read overflow is caused by improper input     validation in the ppp_cp_parse_cr function which can     cause the system to crash or cause a denial of service.
    The highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-25643)

  - The Linux kernel, as used in Red Hat Enterprise Linux     7, kernel-rt, and Enterprise MRG 2 and when booted with     UEFI Secure Boot enabled, allows local users to bypass     intended securelevel/secureboot restrictions by     leveraging improper handling of secure_boot flag across     kexec reboot.(CVE-2015-7837)

  - A flaw was found in the Linux kernel's implementation     of biovecs in versions before 5.9-rc7. A zero-length     biovec request issued by the block subsystem could     cause the kernel to enter an infinite loop, causing a     denial of service. This flaw allows a local attacker     with basic privileges to issue requests to a block     device, resulting in a denial of service. The highest     threat from this vulnerability is to system     availability.(CVE-2020-25641)

  - A flaw was found in the Linux kernel before 5.9-rc4.
    Memory corruption can be exploited to gain root     privileges from unprivileged processes. The highest     threat from this vulnerability is to data     confidentiality and integrity.(CVE-2020-14386)

  - A flaw was found in the Linux kernel in versions before     5.9-rc7. Traffic between two Geneve endpoints may be     unencrypted when IPsec is configured to encrypt traffic     for the specific UDP port used by the GENEVE tunnel     allowing anyone between the two endpoints to read the     traffic unencrypted. The main threat from this     vulnerability is to data     confidentiality.(CVE-2020-25645)

  - perf: Fix race in perf_mmap_close     function.(CVE-2020-14351)

  - An information leak flaw was found in the way the Linux     kernel's Bluetooth stack implementation handled     initialization of stack memory when handling certain     AMP packets. A remote attacker in adjacent range could     use this flaw to leak small portions of stack memory on     the system by sending a specially crafted AMP packets.
    The highest threat from this vulnerability is to data     confidentiality.(CVE-2020-12352)

  - A flaw was found in the way the Linux kernel Bluetooth     implementation handled L2CAP packets with A2MP CID. A     remote attacker in adjacent range could use this flaw     to crash the system causing denial of service or     potentially execute arbitrary code on the system by     sending a specially crafted L2CAP packet. The highest     threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-12351)

  - A heap buffer overflow flaw was found in the way the     Linux kernel's Bluetooth implementation processed     extended advertising report events. This flaw allows a     remote attacker in an adjacent range to crash the     system, causing a denial of service or to potentially     execute arbitrary code on the system by sending a     specially crafted Bluetooth packet. The highest threat     from this vulnerability is to confidentiality,     integrity, as well as system     availability.(CVE-2020-24490)

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2020-25656)

  - In skb_to_mamac of networking.c, there is a possible     out of bounds write due to an integer overflow. This     could lead to local escalation of privilege with no     additional execution privileges needed. User     interaction is not needed for exploitation.Product:
    AndroidVersions: Android kernelAndroid ID:
    A-143560807(CVE-2020-0432)

  - A slab-out-of-bounds read in fbcon in the Linux kernel     before 5.9.7 could be used by local attackers to read     privileged information or potentially crash the kernel,     aka CID-3c4e0dff2095. This occurs because     KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for     manipulations such as font height.(CVE-2020-28974)

  - A flaw memory leak in the Linux kernel performance     monitoring subsystem was found in the way if using     PERF_EVENT_IOC_SET_FILTER. A local user could use this     flaw to starve the resources causing denial of     service.(CVE-2020-25704)

  - A buffer over-read (at the framebuffer layer) in the     fbcon code in the Linux kernel before 5.8.15 could be     used by local attackers to read kernel memory, aka     CID-6735b4632def.(CVE-2020-28915)

  - There is a use-after-free problem seen due to a race     condition between the release of ptp_clock and cdev     while resource deallocation. When a (high privileged)     process allocates a ptp device file (like /dev/ptpX)     and voluntarily goes to sleep. During this time if the     underlying device is removed, it can cause an     exploitable condition as the process wakes up to     terminate and clean all attached files. The system     crashes due to the cdev structure being invalid (as     already freed) which is pointed to by the     inode.(CVE-2020-10690)

  - A device tracking vulnerability was found in the     flow_dissector feature in the Linux kernel. This flaw     occurs because the auto flowlabel of the UDP IPv6     packet relies on a 32-bit hashmd value as a secret, and     jhash (instead of siphash) is used. The hashmd value     remains the same starting from boot time and can be     inferred by an attacker.(CVE-2019-18282)

  - Use-after-free vulnerability in fs/block_dev.c in the     Linux kernel before 5.8 allows local users to gain     privileges or cause a denial of service by leveraging     improper access to a certain error     field.(CVE-2020-15436)

  - The Linux kernel before version 5.8 is vulnerable to a     NULL pointer dereference in     drivers/tty/serial/8250/8250_core.c:serial8250_isa_init
    _ports() that allows local users to cause a denial of     service by using the p->serial_in pointer which     uninitialized.(CVE-2020-15437)

  - An issue was discovered in kmem_cache_alloc_bulk in     mm/slub.c in the Linux kernel before 5.5.11. The     slowpath lacks the required TID increment, aka     CID-fd4d9c7d0c71.(CVE-2020-29370)

  - An issue was discovered in the Linux kernel before     5.2.6. On NUMA systems, the Linux fair scheduler has a     use-after-free in show_numa_stats() because NUMA fault     statistics are inappropriately freed, aka     CID-16d51a590a8c.(CVE-2019-20934)

  - An issue was discovered in romfs_dev_read in     fs/romfs/storage.c in the Linux kernel before 5.8.4.
    Uninitialized memory leaks to userspace, aka     CID-bcf85fcedfdd.(CVE-2020-29371)

  - An issue was discovered in the Linux kernel before     5.7.3, related to mm/gup.c and mm/huge_memory.c. The     get_user_pages (aka gup) implementation, when used for     a copy-on-write page, does not properly consider the     semantics of read operations and therefore can grant     unintended write access, aka     CID-17839856fd58.(CVE-2020-29374)

  - A flaw was found in the way RTAS handled memory     accesses in userspace to kernel communication. On a     locked down (usually due to Secure Boot) guest system     running on top of PowerVM or KVM hypervisors (pseries     platform) a root like local user could use this flaw to     further increase their privileges to that of a running     kernel.(CVE-2020-27777)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version MAIN 6.01, has kernel packages installed that are affected by multiple vulnerabilities:

  - A flaw was found in the Linux kernel's NFS     implementation, all versions 3.x and all versions 4.x up     to 4.20. An attacker, who is able to mount an exported     NFS filesystem, is able to trigger a null pointer     dereference by using an invalid NFS sequence. This can     panic the machine and deny access to the NFS server. Any     outstanding disk writes to the NFS server will be lost.
    (CVE-2018-16871)

  - ieee802154_create in net/ieee802154/socket.c in the     AF_IEEE802154 network module in the Linux kernel through     5.3.2 does not enforce CAP_NET_RAW, which means that     unprivileged users can create a raw socket, aka     CID-e69dbd4619e7. (CVE-2019-17053)

  - base_sock_create in drivers/isdn/mISDN/socket.c in the     AF_ISDN network module in the Linux kernel through 5.3.2     does not enforce CAP_NET_RAW, which means that     unprivileged users can create a raw socket, aka     CID-b91ee4aa2a21. (CVE-2019-17055)

  - The flow_dissector feature in the Linux kernel 4.3     through 5.x before 5.3.10 has a device tracking     vulnerability, aka CID-55667441c84f. This occurs because     the auto flowlabel of a UDP IPv6 packet relies on a     32-bit hashrnd value as a secret, and because jhash     (instead of siphash) is used. The hashrnd value remains     the same starting from boot time, and can be inferred by     an attacker. This affects net/core/flow_dissector.c and     related code. (CVE-2019-18282)

  - An issue was discovered in net/ipv4/sysctl_net_ipv4.c in     the Linux kernel before 5.0.11. There is a     net/ipv4/tcp_input.c signed integer overflow in     tcp_ack_update_rtt() when userspace writes a very large     integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading     to a denial of service or possibly unspecified other     impact, aka CID-19fad20d15a6. (CVE-2019-18805)

  - A memory leak in the mlx5_fpga_conn_create_cq() function     in drivers/net/ethernet/mellanox/mlx5/core/fpga/conn.c     in the Linux kernel before 5.3.11 allows attackers to     cause a denial of service (memory consumption) by     triggering mlx5_vector2eqn() failures, aka     CID-c8c2a057fdc7. (CVE-2019-19045)

  - ** DISPUTED ** A memory leak in the     nl80211_get_ftm_responder_stats() function in     net/wireless/nl80211.c in the Linux kernel through     5.3.11 allows attackers to cause a denial of service     (memory consumption) by triggering nl80211hdr_put()     failures, aka CID-1399c59fa929. NOTE: third parties     dispute the relevance of this because it occurs on a     code path where a successful allocation has already     occurred. (CVE-2019-19055)

  - A memory leak in the bnxt_re_create_srq() function in     drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux     kernel through 5.3.11 allows attackers to cause a denial     of service (memory consumption) by triggering copy to     udata failures, aka CID-4a9d46a9fe14. (CVE-2019-19077)

  - In the Linux kernel before 5.3.9, there are multiple     out-of-bounds write bugs that can be caused by a     malicious USB device in the Linux kernel HID drivers,     aka CID-d9d4b1e46d95. This affects drivers/hid/hid-     axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c,     drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c,     drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c,     drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c,     drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-     microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-     tmff.c, and drivers/hid/hid-zpff.c. (CVE-2019-19532)

  - In the Linux kernel before 5.3.11, there is an info-leak     bug that can be caused by a malicious USB device in the     drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka     CID-f7a1337f0d29. (CVE-2019-19534)

  - In the Linux kernel 5.4.0-rc2, there is a use-after-free     (read) in the __blk_add_trace function in     kernel/trace/blktrace.c (which is used to fill out a     blk_io_trace structure and place it in a per-cpu sub-     buffer). (CVE-2019-19768)

  - A memory leak in the kernel_read_file function in     fs/exec.c in the Linux kernel through 4.20.11 allows     attackers to cause a denial of service (memory     consumption) by triggering vfs_read failures.
    (CVE-2019-8980)

  - A NULL pointer dereference flaw was found in the Linux     kernel's SELinux subsystem in versions before 5.7. This     flaw occurs while importing the Commercial IP Security     Option (CIPSO) protocol's category bitmap into the     SELinux extensible bitmap via the'     ebitmap_netlbl_import' routine. While processing the     CIPSO restricted bitmap tag in the     'cipso_v4_parsetag_rbm' routine, it sets the security     attribute to indicate that the category bitmap is     present, even if it has not been allocated. This issue     leads to a NULL pointer dereference issue while     importing the same category bitmap into SELinux. This     flaw allows a remote network user to crash the system     kernel, resulting in a denial of service.
    (CVE-2020-10711)

  - In the Linux kernel through 5.6.7 on the s390 platform,     code execution may occur because of a race condition, as     demonstrated by code in enable_sacf_uaccess in     arch/s390/lib/uaccess.c that fails to protect against a     concurrent page table upgrade, aka CID-3f777e19d171. A     crash could also occur. (CVE-2020-11884)

  - An issue was discovered in the Linux kernel before     5.6.5. There is a use-after-free in block/bfq-iosched.c     related to bfq_idle_slice_timer_body. (CVE-2020-12657)

  - A flaw was discovered in the way that the KVM hypervisor     handled instruction emulation for an L2 guest when     nested virtualisation is enabled. Under some     circumstances, an L2 guest may trick the L0 guest into     accessing sensitive L1 resources that should be     inaccessible to the L2 guest. (CVE-2020-2732)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1567 advisory.

  - kernel: nfs: NULL pointer dereference due to an     anomalized NFS message sequence (CVE-2018-16871)

  - Kernel: net: using kernel space address bits to derive     IP ID may potentially break KASLR (CVE-2019-10639)

  - kernel: An out-of-bounds read in     drivers/scsi/qedi/qedi_dbg.c leading to crash or     information disclosure (CVE-2019-15090)

  - kernel: a NULL pointer dereference in     drivers/net/wireless/ath/ath10k/usb.c leads to a crash     (CVE-2019-15099)

  - kernel: Null pointer dereference in the     sound/usb/line6/pcm.c (CVE-2019-15221)

  - kernel: unprivileged users able to create RAW sockets     in AF_IEEE802154 network protocol. (CVE-2019-17053)

  - kernel: unprivileged users able to create RAW sockets in     AF_ISDN  network protocol. (CVE-2019-17055)

  - kernel: integer overflow in tcp_ack_update_rtt in     net/ipv4/tcp_input.c (CVE-2019-18805)

  - kernel: Two memory leaks in the     mwifiex_pcie_init_evt_ring() function in     drivers/net/wireless/marvell/mwifiex/pcie.c allows for a     DoS (CVE-2019-19057)

  - kernel: Memory leaks in     drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux     kernel (DOS) (CVE-2019-19073)

  - kernel: a memory leak in the ath9k management function     in allows local DoS (CVE-2019-19074)

  - kernel: information leak bug caused  by a malicious USB     device in the     drivers/net/can/usb/peak_usb/pcan_usb_core.c driver     (CVE-2019-19534)

  - kernel: use-after-free in __blk_add_trace in     kernel/trace/blktrace.c (CVE-2019-19768)

  - kernel: when cpu.cfs_quota_us is used allows attackers     to cause a denial of service against non-cpu-bound     applications (CVE-2019-19922)

  - kernel: memory leak in the kernel_read_file function in     fs/exec.c allows to cause a denial of service     (CVE-2019-8980)

  - kernel: some ipv6 protocols not encrypted over ipsec     tunnel. (CVE-2020-1749)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1769 advisory.

