Описание
Security update for the Linux Kernel
The SUSE Linux Enterprise 11 SP4 kernel was updated to fix various security issues
The following security issues were fixed:
- CVE-2023-54168: RDMA/mlx4: Prevent shift wrapping in set_user_sq_size() (bsc#1256053).
- CVE-2025-40018: ipvs: Defer ip_vs_ftp unregister during netns cleanup (bsc#1253291 bsc#1253292).
- CVE-2025-40215: kABI: xfrm: delete x->tunnel as we delete x (bsc#1254959).
Список пакетов
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE
Ссылки
- Link for SUSE-SU-2026:0352-1
- E-Mail link for SUSE-SU-2026:0352-1
- SUSE Security Ratings
- SUSE Bug 1207051
- SUSE Bug 1253291
- SUSE Bug 1253292
- SUSE Bug 1254959
- SUSE Bug 1256053
- SUSE Bug 1256353
- SUSE CVE CVE-2023-23559 page
- SUSE CVE CVE-2023-54110 page
- SUSE CVE CVE-2023-54168 page
- SUSE CVE CVE-2025-40018 page
- SUSE CVE CVE-2025-40215 page
Описание
In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.
Затронутые продукты
Ссылки
- CVE-2023-23559
- SUSE Bug 1207051
Описание
In the Linux kernel, the following vulnerability has been resolved: usb: rndis_host: Secure rndis_query check against int overflow Variables off and len typed as uint32 in rndis_query function are controlled by incoming RNDIS response message thus their value may be manipulated. Setting off to a unexpectetly large value will cause the sum with len and 8 to overflow and pass the implemented validation step. Consequently the response pointer will be referring to a location past the expected buffer boundaries allowing information leakage e.g. via RNDIS_OID_802_3_PERMANENT_ADDRESS OID.
Затронутые продукты
Ссылки
- CVE-2023-54110
- SUSE Bug 1256353
Описание
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Prevent shift wrapping in set_user_sq_size() The ucmd->log_sq_bb_count variable is controlled by the user so this shift can wrap. Fix it by using check_shl_overflow() in the same way that it was done in commit 515f60004ed9 ("RDMA/hns: Prevent undefined behavior in hns_roce_set_user_sq_size()").
Затронутые продукты
Ссылки
- CVE-2023-54168
- SUSE Bug 1256053
- SUSE Bug 1256054
Описание
In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.
Затронутые продукты
Ссылки
- CVE-2025-40018
- SUSE Bug 1247374
- SUSE Bug 1252688
- SUSE Bug 1252689
- SUSE Bug 1253291
Описание
In the Linux kernel, the following vulnerability has been resolved: xfrm: delete x->tunnel as we delete x The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a reference to that user state still exists, the fallback state will remain on the hashtables/lists, triggering the WARN in xfrm_state_fini. Because of those remaining references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state synchronously on net exit path") is not complete. We recently fixed one such situation in TCP due to defered freeing of skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we currently drop dst")). This can also happen due to IP reassembly: skbs with a secpath remain on the reassembly queue until netns destruction. If we can't guarantee that the queues are flushed by the time xfrm_state_fini runs, there may still be references to a (user) xfrm_state, preventing the timely deletion of the corresponding fallback state. Instead of chasing each instance of skbs holding a secpath one by one, this patch fixes the issue directly within xfrm, by deleting the fallback state as soon as the last user state depending on it has been deleted. Destruction will still happen when the final reference is dropped. A separate lockdep class for the fallback state is required since we're going to lock x->tunnel while x is locked.
Затронутые продукты
Ссылки
- CVE-2025-40215
- SUSE Bug 1254959
- SUSE Bug 1255054