Security update for the Linux Kernel (Live Patch 12 for SLE 15 SP1) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:1724-1 Final 1 1 2021-05-25T10:26:57Z current 2021-05-25T10:26:57Z 2021-05-25T10:26:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 12 for SLE 15 SP1) This update for the Linux Kernel 4.12.14-197_45 fixes several issues. The following security issues were fixed: - CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bsc#1184952). - CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bsc#1184710) - Fix system crash on kernfs_kill_sb() as a sysfs superblock's kernfs_super_info node list was NULL (bsc#1183452). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2021-1724,SUSE-SLE-Live-Patching-12-SP5-2021-1735,SUSE-SLE-Live-Patching-12-SP5-2021-1736,SUSE-SLE-Live-Patching-12-SP5-2021-1737,SUSE-SLE-Live-Patching-12-SP5-2021-1738,SUSE-SLE-Live-Patching-12-SP5-2021-1739,SUSE-SLE-Live-Patching-12-SP5-2021-1740,SUSE-SLE-Live-Patching-12-SP5-2021-1741,SUSE-SLE-Live-Patching-12-SP5-2021-1742,SUSE-SLE-Live-Patching-12-SP5-2021-1743,SUSE-SLE-Live-Patching-12-SP5-2021-1744,SUSE-SLE-Live-Patching-12-SP5-2021-1745,SUSE-SLE-Module-Live-Patching-15-SP1-2021-1717,SUSE-SLE-Module-Live-Patching-15-SP1-2021-1718,SUSE-SLE-Module-Live-Patching-15-SP1-2021-1719,SUSE-SLE-Module-Live-Patching-15-SP1-2021-1720,SUSE-SLE-Module-Live-Patching-15-SP1-2021-1721,SUSE-SLE-Module-Live-Patching-15-SP1-2021-1722,SUSE-SLE-Module-Live-Patching-15-SP1-2021-1723,SUSE-SLE-Module-Live-Patching-15-SP1-2021-1724,SUSE-SLE-Module-Live-Patching-15-SP1-2021-1725,SUSE-SLE-Module-Live-Patching-15-SP1-2021-1726 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20211724-1/ Link for SUSE-SU-2021:1724-1 https://lists.suse.com/pipermail/sle-updates/2021-May/019049.html E-Mail link for SUSE-SU-2021:1724-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1183452 SUSE Bug 1183452 https://bugzilla.suse.com/1184710 SUSE Bug 1184710 https://bugzilla.suse.com/1184952 SUSE Bug 1184952 https://www.suse.com/security/cve/CVE-2020-36322/ SUSE CVE CVE-2020-36322 page https://www.suse.com/security/cve/CVE-2021-29154/ SUSE CVE CVE-2021-29154 page SUSE Linux Enterprise Live Patching 12 SP5 SUSE Linux Enterprise Live Patching 15 SP1 kernel-livepatch-4_12_14-197_51-default-10-2.2 kgraft-patch-4_12_14-122_60-default-5-2.2 kgraft-patch-4_12_14-122_57-default-6-2.2 kgraft-patch-4_12_14-122_54-default-6-2.2 kgraft-patch-4_12_14-122_51-default-8-2.2 kgraft-patch-4_12_14-122_46-default-8-2.2 kgraft-patch-4_12_14-122_41-default-10-2.2 kgraft-patch-4_12_14-122_37-default-11-2.2 kgraft-patch-4_12_14-122_32-default-12-2.2 kgraft-patch-4_12_14-122_29-default-12-2.2 kgraft-patch-4_12_14-122_26-default-12-2.2 kgraft-patch-4_12_14-122_23-default-12-2.2 kernel-livepatch-4_12_14-197_78-default-6-2.2 kernel-livepatch-4_12_14-197_75-default-6-2.2 kernel-livepatch-4_12_14-197_72-default-6-2.2 kernel-livepatch-4_12_14-197_67-default-7-2.2 kernel-livepatch-4_12_14-197_64-default-7-2.2 kernel-livepatch-4_12_14-197_61-default-8-2.2 kernel-livepatch-4_12_14-197_56-default-9-2.2 kernel-livepatch-4_12_14-197_48-default-10-2.2 kernel-livepatch-4_12_14-197_45-default-10-2.2 kgraft-patch-4_12_14-122_60-default-5-2.2 as a component of SUSE Linux Enterprise Live Patching 12 SP5 kgraft-patch-4_12_14-122_57-default-6-2.2 as a component of SUSE Linux Enterprise Live Patching 12 SP5 kgraft-patch-4_12_14-122_54-default-6-2.2 as a component of SUSE Linux Enterprise Live Patching 12 SP5 kgraft-patch-4_12_14-122_51-default-8-2.2 as a component of SUSE Linux Enterprise Live Patching 12 SP5 kgraft-patch-4_12_14-122_46-default-8-2.2 as a component of SUSE Linux Enterprise Live Patching 12 SP5 kgraft-patch-4_12_14-122_41-default-10-2.2 as a component of SUSE Linux Enterprise Live Patching 12 SP5 kgraft-patch-4_12_14-122_37-default-11-2.2 as a component of SUSE Linux Enterprise Live Patching 12 SP5 kgraft-patch-4_12_14-122_32-default-12-2.2 as a component of SUSE Linux Enterprise Live Patching 12 SP5 kgraft-patch-4_12_14-122_29-default-12-2.2 as a component of SUSE Linux Enterprise Live Patching 12 SP5 kgraft-patch-4_12_14-122_26-default-12-2.2 as a component of SUSE Linux Enterprise Live Patching 12 SP5 kgraft-patch-4_12_14-122_23-default-12-2.2 as a component of SUSE Linux Enterprise Live Patching 12 SP5 kernel-livepatch-4_12_14-197_78-default-6-2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP1 kernel-livepatch-4_12_14-197_75-default-6-2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP1 kernel-livepatch-4_12_14-197_72-default-6-2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP1 