  - kernel: nfs: NULL pointer dereference due to an     anomalized NFS message sequence (CVE-2018-16871)

  - Kernel: net: using kernel space address bits to derive     IP ID may potentially break KASLR (CVE-2019-10639)

  - kernel: An out-of-bounds read in     drivers/scsi/qedi/qedi_dbg.c leading to crash or     information disclosure (CVE-2019-15090)

  - kernel: a NULL pointer dereference in     drivers/net/wireless/ath/ath10k/usb.c leads to a crash     (CVE-2019-15099)

  - kernel: Null pointer dereference in the     sound/usb/line6/pcm.c (CVE-2019-15221)

  - kernel: unprivileged users able to create RAW sockets     in AF_IEEE802154 network protocol. (CVE-2019-17053)

  - kernel: unprivileged users able to create RAW sockets in     AF_ISDN  network protocol. (CVE-2019-17055)

  - kernel: integer overflow in tcp_ack_update_rtt in     net/ipv4/tcp_input.c (CVE-2019-18805)

  - kernel: Two memory leaks in the     mwifiex_pcie_init_evt_ring() function in     drivers/net/wireless/marvell/mwifiex/pcie.c allows for a     DoS (CVE-2019-19057)

  - kernel: Memory leaks in     drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux     kernel (DOS) (CVE-2019-19073)

  - kernel: a memory leak in the ath9k management function     in allows local DoS (CVE-2019-19074)

  - kernel: information leak bug caused  by a malicious USB     device in the     drivers/net/can/usb/peak_usb/pcan_usb_core.c driver     (CVE-2019-19534)

  - kernel: use-after-free in __blk_add_trace in     kernel/trace/blktrace.c (CVE-2019-19768)

  - kernel: when cpu.cfs_quota_us is used allows attackers     to cause a denial of service against non-cpu-bound     applications (CVE-2019-19922)

  - kernel: memory leak in the kernel_read_file function in     fs/exec.c allows to cause a denial of service     (CVE-2019-8980)

  - kernel: some ipv6 protocols not encrypted over ipsec     tunnel. (CVE-2020-1749)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the kernel packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In the tun subsystem in the Linux kernel before     4.13.14, dev_get_valid_name is not called before     register_netdevice. This allows local users to cause a     denial of service (NULL pointer dereference and panic)     via an ioctl(TUNSETIFF) call with a dev name containing     a / character. This is similar to     CVE-2013-4343.(CVE-2018-7191)

  - A memory leak in the crypto_report() function in     crypto/crypto_user_base.c in the Linux kernel through     5.3.11 allows attackers to cause a denial of service     (memory consumption) by triggering crypto_report_alg()     failures, aka CID-ffdde5932042.(CVE-2019-19062)

  - An issue was discovered in net/ipv4/sysctl_net_ipv4.c     in the Linux kernel before 5.0.11. There is a     net/ipv4/tcp_input.c signed integer overflow in     tcp_ack_update_rtt() when userspace writes a very large     integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading     to a denial of service or possibly unspecified other     impact, aka CID-19fad20d15a6.(CVE-2019-18805)

  - In the Linux kernel before 5.0, a memory leak exists in     sit_init_net() in net/ipv6/sit.c when register_netdev()     fails to register sitn->fb_tunnel_dev, which may cause     denial of service, aka     CID-07f12b26e21a.(CVE-2019-16994)

  - An issue was discovered in the Linux kernel before     5.0.6. There is a memory leak issue when idr_alloc()     fails in genl_register_family() in     net/netlink/genetlink.c.(CVE-2019-15921)

  - In the Linux kernel before 5.1.13, there is a memory     leak in drivers/scsi/libsas/sas_expander.c when SAS     expander discovery fails. This will cause a BUG and     denial of service.(CVE-2019-15807)

  - An issue was discovered in xfs_setattr_nonsize in     fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9.
    XFS partially wedges when a chgrp fails on account of     being out of disk quota. xfs_setattr_nonsize is failing     to unlock the ILOCK after the xfs_qm_vop_chown_reserve     call fails. This is primarily a local DoS attack     vector, but it might result as well in remote DoS if     the XFS filesystem is exported for instance via     NFS.(CVE-2019-15538)

  - An out-of-bounds access issue was found in the Linux     kernel, all versions through 5.3, in the way Linux     kernel's KVM hypervisor implements the Coalesced MMIO     write operation. It operates on an MMIO ring buffer     'struct kvm_coalesced_mmio' object, wherein write     indices 'ring->first' and 'ring->last' value could be     supplied by a host user-space process. An unprivileged     host user or process with access to '/dev/kvm' device     could use this flaw to crash the host kernel, resulting     in a denial of service or potentially escalating     privileges on the system.(CVE-2019-14821)

  - ** DISPUTED ** An issue was discovered in ip_ra_control     in net/ipv4/ip_sockglue.c in the Linux kernel through     5.1.5. There is an unchecked kmalloc of new_ra, which     might allow an attacker to cause a denial of service     (NULL pointer dereference and system crash). NOTE: this     is disputed because new_ra is never used if it is     NULL.(CVE-2019-12381)

  - ** DISPUTED ** An issue was discovered in     ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux     kernel through 5.1.5. There is an unchecked kmalloc of     new_ra, which might allow an attacker to cause a denial     of service (NULL pointer dereference and system crash).
    NOTE: This has been disputed as not an     issue.(CVE-2019-12378)

  - An issue was discovered in fs/xfs/xfs_super.c in the     Linux kernel before 4.18. A use after free exists,     related to xfs_fs_fill_super failure.(CVE-2018-20976)

  - An issue was discovered in the Linux kernel before     4.18.7. In block/blk-core.c, there is an
    __blk_drain_queue() use-after-free because a certain     error case is mishandled.(CVE-2018-20856)

  - A flaw was found in the Linux kernel's NFS41+     subsystem. NFS41+ shares mounted in different network     namespaces at the same time can make bc_svc_process()     use wrong back-channel IDs and cause a use-after-free     vulnerability. Thus a malicious container user can     cause a host kernel memory corruption and a system     panic. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out.(CVE-2018-16884)

  - A flaw was found in the Linux kernel's NFS     implementation, all versions 3.x and all versions 4.x     up to 4.20. An attacker, who is able to mount an     exported NFS filesystem, is able to trigger a null     pointer dereference by using an invalid NFS sequence.
    This can panic the machine and deny access to the NFS     server. Any outstanding disk writes to the NFS server     will be lost.(CVE-2018-16871)

  - An issue was found in the Linux kernel ipv6     implementation of GRE tunnels which allows a remote     attacker to trigger an out-of-bounds access. At this     time we understand no trust barrier has been crossed     and there is no security implications in this     flaw.(CVE-2017-5897)

