OVAL

SUSE-SU-2019:2984-1 -- SLES kernel-default, kernel-syms

ID: oval:org.secpod.oval:def:89003280
Date: (C)2021-02-27   (M)2024-04-17
Class: PATCH
Family: unix




The SUSE Linux Enterprise 12 SP2 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2018-12207: Untrusted virtual machines on Intel CPUs could exploit a race condition in the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional. The Linux Kernel kvm hypervisor was adjusted to avoid page size changes in executable pages by splitting / merging huge pages into small pages as needed. More information can be found on https://www.suse.com/support/kb/doc/?id=7023735
- CVE-2019-16995: Fix a memory leak in hsr_dev_finalize if hsr_add_port failed to add a port, which may have caused denial of service.
- CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate side-channel information leaks out of microarchitectural buffers, similar to the previously described "Microarchitectural Data Sampling" attack. The Linux kernel was supplemented with the option to disable TSX operation altogether and better flushing of microarchitectural buffers. The set of options available is described in our TID at https://www.suse.com/support/kb/doc/?id=7024251
- CVE-2019-16233: drivers/scsi/qla2xxx/qla_os.c did not check the alloc_workqueue return value, leading to a NULL pointer dereference.
- CVE-2019-10220: Added sanity checks on the pathnames passed to the user space.
- CVE-2019-17666: rtlwifi: Fix potential overflow in P2P code.
- CVE-2019-17133: cfg80211 wireless extension did not reject a long SSID IE, leading to a Buffer Overflow.
- CVE-2019-16232: Fix a potential NULL pointer dereference in the Marvell libertas driver.
- CVE-2019-16234: iwlwifi pcie driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference.
- CVE-2019-17055: The AF_ISDN network module in the Linux kernel did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket.
- CVE-2019-17056: The AF_NFC network module did not enforce CAP_NET_RAW, which meant that unprivileged users could create a raw socket.
- CVE-2019-16413: The 9p filesystem did not protect i_size_write properly, which caused an i_size_read infinite loop and denial of service on SMP systems.
- CVE-2019-15902: A backporting issue was discovered that re-introduced the Spectre vulnerability it had aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two code lines were swapped.
- CVE-2019-15291: Fixed a NULL pointer dereference issue that could be caused by a malicious USB device.
- CVE-2019-15807: Fixed a memory leak in the SCSI module that could be abused to cause denial of service.
- CVE-2019-13272: Fixed mishandled recording of the credentials of a process that wants to create a ptrace relationship, which allowed local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve.
- CVE-2019-14821: An out-of-bounds access issue was fixed in the kernel's kvm hypervisor. An unprivileged host user or process with access to the "/dev/kvm" device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system.
- CVE-2019-15505: An out-of-bounds issue was fixed that could be caused by crafted USB device traffic.
- CVE-2017-18595: A double free in allocate_trace_buffer was fixed.
- CVE-2019-14835: A buffer overflow flaw was found in the kernel's vhost functionality that translates virtqueue buffers to IOVs. A privileged guest user able to pass descriptors with invalid length to the host could use this flaw to increase their privileges on the host.
- CVE-2019-15216: A NULL pointer dereference was fixed that could be caused by a malicious USB device.
- CVE-2019-15924: A NULL pointer dereference has been fixed in the drivers/net/ethernet/intel/fm10k module.
- CVE-2019-9456: An out-of-bounds write in the USB monitor driver has been fixed. This issue could lead to local escalation of privilege with System execution privileges needed.
- CVE-2019-15926: An out-of-bounds access was fixed in the drivers/net/wireless/ath/ath6kl module.
- CVE-2019-15927: An out-of-bounds access was fixed in the sound/usb/mixer module.
- CVE-2019-15666: There was an out-of-bounds array access in the net/xfrm module that could cause denial of service.
- CVE-2019-15219: A NULL pointer dereference was fixed that could be abused by a malicious USB device.
- CVE-2019-15220: A use-after-free issue was fixed that could be caused by a malicious USB device.
- CVE-2019-15221: A NULL pointer dereference was fixed that could be caused by a malicious USB device.
- CVE-2019-14814: A heap-based buffer overflow was fixed in the Marvell wifi chip driver. That issue allowed local users to cause a denial of service or possibly execute arbitrary code.
- CVE-2019-14815: A missing length check while parsing WMM IEs was fixed.
- CVE-2019-14816: A heap-based buffer overflow in the Marvell wifi chip driver was fixed. Local users could have abused this issue to cause a denial of service or possibly execute arbitrary code.
- CVE-2017-18509: An issue in net/ipv6 was fixed. By setting a specific socket option, an attacker could control a pointer in kernel land and cause an inet_csk_listen_stop general protection fault, or potentially execute arbitrary code under certain circumstances. The issue can be triggered as root or after namespace unsharing.
- CVE-2019-9506: The Bluetooth BR/EDR specification used to permit sufficiently low encryption key length and did not prevent an attacker from influencing the key length negotiation. This allowed practical brute-force attacks that could decrypt traffic and inject arbitrary ciphertext without the victim noticing.
- CVE-2019-15098: A NULL pointer dereference in drivers/net/wireless/ath was fixed.
- CVE-2019-15290: A NULL pointer dereference in ath6kl_usb_alloc_urb_from_pipe was fixed.
- CVE-2019-15212: A double-free issue was fixed in drivers/usb driver.
- CVE-2016-10906: A use-after-free issue was fixed in drivers/net/ethernet/arc.
- CVE-2019-15211: A use-after-free issue caused by a malicious USB device was fixed in the drivers/media/v4l2-core driver.
- CVE-2019-15217: A NULL pointer dereference issue caused by a malicious USB device was fixed in the drivers/media/usb/zr364xx driver.
- CVE-2019-15214: A use-after-free issue in the sound subsystem was fixed.
- CVE-2019-15218: A NULL pointer dereference caused by a malicious USB device was fixed in the drivers/media/usb/siano driver.
- CVE-2019-15215: A use-after-free issue caused by a malicious USB device was fixed in the drivers/media/usb/cpia2 driver.
- CVE-2018-20976: A use-after-free issue was fixed in the fs/xfs driver.
- CVE-2019-0154: An unprotected read access to i915 registers has been fixed that could have been abused to facilitate a local denial-of-service attack.
- CVE-2019-0155: A privilege escalation vulnerability has been fixed in the i915 module that allowed batch buffers from user mode to gain super user privileges.
- CVE-2019-16231: The fjes driver did not check the alloc_workqueue return value, leading to a NULL pointer dereference.
- CVE-2019-18805: Fix signed integer overflow in tcp_ack_update_rtt that could have led to a denial of service or possibly unspecified other impact.
- CVE-2019-18680: A NULL pointer dereference in rds_tcp_kill_sock could cause denial of service.

