Security update for the Linux Kernel (Live Patch 6 for SLE 15 SP4) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2031-1 Final 1 1 2023-04-26T01:07:05Z current 2023-04-26T01:07:05Z 2023-04-26T01:07:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 6 for SLE 15 SP4) This update for the Linux Kernel 5.14.21-150400_24_38 fixes several issues. The following security issues were fixed: - CVE-2023-0590: Fixed race condition in qdisc_graft() (bsc#1207795). - CVE-2023-1652: Fixed use-after-free that could lead to DoS and information leak in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c (bsc#1209788). - CVE-2023-1118: Fixed a use-after-free bugs caused by ene_tx_irqsim() in media/rc (bsc#1208837). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-2031,SUSE-SLE-Module-Live-Patching-15-SP4-2023-2022 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232031-1/ Link for SUSE-SU-2023:2031-1 https://lists.suse.com/pipermail/sle-updates/2023-April/028995.html E-Mail link for SUSE-SU-2023:2031-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1207822 SUSE Bug 1207822 https://bugzilla.suse.com/1208910 SUSE Bug 1208910 https://bugzilla.suse.com/1209797 SUSE Bug 1209797 https://www.suse.com/security/cve/CVE-2023-0590/ SUSE CVE CVE-2023-0590 page https://www.suse.com/security/cve/CVE-2023-1118/ SUSE CVE CVE-2023-1118 page https://www.suse.com/security/cve/CVE-2023-1652/ SUSE CVE CVE-2023-1652 page SUSE Linux Enterprise Live Patching 15 SP4 kernel-livepatch-5_14_21-150400_24_11-default-10-150400.2.2 kernel-livepatch-5_14_21-150400_24_38-default-5-150400.2.2 kernel-livepatch-5_14_21-150400_24_38-default-5-150400.2.2 as a component of SUSE Linux Enterprise Live Patching 15 SP4 A use-after-free flaw was found in qdisc_graft in net/sched/sch_api.c in the Linux Kernel due to a race problem. This flaw leads to a denial of service issue. If patch ebda44da44f6 ("net: sched: fix race condition in qdisc_graft()") not applied yet, then kernel could be affected. CVE-2023-0590 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_38-default-5-150400.2.2 important 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232031-1/ https://www.suse.com/security/cve/CVE-2023-0590.html CVE-2023-0590 https://bugzilla.suse.com/1207036 SUSE Bug 1207036 https://bugzilla.suse.com/1207795 SUSE Bug 1207795 https://bugzilla.suse.com/1207822 SUSE Bug 1207822 https://bugzilla.suse.com/1211495 SUSE Bug 1211495 https://bugzilla.suse.com/1211833 SUSE Bug 1211833 A flaw use after free in the Linux kernel integrated infrared receiver/transceiver driver was found in the way user detaching rc device. A local user could use this flaw to crash the system or potentially escalate their privileges on the system. CVE-2023-1118 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_38-default-5-150400.2.2 important 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232031-1/ https://www.suse.com/security/cve/CVE-2023-1118.html CVE-2023-1118 https://bugzilla.suse.com/1208837 SUSE Bug 1208837 https://bugzilla.suse.com/1208910 SUSE Bug 1208910 https://bugzilla.suse.com/1210423 SUSE Bug 1210423 https://bugzilla.suse.com/1211495 SUSE Bug 1211495 https://bugzilla.suse.com/1213841 SUSE Bug 1213841 https://bugzilla.suse.com/1213842 SUSE Bug 1213842 A use-after-free flaw was found in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c in the NFS filesystem in the Linux Kernel. This issue could allow a local attacker to crash the system or it may lead to a kernel information leak problem. CVE-2023-1652 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_38-default-5-150400.2.2 important 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232031-1/ https://www.suse.com/security/cve/CVE-2023-1652.html CVE-2023-1652 https://bugzilla.suse.com/1209788 SUSE Bug 1209788 https://bugzilla.suse.com/1209797 SUSE Bug 1209797