  - A flaw was found in the Linux kernel's vfio interface     implementation that permits violation of the user's     locked memory limit. If a device is bound to a vfio     driver, such as vfio-pci, and the local attacker is     administratively granted ownership of the device, it     may cause a system memory exhaustion and thus a denial     of service (DoS). Versions 3.10, 4.14 and 4.18 are     vulnerable.(CVE-2019-3882)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The kernel package contains the Linux kernel (vmlinuz),     the core of any Linux operating system. The kernel     handles the basic functions of the operating system:
    memory allocation, process allocation, device input and     output, etc.Security Fix(es):Heap-based buffer overflow     in the udf_load_logicalvol function in fs/udf/super.c     in the Linux kernel before 3.4.5 allows remote     attackers to cause a denial of service (system crash)     or possibly have unspecified other impact via a crafted     UDF filesystem.(CVE-2012-3400)The     mmc_ioctl_cdrom_read_data function in     drivers/cdrom/cdrom.c in the Linux kernel through 3.10     allows local users to obtain sensitive information from     kernel memory via a read operation on a malfunctioning     CD-ROM drive.(CVE-2013-2164)The     sctp_sf_do_5_2_4_dupcook function in     net/sctp/sm_statefuns.c in the SCTP implementation in     the Linux kernel before 3.8.5 does not properly handle     associations during the processing of a duplicate     COOKIE ECHO chunk, which allows remote attackers to     cause a denial of service (NULL pointer dereference and     system crash) or possibly have unspecified other impact     via crafted SCTP traffic.(CVE-2013-2206)The (1)     get_user and (2) put_user API functions in the Linux     kernel before 3.5.5 on the v6k and v7 ARM platforms do     not validate certain addresses, which allows attackers     to read or modify the contents of arbitrary kernel     memory locations via a crafted application, as     exploited in the wild against Android devices in     October and November 2013.(CVE-2013-6282)An issue was     discovered in the Linux kernel before 4.20. There is a     race condition in smp_task_timedout() and     smp_task_done() in drivers/scsi/libsas/sas_expander.c,     leading to a use-after-free.(CVE-2018-20836)The Siemens     R3964 line discipline driver in drivers/tty/n_r3964.c     in the Linux kernel before 5.0.8 has multiple race     conditions.(CVE-2019-11486)The Linux kernel before     5.1-rc5 allows page->_refcount reference count     overflow, with resultant use-after-free issues, if     about 140 GiB of RAM exists. This is related to     fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h,     kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It     can occur with FUSE requests.(CVE-2019-11487)The     coredump implementation in the Linux kernel before     5.0.10 does not use locking or other mechanisms to     prevent vma layout or vma flags changes while it runs,     which allows local users to obtain sensitive     information, cause a denial of service, or possibly     have unspecified other impact by triggering a race     condition with mmget_not_zero or get_task_mm calls.
    This is related to fs/userfaultfd.c, mm/mmap.c,     fs/proc/task_mmu.c, and     drivers/infiniband/core/uverbs_main.c.(CVE-2019-11599)A     n issue was discovered in the Linux kernel before     5.0.7. A NULL pointer dereference can occur when     megasas_create_frame_pool() fails in     megasas_alloc_cmds() in     drivers/scsi/megaraid/megaraid_sas_base.c. This causes     a Denial of Service, related to a     use-after-free.(CVE-2019-11810)An issue was discovered     in the Linux kernel before 5.0.4. There is a     use-after-free upon attempted read access to     /proc/ioports after the ipmi_si module is removed,     related to drivers/char/ipmi/ipmi_si_intf.c,     drivers/char/ipmi/ipmi_si_mem_io.c, and     drivers/char/ipmi/ipmi_si_port_io.c.(CVE-2019-11811)A     flaw was found in the Linux kernel's handle_rx()     function in the [vhost_net] driver. A malicious virtual     guest, under specific conditions, can trigger an     out-of-bounds write in a kmalloc-8 slab on a virtual     host which may lead to a kernel memory corruption and a     system panic. Due to the nature of the flaw, privilege     escalation cannot be fully ruled out. Versions from     v4.16 and newer are vulnerable.(CVE-2018-16880)An issue     was discovered in rds_tcp_kill_sock in net/rds/tcp.c in     the Linux kernel before 5.0.8. There is a race     condition leading to a use-after-free, related to net     namespace cleanup.(CVE-2019-11815)A flaw was found in     the Linux kernel in the function     hid_debug_events_read() in drivers/hid/hid-debug.c file     which may enter an infinite loop with certain     parameters passed from a userspace. A local privileged     user ('root') can cause a system lock up and a denial     of service. Versions from v4.18 and newer are     vulnerable.(CVE-2019-3819)A flaw was found in the Linux     kernel's vfio interface implementation that permits     violation of the user's locked memory limit. If a     device is bound to a vfio driver, such as vfio-pci, and     the local attacker is administratively granted     ownership of the device, it may cause a system memory     exhaustion and thus a denial of service (DoS). Versions     3.10, 4.14 and 4.18 are vulnerable.(CVE-2019-3882)An     infinite loop issue was found in the vhost_net kernel     module in Linux Kernel up to and including v5.1-rc6,     while handling incoming packets in handle_rx(). It     could occur if one end sends packets faster than the     other end can process them. A guest user, maybe remote     one, could use this flaw to stall the vhost_net kernel     thread, resulting in a DoS scenario.(CVE-2019-3900)In     the Linux Kernel before versions 4.20.8 and 4.19.21 a     use-after-free error in the 'sctp_sendmsg()' function     (net/sctp/socket.c) when handling SCTP_SENDALL flag can     be exploited to corrupt memory.(CVE-2019-8956)A flaw     was found in the Linux kernel's implementation of ext4     extent management. The kernel doesn't correctly     initialize memory regions in the extent tree block     which may be exported to a local user to obtain     sensitive information by reading empty/uninitialized     data from the filesystem.(CVE-2019-11833)An issue was     discovered in drm_load_edid_firmware in     drivers/gpu/drm/drm_edid_load.c in the Linux kernel     through 5.1.5. There is an unchecked kstrdup of fwstr,     which might allow an attacker to cause a denial of     service (NULL pointer dereference and system crash).
    NOTE: The vendor disputes this issues as not being a     vulnerability because kstrdup() returning NULL is     handled sufficiently and there is no chance for a NULL     pointer dereference.(CVE-2019-12382)An issue was     discovered in the efi subsystem in the Linux kernel     through 5.1.5. phys_efi_set_virtual_address_map in     arch/x86/platform/efi/efi.c and efi_call_phys_prolog in     arch/x86/platform/efi/efi_64.c mishandle memory     allocation failures. NOTE: This id is disputed as not     being an issue because ?All the code touched by the     referenced commit runs only at boot, before any user     processes are started. Therefore, there is no     possibility for an unprivileged user to control     it.(CVE-2019-12380)An issue was discovered in the Linux     kernel before 5.2.3. An out of bounds access exists in     the function hclge_tm_schd_mode_vnet_base_cfg in the     file drivers     et/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c.(CVE-2019-     15925)An issue was discovered in     dlpar_parse_cc_property in     arch/powerpc/platforms/pseries/dlpar.c in the Linux     kernel through 5.1.6. There is an unchecked kstrdup of     prop-i1/4zname, which might allow an attacker to cause a     denial of service (NULL pointer dereference and system     crash).(CVE-2019-12614)An issue was discovered in     net/ipv4/sysctl_net_ipv4.c in the Linux kernel before     5.0.11. There is a net/ipv4/tcp_input.c signed integer     overflow in tcp_ack_update_rtt() when userspace writes     a very large integer to     /proc/syset/ipv4/tcp_min_rtt_wlen, leading to a denial     of service or possibly unspecified other impact, aka     CID-19fad20d15a6.(CVE-2019-18805)A flaw was found in     the way PTRACE_TRACEME functionality was handled in the     Linux kernel. The kernel's implementation of ptrace can     inadvertently grant elevated permissions to an attacker     who can then abuse the relationship between the tracer     and the process being traced. This flaw could allow a     local, unprivileged user to increase their privileges     on the system or cause a denial of     service.(CVE-2019-13272)An issue was discovered in     ip6_ra_control in net/ipv6/ipv6_sockglue.c in the Linux     kernel through 5.1.5. There is an unchecked kmalloc of     new_ra, which might allow an attacker to cause a denial     of service (NULL pointer dereference and system crash).
    NOTE: This has been disputed as not an     issue.(CVE-2019-12378)An issue was discovered in     ip_ra_control in net/ipv4/ip_sockglue.c in the Linux     kernel through 5.1.5. There is an unchecked kmalloc of     new_ra, which might allow an attacker to cause a denial     of service (NULL pointer dereference and system crash).
    NOTE: this is disputed because new_ra is never used if     it is NULL.(CVE-2019-12381)An issue was discovered in     sunxi_divs_clk_setup in drivers/clk/sunxi/clk-sunxi.c     in the Linux kernel through 5.1.5. There is an     unchecked kstrndup of derived_name, which might allow     an attacker to cause a denial of service (NULL pointer     dereference and system crash). NOTE: This id is     disputed as not being an issue because 'The memory     allocation that was not checked is part of a code that     only runs at boot time, before user processes are     started. Therefore, there is no possibility for an     unprivileged user to control it, and no denial of     service.'.(CVE-2019-12455)An issue was discovered in     the MPT3COMMAND case in _ctl_ioctl_main in     drivers/scsi/mpt3sas/mpt3sas_ctl.c in the Linux kernel     through 5.1.5. It allows local users to cause a denial     of service or possibly have unspecified other impact by     changing the value of ioc_number between two kernel     reads of that value, aka a ''double fetch''     vulnerability. NOTE: a third party reports that this is     unexploitable because the doubly fetched value is not     used.(CVE-2019-12456)An issue was discovered in     get_vdev_port_node_info in arch/sparc/kernel/mdesc.c in     the Linux kernel through 5.1.6. There is an unchecked     kstrdup_const of node_info-i1/4zvdev_port.name, which     might allow an attacker to cause a denial of service     (NULL pointer dereference and system     crash).(CVE-2019-12615)In parse_hid_report_descriptor     in drivers/input/tablet/gtco.c in the Linux kernel     through 5.2.1, a malicious USB device can send an HID     report that triggers an out-of-bounds write during     generation of debugging messages.(CVE-2019-13631)A     vulnerability was found in the Linux kernelaEURtms floppy     disk driver implementation. A local attacker with     access to the floppy device could call set_geometry in     drivers/block/floppy.c, which does not validate the     sect and head fields, causing an integer overflow and     out-of-bounds read. This flaw may crash the system or     allow an attacker to gather information causing     subsequent successful     attacks.(CVE-2019-14283)check_input_term in     sound/usb/mixer.c in the Linux kernel through 5.2.9     mishandles recursion, leading to kernel stack     exhaustion.(CVE-2019-15118)An issue was discovered in     the Linux kernel before 5.2.6. There is a     use-after-free caused by a malicious USB device in the     drivers/media/v4l2-core/v4l2-dev.c driver because     drivers/media/radio/radio-raremono.c does not properly     allocate memory.(CVE-2019-15211)An issue was discovered     in the Linux kernel before 5.0.10. There is a     use-after-free in the sound subsystem because card     disconnection causes certain data structures to be     deleted too early. This is related to sound/core/init.c     and sound/core/info.c.(CVE-2019-15214)An issue was     discovered in the Linux kernel before 5.1.8. There is a     NULL pointer dereference caused by a malicious USB     device in the drivers/media/usb/siano/smsusb.c     driver.(CVE-2019-15218)An issue was discovered in the     Linux kernel before 5.1.8. There is a NULL pointer     dereference caused by a malicious USB device in the     drivers/usb/misc/sisusbvga/sisusb.c     driver.(CVE-2019-15219)An issue was discovered in the     Linux kernel before 5.2.1. There is a use-after-free     caused by a malicious USB device in the     driverset/wireless/intersil/p54/p54usb.c     driver.(CVE-2019-15220)An issue was discovered in the     Linux kernel before 5.1.17. There is a NULL pointer     dereference caused by a malicious USB device in the     sound/usb/line6/pcm.c driver.(CVE-2019-15221)An issue     was discovered in the Linux kernel before 5.0.9. There     is a use-after-free in atalk_proc_exit, related to     net/appletalk/atalk_proc.c, net/appletalk/ddp.c, and     net/appletalk/sysctl_net_atalk.c.(CVE-2019-15292)An     issue was discovered in xfs_setattr_nonsize in     fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9.
    XFS partially wedges when a chgrp fails on account of     being out of disk quota. xfs_setattr_nonsize is failing     to unlock the ILOCK after the xfs_qm_vop_chown_reserve     call fails. This is primarily a local DoS attack     vector, but it might result as well in remote DoS if     the XFS filesystem is exported for instance via     NFS.(CVE-2019-15538)An issue was discovered in the     Linux kernel before 5.0.19. There is an out-of-bounds     array access in __xfrm_policy_unlink, which will cause     denial of service, because verify_newpolicy_info in     net/xfrm/xfrm_user.c mishandles directory     validation.(CVE-2019-15666)In the Linux kernel before     5.1.13, there is a memory leak in     drivers/scsi/libsas/sas_expander.c when SAS expander     discovery fails. This will cause a BUG and denial of     service.(CVE-2019-15807)An issue was discovered in the     Linux kernel before 5.0.5. There is a use-after-free     issue when hci_uart_register_dev() fails in     hci_uart_set_proto() in     drivers/bluetooth/hci_ldisc.c.(CVE-2019-15917)An issue     was discovered in the Linux kernel before 5.0.10.
    SMB2_write in fs/cifs/smb2pdu.c has a     use-after-free.(CVE-2019-15919)An issue was discovered     in the Linux kernel before 5.0.10. SMB2_read in     fs/cifs/smb2pdu.c has a use-after-free. NOTE: this was     not fixed correctly in 5.0.10 see the 5.0.11 ChangeLog,     which documents a memory leak.(CVE-2019-15920)An issue     was discovered in the Linux kernel before 5.0.4. The 9p     filesystem did not protect i_size_write() properly,     which causes an i_size_read() infinite loop and denial     of service on SMP systems.(CVE-2019-16413)An issue was     discovered in can_can_gw_rcv in net/can/gw.c in the     Linux kernel through 4.19.13. The CAN frame     modification rules allow bitwise logical operations     that can be also applied to the can_dlc field. Because     of a missing check, the CAN drivers may write arbitrary     content beyond the data registers in the CAN     controller's I/O memory when processing can-gw     manipulated outgoing frames. This is related to     cgw_csum_xor_rel. An unprivileged user can trigger a     system crash (general protection     fault).(CVE-2019-3701)A flaw was found in the Linux     kernel's Marvell wifi chip driver. A heap overflow in     mwifiex_update_bss_desc_with_ie function in     marvell/mwifiex/scan.c allows remote attackers to cause     a denial of service(system crash) or execute arbitrary     code.(CVE-2019-3846)A new software page cache side     channel attack scenario was discovered in operating     systems that implement the very common 'page cache'     caching mechanism. A malicious user/process could use     'in memory' page-cache knowledge to infer access     timings to shared memory and gain knowledge which can     be used to reduce effectiveness of cryptographic     strength by monitoring algorithmic behavior, infer     access patterns of memory to determine code paths     taken, and exfiltrate data to a blinded attacker     through page-granularity access times as a     side-channel.(CVE-2019-5489)In the Android kernel in     the video driver there is a kernel pointer leak due to     a WARN_ON statement. This could lead to local     information disclosure with System execution privileges     needed. User interaction is not needed for     exploitation.(CVE-2019-9455)A vulnerability was found     in the arch/x86/lib/insn-eval.c function in the Linux     kernel. An attacker could corrupt the memory due to a     flaw in use-after-free access to an LDT entry caused by     a race condition between modify_ldt() and a #BR     exception for an MPX bounds violation.(CVE-2019-13233)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for kernel-alt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The kernel-alt packages provide the Linux kernel version 4.x.

Security Fix(es) :

* kernel: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow (CVE-2019-17666)

* kernel: nfs: NULL pointer dereference due to an anomalized NFS message sequence (CVE-2018-16871)

* kernel: Heap address information leak while using L2CAP_GET_CONF_OPT (CVE-2019-3459)

* kernel: Heap address information leak while using L2CAP_PARSE_CONF_RSP (CVE-2019-3460)

* kernel: sensitive information disclosure from kernel stack memory via HIDPCONNADD command (CVE-2019-11884)

* kernel: powerpc: local user can read vector registers of other users' processes via a Facility Unavailable exception (CVE-2019-15030)

* kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service (CVE-2019-15916)

* kernel: integer overflow in tcp_ack_update_rtt in net/ipv4/tcp_input.c (CVE-2019-18805)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es) :

* lpfc: NVMe/FC target test machine rhel-storage-62 crashes on boot when connected to FC switch (BZ#1623205)

* kernel BUG at fs/nfs_common/grace.c:107! (BZ#1637543)

* RHEL-Alt-7.6 - Need a fix for kernel bug cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias() (BZ#1711934)

* Backport 'fs/dcache.c: add cond_resched() in shrink_dentry_list()' (32785c0539b7) [rhel-alt-7.6.z] (BZ#1758861)

* [RHEL-ALT-7.6.z][arm64] iommu/iova: Fix tracking of recently failed iova address (BZ#1780500)

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-20095: mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c had some error-handling cases that did not free allocated hostcmd memory. This will cause a memory leak and denial of service (bnc#1159909).

CVE-2019-20054: Fixed a a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bnc#1159910).

CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which may cause denial of service (bnc#1159908).

CVE-2019-19966: Fixed a use-after-free in cpia2_exit() in drivers/media/usb/cpia2/cpia2_v4l.c that will cause denial of service (bnc#1159841).

CVE-2019-19447: Mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c (bnc#1158819).

CVE-2019-19319: A setxattr operation, after a mount of a crafted ext4 image, can cause a slab-out-of-bounds write access because of an ext4_xattr_set_entry use-after-free in fs/ext4/xattr.c when a large old_size value is used in a memset call (bnc#1158021).

CVE-2019-19767: Fixed mishandling of ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).

CVE-2019-18808: A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption) (bnc#1156259).

CVE-2019-16746: An issue was discovered in net/wireless/nl80211.c where the length of variable elements in a beacon head were not checked, leading to a buffer overflow (bnc#1152107).

CVE-2019-19066: A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c allowed attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures (bnc#1157303).

CVE-2019-19051: There was a memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1159024).

CVE-2019-19338: There was an incomplete fix for Transaction Asynchronous Abort (TAA) (bnc#1158954).

CVE-2019-19332: There was an OOB memory write via kvm_dev_ioctl_get_cpuid (bnc#1158827).

CVE-2019-19537: There was a race condition bug that can be caused by a malicious USB device in the USB character device driver layer (bnc#1158904).

CVE-2019-19535: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bnc#1158903).

CVE-2019-19527: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bnc#1158900).

CVE-2019-19526: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver (bnc#1158893).

CVE-2019-19533: There was an info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bnc#1158834).

CVE-2019-19532: There were multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers (bnc#1158824).

CVE-2019-19523: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79 (bnc#1158381 1158823 1158834).

CVE-2019-15213: There was a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver (bnc#1146544).

CVE-2019-19531: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1158445).

CVE-2019-19543: There was a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (bnc#1158427).

CVE-2019-19525: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bnc#1158417).

CVE-2019-19530: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bnc#1158410).

CVE-2019-19536: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver (bnc#1158394).

