Bugzilla – Bug 1186666
VUL-0: CVE-2021-3573: kernel-source: Use-After-Free vulnerability in function hci_sock_bound_ioctl()
Last modified: 2024-06-25 16:03:58 UTC
public via oss-sec Hello there, Our team (BlockSec) found an UAF vulnerability in function hci_sock_bound_ioctl(). It can allow attackers to corrupt kernel heaps (kmalloc-8k to be specific) and adopt further exploitations. =*=*=*=*=*=*=*=*= BUG DETAILS =*=*=*=*=*=*=*=*= >>>>>>>> background knowledge <<<<<<<< The hci_sock_bound_ioctl() function is in charge of five HCI commands. /* Ioctls that require bound socket */ static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg) { struct hci_dev *hdev = hci_pi(sk)->hdev; // { 1 } if (!hdev) return -EBADFD; /* ..... */ switch (cmd) { case HCISETRAW: ... case HCIGETCONNINFO: ... case HCIGETAUTHINFO: ... case HCIBLOCKADDR: ... case HCIUNBLOCKADDR: ... } return -ENOIOCTLCMD; } As you can see, the biggest difference between functions hci_sock_bound_ioctl() and hci_sock_ioctl() is that the former one will derive the hci_dev struct through hci_pi(sk)->hdev. (as code mark { 1 } shows) In other words, the bind() syscall needs to be called before the hci_sock_bound_ioctl() to write this struct. The hdev is obtained through hci_dev_get(), which based on the counter. static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_len) { ... switch (haddr.hci_channel) { case HCI_CHANNEL_RAW: ... hdev = hci_dev_get(haddr.hci_dev); // { 2 } ... hci_pi(sk)->hdev = hdev; ... } } >>>>>>>> bug iteself <<<<<<<< The bug itself is about the UAF of hdev and the root cause is the race (again). When the HCI device detaches from the kernel, the function hci_unregister_dev() will be called. This function will call hci_sock_dev_event(hdev, HCI_DEV_UNREG) to inform all sockets that this device is going to be removed. The core logic is presented below. void hci_sock_dev_event(struct hci_dev *hdev, int event) { ... if (event == HCI_DEV_UNREG) { struct sock *sk; /* Detach sockets from device */ read_lock(&hci_sk_list.lock); sk_for_each(sk, &hci_sk_list.head) { bh_lock_sock_nested(sk); if (hci_pi(sk)->hdev == hdev) { hci_pi(sk)->hdev = NULL; sk->sk_err = EPIPE; sk->sk_state = BT_OPEN; sk->sk_state_change(sk); hci_dev_put(hdev); } bh_unlock_sock(sk); } read_unlock(&hci_sk_list.lock); } } That is, the hci_sock_dev_event() function will release the hdev from the bounded sockets, all at once. Therefore, one question arises: Is there any possibility that the hci_sock_dev_event() in detaching routine take places and release the hdev while the hci_sock_bound_ioctl() is still working? Unfortunately, the answer is YES. The hci_sock_dev_event() can release the hdev and cause the UAF in function hci_sock_bound_ioctl(). This race can be shown below. hci_sock_bound_ioctl thread | hci_sock_dev_event thread | | if (!hdev) | return -EBADFD; | | | hci_pi(sk)->hdev = NULL; | ... | hci_dev_put(hdev); // UAF, for example | hci_dev_lock(hdev); | | | .... It is worth mentioning that the attacker can stably control and trigger this race with userfaultfd primitive, which will be discussed later. =*=*=*=*=*=*=*=*= BUG EFFECTS =*=*=*=*=*=*=*=*= There are four different types of functions will be called from the vulnerable hci_sock_bound_ioctl(). * hci_get_conn_info() * hci_get_auth_info() * hci_sock_blacklist_add() * hci_sock_blacklist_del() All these functions can have different effects when the UAF of hdev