The following non-security bugs were fixed:

- cpu/speculation: Uninline and export CPU mitigations helpers.
- documentation: Add ITLB_MULTIHIT documentation.
- ib/core: Add mitigation for Spectre V1
- ib/core: array_index_nospec: Sanitize speculative array
- ipv6: Update ipv6 defrag code.
- ksm: cleanup stable_node chain collapse case.
- ksm: fix use after free with merge_across_nodes = 0.
- ksm: introduce ksm_max_page_sharing per page deduplication limit.
- ksm: optimize refile of stable_node_dup at the head of the chain.
- ksm: swap the two output parameters of chain/chain_prune.
- kvm kABI Fix for NX patches.
- kvm: Convert kvm_lock to a mutex.
- kvm: MMU: drop vcpu param in gpte_access.
- kvm: MMU: introduce kvm_mmu_gfn_{allow,disallow}_lpage.
- kvm: MMU: rename has_wrprotected_page to mmu_gfn_lpage_is_disallowed.
- kvm: vmx, svm: always run with EFER.NXE=1 when shadow paging is active.
- kvm: x86, powerpc: do not allow clearing largepages debugfs entry.
- kvm: x86: Do not release the page inside mmu_set_spte.
- kvm: x86: MMU: Consolidate quickly_check_mmio_pf and is_mmio_page_fault.
- kvm: x86: MMU: Encapsulate the type of rmap-chain head in a new struct.
- kvm: x86: MMU: Move handle_mmio_page_fault call to kvm_mmu_page_fault.
- kvm: x86: MMU: Move initialization of parent_ptes out from kvm_mmu_alloc_page.
- kvm: x86: MMU: Move parent_pte handling from kvm_mmu_get_page to link_shadow_page.
- kvm: x86: MMU: Remove unused parameter parent_pte from kvm_mmu_get_page.
- kvm: x86: MMU: always set accessed bit in shadow PTEs.
- kvm: x86: add tracepoints around __direct_map and FNAME.
- kvm: x86: adjust kvm_mmu_page member to save 8 bytes.
- kvm: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON.
- kvm: x86: extend usage of RET_MMIO_PF_* constants.
- kvm: x86: make FNAME and __direct_map more similar.
- kvm: x86: mmu: Apply global mitigations knob to ITLB_MULTIHIT.
- kvm: x86: remove now unneeded hugepage gfn adjustment.
- kvm: x86: simplify ept_misconfig.
- media: smsusb: better handle optional alignment.
- mm: use upstream patch for bsc#1106913
- scsi: scsi_transport_fc: Drop double list_del
- x86/bugs: correctly force-disable IBRS on !SKL systems.
- x86/cpu: Add Atom Tremont.
- x86/headers: Do not include asm/processor.h in asm/atomic.h.
- x86/mitigations: Backport the STIBP pile. See bsc#1139550
- xen-blkfront: avoid ENOMEM in blkif_recover after migration.

Special Instructions and Notes: Please reboot the system after installing this update.

Platform:
SUSE Linux Enterprise Server 12 SP2
Product:
kernel-default
kernel-syms
Reference:
SUSE-SU-2019:2984-1
CVE-2016-10906
CVE-2017-18509
CVE-2017-18595
CVE-2018-12207
CVE-2018-20976
CVE-2019-0154
CVE-2019-0155
CVE-2019-10220
CVE-2019-11135
CVE-2019-13272
CVE-2019-14814
CVE-2019-14815
CVE-2019-14816
CVE-2019-14821
CVE-2019-14835
CVE-2019-15098
CVE-2019-15211
CVE-2019-15212
CVE-2019-15214
CVE-2019-15215
CVE-2019-15216
CVE-2019-15217
CVE-2019-15218
CVE-2019-15219
CVE-2019-15220
CVE-2019-15221
CVE-2019-15291
CVE-2019-15505
CVE-2019-15666
CVE-2019-15807
CVE-2019-15902
CVE-2019-15924
CVE-2019-15926
CVE-2019-15927
CVE-2019-16231
CVE-2019-16232
CVE-2019-16233
CVE-2019-16234
CVE-2019-16413
CVE-2019-16995
CVE-2019-17055
CVE-2019-17056
CVE-2019-17133
CVE-2019-17666
CVE-2019-18680
CVE-2019-18805
CVE-2019-9456
CVE-2019-9506
CPE    3
cpe:/a:linux:linux_kernel_default
cpe:/o:suse:suse_linux_enterprise_server:12:sp2
cpe:/a:linux:linux_kernel_syms

© SecPod Technologies