CVE-2019-19524: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bnc#1158413).

CVE-2019-19528: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver (bnc#1158407).

CVE-2019-19534: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (bnc#1158398).

CVE-2019-19529: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver (bnc#1158381).

CVE-2019-14901: A heap overflow flaw was found in the Linux kernel in Marvell WiFi chip driver. The vulnerability allowed a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system (bnc#1157042).

CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).

CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038).

CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded.
There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897).

CVE-2019-18809: A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1156258).

CVE-2019-19046: A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure (bnc#1157304).

CVE-2019-19078: A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157032).

CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).

CVE-2019-19057: Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures (bnc#1157197).

CVE-2019-19056: A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures (bnc#1157197).

CVE-2019-19068: A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157307).

CVE-2019-19063: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157298).

CVE-2019-19227: In the AppleTalk subsystem in the Linux kernel there was a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client (bnc#1157678).

CVE-2019-19081: A memory leak in the nfp_flower_spawn_vnic_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157045).

CVE-2019-19080: Four memory leaks in the nfp_flower_spawn_phy_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157044).

CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191).

CVE-2019-19077: A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering copy to udata failures (bnc#1157171).

CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).

CVE-2019-19067: Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures (bsc#1157180).

CVE-2019-19060: A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157178).

CVE-2019-19049: A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering of_fdt_unflatten_tree() failures (bsc#1157173).

CVE-2019-19075: A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures (bnc#1157162).

CVE-2019-19058: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures (bnc#1157145).

CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).

CVE-2019-19073: Fixed memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures (bnc#1157070).

CVE-2019-19083: Memory leaks in *clock_source_create() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157049).

CVE-2019-19082: Memory leaks in *create_resource_pool() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157046).

CVE-2019-15916: An issue was discovered in the Linux kernel There was a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service (bnc#1149448).

CVE-2019-0154: Insufficient access control in subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100 Processor Families may have allowed an authenticated user to potentially enable denial of service via local access (bnc#1135966).

CVE-2019-0155: Insufficient access control in a subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families; Intel(R) Graphics Driver for Windows (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077), i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may have allowed an authenticated user to potentially enable escalation of privilege via local access (bnc#1135967).

CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466).

CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187).

CVE-2019-17055: base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket (bnc#1152782).

CVE-2019-16995: In the Linux kernel before 5.0.3, a memory leak exits in hsr_dev_finalize() in net/hsr/hsr_device.c if hsr_add_port fails to add a port, which may cause denial of service, aka CID-6caabe7f197d (bnc#1152685).

CVE-2019-11135: TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may have allowed an authenticated user to potentially enable information disclosure via a side channel with local access (bnc#1139073).

CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150457).

CVE-2018-12207: Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may have allowed an authenticated user to potentially enable denial of service of the host system via local access (bnc#1117665).

CVE-2019-10220: Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists (bnc#1144903).

CVE-2019-17666: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow (bnc#1154372).

CVE-2019-16232: drivers/net/wireless/marvell/libertas/if_sdio.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150465).

CVE-2019-16234: drivers/net/wireless/intel/iwlwifi/pcie/trans.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150452).

CVE-2019-17133: cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c did not reject a long SSID IE, leading to a Buffer Overflow (bnc#1153158).

CVE-2019-17056: llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC network module in the Linux kernel did not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-3a359798b176 (bnc#1152788).

CVE-2019-14821: An out-of-bounds access issue was found in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation (bnc#1151350).

CVE-2017-18595: An issue was discovered in the Linux kernel A double free may be caused by the function allocate_trace_buffer in the file kernel/trace/trace.c (bnc#1149555).

CVE-2019-9506: The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and did not prevent an attacker from influencing the key length negotiation. This allowed practical brute-force attacks (aka 'KNOB') that can decrypt traffic and inject arbitrary ciphertext without the victim noticing (bnc#1146042).

CVE-2019-14835: A buffer overflow flaw was found in the way Linux kernel's vhost functionality that translates virtqueue buffers to IOVs, logged the buffer descriptors during migration (bnc#1150112).

CVE-2019-9456: Ther is an issue inside the USB monitor driver that can lead to a possible OOB write due to a missing bounds check (bnc#1150025).

CVE-2019-15031: In the Linux kernel on the powerpc platform, a local user can read vector registers of other users' processes via an interrupt (bnc#1149713).

CVE-2019-15030: In the Linux kernel on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception (bnc#1149713).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-19767: Fixed ext4_expand_extra_isize mishandles, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c (bnc#1159297).

CVE-2019-18808: Fixed a memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c allowed attackers to cause a denial of service (memory consumption) (bnc#1156259).

CVE-2019-19066: Fixed memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/bfad_attr.c that allowed attackers to cause a denial of service (memory consumption) by triggering bfa_port_get_stats() failures (bnc#1157303).

CVE-2019-19051: Fixed memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/net/wimax/i2400m/op-rfkill.c that allowed attackers to cause a denial of service (memory consumption) (bnc#1159024).

CVE-2019-19338: There was an incomplete fix for Transaction Asynchronous Abort (TAA) (bsc#1158954).

CVE-2019-19332: There was an OOB memory write via kvm_dev_ioctl_get_cpuid (bsc#1158827).

CVE-2019-19537: There was a race condition bug that could have been caused by a malicious USB device in the USB character device driver layer (bnc#1158904).

CVE-2019-19535: There was an info-leak bug that could have been caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bnc#1158903).

CVE-2019-19527: There was a use-after-free bug that could have been caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bnc#1158900).

CVE-2019-19526: There was a use-after-free bug that could have been caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver (bnc#1158893).

CVE-2019-19533: There was an info-leak bug that could have been caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bnc#1158834).

CVE-2019-19532: There were multiple out-of-bounds write bugs that could have been caused by a malicious USB device in the Linux kernel HID drivers (bnc#1158824).

CVE-2019-19523: There was a use-after-free bug that could have been caused by a malicious USB device in the drivers/usb/misc/adutux.c driver (bnc#1158823).

CVE-2019-15213: An issue was discovered in the Linux kernel, there was a use-after-free caused by a malicious USB device in the drivers/media/usb/dvb-usb/dvb-usb-init.c driver (bnc#1146544).

CVE-2019-19531: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1158445).

CVE-2019-19543: There was a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (bnc#1158427).

CVE-2019-19525: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bnc#1158417).

CVE-2019-19530: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bnc#1158410).

CVE-2019-19536: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver (bnc#1158394).

CVE-2019-19524: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bnc#1158413).

CVE-2019-19528: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver (bnc#1158407).

CVE-2019-19534: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (bnc#1158398).

CVE-2019-19529: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver (bnc#1158381).

CVE-2019-14901: A heap overflow flaw was found in the Linux kernel in Marvell WiFi chip driver. The vulnerability allowed a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system (bnc#1157042).

CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).

CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038).

CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded.
There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897).

CVE-2019-18809: A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1156258).

CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).

CVE-2019-19057: Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures (bnc#1157197).

CVE-2019-19056: A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures (bnc#1157197).

CVE-2019-19068: A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157307).

CVE-2019-19063: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157298).

CVE-2019-19227: In the AppleTalk subsystem in the Linux kernel there was a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client (bnc#1157678).

CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191).

CVE-2019-19077: A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering copy to udata failures (bnc#1157171).

CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).

CVE-2019-19067: Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures (bsc#1157180).

CVE-2019-19060: A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157178).

CVE-2019-19049: A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering of_fdt_unflatten_tree() failures (bsc#1157173).

CVE-2019-19075: A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures (bnc#1157162).

CVE-2019-19058: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures (bnc#1157145).

CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).

CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function (bnc#1157070).

CVE-2019-15916: An issue was discovered in the Linux kernel There was a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service (bnc#1149448).

CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466).

CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187).

CVE-2019-17055: base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket (bnc#1152782).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP 3 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).

CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038).

CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded.
There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897).

CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).

CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191).

CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).

CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).

CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function (bnc#1157070).

CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466).

CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187).

CVE-2019-18680: An issue was discovered in the Linux kernel. There was a NULL pointer dereference in rds_tcp_kill_sock() in net/rds/tcp.c that will cause denial of service (bnc#1155898).

CVE-2019-15213: An use-after-free was fixed caused by malicious USB device in drivers/media/usb/dvb-usb/dvb-usb-init.c (bsc#1146544).

CVE-2019-19536: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_pro.c (bsc#1158394).

CVE-2019-19534: An uninitialized Kernel memory can leak to USB devices in drivers/net/can/usb/peak_usb/pcan_usb_core.c (bsc#1158398).

CVE-2019-19530: An use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bsc#1158410).

CVE-2019-19524: An use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bsc#1158413).

CVE-2019-19525: An use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bsc#1158417).

CVE-2019-19531: An use-after-free in yurex_delete may lead to denial of service (bsc#1158445).

CVE-2019-19523: An use-after-free on disconnect in USB adutux (bsc#1158823).

CVE-2019-19532: An out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers (bsc#1158824).

CVE-2019-19332: An out-of-bounds memory write via kvm_dev_ioctl_get_cpuid (bsc#1158827).

CVE-2019-19533: An info-leak bug that can be caused by a malicious USB device in the drivers/media/usb/ttusb-dec/ttusb_dec.c driver (bsc#1158834).

CVE-2019-19527: An use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver (bsc#1158900).

CVE-2019-19535: An info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver (bsc#1158903).

CVE-2019-19537: Two races in the USB character device registration and deregistration routines (bsc#1158904).

CVE-2019-19338: An incomplete fix for Transaction Asynchronous Abort (TAA) (bsc#1158954).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).

CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038).

CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded.
There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897).

CVE-2019-18809: A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1156258).

CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).

CVE-2019-19057: Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures (bnc#1157197).

CVE-2019-19056: A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures (bnc#1157197).

CVE-2019-19068: A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157307).

CVE-2019-19063: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157298).

CVE-2019-19227: In the AppleTalk subsystem in the Linux kernel there was a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client (bnc#1157678).

CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191).

CVE-2019-19077: A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering copy to udata failures (bnc#1157171).

CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).

CVE-2019-19067: Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures (bsc#1157180).

CVE-2019-19060: A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157178).

CVE-2019-19049: A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering of_fdt_unflatten_tree() failures (bsc#1157173).

CVE-2019-19075: A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures (bnc#1157162).

CVE-2019-19058: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures (bnc#1157145).

CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).

CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function (bnc#1157070).

CVE-2019-15916: An issue was discovered in the Linux kernel There was a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service (bnc#1149448).

CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466).

CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187).

CVE-2019-17055: base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket (bnc#1152782).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-19531: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/yurex.c driver (bnc#1158445).

CVE-2019-19543: There was a use-after-free in serial_ir_init_module() in drivers/media/rc/serial_ir.c (bnc#1158427).

CVE-2019-19525: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver (bnc#1158417).

CVE-2019-19530: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver (bnc#1158410).

CVE-2019-19536: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver (bnc#1158394).

CVE-2019-19524: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver (bnc#1158413).

CVE-2019-19528: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/iowarrior.c driver (bnc#1158407).

CVE-2019-19534: There was an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver (bnc#1158398).

CVE-2019-19529: There was a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver (bnc#1158381).

CVE-2019-14901: A heap overflow flaw was found in the Linux kernel in Marvell WiFi chip driver. The vulnerability allowed a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system (bnc#1157042).

CVE-2019-14895: A heap-based buffer overflow was discovered in the Linux kernel in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could have allowed the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).

CVE-2019-18660: The Linux kernel on powerpc allowed Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038).

CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded.
There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897).

CVE-2019-18809: A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1156258).

CVE-2019-19046: A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure (bnc#1157304).

CVE-2019-19078: A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157032).

CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures (bnc#1157333).

CVE-2019-19057: Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures (bnc#1157197).

CVE-2019-19056: A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures (bnc#1157197).

CVE-2019-19068: A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157307).

CVE-2019-19063: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157298).

CVE-2019-19227: In the AppleTalk subsystem in the Linux kernel there was a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client (bnc#1157678).

CVE-2019-19081: A memory leak in the nfp_flower_spawn_vnic_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157045).

CVE-2019-19080: Four memory leaks in the nfp_flower_spawn_phy_reprs() function in drivers/net/ethernet/netronome/nfp/flower/main.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157044).

CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures (bnc#1157191).

CVE-2019-19077: A memory leak in the bnxt_re_create_srq() function in drivers/infiniband/hw/bnxt_re/ib_verbs.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering copy to udata failures (bnc#1157171).

CVE-2019-19052: A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_usb.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures (bnc#1157324).

CVE-2019-19067: Four memory leaks in the acp_hw_init() function in drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering mfd_add_hotplug_devices() or pm_genpd_add_device() failures (bsc#1157180).

CVE-2019-19060: A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157178).

CVE-2019-19049: A memory leak in the unittest_data_add() function in drivers/of/unittest.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering of_fdt_unflatten_tree() failures (bsc#1157173).

CVE-2019-19075: A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures (bnc#1157162).

CVE-2019-19058: A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures (bnc#1157145).

CVE-2019-19074: A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) (bnc#1157143).

CVE-2019-19073: Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel allowed attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, and the htc_connect_service() function (bnc#1157070).

