Antw: [security-announce] SUSE-SU-2017:2791-1: important: Security update for Linux Kernel Live Patch 21 for SLE 12 SP1


Antw: [security-announce] SUSE-SU-2017:2791-1: important: Security update for Linux Kernel Live Patch 21 for SLE 12 SP1

Ulrich Windl
>>> <[hidden email]> wrote on 20.10.2017 at 03:07 in message
<[hidden email]>:
> SUSE Security Update: Security update for Linux Kernel Live Patch 21 for SLE
> 12 SP1

I wonder: Shouldn't the subject be like "[security-announce] SUSE-SU-2017:2791-1: important: Security update (Linux Kernel Live Patch 21 for SLE 12 SP1)"? Or is it actually a security update for the kernel live patch?

Regards,
Ulrich

> ____________________________________________________________________________
> __
>
> Announcement ID:    SUSE-SU-2017:2791-1
> Rating:             important
> References:         #1038564 #1042892 #1045327 #1052311 #1052368
>                    
> Cross-References:   CVE-2017-1000112 CVE-2017-15274 CVE-2017-8890
>                     CVE-2017-9242
> Affected Products:
>                     SUSE Linux Enterprise Server for SAP 12-SP1
>                     SUSE Linux Enterprise Server 12-SP1-LTSS
> ____________________________________________________________________________
> __
>
>    An update that solves four vulnerabilities and has one
>    errata is now available.
>
> Description:
>
>    This update for the Linux Kernel 3.12.74-60_64_60 fixes several issues.
>
>    The following security bugs were fixed:
>
>    - CVE-2017-15274: security/keys/keyctl.c in the Linux kernel did not
>      consider the case of a NULL payload in conjunction with a nonzero
> length
>      value, which allowed local users to cause a denial of service (NULL
>      pointer dereference and OOPS) via a crafted add_key or keyctl system
>      call (bsc#1045327).
>    - CVE-2017-1000112: Updated patch for this issue to be in sync with the
>      other livepatches. Description of the issue: Prevent race condition in
>      net-packet code that could have been exploited by unprivileged users to
>      gain root access (bsc#1052368, bsc#1052311).
>    - CVE-2017-9242: The __ip6_append_data function in net/ipv6/ip6_output.c
>      was too late in checking whether an overwrite of an skb data structure
>      may occur, which allowed local users to cause a denial of service
>      (system crash) via crafted system calls (bsc#1042892).
>    - CVE-2017-8890: The inet_csk_clone_lock function in
>      net/ipv4/inet_connection_sock.c allowed attackers to cause a denial of
>      service (double free) or possibly have unspecified other impact by
>      leveraging use of the accept system call (bsc#1038564).
>
>
> Patch Instructions:
>
>    To install this SUSE Security Update use YaST online_update.
>    Alternatively you can run the command listed for your product:
>
>    - SUSE Linux Enterprise Server for SAP 12-SP1:
>
>       zypper in -t patch SUSE-SLE-SAP-12-SP1-2017-1732=1
>
>    - SUSE Linux Enterprise Server 12-SP1-LTSS:
>
>       zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-1732=1
>
>    To bring your system up-to-date, use "zypper patch".
>
>
> Package List:
>
>    - SUSE Linux Enterprise Server for SAP 12-SP1 (x86_64):
>
>       kgraft-patch-3_12_74-60_64_60-default-2-4.1
>       kgraft-patch-3_12_74-60_64_60-xen-2-4.1
>
>    - SUSE Linux Enterprise Server 12-SP1-LTSS (x86_64):
>
>       kgraft-patch-3_12_74-60_64_60-default-2-4.1
>       kgraft-patch-3_12_74-60_64_60-xen-2-4.1
>
>
> References:
>
>    https://www.suse.com/security/cve/CVE-2017-1000112.html 
>    https://www.suse.com/security/cve/CVE-2017-15274.html 
>    https://www.suse.com/security/cve/CVE-2017-8890.html 
>    https://www.suse.com/security/cve/CVE-2017-9242.html 
>    https://bugzilla.suse.com/1038564 
>    https://bugzilla.suse.com/1042892 
>    https://bugzilla.suse.com/1045327 
>    https://bugzilla.suse.com/1052311 
>    https://bugzilla.suse.com/1052368 
>
> --
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]




--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]
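The quoted announcement lists the live-patch packages by name (kgraft-patch-3_12_74-60_64_60-default, kgraft-patch-3_12_74-60_64_60-xen) for kernel 3.12.74-60_64_60. A practitioner who wants to confirm that the live patch matching the running kernel is actually installed, rather than trusting the update ran, needs to derive that package name from the kernel release string. The POSIX shell script below is an added example and is not part of the SUSE announcement or of either message in the thread; it assumes only the naming convention visible above (dots in the kernel version become underscores, the kernel flavor is appended) and uses constructed sample data instead of live `uname -r` / `rpm -qa` output so that it runs offline.

```shell
#!/bin/sh
# Added example (not SUSE's code): check whether the kgraft live-patch package
# for the running kernel is present in an installed-package list.
# Assumption: SUSE's kgraft naming convention as shown in the announcement,
#   kernel 3.12.74-60_64_60 (flavor default) -> kgraft-patch-3_12_74-60_64_60-default

# Derive the expected kgraft package name from a kernel release string such as
# "3.12.74-60_64_60-default": dots in the version part become underscores and
# the flavor suffix (default, xen, ...) is kept.
expected_kgraft_name() {
    rel="$1"
    flavor="${rel##*-}"          # text after the last '-', e.g. "default"
    ver="${rel%-*}"              # everything before it, e.g. "3.12.74-60_64_60"
    ver_us="$(printf '%s' "$ver" | tr '.' '_')"
    printf 'kgraft-patch-%s-%s\n' "$ver_us" "$flavor"
}

# Return 0 if the package list (one name per line, as "rpm -qa" prints them)
# contains a kgraft patch for the given kernel release, 1 otherwise.
# The trailing "-[0-9]" anchors on the version field so that a flavor name
# that is a prefix of another flavor cannot produce a false match.
kgraft_installed() {
    rel="$1"
    pkgs="$2"
    want="$(expected_kgraft_name "$rel")"
    printf '%s\n' "$pkgs" | grep -q "^${want}-[0-9]"
}

# Constructed sample data (not captured from any real system).
SAMPLE_KERNEL="3.12.74-60_64_60-default"
SAMPLE_RPMS="kernel-default-3.12.74-60.64.60.1
kgraft-patch-3_12_74-60_64_60-default-2-4.1
zypper-1.13.32-21.1"

# On a real host the inputs would come from:  uname -r   and   rpm -qa
if kgraft_installed "$SAMPLE_KERNEL" "$SAMPLE_RPMS"; then
    echo "live patch present for kernel $SAMPLE_KERNEL"
else
    echo "no live patch installed for kernel $SAMPLE_KERNEL"
fi
```

Feeding the script `uname -r` and `rpm -qa` output on a host shows whether the package from the announcement is installed for the kernel that is actually running; a live patch for a different kernel build is not loaded, so the match has to be against the running release, not against the newest installed kernel.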


Re: Antw: [security-announce] SUSE-SU-2017:2791-1: important: Security update for Linux Kernel Live Patch 21 for SLE 12 SP1

jsegitz
On Mon, Oct 23, 2017 at 08:18:42AM +0200,  Ulrich Windl  wrote:
> >>> <[hidden email]> wrote on 20.10.2017 at 03:07 in message
> <[hidden email]>:
> > SUSE Security Update: Security update for Linux Kernel Live Patch 21 for SLE
> > 12 SP1
>
> I wonder: Shouldn't the subject be like "[security-announce] SUSE-SU-2017:2791-1: important: Security update (Linux Kernel Live Patch 21 for SLE 12 SP1)"? Or is it actually a security update for the kernel live patch?

Yes, the wording is not good. I changed it to
Security update for the Linux Kernel (Live Patch XY for SLE 12 SP Z)

Thank you,
Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