happens. For example, the hci_sock_blacklist_add() will allow the attacker to write arbitrary 6 bytes to any place if the released hdev->blacklist can be sprayed. static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg) { bdaddr_t bdaddr; int err; if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) return -EFAULT; hci_dev_lock(hdev); err = hci_bdaddr_list_add(&hdev->blacklist, &bdaddr, BDADDR_BREDR); // the user controlled bdaddr will be insert to list hci_dev_unlock(hdev); return err; } In a nutshell, the UAF of hdev can easily crash the kernel. It can also be the weapon of skillful hackers (with CAP_NET_ADMIN privilege). Below we provide the report from KASan. [ 12.663166] ================================================================== [ 12.664161] BUG: KASAN: use-after-free in mutex_lock+0xa9/0x130 [ 12.664837] Write of size 8 at addr ffff88800c2ba010 by task exp/125 [ 12.665551] [ 12.665731] CPU: 0 PID: 125 Comm: exp Not tainted 5.11.11+ #8 [ 12.666378] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [ 12.667372] Call Trace: [ 12.667661] dump_stack+0x1b9/0x22e [ 12.668068] ? show_regs_print_info+0x12/0x12 [ 12.668563] ? log_buf_vmcoreinfo_setup+0x45d/0x45d [ 12.669114] print_address_description+0x7b/0x3a0 [ 12.669646] __kasan_report+0x14e/0x200 [ 12.670084] ? mutex_lock+0xa9/0x130 [ 12.670494] kasan_report+0x47/0x60 [ 12.670894] check_memory_region+0x2e2/0x330 [ 12.671379] mutex_lock+0xa9/0x130 [ 12.671777] ? mutex_trylock+0xb0/0xb0 [ 12.672206] ? copy_user_generic_string+0x31/0x40 [ 12.672742] hci_get_auth_info+0xbb/0x2b0 [ 12.673206] ? hci_get_conn_info+0x630/0x630 [ 12.673696] ? release_sock+0x155/0x1b0 [ 12.674140] hci_sock_ioctl+0x749/0x900 [ 12.674582] ? hci_sock_getname+0x1d0/0x1d0 [ 12.675060] ? do_vfs_ioctl+0x892/0x1a50 [ 12.675514] ? selinux_file_ioctl+0xd41/0x1200 [ 12.676036] ? __ia32_compat_sys_ioctl+0xc00/0xc00 [ 12.676599] sock_do_ioctl+0xdc/0x310 [ 12.677042] ? sock_show_fdinfo+0xb0/0xb0 [ 12.677523] ? hci_sock_release+0x400/0x400 [ 12.677991] sock_ioctl+0x4a6/0x710 [ 12.678386] ? sock_poll+0x400/0x400 [ 12.678816] ? __sys_socket+0x1c2/0x350 [ 12.679275] ? security_file_ioctl+0xa3/0xc0 [ 12.679818] ? sock_poll+0x400/0x400 [ 12.680219] __se_sys_ioctl+0x101/0x170 [ 12.680683] do_syscall_64+0x33/0x40 [ 12.681085] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 12.681675] RIP: 0033:0x7f89a2384247 [ 12.682077] Code: 00 00 90 48 8b 05 49 8c 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 19 8c 0c 00 f7 d8 64 89 01 48 [ 12.684221] RSP: 002b:00007ffd49ce4538 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 12.685111] RAX: ffffffffffffffda RBX: 00005623b3401c10 RCX: 00007f89a2384247 [ 12.685918] RDX: 00007f89a249e000 RSI: 00000000800448d7 RDI: 0000000000000006 [ 12.686752] RBP: 00007ffd49ce45c0 R08: 0000000000000001 R09: 00007f89a1a7c700 [ 12.687561] R10: 0000000000000000 R11: 0000000000000246 R12: 00005623b3400d50 [ 12.688367] R13: 00007ffd49ce46b0 R14: 0000000000000000 R15: 0000000000000000 [ 12.689172] [ 12.689345] Allocated by task 125: [ 12.689758] ____kasan_kmalloc+0xc6/0x100 [ 12.690235] kmem_cache_alloc_trace+0x124/0x200 [ 12.690768] hci_alloc_dev+0x4d/0x1ab0 [ 12.691186] hci_uart_tty_ioctl+0x3ba/0xa20 [ 12.691686] tty_ioctl+0x11ac/0x1b60 [ 12.692121] __se_sys_ioctl+0x101/0x170 [ 12.692581] do_syscall_64+0x33/0x40 [ 12.693011] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 12.693600] [ 12.693773] Freed