CVE-2019-19083: Memory leaks in *clock_source_create() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel allowed attackers to cause a denial of service (memory consumption). This affects the dce112_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c, the dce100_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the dcn10_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, the dcn20_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c, the dce120_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the dce110_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, and the dce80_clock_source_create() function in drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c (bnc#1157049).

CVE-2019-19082: Memory leaks in *create_resource_pool() functions under drivers/gpu/drm/amd/display/dc in the Linux kernel allowed attackers to cause a denial of service (memory consumption). This affects the dce120_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c, the dce110_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c, the dce100_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c, the dcn10_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c, and the dce112_create_resource_pool() function in drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c (bnc#1157046).

CVE-2019-15916: An issue was discovered in the Linux kernel There was a memory leak in register_queue_kobjects() in net/core/net-sysfs.c, which will cause denial of service (bnc#1149448).

CVE-2019-0154: Insufficient access control in subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6 and E-2100 Processor Families may have allowed an authenticated user to potentially enable denial of service via local access (bnc#1135966).

CVE-2019-16231: drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 did not check the alloc_workqueue return value, leading to a NULL pointer dereference (bnc#1150466).

CVE-2019-18805: An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux kernel There was a net/ipv4/tcp_input.c signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact (bnc#1156187).

CVE-2019-17055: base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket (bnc#1152782).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 15 SP1 RT kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-15916: Fixed a memory leak in register_queue_kobjects() which might have led denial of service (bsc#1149448).

CVE-2019-0154: Fixed an improper access control in subsystem for Intel (R) processor graphics whichs may have allowed an authenticated user to potentially enable denial of service via local access (bsc#1135966).

CVE-2019-0155: Fixed an improper access control in subsystem for Intel (R) processor graphics whichs may have allowed an authenticated user to potentially enable escalation of privilege via local access (bsc#1135967).

CVE-2019-16231: Fixed a NULL pointer dereference due to lack of checking the alloc_workqueue return value (bsc#1150466).

CVE-2019-18805: Fixed an integer overflow in tcp_ack_update_rtt() leading to a denial of service or possibly unspecified other impact (bsc#1156187).

CVE-2019-17055: Enforced CAP_NET_RAW in the AF_ISDN network module to restrict unprivileged users to create a raw socket (bsc#1152782).

CVE-2019-16995: Fixed a memory leak in hsr_dev_finalize() which may have caused denial of service (bsc#1152685).

CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described 'Microarchitectural Data Sampling' attack.(bsc#1139073). The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW). The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251

CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference.
(bsc#1150457).

CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional.

CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903)

CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).

CVE-2019-16232: Fix a potential NULL pointer dereference in the Marwell libertas driver (bsc#1150465).

CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452).

CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158).

CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788).

CVE-2019-15291: Fixed a NULL pointer dereference caused by a malicious USB device in the flexcop_usb_probe function (bsc#1146519).

CVE-2019-14821: Fixed an out-of-bounds access resulting in a denial of service or potentially escalating privileges on the system (bnc#1151350).

CVE-2017-18595: Fixed a double free which caused by the function allocate_trace_buffer (bsc#1149555).

CVE-2019-9506: Fixed an issue with Bluetooth which permited low encryption key length and did not prevent an attacker from influencing the key length negotiation allowing brute-force attacks (bsc#1137865).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2019-19081: Fixed a memory leak in the nfp_flower_spawn_vnic_reprs() could have allowed attackers to cause a denial of service (bsc#1157045).

CVE-2019-19080: Fixed four memory leaks in the nfp_flower_spawn_phy_reprs() could have allowed attackers to cause a denial of service (bsc#1157044).

CVE-2019-19052: Fixed a memory leak in the gs_can_open() which could have led to denial of service (bsc#1157324).

CVE-2019-19067: Fixed multiple memory leaks in acp_hw_init (bsc#1157180).

CVE-2019-19060: Fixed a memory leak in the adis_update_scan_mode() which could have led to denial of service (bsc#1157178).

CVE-2019-19049: Fixed a memory leak in unittest_data_add (bsc#1157173).

CVE-2019-19075: Fixed a memory leak in the ca8210_probe() which could have led to denial of service by triggering ca8210_get_platform_data() failures (bsc#1157162).

CVE-2019-19058: Fixed a memory leak in the alloc_sgtable() which could have led to denial of service by triggering alloc_page() failures (bsc#1157145).

CVE-2019-19074: Fixed a memory leak in the ath9k_wmi_cmd() function which could have led to denial of service (bsc#1157143).

CVE-2019-19073: Fixed multiple memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c which could have led to denial of service by triggering wait_for_completion_timeout() failures (bsc#1157070).

CVE-2019-19083: Fixed multiple memory leaks in *clock_source_create() functions which could have led to denial of service (bsc#1157049).

CVE-2019-19082: Fixed multiple memory leaks in *create_resource_pool() which could have led to denial of service (bsc#1157046).

CVE-2019-15916: Fixed a memory leak in register_queue_kobjects() which might have led denial of service (bsc#1149448).

CVE-2019-0154: Fixed an improper access control in subsystem for Intel (R) processor graphics whichs may have allowed an authenticated user to potentially enable denial of service via local access (bsc#1135966).

CVE-2019-0155: Fixed an improper access control in subsystem for Intel (R) processor graphics whichs may have allowed an authenticated user to potentially enable escalation of privilege via local access (bsc#1135967).

CVE-2019-16231: Fixed a NULL pointer dereference due to lack of checking the alloc_workqueue return value (bsc#1150466).

CVE-2019-18805: Fixed an integer overflow in tcp_ack_update_rtt() leading to a denial of service or possibly unspecified other impact (bsc#1156187).

CVE-2019-17055: Enforced CAP_NET_RAW in the AF_ISDN network module to restrict unprivileged users to create a raw socket (bsc#1152782).

CVE-2019-16995: Fixed a memory leak in hsr_dev_finalize() which may have caused denial of service (bsc#1152685).

CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference.
(bsc#1150457).

CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903)

CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).

CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788).

CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's kvm hypervisor. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system (bnc#1151350).

CVE-2017-18595: A double free in allocate_trace_buffer was fixed (bnc#1149555).

CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently low encryption key length and did not prevent an attacker from influencing the key length negotiation. This allowed practical brute-force attacks (aka 'KNOB') that could decrypt traffic and inject arbitrary ciphertext without the victim noticing (bnc#1137865).

CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost functionality that translates virtqueue buffers to IOVs. A privileged guest user able to pass descriptors with invalid length to the host could use this flaw to increase their privileges on the host (bnc#1150112).

CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been fixed. This issue could lead to local escalation of privilege with System execution privileges needed. (bnc#1150025).

CVE-2019-15030, CVE-2019-15031: On the powerpc platform, a local user could read vector registers of other users' processes via an interrupt (bsc#1149713).

CVE-2019-18683: An issue was discovered in drivers/media/platform/vivid. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free (bnc#1155897).

CVE-2019-18809: A memory leak in the af9005_identify_state() function in drivers/media/usb/dvb-usb/af9005.c allows attackers to cause a denial of service (memory consumption), aka CID-2289adbfa559 (bnc#1156258).

CVE-2019-19078: A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wireless/ath/ath10k/usb.c allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-b8d17e7d93d2 (bnc#1157032).

CVE-2019-18660: The Linux kernel on powerpc allows Information Exposure because the Spectre-RSB mitigation is not in place for all applicable CPUs, aka CID-39e72bf96f58. This is related to arch/powerpc/kernel/entry_64.S and arch/powerpc/kernel/security.c (bnc#1157038).

CVE-2019-14895: A heap-based buffer overflow was discovered in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1157158).

CVE-2019-19065: A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi1/sdma.c allows attackers to cause a denial of service (memory consumption) by triggering rhashtable_init() failures, aka CID-34b3be18a04e (bnc#1157191).

CVE-2019-19057: Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drivers/net/wireless/marvell/mwifiex/pcie.c allow attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-d10dcb615c8e (bnc#1157193).

CVE-2019-19056: A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drivers/net/wireless/marvell/mwifiex/pcie.c allows attackers to cause a denial of service (memory consumption) by triggering mwifiex_map_pci_memory() failures, aka CID-db8fd2cde932 (bnc#1157197).

CVE-2019-19063: Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113 (bnc#1157298).

CVE-2019-19046: A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c allow attackers to cause a denial of service (bsc#1157304).

CVE-2019-19068: A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c allows attackers to cause a denial of service (memory consumption) by triggering usb_submit_urb() failures, aka CID-a2cdd07488e6 (bnc#1157307).

CVE-2019-19062: A memory leak in the crypto_report() function in crypto/crypto_user_base.c allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042 (bnc#1157333).

CVE-2019-19227: In the AppleTalk subsystem, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122 (bnc#1157678).

CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described 'Microarchitectural Data Sampling' attack.

The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW).

The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional.

The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685).

CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described 'Microarchitectural Data Sampling' attack.

The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW).

The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251 CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150457).

CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903).

CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).

CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158).

CVE-2019-16232: Fix a potential NULL pointer dereference in the Marwell libertas driver (bsc#1150465).

CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452).

CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bnc#1152782).

CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788).

CVE-2019-16413: The 9p filesystem did not protect i_size_write() properly, which caused an i_size_read() infinite loop and denial of service on SMP systems (bnc#1151347).

CVE-2019-15902: A backporting issue was discovered that re-introduced the Spectre vulnerability it had aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped (bnc#1149376).

CVE-2019-15291: Fixed a NULL pointer dereference issue that could be caused by a malicious USB device (bnc#1146519).

CVE-2019-15807: Fixed a memory leak in the SCSI module that could be abused to cause denial of service (bnc#1148938).

CVE-2019-13272: Fixed a mishandled the recording of the credentials of a process that wants to create a ptrace relationship, which allowed local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker).
(bnc#1140671).

CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's kvm hypervisor. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system (bnc#1151350).

CVE-2019-15505: An out-of-bounds issue had been fixed that could be caused by crafted USB device traffic (bnc#1147122).

CVE-2017-18595: A double free in allocate_trace_buffer was fixed (bnc#1149555).

CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost functionality that translates virtqueue buffers to IOVs. A privileged guest user able to pass descriptors with invalid length to the host could use this flaw to increase their privileges on the host (bnc#1150112).

CVE-2019-15216: A NULL pointer dereference was fixed that could be malicious USB device (bnc#1146361).

CVE-2019-15924: A a NULL pointer dereference has been fixed in the drivers/net/ethernet/intel/fm10k module (bnc#1149612).

CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been fixed. This issue could lead to local escalation of privilege with System execution privileges needed. (bnc#1150025).

CVE-2019-15926: An out-of-bounds access was fixed in the drivers/net/wireless/ath/ath6kl module. (bnc#1149527).

CVE-2019-15927: An out-of-bounds access was fixed in the sound/usb/mixer module (bnc#1149522).

CVE-2019-15666: There was an out-of-bounds array access in the net/xfrm module that could cause denial of service (bnc#1148394).

CVE-2019-15219: A NULL pointer dereference was fixed that could be abused by a malicious USB device (bnc#1146519 1146524).

CVE-2019-15220: A use-after-free issue was fixed that could be caused by a malicious USB device (bnc#1146519 1146526).

CVE-2019-15221: A NULL pointer dereference was fixed that could be caused by a malicious USB device (bnc#1146519 1146529).

CVE-2019-14814: A heap-based buffer overflow was fixed in the marvell wifi chip driver. That issue allowed local users to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146512).

CVE-2019-14815: A missing length check while parsing WMM IEs was fixed (bsc#1146512, bsc#1146514, bsc#1146516).

CVE-2019-14816: A heap-based buffer overflow in the marvell wifi chip driver was fixed. Local users would have abused this issue to cause a denial of service (system crash) or possibly execute arbitrary code (bnc#1146516).

CVE-2017-18509: An issue in net/ipv6 as fixed. By setting a specific socket option, an attacker could control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root (e.g., inside a default LXC container or with the CAP_NET_ADMIN capability) or after namespace unsharing. (bnc#1145477)

CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently low encryption key length and did not prevent an attacker from influencing the key length negotiation. This allowed practical brute-force attacks (aka 'KNOB') that could decrypt traffic and inject arbitrary ciphertext without the victim noticing (bnc#1137865).

CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath was fixed (bnc#1146378).

CVE-2019-15290: A NULL pointer dereference in ath6kl_usb_alloc_urb_from_pipe was fixed (bsc#1146378).

CVE-2019-15212: A double-free issue was fixed in drivers/usb driver (bnc#1146391).

CVE-2016-10906: A use-after-free issue was fixed in drivers/net/ethernet/arc (bnc#1146584).

CVE-2019-15211: A use-after-free issue caused by a malicious USB device was fixed in the drivers/media/v4l2-core driver (bnc#1146519).

CVE-2019-15217: A a NULL pointer dereference issue caused by a malicious USB device was fixed in the drivers/media/usb/zr364xx driver (bnc#1146519).

CVE-2019-15214: An a use-after-free issue in the sound subsystem was fixed (bnc#1146519).

CVE-2019-15218: A NULL pointer dereference caused by a malicious USB device was fixed in the drivers/media/usb/siano driver (bnc#1146413).

CVE-2019-15215: A use-after-free issue caused by a malicious USB device was fixed in the drivers/media/usb/cpia2 driver (bnc#1146425).

CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver (bnc#1146285).