kernel-livepatch-4_12_14-197_67-default-7-2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP1 kernel-livepatch-4_12_14-197_64-default-7-2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP1 kernel-livepatch-4_12_14-197_61-default-8-2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP1 kernel-livepatch-4_12_14-197_56-default-9-2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP1 kernel-livepatch-4_12_14-197_51-default-10-2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP1 kernel-livepatch-4_12_14-197_48-default-10-2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP1 kernel-livepatch-4_12_14-197_45-default-10-2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP1 An issue was discovered in the FUSE filesystem implementation in the Linux kernel before 5.10.6, aka CID-5d069dbe8aaf. fuse_do_getattr() calls make_bad_inode() in inappropriate situations, causing a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950. CVE-2020-36322 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_23-default-12-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_26-default-12-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_29-default-12-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_32-default-12-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_37-default-11-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_41-default-10-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_46-default-8-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_51-default-8-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_54-default-6-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_57-default-6-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_60-default-5-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_45-default-10-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_48-default-10-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_51-default-10-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_56-default-9-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_61-default-8-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_64-default-7-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_67-default-7-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_72-default-6-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_75-default-6-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_78-default-6-2.2 important 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211724-1/ https://www.suse.com/security/cve/CVE-2020-36322.html CVE-2020-36322 https://bugzilla.suse.com/1184211 SUSE Bug 1184211 https://bugzilla.suse.com/1184952 SUSE Bug 1184952 https://bugzilla.suse.com/1189302 SUSE Bug 1189302 BPF JIT compilers in the Linux kernel through 5.11.12 have incorrect computation of branch displacements, allowing them to execute arbitrary code within the kernel context. This affects arch/x86/net/bpf_jit_comp.c and arch/x86/net/bpf_jit_comp32.c. CVE-2021-29154 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_23-default-12-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_26-default-12-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_29-default-12-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_32-default-12-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_37-default-11-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_41-default-10-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_46-default-8-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_51-default-8-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_54-default-6-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_57-default-6-2.2 SUSE Linux Enterprise Live Patching 12 SP5:kgraft-patch-4_12_14-122_60-default-5-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_45-default-10-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_48-default-10-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_51-default-10-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_56-default-9-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_61-default-8-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_64-default-7-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_67-default-7-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_72-default-6-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_75-default-6-2.2 SUSE Linux Enterprise Live Patching 15 SP1:kernel-livepatch-4_12_14-197_78-default-6-2.2 important 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211724-1/ https://www.suse.com/security/cve/CVE-2021-29154.html CVE-2021-29154 https://bugzilla.suse.com/1184391 SUSE Bug 1184391 https://bugzilla.suse.com/1184710 SUSE Bug 1184710 https://bugzilla.suse.com/1186408 SUSE Bug 1186408