by task 126: [ 12.694115] kasan_set_track+0x3d/0x70 [ 12.694593] kasan_set_free_info+0x1f/0x40 [ 12.695050] ____kasan_slab_free+0x10e/0x140 [ 12.695551] kfree+0xeb/0x2d0 [ 12.695920] bt_host_release+0x18/0x20 [ 12.696339] device_release+0x9e/0x1d0 [ 12.696791] kobject_put+0x194/0x2b0 [ 12.697188] hci_uart_tty_close+0x1a7/0x220 [ 12.697681] tty_ldisc_hangup+0x4d7/0x6d0 [ 12.698128] __tty_hangup+0x6b2/0x970 [ 12.698569] tty_release+0x408/0x10e0 [ 12.698979] __fput+0x32f/0x7a0 [ 12.699334] task_work_run+0x15c/0x1e0 [ 12.699819] exit_to_user_mode_prepare+0xeb/0x110 [ 12.700338] syscall_exit_to_user_mode+0x20/0x40 [ 12.700880] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 12.701454] [ 12.701641] Last potentially related work creation: [ 12.702175] kasan_save_stack+0x27/0x50 [ 12.702633] kasan_record_aux_stack+0xbd/0xe0 [ 12.703116] insert_work+0x4f/0x340 [ 12.703536] __queue_work+0x9cc/0xdb0 [ 12.703975] queue_work_on+0xd8/0x130 [ 12.704387] hci_recv_frame+0x182/0x1e0 [ 12.704846] h4_recv_buf+0x904/0xd40 [ 12.705245] h4_recv+0xf4/0x1b0 [ 12.705628] hci_uart_tty_receive+0x1be/0x380 [ 12.706111] tty_ldisc_receive_buf+0x130/0x170 [ 12.706633] tty_port_default_receive_buf+0x6a/0x90 [ 12.707172] flush_to_ldisc+0x2e8/0x510 [ 12.707630] process_one_work+0x6df/0xf80 [ 12.708112] worker_thread+0xac1/0x1340 [ 12.708572] kthread+0x2fc/0x320 [ 12.708937] ret_from_fork+0x22/0x30 [ 12.709337] [ 12.709543] Second to last potentially related work creation: [ 12.710169] kasan_save_stack+0x27/0x50 [ 12.710627] kasan_record_aux_stack+0xbd/0xe0 [ 12.711111] insert_work+0x4f/0x340 [ 12.711532] __queue_work+0x9cc/0xdb0 [ 12.711983] queue_work_on+0xd8/0x130 [ 12.712392] hci_event_packet+0x1bce1/0x23430 [ 12.712908] hci_rx_work+0x2a8/0x780 [ 12.713308] process_one_work+0x6df/0xf80 [ 12.713783] worker_thread+0xac1/0x1340 [ 12.714212] kthread+0x2fc/0x320 [ 12.714610] ret_from_fork+0x22/0x30 [ 12.715012] [ 12.715186] The buggy address belongs to the object at ffff88800c2ba000 [ 12.715186] which belongs to the cache kmalloc-8k of size 8192 [ 12.716629] The buggy address is located 16 bytes inside of [ 12.716629] 8192-byte region [ffff88800c2ba000, ffff88800c2bc000) [ 12.717930] The buggy address belongs to the page: [ 12.718485] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc2b8 [ 12.719519] head:(____ptrval____) order:3 compound_mapcount:0 compound_pincount:0 [ 12.720364] flags: 0x100000000010200(slab|head) [ 12.720899] raw: 0100000000010200 ffffea0000346808 ffff888006c41270 ffff888006c4c2c0 [ 12.721776] raw: 0000000000000000 0000000000010001 00000001ffffffff 0000000000000000 [ 12.722676] page dumped because: kasan: bad access detected [ 12.723287] [ 12.723492] Memory state around the buggy address: [ 12.723961] ffff88800c2b9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.724547] ffff88800c2b9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 12.725133] >ffff88800c2ba000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.725718] ^ [ 12.726028] ffff88800c2ba080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.726612] ffff88800c2ba100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 12.727196] ================================================================== [ 12.727784] Disabling lock debugging due to kernel taint =*=*=*=*=*=*=*=*= BUG REPRODUCE =*=*=*=*=*=*=*=*= As above introduced, this race condition is highly controllable. This is because the four