CVE-2019-0154: An unprotected read access to i915 registers has been fixed that could have been abused to facilitate a local denial-of-service attack. (bsc#1135966)

CVE-2019-0155: A privilege escalation vulnerability has been fixed in the i915 module that allowed batch buffers from user mode to gain super user privileges. (bsc#1135967)

CVE-2019-16231: The fjes driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bnc#1150466)

CVE-2019-18805: Fix signed integer overflow in tcp_ack_update_rtt() that could have lead to a denial of service or possibly unspecified other impact (bsc#1156187)

CVE-2019-18680: A NULL pointer dereference in rds_tcp_kill_sock() could cause denial of service (bnc#1155898)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The openSUSE Leap 15.1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2019-0154: An unprotected read access to i915     registers has been fixed that could have been abused to     facilitate a local denial-of-service attack.
    (bsc#1135966)

  - CVE-2019-0155: A privilege escalation vulnerability has     been fixed in the i915 module that allowed batch buffers     from user mode to gain super user privileges.
    (bsc#1135967)

  - CVE-2019-16231: drivers/net/fjes/fjes_main.c did not     check the alloc_workqueue return value, leading to a     NULL pointer dereference (bnc#1150466).

  - CVE-2019-18805: There was a net/ipv4/tcp_input.c signed     integer overflow in tcp_ack_update_rtt() when userspace     writes a very large integer to     /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial     of service or possibly unspecified other impact, aka     CID-19fad20d15a6 (bnc#1156187).

  - CVE-2019-17055: base_sock_create in     drivers/isdn/mISDN/socket.c in the AF_ISDN network     module did not enforce CAP_NET_RAW, which means that     unprivileged users can create a raw socket, aka     CID-b91ee4aa2a21 (bnc#1152782).

  - CVE-2019-11135: Aborting an asynchronous TSX operation     on Intel CPUs with Transactional Memory support could be     used to facilitate sidechannel information leaks out of     microarchitectural buffers, similar to the previously     described 'Microarchitectural Data Sampling' attack.

    The Linux kernel was supplemented with the option to     disable TSX operation altogether (requiring CPU     Microcode updates on older systems) and better flushing     of microarchitectural buffers (VERW).

    The set of options available is described in our TID at     https://www.suse.com/support/kb/doc/?id=7024251

  - CVE-2018-12207: Untrusted virtual machines on Intel CPUs     could exploit a race condition in the Instruction Fetch     Unit of the Intel CPU to cause a Machine Exception     during Page Size Change, causing the CPU core to be     non-functional.

    The Linux Kernel kvm hypervisor was adjusted to avoid     page size changes in executable pages by splitting /     merging huge pages into small pages as needed.

    More information can be found on     https://www.suse.com/support/kb/doc/?id=7023735

  - CVE-2019-10220: Added sanity checks on the pathnames     passed to the user space. (bsc#1144903).

The following non-security bugs were fixed :

  - ALSA: bebob: Fix prototype of helper function to return     negative value (bsc#1051510).

  - ALSA: bebob: fix to detect configured source of sampling     clock for Focusrite Saffire Pro i/o series (git-fixes).

  - ALSA: firewire-motu: add support for MOTU 4pre     (bsc#1111666).

  - ALSA: hda/ca0132 - Fix possible workqueue stall     (bsc#1155836).

  - ALSA: hda/realtek - Add support for ALC623     (bsc#1051510).

  - ALSA: hda/realtek - Fix 2 front mics of codec 0x623     (bsc#1051510).

  - ALSA: timer: Fix incorrectly assigned timer instance     (git-fixes).

  - ALSA: timer: Fix mutex deadlock at releasing card     (bsc#1051510).

  - ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB     Interface (bsc#1051510).

  - ALSA: usb-audio: Disable quirks for BOSS Katana     amplifiers (bsc#1111666).

  - ALSA: usb-audio: Fix copy&paste error in the validator     (bsc#1111666).

  - arm64: Add decoding macros for CP15_32 and CP15_64 traps     (jsc#ECO-561).

  - arm64: Add part number for Neoverse N1 (jsc#ECO-561).

  - arm64: Add silicon-errata.txt entry for ARM erratum     1188873 (jsc#ECO-561).

  - arm64: Add support for new control bits CTR_EL0.DIC and     CTR_EL0.IDC (jsc#ECO-561,jsc#SLE-10671).

  - arm64: Apply ARM64_ERRATUM_1188873 to Neoverse-N1     (jsc#ECO-561).

  - arm64: arch_timer: Add workaround for ARM erratum     1188873 (jsc#ECO-561).

  - arm64: arch_timer: avoid unused function warning     (jsc#ECO-561).

  - arm64: compat: Add CNTFRQ trap handler (jsc#ECO-561).

  - arm64: compat: Add CNTVCT trap handler (jsc#ECO-561).

  - arm64: compat: Add condition code checks and IT advance     (jsc#ECO-561).

  - arm64: compat: Add cp15_32 and cp15_64 handler arrays     (jsc#ECO-561).

  - arm64: compat: Add separate CP15 trapping hook     (jsc#ECO-561).

  - arm64: compat: Workaround Neoverse-N1 #1542419 for     compat user-space (jsc#ECO-561,jsc#SLE-10671).

  - arm64: cpu_errata: Remove     ARM64_MISMATCHED_CACHE_LINE_SIZE     (jsc#ECO-561,jsc#SLE-10671).

  - arm64/cpufeature: Convert hook_lock to raw_spin_lock_t     in cpu_enable_ssbs() (jsc#ECO-561).

  - arm64: cpufeature: ctr: Fix cpu capability check for     late CPUs (jsc#ECO-561,jsc#SLE-10671).

  - arm64: cpufeature: Detect SSBS and advertise to     userspace (jsc#ECO-561).

  - arm64: cpufeature: Fix handling of CTR_EL0.IDC field     (jsc#ECO-561,jsc#SLE-10671).

  - arm64: cpufeature: Trap CTR_EL0 access only where it is     necessary (jsc#ECO-561,jsc#SLE-10671).

  - arm64: cpu: Move errata and feature enable callbacks     closer to callers (jsc#ECO-561).

  - arm64: entry: Allow handling of undefined instructions     from EL1 (jsc#ECO-561).

  - arm64: errata: Hide CTR_EL0.DIC on systems affected by     Neoverse-N1 #1542419 (jsc#ECO-561,jsc#SLE-10671).

  - arm64: Fake the IminLine size on systems affected by     Neoverse-N1 #1542419 (jsc#ECO-561,jsc#SLE-10671).

  - arm64: Fix mismatched cache line size detection     (jsc#ECO-561,jsc#SLE-10671).

  - arm64: Fix silly typo in comment (jsc#ECO-561).

  - arm64: fix SSBS sanitization (jsc#ECO-561).

  - arm64: force_signal_inject: WARN if called from kernel     context (jsc#ECO-561).

  - arm64: Force SSBS on context switch (jsc#ECO-561).

  - arm64: Handle erratum 1418040 as a superset of erratum     1188873 (jsc#ECO-561).

  - arm64: Introduce sysreg_clear_set() (jsc#ECO-561).

  - arm64: kill change_cpacr() (jsc#ECO-561).

  - arm64: kill config_sctlr_el1() (jsc#ECO-561).

  - arm64: KVM: Add invalidate_icache_range helper     (jsc#ECO-561,jsc#SLE-10671).

  - arm64: KVM: PTE/PMD S2 XN bit definition     (jsc#ECO-561,jsc#SLE-10671).

  - arm64: Make ARM64_ERRATUM_1188873 depend on COMPAT     (jsc#ECO-561).

  - arm64: move SCTLR_EL(1,2) assertions to <asm/sysreg.h>     (jsc#ECO-561).

  - arm64: Restrict ARM64_ERRATUM_1188873 mitigation to     AArch32 (jsc#ECO-561).

  - arm64: ssbd: Add support for PSTATE.SSBS rather than     trapping to EL3 (jsc#ECO-561).

  - arm64: ssbd: Drop #ifdefs for PR_SPEC_STORE_BYPASS     (jsc#ECO-561).

  - arm: KVM: Add optimized PIPT icache flushing     (jsc#ECO-561,jsc#SLE-10671).

  - ath10k: assign 'n_cipher_suites = 11' for WCN3990 to     enable WPA3 (bsc#1111666).

  - brcmfmac: sdio: Disable auto-tuning around commands     expected to fail (bsc#1111666).

  - brcmfmac: sdio: Do not tune while the card is off     (bsc#1111666).

  - can: dev: call netif_carrier_off() in register_candev()     (bsc#1051510).

  - config: arm64: enable erratum 1418040 and 1542419

  - dmaengine: bcm2835: Print error in case setting DMA mask     fails (bsc#1051510).

  - dmaengine: imx-sdma: fix size check for sdma     script_number (bsc#1051510).

  - drm/amd/display: fix odm combine pipe reset     (bsc#1111666).

  - drm/amdgpu: fix memory leak (bsc#1111666).

  - drm/amdgpu/powerplay/vega10: allow undervolting in p7     (bsc#1111666).

  - drm/i915: Add gen9 BCS cmdparsing (bsc#1135967)

  - drm/i915: Add gen9 BCS cmdparsing (bsc#1135967)

  - drm/i915: Add support for mandatory cmdparsing     (bsc#1135967)

  - drm/i915: Add support for mandatory cmdparsing     (bsc#1135967)

  - drm/i915: Allow parsing of unsized batches (bsc#1135967)

  - drm/i915: Allow parsing of unsized batches (bsc#1135967)

  - drm/i915/cmdparser: Add support for backward jumps     (bsc#1135967)

  - drm/i915/cmdparser: Add support for backward jumps     (bsc#1135967)

  - drm/i915/cmdparser: Ignore Length operands during     (bsc#1135967)

  - drm/i915/cmdparser: Ignore Length operands during     command matching (bsc#1135967)

  - drm/i915/cmdparser: Use explicit goto for error paths     (bsc#1135967)

  - drm/i915/cmdparser: Use explicit goto for error paths     (bsc#1135967)

  - drm/i915/cml: Add second PCH ID for CMP (bsc#1111666).

  - drm/i915: Disable Secure Batches for gen6+

  - drm/i915: Disable Secure Batches for gen6+ (bsc#1135967)

  - drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967)

  - drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967)

  - drm/i915/gtt: Add read only pages to gen8_pte_encode     (bsc#1135967)

  - drm/i915/gtt: Disable read-only support under GVT     (bsc#1135967)

  - drm/i915/gtt: Read-only pages for insert_entries on bdw     (bsc#1135967)

  - drm/i915/ilk: Fix warning when reading emon_status with     no output (bsc#1111666).

  - drm/i915: Lower RM timeout to avoid DSI hard hangs     (bsc#1135967)

  - drm/i915: Lower RM timeout to avoid DSI hard hangs     (bsc#1135967)

  - drm/i915: Prevent writing into a read-only object via a     GGTT mmap (bsc#1135967)

  - drm/i915: Remove Master tables from cmdparser

  - drm/i915: Remove Master tables from cmdparser     (bsc#1135967)

  - drm/i915: Rename gen7 cmdparser tables (bsc#1135967)

  - drm/i915: Rename gen7 cmdparser tables (bsc#1135967)

  - drm/i915: Support ro ppgtt mapped cmdparser shadow     (bsc#1135967)

  - drm/i915: Support ro ppgtt mapped cmdparser shadow     buffers (bsc#1135967)

  - drm/msm/dpu: handle failures while initializing displays     (bsc#1111666).

  - hyperv: set nvme msi interrupts to unmanaged     (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461,     bsc#1119465, bsc#1138190, bsc#1154905).

  - IB/core: Add mitigation for Spectre V1 (bsc#1155671)

  - integrity: prevent deadlock during digsig verification     (bsc#1090631).

  - irqchip/gic-v3-its: Fix command queue pointer comparison     bug (jsc#ECO-561).

  - irqchip/gic-v3-its: Fix LPI release for Multi-MSI     devices (jsc#ECO-561).

  - irqchip/gic-v3-its: Fix misuse of GENMASK macro     (jsc#ECO-561).

  - iwlwifi: do not panic in error path on non-msix systems     (bsc#1155692).

  - iwlwifi: exclude GEO SAR support for 3168 (bsc#1111666).

  - iwlwifi: exclude GEO SAR support for 3168 (git-fixes).

  - iwlwifi: fw: do not send GEO_TX_POWER_LIMIT command to     FW version 36 (bsc#1111666).

  - kabi protect enum RDMA_DRIVER_EFA (jsc#SLE-4805)

  - kABI workaround for drm_vma_offset_node readonly field     addition (bsc#1135967)

  - kABI workaround for mmc_host retune_crc_disable flag     addition (bsc#1111666).

  - KVM: arm64: Set SCTLR_EL2.DSSBS if SSBD is forcefully     disabled and !vhe (jsc#ECO-561).

  - KVM: arm/arm64: Clean dcache to PoC when changing PTE     due to CoW (jsc#ECO-561,jsc#SLE-10671).

  - KVM: arm/arm64: Detangle kvm_mmu.h from kvm_hyp.h     (jsc#ECO-561,jsc#SLE-10671).

  - KVM: arm/arm64: Drop vcpu parameter from guest cache     maintenance operartions (jsc#ECO-561,jsc#SLE-10671).

  - KVM: arm/arm64: Limit icache invalidation to prefetch     aborts (jsc#ECO-561,jsc#SLE-10671).

