QID 751381

Date Published: 2021-11-24

QID 751381: SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2021:3748-1)

The suse linux enterprise 12 sp5 kernel was updated to receive various security and bugfixes.
the following security bugs were fixed: - cve-2021-3655: fixed a missing size validations on inbound sctp packets, which may have allowed the kernel to read uninitialized memory (bsc#1188563).
- cve-2021-3715: fixed a use-after-free in route4_change() in net/sched/cls_route.c (bsc#1190349).
- cve-2021-33033: fixed a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the cipso and calipso refcounting for the doi definitions is mishandled (bsc#1186109).
- cve-2021-3760: fixed a use-after-free vulnerability with the ndev->rf_conn_info object (bsc#1190067).
- cve-2021-42739: the firewire subsystem had a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bsc#1184673).
- cve-2021-3542: fixed heap buffer overflow in firedtv driver (bsc#1186063).
- cve-2021-34556: fixed side-channel attack via a speculative store bypass via unprivileged bpf program that could have obtain sensitive information from kernel memory (bsc#1188983).
- cve-2021-35477: fixed bpf stack frame pointer which could have been abused to disclose content of arbitrary kernel memory (bsc#1188985).
- cve-2021-42252: fixed an issue inside aspeed_lpc_ctrl_mmap that could have allowed local attackers to access the aspeed lpc control interface to overwrite memory in the kernel and potentially execute privileges (bnc#1190479).
- cve-2021-42008: fixed a slab out-of-bounds write in the decode_data function in drivers/net/hamradio/6pack.c.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Successful exploitation allows attacker to compromise the system.

  • CVSS V3 rated as High - 7.8 severity.
  • CVSS V2 rated as High - 6.9 severity.
  • Solution
    Upgrade to the latest package which contains the patch. To install this SUSE Security, Update use YaST online_update. Alternatively you can run the command listed for your product. To install packages using the command line interface, use command "yum update". Refer to Suse security advisory: SUSE-SU-2021:3748-1 to address this issue and obtain further details.
    Software Advisories
    Advisory ID Software Component Link
    SUSE-SU-2021:3748-1 SUSE Enterprise Linux URL Logo lists.suse.com/pipermail/sle-security-updates/2021-November/009756.html