related functions all call copy_from_user() function after the check of hdev. static int hci_sock_blacklist_add(struct hci_dev *hdev, void __user *arg) { bdaddr_t bdaddr; int err; if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) return -EFAULT; ... } static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg) { bdaddr_t bdaddr; int err; if (copy_from_user(&bdaddr, arg, sizeof(bdaddr))) return -EFAULT; ... } int hci_get_conn_info(struct hci_dev *hdev, void __user *arg) { struct hci_conn_info_req req; struct hci_conn_info ci; struct hci_conn *conn; char __user *ptr = arg + sizeof(req); if (copy_from_user(&req, arg, sizeof(req))) return -EFAULT; ... } int hci_get_auth_info(struct hci_dev *hdev, void __user *arg) { struct hci_auth_info_req req; struct hci_conn *conn; if (copy_from_user(&req, arg, sizeof(req))) return -EFAULT; ... } That is, we can adopt userfaultfd to stop these functions and then call the detach routine to release the hdev object. After the hdev is already freed, we handle the page fault from copy_from_user() can let these functions cause UAF. (attacker can further spray the heap during this window) The provided POC code can be used to prove the feasibility. =*=*=*=*=*=*=*=*= Bug FIX =*=*=*=*=*=*=*=*= The adopted patch is presented at https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth.git/commit/?id=e305509e678b3a4af2b3cfd410f409f7cdaabb52 In short, this patch replaces the lock to the correct one for serialization requirements. =*=*=*=*=*=*=*=*= Timeline =*=*=*=*=*=*=*=*= 2021-05-30: Bug reported to security@kernel.org and linux-distros@vs.openwall.org 2021-05-31: Patch is adopted into Bluetooth tree 2021-06-01: CVE-2021-3573 is assigned =*=*=*=*=*=*=*=*= Credt =*=*=*=*=*=*=*=*= LinMa@BlockSec Team syzkaller of course Best Regards
code was added around 040030ef7d907 which is 3.4 and newer? can you confirm?
(In reply to Marcus Meissner from comment #5) > code was added around 040030ef7d907 which is 3.4 and newer? > > can you confirm? 040030ef7d90 Bluetooth: Remove HCI notifier handling (v3.4-rc1) depends on 4ce61d1c7a8e [BLUETOOTH]: Fix locking in hci_sock_dev_event(). (v2.6.22-rc2) commit 4ce61d1c7a8ef4c1337fa983a3036d4010e3c19e Author: Satyam Sharma <ssatyam@cse.iitk.ac.in> Date: Wed May 16 23:50:16 2007 -0700 [BLUETOOTH]: Fix locking in hci_sock_dev_event(). We presently use lock_sock() to acquire a lock on a socket in hci_sock_dev_event(), but this goes BUG because lock_sock() can sleep and we're already holding a read-write spinlock at that point. So, we must use the non-sleeping BH version, bh_lock_sock(). However, hci_sock_dev_event() is called from user context and hence using simply bh_lock_sock() will deadlock against a concurrent softirq that tries to acquire a lock on the same socket. Hence, disabling BH's before acquiring the socket lock and enable them afterwards, is the proper solution to fix socket locking in hci_sock_dev_event(). Signed-off-by: Satyam Sharma <ssatyam@cse.iitk.ac.in> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Jiri Kosina <jkosina@suse.cz> Signed-off-by: David S. Miller <davem@davemloft.net> diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index bfc9a35bad33..1dae3dfc66a9 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -665,7 +665,8 @@ static int hci_sock_dev_event(struct notifier_block *this, unsigned long event, /* Detach sockets from device */ read_lock(&hci_sk_list.lock); sk_for_each(sk, node, &hci_sk_list.head) { - lock_sock(sk); + local_bh_disable(); + bh_lock_sock_nested(sk); if (hci_pi(sk)->hdev == hdev) { hci_pi(sk)->hdev = NULL; sk->sk_err = EPIPE; @@ -674,7 +675,8 @@ static int hci_sock_dev_event(struct notifier_block *this, unsigned long event, hci_dev_put(hdev); } - release_sock(sk); + bh_unlock_sock(sk); + local_bh_enable(); } read_unlock(&hci_sk_list.lock); } and now commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 Author: Lin Ma <linma@zju.edu.cn> Date: Sun May 30 21:37:43 2021 +0800 Bluetooth: use correct lock to prevent UAF of hdev object The hci_sock_dev_event() function will cleanup the hdev object for sockets even if this object may still be in used within the hci_sock_bound_ioctl() function, result in UAF vulnerability. This patch replace the BH context lock to serialize these affairs and prevent the race condition. Signed-off-by: Lin Ma <linma@zju.edu.cn> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index 251b9128f530..eed0dd066e12 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -762,7 +762,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) /* Detach sockets from device */ read_lock(&hci_sk_list.lock); sk_for_each(sk, &hci_sk_list.head) { - bh_lock_sock_nested(sk); + lock_sock(sk); if (hci_pi(sk)->hdev == hdev) { hci_pi(sk)->hdev = NULL; sk->sk_err = EPIPE; @@ -771,7 +771,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) hci_dev_put(hdev); } - bh_unlock_sock(sk); + release_sock(sk); } read_unlock(&hci_sk_list.lock); } --- That's a quite tricky....
(In reply to Al Cho from comment #6) > (In reply to Marcus Meissner from comment #5) > > code was added around 040030ef7d907 which is 3.4 and newer? > > > > can you confirm? > > > 040030ef7d90 Bluetooth: Remove HCI notifier handling (v3.4-rc1) > depends on > 4ce61d1c7a8e [BLUETOOTH]: Fix locking in hci_sock_dev_event(). (v2.6.22-rc2) > > That's a quite tricky.... It's not clarify issue. After compare with 040030ef7d90 Bluetooth: Remove HCI notifier handling (v3.4-rc1) and 4ce61d1c7a8e [BLUETOOTH]: Fix locking in hci_sock_dev_event(). (v2.6.22-rc2) There are no enough proof to show this affected under linux kernel version 5.0. So, I would like to apply this patch e305509e678b Bluetooth: use correct lock to prevent UAF of hdev object (v5.13-rc5) to master, SLE15-SP2 only. master: has it SLE15-SP2: Submitted cve/linux-4.12: Not affected cve/linux-4.4: Not affected cve/linux-3.0: Not affected cve/linux-2.6.32: Not affected
This is an autogenerated message for OBS integration: This bug (1186666) was mentioned in https://build.opensuse.org/request/show/904571 15.2 / kernel-source
openSUSE-SU-2021:0985-1: An update that solves 10 vulnerabilities and has 103 fixes is now available. Category: security (important) Bug References: 1152489,1153274,1154353,1155518,1164648,1174978,1176771,1179610,1182470,1183712,1184212,1184436,1184685,1185195,1185486,1185589,1185675,1185677,1185701,1185861,1185863,1186206,1186286,1186463,1186666,1186672,1186752,1186949,1186950,1186951,1186952,1186953,1186954,1186955,1186956,1186957,1186958,1186959,1186960,1186961,1186962,1186963,1186964,1186965,1186966,1186967,1186968,1186969,1186970,1186971,1186972,1186973,1186974,1186976,1186977,1186978,1186979,1186980,1186981,1186982,1186983,1186984,1186985,1186986,1186987,1186988,1186989,1186990,1186991,1186992,1186993,1186994,1186995,1186996,1186997,1186998,1186999,1187000,1187001,1187002,1187003,1187038,1187050,1187067,1187068,1187069,1187072,1187143,1187144,1187171,1187263,1187356,1187402,1187403,1187404,1187407,1187408,1187409,1187410,1187411,1187412,1187413,1187452,1187554,1187595,1187601,1187795,1187867,1187883,1187886,1187927,1187972,1187980 CVE References: CVE-2020-24588,CVE-2020-26558,CVE-2020-36385,CVE-2020-36386,CVE-2021-0129,CVE-2021-0512,CVE-2021-0605,CVE-2021-33624,CVE-2021-34693,CVE-2021-3573 JIRA References: Sources used: openSUSE Leap 15.2 (src): kernel-debug-5.3.18-lp152.81.1, kernel-default-5.3.18-lp152.81.1, kernel-default-base-5.3.18-lp152.81.1.lp152.8.36.1, kernel-docs-5.3.18-lp152.81.1, kernel-kvmsmall-5.3.18-lp152.81.1, kernel-obs-build-5.3.18-lp152.81.1, kernel-obs-qa-5.3.18-lp152.81.1, kernel-preempt-5.3.18-lp152.81.1, kernel-source-5.3.18-lp152.81.1, kernel-syms-5.3.18-lp152.81.1
SUSE-SU-2021:2303-1: An update that solves 9 vulnerabilities, contains 8 features and has 100 fixes is now available. Category: security (important) Bug References: 1152489,1153274,1154353,1155518,1164648,1174978,1176771,1179610,1182470,1183712,1184212,1184685,1185195,1185486,1185589,1185675,1185677,1185701,1186206,1186463,1186666,1186672,1186752,1186949,1186950,1186951,1186952,1186953,1186954,1186955,1186956,1186957,1186958,1186959,1186960,1186961,1186962,1186963,1186964,1186965,1186966,1186967,1186968,1186969,1186970,1186971,1186972,1186973,1186974,1186976,1186977,1186978,1186979,1186980,1186981,1186982,1186983,1186984,1186985,1186986,1186987,1186988,1186989,1186990,1186991,1186992,1186993,1186994,1186995,1186996,1186997,1186998,1186999,1187000,1187001,1187002,1187003,1187038,1187050,1187067,1187068,1187069,1187072,1187143,1187144,1187171,1187263,1187356,1187402,1187403,1187404,1187407,1187408,1187409,1187410,1187411,1187412,1187413,1187452,1187554,1187595,1187601,1187795,1187867,1187883,1187886,1187927,1187972,1187980 CVE References: CVE-2020-26558,CVE-2020-36385,CVE-2020-36386,CVE-2021-0129,CVE-2021-0512,CVE-2021-0605,CVE-2021-33624,CVE-2021-34693,CVE-2021-3573 JIRA References: ECO-3691,SLE-11493,SLE-11796,SLE-17882,SLE-7926,SLE-8371,SLE-8389,SLE-8464 Sources used: SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src): kernel-azure-5.3.18-18.53.1, kernel-source-azure-5.3.18-18.53.1, kernel-syms-azure-5.3.18-18.53.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2305-1: An update that solves 5 vulnerabilities and has 40 fixes is now available. Category: security (important) Bug References: 1152489,1153274,1154353,1155518,1164648,1176447,1176774,1176919,1177028,1178134,1182470,1183682,1184212,1184685,1185486,1185675,1185677,1186071,1186206,1186666,1186949,1187171,1187263,1187356,1187402,1187403,1187404,1187407,1187408,1187409,1187410,1187411,1187412,1187413,1187452,1187554,1187595,1187601,1187795,1187867,1187883,1187886,1187927,1187972,1187980 CVE References: CVE-2021-0512,CVE-2021-0605,CVE-2021-33624,CVE-2021-34693,CVE-2021-3573 JIRA References: Sources used: SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src): kernel-azure-5.3.18-38.11.1, kernel-source-azure-5.3.18-38.11.1, kernel-syms-azure-5.3.18-38.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:2305-1: An update that solves 5 vulnerabilities and has 40 fixes is now available. Category: security (important) Bug References: 1152489,1153274,1154353,1155518,1164648,1176447,1176774,1176919,1177028,1178134,1182470,1183682,1184212,1184685,1185486,1185675,1185677,1186071,1186206,1186666,1186949,1187171,1187263,1187356,1187402,1187403,1187404,1187407,1187408,1187409,1187410,1187411,1187412,1187413,1187452,1187554,1187595,1187601,1187795,1187867,1187883,1187886,1187927,1187972,1187980 CVE References: CVE-2021-0512,CVE-2021-0605,CVE-2021-33624,CVE-2021-34693,CVE-2021-3573 JIRA References: Sources used: openSUSE Leap 15.3 (src): kernel-azure-5.3.18-38.11.1, kernel-source-azure-5.3.18-38.11.1, kernel-syms-azure-5.3.18-38.11.1
SUSE-SU-2021:2325-1: An update that solves 9 vulnerabilities, contains 8 features and has 100 fixes is now available. Category: security (important) Bug References: 1152489,1153274,1154353,1155518,1164648,1174978,1176771,1179610,1182470,1183712,1184212,1184685,1185195,1185486,1185589,1185675,1185677,1185701,1186206,1186463,1186666,1186672,1186752,1186949,1186950,1186951,1186952,1186953,1186954,1186955,1186956,1186957,1186958,1186959,1186960,1186961,1186962,1186963,1186964,1186965,1186966,1186967,1186968,1186969,1186970,1186971,1186972,1186973,1186974,1186976,1186977,1186978,1186979,1186980,1186981,1186982,1186983,1186984,1186985,1186986,1186987,1186988,1186989,1186990,1186991,1186992,1186993,1186994,1186995,1186996,1186997,1186998,1186999,1187000,1187001,1187002,1187003,1187038,1187050,1187067,1187068,1187069,1187072,1187143,1187144,1187171,1187263,1187356,1187402,1187403,1187404,1187407,1187408,1187409,1187410,1187411,1187412,1187413,1187452,1187554,1187595,1187601,1187795,1187867,1187883,1187886,1187927,1187972,1187980 CVE References: CVE-2020-26558,CVE-2020-36385,CVE-2020-36386,CVE-2021-0129,CVE-2021-0512,CVE-2021-0605,CVE-2021-33624,CVE-2021-34693,CVE-2021-3573 JIRA References: ECO-3691,SLE-11493,SLE-11796,SLE-17882,SLE-7926,SLE-8371,SLE-8389,SLE-8464 Sources used: SUSE MicroOS 5.0 (src): kernel-default-5.3.18-24.70.1, kernel-default-base-5.3.18-24.70.1.9.32.1 SUSE Linux Enterprise Workstation Extension 15-SP2 (src): kernel-default-5.3.18-24.70.1, kernel-preempt-5.3.18-24.70.1 SUSE Linux Enterprise Module for Live Patching 15-SP2 (src): kernel-default-5.3.18-24.70.1, kernel-livepatch-SLE15-SP2_Update_16-1-5.3.1 SUSE Linux Enterprise Module for Legacy Software 15-SP2 (src): kernel-default-5.3.18-24.70.1 SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): kernel-docs-5.3.18-24.70.1, kernel-obs-build-5.3.18-24.70.1, kernel-preempt-5.3.18-24.70.1, kernel-source-5.3.18-24.70.1, kernel-syms-5.3.18-24.70.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): kernel-default-5.3.18-24.70.1, kernel-default-base-5.3.18-24.70.1.9.32.1, kernel-preempt-5.3.18-24.70.1, kernel-source-5.3.18-24.70.1 SUSE Linux Enterprise High Availability 15-SP2 (src): kernel-default-5.3.18-24.70.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:2352-1: An update that solves 5 vulnerabilities and has 38 fixes is now available. Category: security (important) Bug References: 1152489,1153274,1154353,1155518,1164648,1176447,1176774,1176919,1177028,1178134,1182470,1184212,1184685,1185486,1185675,1185677,1186206,1186666,1186949,1187171,1187263,1187356,1187402,1187403,1187404,1187407,1187408,1187409,1187410,1187411,1187412,1187413,1187452,1187554,1187595,1187601,1187795,1187867,1187883,1187886,1187927,1187972,1187980 CVE References: CVE-2021-0512,CVE-2021-0605,CVE-2021-33624,CVE-2021-34693,CVE-2021-3573 JIRA References: Sources used: openSUSE Leap 15.3 (src): kernel-64kb-5.3.18-59.13.1, kernel-debug-5.3.18-59.13.1, kernel-default-5.3.18-59.13.1, kernel-default-base-5.3.18-59.13.1.18.6.1, kernel-docs-5.3.18-59.13.1, kernel-kvmsmall-5.3.18-59.13.1, kernel-obs-build-5.3.18-59.13.1, kernel-obs-qa-5.3.18-59.13.1, kernel-preempt-5.3.18-59.13.1, kernel-source-5.3.18-59.13.1, kernel-syms-5.3.18-59.13.1, kernel-zfcpdump-5.3.18-59.13.1
SUSE-SU-2021:2352-1: An update that solves 5 vulnerabilities and has 38 fixes is now available. Category: security (important) Bug References: 1152489,1153274,1154353,1155518,1164648,1176447,1176774,1176919,1177028,1178134,1182470,1184212,1184685,1185486,1185675,1185677,1186206,1186666,1186949,1187171,1187263,1187356,1187402,1187403,1187404,1187407,1187408,1187409,1187410,1187411,1187412,1187413,1187452,1187554,1187595,1187601,1187795,1187867,1187883,1187886,1187927,1187972,1187980 CVE References: CVE-2021-0512,CVE-2021-0605,CVE-2021-33624,CVE-2021-34693,CVE-2021-3573 JIRA References: Sources used: SUSE Linux Enterprise Workstation Extension 15-SP3 (src): kernel-default-5.3.18-59.13.1, kernel-preempt-5.3.18-59.13.1 SUSE Linux Enterprise Module for Live Patching 15-SP3 (src): kernel-default-5.3.18-59.13.1, kernel-livepatch-SLE15-SP3_Update_3-1-7.3.1 SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src): kernel-default-5.3.18-59.13.1 SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): kernel-docs-5.3.18-59.13.1, kernel-obs-build-5.3.18-59.13.1, kernel-preempt-5.3.18-59.13.1, kernel-source-5.3.18-59.13.1, kernel-syms-5.3.18-59.13.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): kernel-64kb-5.3.18-59.13.1, kernel-default-5.3.18-59.13.1, kernel-default-base-5.3.18-59.13.1.18.6.1, kernel-preempt-5.3.18-59.13.1, kernel-source-5.3.18-59.13.1, kernel-zfcpdump-5.3.18-59.13.1 SUSE Linux Enterprise High Availability 15-SP3 (src): kernel-default-5.3.18-59.13.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2426-1: An update that solves 9 vulnerabilities, contains 8 features and has 101 fixes is now available. Category: security (important) Bug References: 1152489,1153274,1154353,1155518,1164648,1174978,1176771,1179610,1182470,1183712,1184212,1184685,1185195,1185486,1185589,1185675,1185677,1185701,1186206,1186463,1186666,1186672,1186752,1186949,1186950,1186951,1186952,1186953,1186954,1186955,1186956,1186957,1186958,1186959,1186960,1186961,1186962,1186963,1186964,1186965,1186966,1186967,1186968,1186969,1186970,1186971,1186972,1186973,1186974,1186976,1186977,1186978,1186979,1186980,1186981,1186982,1186983,1186984,1186985,1186986,1186987,1186988,1186989,1186990,1186991,1186992,1186993,1186994,1186995,1186996,1186997,1186998,1186999,1187000,1187001,1187002,1187003,1187038,1187050,1187067,1187068,1187069,1187072,1187143,1187144,1187171,1187263,1187356,1187402,1187403,1187404,1187407,1187408,1187409,1187410,1187411,1187412,1187413,1187452,1187554,1187595,1187601,1187795,1187834,1187867,1187883,1187886,1187927,1187972,1187980 CVE References: CVE-2020-26558,CVE-2020-36385,CVE-2020-36386,CVE-2021-0129,CVE-2021-0512,CVE-2021-0605,CVE-2021-33624,CVE-2021-34693,CVE-2021-3573 JIRA References: ECO-3691,SLE-11493,SLE-11796,SLE-17882,SLE-7926,SLE-8371,SLE-8389,SLE-8464 Sources used: SUSE Linux Enterprise Module for Realtime 15-SP2 (src): kernel-rt-5.3.18-42.2, kernel-rt_debug-5.3.18-42.2, kernel-source-rt-5.3.18-42.1, kernel-syms-rt-5.3.18-42.1, lttng-modules-2.10.10-1.5.1, oracleasm-2.0.8-1.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done