  - KVM: arm/arm64: Only clean the dcache on translation     fault (jsc#ECO-561,jsc#SLE-10671).

  - KVM: arm/arm64: Preserve Exec permission across R/W     permission faults (jsc#ECO-561,jsc#SLE-10671).

  - KVM: arm/arm64: Split dcache/icache flushing     (jsc#ECO-561,jsc#SLE-10671).

  - KVM: vmx, svm: always run with EFER.NXE=1 when shadow     paging is active (bsc#1117665).

  - md/raid0: avoid RAID0 data corruption due to layout     confusion (bsc#1140090).

  - md/raid0: fix warning message for parameter     default_layout (bsc#1140090).

  - mmc: core: Add sdio_retune_hold_now() and     sdio_retune_release() (bsc#1111666).

  - mmc: core: API to temporarily disable retuning for SDIO     CRC errors (bsc#1111666).

  - Move upstreamed CA0132 fix into sorted section

  - net: openvswitch: free vport unless register_netdevice()     succeeds (git-fixes).

  - phylink: fix kernel-doc warnings (bsc#1111666).

  - power: supply: max14656: fix potential use-after-free     (bsc#1051510).

  - RDMA/efa: Add Amazon EFA driver (jsc#SLE-4805)

  - RDMA/hns: Add reset process for function-clear     (bsc#1155061).

  - RDMA/hns: Remove the some magic number (bsc#1155061).

  - RDMA/restrack: Track driver QP types in resource tracker     (jsc#SLE-4805)

  - Revert 'ALSA: hda: Flush interrupts on disabling'     (bsc#1051510).

  - Revert synaptics-rmi4 patch due to regression     (bsc#1155982) Also blacklisting it

  - rpm/kernel-subpackage-spec: Mention debuginfo in the     subpackage description (bsc#1149119).

  - s390: add support for IBM z15 machines (bsc#1152696     LTC#181731).

  - s390/cpumsf: Check for CPU Measurement sampling     (bsc#1153681 LTC#181855).

  - s390: fix setting of mio addressing control (bsc#1152665     LTC#181729).

  - s390/pci: add mio_enabled attribute (bsc#1152665     LTC#181729).

  - s390/pci: correctly handle MIO opt-out (bsc#1152665     LTC#181729).

  - s390/pci: deal with devices that have no support for MIO     instructions (bsc#1152665 LTC#181729).

  - s390/pci: fix MSI message data (bsc#1152697 LTC#181730).

  - sc16is7xx: Fix for 'Unexpected interrupt: 8'     (bsc#1051510).

  - sched/fair: Avoid divide by zero when rebalancing     domains (bsc#1096254).

  - scsi: lpfc: Limit xri count for kdump environment     (bsc#1154124).

  - scsi: qla2xxx: Add error handling for PLOGI ELS     passthrough (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Capture FW dump on MPI heartbeat stop     event (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Check for MB timeout while capturing     ISP27/28xx FW dump (bsc#1143706 bsc#1082635     bsc#1123034).

  - scsi: qla2xxx: Do command completion on abort timeout     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: do not use zero for FC4_PRIORITY_NVME     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Dual FCP-NVMe target port support     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Fix a dma_pool_free() call (bsc#1143706     bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Fix device connect issues in P2P     configuration (bsc#1143706 bsc#1082635 bsc#1154526     bsc#1048942).

  - scsi: qla2xxx: Fix double scsi_done for abort path     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Fix driver unload hang (bsc#1143706     bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Fix memory leak when sending I/O fails     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Fix N2N link reset (bsc#1143706     bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Fix N2N link up fail (bsc#1143706     bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Fix partial flash write of MBI     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Fix SRB leak on switch command timeout     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Fix stale mem access on driver unload     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Fix unbound sleep in fcport delete path     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: fixup incorrect usage of host_byte     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Improve logging for scan thread     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Initialized mailbox to prevent driver     load failure (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: initialize fc4_type_priority (bsc#1143706     bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Optimize NPIV tear down process     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Remove an include directive (bsc#1143706     bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: remove redundant assignment to pointer     host (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Retry PLOGI on FC-NVMe PRLI failure     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Set remove flag for all VP (bsc#1143706     bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Silence fwdump template message     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: stop timer in shutdown path (bsc#1143706     bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Update driver version to 10.01.00.20-k     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Update driver version to 10.01.00.21-k     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: sd: Ignore a failure to sync cache due to lack of     authorization (git-fixes).

  - scsi: storvsc: Add ability to change scsi queue depth     (bsc#1155021).

  - scsi: zfcp: fix reaction on bit error threshold     notification (bsc#1154956 LTC#182054).

  - serial: fix kernel-doc warning in comments     (bsc#1051510).

  - serial: mctrl_gpio: Check for NULL pointer     (bsc#1051510).

  - serial: uartlite: fix exit path NULL pointer     (bsc#1051510).

  - staging: rtl8188eu: fix null dereference when kzalloc     fails (bsc#1051510).

  - supporte.conf: add efivarfs to kernel-default-base     (bsc#1154858).

  - tracing: Get trace_array reference for available_tracers     files (bsc#1156429).

  - usb: gadget: Reject endpoints with 0 maxpacket value     (bsc#1051510).

  - usb: gadget: udc: atmel: Fix interrupt storm in FIFO     mode (bsc#1051510).

  - usb: handle warm-reset port requests on hub resume     (bsc#1051510).

  - usb: ldusb: fix control-message timeout (bsc#1051510).

  - usb: ldusb: fix ring-buffer locking (bsc#1051510).

  - usb: serial: whiteheat: fix line-speed endianness     (bsc#1051510).

  - usb: serial: whiteheat: fix potential slab corruption     (bsc#1051510).

  - usb-storage: Revert commit 747668dbc061 ('usb-storage:
    Set virt_boundary_mask to avoid SG overflows')     (bsc#1051510).

  - wil6210: fix freeing of rx buffers in EDMA mode     (bsc#1111666).

The openSUSE Leap 15.0 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

  - CVE-2019-0154: An unprotected read access to i915     registers has been fixed that could have been abused to     facilitate a local denial-of-service attack.
    (bsc#1135966)

  - CVE-2019-0155: A privilege escalation vulnerability has     been fixed in the i915 module that allowed batch buffers     from user mode to gain super user privileges.
    (bsc#1135967)

  - CVE-2019-16231: drivers/net/fjes/fjes_main.c did not     check the alloc_workqueue return value, leading to a     NULL pointer dereference (bnc#1150466).

  - CVE-2019-18805: There was a net/ipv4/tcp_input.c signed     integer overflow in tcp_ack_update_rtt() when userspace     writes a very large integer to     /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial     of service or possibly unspecified other impact, aka     CID-19fad20d15a6 (bnc#1156187).

  - CVE-2019-17055: base_sock_create in     drivers/isdn/mISDN/socket.c in the AF_ISDN network     module did not enforce CAP_NET_RAW, which means that     unprivileged users can create a raw socket, aka     CID-b91ee4aa2a21 (bnc#1152782).

  - CVE-2019-16995: A memory leak exits in     hsr_dev_finalize() in net/hsr/hsr_device.c, if     hsr_add_port fails to add a port, which may cause denial     of service, aka CID-6caabe7f197d (bnc#1152685).

  - CVE-2019-11135: Aborting an asynchronous TSX operation     on Intel CPUs with Transactional Memory support could be     used to facilitate sidechannel information leaks out of     microarchitectural buffers, similar to the previously     described 'Microarchitectural Data Sampling' attack.

    The Linux kernel was supplemented with the option to     disable TSX operation altogether (requiring CPU     Microcode updates on older systems) and better flushing     of microarchitectural buffers (VERW).

    The set of options available is described in our TID at     https://www.suse.com/support/kb/doc/?id=7024251

  - CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not     check the alloc_workqueue return value, leading to a     NULL pointer dereference (bnc#1150457).

  - CVE-2018-12207: Untrusted virtual machines on Intel CPUs     could exploit a race condition in the Instruction Fetch     Unit of the Intel CPU to cause a Machine Exception     during Page Size Change, causing the CPU core to be     non-functional.

    The Linux Kernel kvm hypervisor was adjusted to avoid     page size changes in executable pages by splitting /     merging huge pages into small pages as needed.

    More information can be found on     https://www.suse.com/support/kb/doc/?id=7023735

  - CVE-2019-10220: Added sanity checks on the pathnames     passed to the user space. (bsc#1144903).

The following non-security bugs were fixed :

  - ALSA: bebob: Fix prototype of helper function to return     negative value (bsc#1051510).

  - ALSA: bebob: fix to detect configured source of sampling     clock for Focusrite Saffire Pro i/o series (git-fixes).

  - ALSA: hda: Add Elkhart Lake PCI ID (bsc#1051510).

  - ALSA: hda: Add Tigerlake/Jasperlake PCI ID     (bsc#1051510).

  - ALSA: hda/ca0132 - Fix possible workqueue stall     (bsc#1155836).

  - ALSA: hda/realtek - Add support for ALC623     (bsc#1051510).

  - ALSA: hda/realtek - Add support for ALC711     (bsc#1051510).

  - ALSA: hda/realtek - Fix 2 front mics of codec 0x623     (bsc#1051510).

  - ALSA: timer: Fix incorrectly assigned timer instance     (git-fixes).

  - ALSA: timer: Fix mutex deadlock at releasing card     (bsc#1051510).

  - arcnet: provide a buffer big enough to actually receive     packets (networking-stable-19_09_30).

  - ASoc: rockchip: i2s: Fix RPM imbalance (bsc#1051510).

  - ASoC: rsnd: Reinitialize bit clock inversion flag for     every format setting (bsc#1051510).

  - bpf: fix use after free in prog symbol exposure     (bsc#1083647).

  - btrfs: block-group: Fix a memory leak due to missing     btrfs_put_block_group() (bsc#1155178).

  - btrfs: qgroup: Always free PREALLOC META reserve in     btrfs_delalloc_release_extents() (bsc#1155179).

  - btrfs: tracepoints: Fix bad entry members of qgroup     events (bsc#1155186).

  - btrfs: tracepoints: Fix wrong parameter order for qgroup     events (bsc#1155184).

  - can: dev: call netif_carrier_off() in register_candev()     (bsc#1051510).

  - crypto: af_alg - consolidation of duplicate code     (bsc#1154737).

  - crypto: af_alg - fix race accessing cipher request     (bsc#1154737).

  - crypto: af_alg - Fix race around ctx->rcvused by making     it atomic_t (bsc#1154737).

  - crypto: af_alg - Initialize sg_num_bytes in error code     path (bsc#1051510).

  - crypto: af_alg - remove locking in async callback     (bsc#1154737).

  - crypto: af_alg - update correct dst SGL entry     (bsc#1051510).

  - crypto: af_alg - wait for data at beginning of recvmsg     (bsc#1154737).

  - crypto: algif_aead - copy AAD from src to dst     (bsc#1154737).

  - crypto: algif_aead - fix reference counting of null     skcipher (bsc#1154737).

  - crypto: algif_aead - overhaul memory management     (bsc#1154737).

  - crypto: algif_aead - skip SGL entries with NULL page     (bsc#1154737).

  - crypto: algif - return error code when no data was     processed (bsc#1154737).

  - crypto: algif_skcipher - overhaul memory management     (bsc#1154737).

  - cxgb4:Fix out-of-bounds MSI-X info array access     (networking-stable-19_10_05).

  - dmaengine: bcm2835: Print error in case setting DMA mask     fails (bsc#1051510).

  - dmaengine: imx-sdma: fix size check for sdma     script_number (bsc#1051510).

  - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50     (bsc#1051510).

  - drm/i915: Add gen9 BCS cmdparsing (bsc#1135967)

  - drm/i915: Add support for mandatory cmdparsing     (bsc#1135967)

  - drm/i915: Allow parsing of unsized batches (bsc#1135967)

  - drm/i915/cmdparser: Add support for backward jumps     (bsc#1135967)

  - drm/i915/cmdparser: Ignore Length operands during     command matching (bsc#1135967)

  - drm/i915/cmdparser: Use explicit goto for error paths     (bsc#1135967)

  - drm/i915: Disable Secure Batches for gen6+

  - drm/i915/gen8+: Add RC6 CTX corruption WA (bsc#1135967)

  - drm/i915/gtt: Add read only pages to gen8_pte_encode     (bsc#1135967)

  - drm/i915/gtt: Disable read-only support under GVT     (bsc#1135967)

  - drm/i915/gtt: Read-only pages for insert_entries on bdw     (bsc#1135967)

  - drm/i915: Lower RM timeout to avoid DSI hard hangs     (bsc#1135967)

  - drm/i915: Prevent writing into a read-only object via a     GGTT mmap (bsc#1135967)

  - drm/i915: Remove Master tables from cmdparser

  - drm/i915: Rename gen7 cmdparser tables (bsc#1135967)

  - drm/i915: Support ro ppgtt mapped cmdparser shadow     buffers (bsc#1135967)

  - efi: cper: print AER info of PCIe fatal error     (bsc#1051510).

  - efi/memattr: Do not bail on zero VA if it equals the     region's PA (bsc#1051510).

  - efivar/ssdt: Do not iterate over EFI vars if no SSDT     override was specified (bsc#1051510).

  - HID: fix error message in hid_open_report()     (bsc#1051510).

  - HID: logitech-hidpp: do all FF cleanup in     hidpp_ff_destroy() (bsc#1051510).

