SUSE-SU-2019:3224-1

Опубликовано: 10 дек. 2019

Источник: suse-cvrf

Описание

Security update for the Linux Kernel (Live Patch 3 for SLE 12 SP4)

This update for the Linux Kernel 4.12.14-95_13 fixes several issues.

The following security issues were fixed:

CVE-2019-15917: Fixed a use-after-free when hci_uart_register_dev() fails in hci_uart_set_proto() (bsc#1156334).
CVE-2019-13272: Fixed a privilege escalation from user to root due to improper handling of credentials by leveraging certain scenarios with a parent-child process relationship (bsc#1156321).
CVE-2019-10220: Fixed an issue where samba servers could inject relative paths in directory entry lists (bsc#1153108).

Список пакетов

SUSE Linux Enterprise Live Patching 12 SP4

kgraft-patch-4_12_14-95_13-default-6-2.5

Ссылки

https://www.suse.com/support/update/announcement/2019/suse-su-20193224-1/
Link for SUSE-SU-2019:3224-1
https://lists.suse.com/pipermail/sle-security-updates/2019-December/006230.html
E-Mail link for SUSE-SU-2019:3224-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1153108
SUSE Bug 1153108
https://bugzilla.suse.com/1156321
SUSE Bug 1156321
https://bugzilla.suse.com/1156334
SUSE Bug 1156334
https://www.suse.com/security/cve/CVE-2019-10220/
SUSE CVE CVE-2019-10220 page
https://www.suse.com/security/cve/CVE-2019-13272/
SUSE CVE CVE-2019-13272 page
https://www.suse.com/security/cve/CVE-2019-15917/
SUSE CVE CVE-2019-15917 page

Описание

Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.

Затронутые продукты

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_13-default-6-2.5

Ссылки

https://www.suse.com/security/cve/CVE-2019-10220.html
CVE-2019-10220
https://bugzilla.suse.com/1144903
SUSE Bug 1144903
https://bugzilla.suse.com/1153108
SUSE Bug 1153108

Описание

In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a parent drops privileges and calls execve (potentially allowing control by an attacker). One contributing factor is an object lifetime issue (which can also cause a panic). Another contributing factor is incorrect marking of a ptrace relationship as privileged, which is exploitable through (for example) Polkit's pkexec helper with PTRACE_TRACEME. NOTE: SELinux deny_ptrace might be a usable workaround in some environments.

Затронутые продукты

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_13-default-6-2.5

Ссылки

https://www.suse.com/security/cve/CVE-2019-13272.html
CVE-2019-13272
https://bugzilla.suse.com/1140671
SUSE Bug 1140671
https://bugzilla.suse.com/1156321
SUSE Bug 1156321
https://bugzilla.suse.com/1198122
SUSE Bug 1198122

Описание

An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c.

Затронутые продукты

SUSE Linux Enterprise Live Patching 12 SP4:kgraft-patch-4_12_14-95_13-default-6-2.5

Ссылки

https://www.suse.com/security/cve/CVE-2019-15917.html
CVE-2019-15917
https://bugzilla.suse.com/1149539
SUSE Bug 1149539
https://bugzilla.suse.com/1156334
SUSE Bug 1156334

SUSE-SU-2019:3224-1

Описание

Список пакетов

SUSE Linux Enterprise Live Patching 12 SP4

Ссылки

Уязвимость: CVE-2019-10220

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2019-13272

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2019-15917

Описание

Затронутые продукты

Ссылки