  - hso: fix NULL-deref on tty open (bsc#1051510).

  - hyperv: set nvme msi interrupts to unmanaged     (jsc#SLE-8953, jsc#SLE-9221, jsc#SLE-4941, bsc#1119461,     bsc#1119465, bsc#1138190, bsc#1154905).

  - IB/core: Add mitigation for Spectre V1 (bsc#1155671)

  - ieee802154: ca8210: prevent memory leak (bsc#1051510).

  - input: synaptics-rmi4 - avoid processing unknown IRQs     (bsc#1051510).

  - integrity: prevent deadlock during digsig verification     (bsc#1090631).

  - ipv6: drop incoming packets having a v4mapped source     address (networking-stable-19_10_05).

  - ipv6: Handle missing host route in __ipv6_ifa_notify     (networking-stable-19_10_05).

  - iwlwifi: do not panic in error path on non-msix systems     (bsc#1155692).

  - iwlwifi: exclude GEO SAR support for 3168 (git-fixes).

  - kABI workaround for crypto/af_alg changes (bsc#1154737).

  - kABI workaround for drm_vma_offset_node readonly field     addition (bsc#1135967)

  - ksm: cleanup stable_node chain collapse case     (bnc#1144338).

  - ksm: fix use after free with merge_across_nodes = 0     (bnc#1144338).

  - ksm: introduce ksm_max_page_sharing per page     deduplication limit (bnc#1144338).

  - ksm: optimize refile of stable_node_dup at the head of     the chain (bnc#1144338).

  - ksm: swap the two output parameters of chain/chain_prune     (bnc#1144338).

  - KVM: vmx, svm: always run with EFER.NXE=1 when shadow     paging is active (bsc#1117665).

  - mac80211: fix txq NULL pointer dereference     (bsc#1051510).

  - mac80211: Reject malformed SSID elements (bsc#1051510).

  - md/raid0: avoid RAID0 data corruption due to layout     confusion (bsc#1140090).

  - md/raid0: fix warning message for parameter     default_layout (bsc#1140090).

  - Move upstreamed CA0132 fix into sorted section

  - netfilter: nf_nat: do not bug when mapping already     exists (bsc#1146612).

  - net: openvswitch: free vport unless register_netdevice()     succeeds (git-fixes).

  - net/phy: fix DP83865 10 Mbps HDX loopback disable     function (networking-stable-19_09_30).

  - net: qlogic: Fix memory leak in ql_alloc_large_buffers     (networking-stable-19_10_05).

  - net: qrtr: Stop rx_worker before freeing node     (networking-stable-19_09_30).

  - net/rds: Fix error handling in rds_ib_add_one()     (networking-stable-19_10_05).

  - net/rds: fix warn in rds_message_alloc_sgs     (bsc#1154848).

  - net/rds: remove user triggered WARN_ON in rds_sendmsg     (bsc#1154848).

  - net: Replace NF_CT_ASSERT() with WARN_ON()     (bsc#1146612).

  - net/sched: act_sample: do not push mac header on ip6gre     ingress (networking-stable-19_09_30).

  - net_sched: add policy validation for action attributes     (networking-stable-19_09_30).

  - net_sched: fix backward compatibility for TCA_ACT_KIND     (git-fixes).

  - net: Unpublish sk from sk_reuseport_cb before call_rcu     (networking-stable-19_10_05).

  - NFSv4.1 - backchannel request should hold ref on xprt     (bsc#1152624).

  - nl80211: fix NULL pointer dereference (bsc#1051510).

  - openvswitch: change type of UPCALL_PID attribute to     NLA_UNSPEC (networking-stable-19_09_30).

  - power: supply: max14656: fix potential use-after-free     (bsc#1051510).

  - qmi_wwan: add support for Cinterion CLS8 devices     (networking-stable-19_10_05).

  - r8152: Set macpassthru in reset_resume callback     (bsc#1051510).

  - rds: Fix warning (bsc#1154848).

  - Revert 'ALSA: hda: Flush interrupts on disabling'     (bsc#1051510).

  - Revert 'drm/radeon: Fix EEH during kexec' (bsc#1051510).

  - Revert synaptics-rmi4 patch due to regression     (bsc#1155982) Also blacklisting it

  - rpm/kernel-subpackage-spec: Mention debuginfo in the     subpackage description (bsc#1149119).

  - s390/cmf: set_schib_wait add timeout (bsc#1153509,     bsc#1153476).

  - s390/cpumsf: Check for CPU Measurement sampling     (bsc#1153681 LTC#181855).

  - sc16is7xx: Fix for 'Unexpected interrupt: 8'     (bsc#1051510).

  - sch_cbq: validate TCA_CBQ_WRROPT to avoid crash     (networking-stable-19_10_05).

  - sch_dsmark: fix potential NULL deref in dsmark_init()     (networking-stable-19_10_05).

  - sched/fair: Avoid divide by zero when rebalancing     domains (bsc#1096254).

  - sch_netem: fix a divide by zero in tabledist()     (networking-stable-19_09_30).

  - scsi: lpfc: Fix devices that do not return after devloss     followed by rediscovery (bsc#1137040).

  - scsi: lpfc: Limit xri count for kdump environment     (bsc#1154124).

  - scsi: qla2xxx: Add error handling for PLOGI ELS     passthrough (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Capture FW dump on MPI heartbeat stop     event (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Check for MB timeout while capturing     ISP27/28xx FW dump (bsc#1143706 bsc#1082635     bsc#1123034).

  - scsi: qla2xxx: Do command completion on abort timeout     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: do not use zero for FC4_PRIORITY_NVME     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Dual FCP-NVMe target port support     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Fix a dma_pool_free() call (bsc#1143706     bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Fix device connect issues in P2P     configuration (bsc#1143706 bsc#1082635 bsc#1154526     bsc#1048942).

  - scsi: qla2xxx: Fix double scsi_done for abort path     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Fix driver unload hang (bsc#1143706     bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Fix memory leak when sending I/O fails     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Fix N2N link reset (bsc#1143706     bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Fix N2N link up fail (bsc#1143706     bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Fix partial flash write of MBI     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Fix SRB leak on switch command timeout     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Fix stale mem access on driver unload     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Fix unbound sleep in fcport delete path     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: fixup incorrect usage of host_byte     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Fix wait condition in loop (bsc#1143706     bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Improve logging for scan thread     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Initialized mailbox to prevent driver     load failure (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: initialize fc4_type_priority (bsc#1143706     bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Optimize NPIV tear down process     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Remove an include directive (bsc#1143706     bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: remove redundant assignment to pointer     host (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Retry PLOGI on FC-NVMe PRLI failure     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: qla2xxx: Set remove flag for all VP (bsc#1143706     bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Silence fwdump template message     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: stop timer in shutdown path (bsc#1143706     bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Update driver version to 10.01.00.20-k     (bsc#1143706 bsc#1082635 bsc#1123034).

  - scsi: qla2xxx: Update driver version to 10.01.00.21-k     (bsc#1143706 bsc#1082635 bsc#1154526 bsc#1048942).

  - scsi: sd: Ignore a failure to sync cache due to lack of     authorization (git-fixes).

  - scsi: storvsc: Add ability to change scsi queue depth     (bsc#1155021).

  - scsi: zfcp: fix reaction on bit error threshold     notification (bsc#1154956 LTC#182054).

  - serial: fix kernel-doc warning in comments     (bsc#1051510).

  - serial: mctrl_gpio: Check for NULL pointer     (bsc#1051510).

  - serial: uartlite: fix exit path NULL pointer     (bsc#1051510).

  - skge: fix checksum byte order     (networking-stable-19_09_30).

  - staging: rtl8188eu: fix null dereference when kzalloc     fails (bsc#1051510).

  - staging: wlan-ng: fix exit return when sme->key_idx >=     NUM_WEPKEYS (bsc#1051510).

  - supporte.conf: add efivarfs to kernel-default-base     (bsc#1154858).

  - tipc: fix unlimited bundling of small messages     (networking-stable-19_10_05).

  - tracing: Get trace_array reference for available_tracers     files (bsc#1156429).

  - usb: gadget: Reject endpoints with 0 maxpacket value     (bsc#1051510).

  - usb: gadget: udc: atmel: Fix interrupt storm in FIFO     mode (bsc#1051510).

  - usb: handle warm-reset port requests on hub resume     (bsc#1051510).

  - usb: ldusb: fix control-message timeout (bsc#1051510).

  - usb: ldusb: fix memleak on disconnect (bsc#1051510).

  - usb: ldusb: fix NULL-derefs on driver unbind     (bsc#1051510).

  - usb: ldusb: fix read info leaks (bsc#1051510).

  - usb: ldusb: fix ring-buffer locking (bsc#1051510).

  - usb: legousbtower: fix a signedness bug in tower_probe()     (bsc#1051510).

  - usb: legousbtower: fix memleak on disconnect     (bsc#1051510).

  - usb: serial: ti_usb_3410_5052: fix port-close races     (bsc#1051510).

  - usb: serial: whiteheat: fix line-speed endianness     (bsc#1051510).

  - usb: serial: whiteheat: fix potential slab corruption     (bsc#1051510).

  - usb-storage: Revert commit 747668dbc061 ('usb-storage:
    Set virt_boundary_mask to avoid SG overflows')     (bsc#1051510).

  - usb: udc: lpc32xx: fix bad bit shift operation     (bsc#1051510).

  - usb: usblp: fix use-after-free on disconnect     (bsc#1051510).

  - vsock: Fix a lockdep warning in __vsock_release()     (networking-stable-19_10_05).

  - x86/boot/64: Make level2_kernel_pgt pages invalid     outside kernel area (bnc#1153969).

  - x86/boot/64: Round memory hole size up to next PMD page     (bnc#1153969).

The SUSE Linux Enterprise 15-SP1 Azure Kernel was updated to receive various security and bugfixes.

The following security bugs were fixed :

CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional.

The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as More information can be found on https://www.suse.com/support/kb/doc/?id=7023735 (bnc#1117665 1152505 1155812 1155817 1155945) CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate sidechannel information leaks out of microarchitectural buffers, similar to the previously described 'Microarchitectural Data Sampling' attack.

The Linux kernel was supplemented with the option to disable TSX operation altogether (requiring CPU Microcode updates on older systems) and better flushing of microarchitectural buffers (VERW).

The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251 (bnc#1139073 1152497 1152505 1152506). CVE-2019-18805: There was a signed integer overflow in tcp_ack_update_rtt() when userspace writes a very large integer to /proc/sys/net/ipv4/tcp_min_rtt_wlen, leading to a denial of service or possibly unspecified other impact, aka CID-19fad20d15a6 (bnc#1156187).

CVE-2019-17055: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bnc#1152782).

CVE-2019-16995: Fix a memory leak in hsr_dev_finalize() if hsr_add_port failed to add a port, which may have caused denial of service (bsc#1152685).

CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference.
(bsc#1150457).

CVE-2019-10220: Added sanity checks on the pathnames passed to the user space. (bsc#1144903).

CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code (bsc#1154372).

CVE-2019-16232: Fix a potential NULL pointer dereference in the Marwell libertas driver (bsc#1150465).

CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference. (bsc#1150452).

CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow (bsc#1153158).

CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket (bsc#1152788).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
144731	EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2021-1039)	Nessus	Huawei Local Security Checks	high
138766	NewStart CGSL MAIN 6.01 : kernel Multiple Vulnerabilities (NS-SA-2020-0030)	Nessus	NewStart CGSL Local Security Checks	high
136116	RHEL 8 : kernel-rt (RHSA-2020:1567)	Nessus	Red Hat Local Security Checks	high
136115	RHEL 8 : kernel (RHSA-2020:1769)	Nessus	Red Hat Local Security Checks	high
135525	EulerOS 2.0 SP3 : kernel (EulerOS-SA-2020-1396)	Nessus	Huawei Local Security Checks	critical
134735	EulerOS Virtualization 3.0.2.2 : kernel (EulerOS-SA-2020-1269)	Nessus	Huawei Local Security Checks	high
134387	EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1186)	Nessus	Huawei Local Security Checks	critical
134361	RHEL 7 : kernel-alt (RHSA-2020:0740)	Nessus	Red Hat Local Security Checks	high
132925	SUSE SLES12 Security Update : kernel (SUSE-SU-2020:0093-1)	Nessus	SuSE Local Security Checks	critical
132394	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:3381-1)	Nessus	SuSE Local Security Checks	critical
132390	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3379-1)	Nessus	SuSE Local Security Checks	high
132389	SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2019:3371-1)	Nessus	SuSE Local Security Checks	high
132237	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:3317-1)	Nessus	SuSE Local Security Checks	critical
132071	SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2019:3295-1)	Nessus	SuSE Local Security Checks	high
131833	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:3200-1)	Nessus	SuSE Local Security Checks	high
131120	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2984-1)	Nessus	SuSE Local Security Checks	critical
131061	openSUSE Security Update : the Linux Kernel (openSUSE-2019-2507)	Nessus	SuSE Local Security Checks	high
131057	openSUSE Security Update : the Linux Kernel (openSUSE-2019-2503)	Nessus	SuSE Local Security Checks	high
130951	SUSE SLES12 Security Update : kernel (SUSE-SU-2019:2953-1)	Nessus	SuSE Local Security Checks	high

CVE-2019-18805

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins