Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

         SUSE-SU-2019:1829-1 Security update for the Linux Kernel
                               15 July 2019


        AusCERT Security Bulletin Summary

Product:           Linux Kernel
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Increased Privileges     -- Remote with User Interaction
                   Denial of Service        -- Existing Account            
                   Reduced Security         -- Remote/Unauthenticated      
                   Access Confidential Data -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12819 CVE-2019-12818 CVE-2019-12614
                   CVE-2019-12456 CVE-2019-12380 CVE-2019-11599
                   CVE-2019-10639 CVE-2019-10638 CVE-2019-10126
                   CVE-2018-20836 CVE-2018-16871 

Reference:         ESB-2019.2469

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for the Linux Kernel


Announcement ID:   SUSE-SU-2019:1829-1
Rating:            important
References:        #1051510 #1071995 #1088047 #1094555 #1098633 #1106383
                   #1106751 #1109137 #1114279 #1119532 #1120423 #1124167
                   #1127155 #1128432 #1128902 #1128910 #1131645 #1132154
                   #1132390 #1133401 #1133738 #1134303 #1134395 #1135296
                   #1135556 #1135642 #1136157 #1136598 #1136922 #1136935
                   #1137103 #1137194 #1137429 #1137625 #1137728 #1137884
                   #1137995 #1137996 #1137998 #1137999 #1138000 #1138002
                   #1138003 #1138005 #1138006 #1138007 #1138008 #1138009
                   #1138010 #1138011 #1138012 #1138013 #1138014 #1138015
                   #1138016 #1138017 #1138018 #1138019 #1138291 #1138293
                   #1138374 #1138375 #1138589 #1138719 #1139771 #1139782
                   #1139865 #1140133 #1140328 #1140405 #1140424 #1140428
                   #1140575 #1140577 #1140637 #1140658 #1140715 #1140719
                   #1140726 #1140727 #1140728 #1140814
Cross-References:  CVE-2018-16871 CVE-2018-20836 CVE-2019-10126 CVE-2019-10638
                   CVE-2019-10639 CVE-2019-11599 CVE-2019-12380 CVE-2019-12456
                   CVE-2019-12614 CVE-2019-12818 CVE-2019-12819
Affected Products:
                   SUSE Linux Enterprise Module for Public Cloud 15
                   SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1

An update that solves 11 vulnerabilities and has 71 fixes is now available.


The SUSE Linux Enterprise 15 kernel version 4.12.14 was updated to receive
various security and bugfixes.
The following security bugs were fixed:

  o CVE-2019-10638: Attackers used to be able to track the Linux kernel by the
    IP ID values the kernel produces for connection-less protocols. When such
    traffic was sent to multiple destination IP addresses, it was possible to
    obtain hash collisions (of indices to the counter array) and thereby obtain
    the hashing key (via enumeration). An attack could have been conducted by
    hosting a crafted web page that uses WebRTC or gQUIC to force UDP traffic
    to attacker-controlled IP addresses. [bnc#1140575]

  o CVE-2019-10639: The Linux kernel used to allow Information Exposure
    (partial kernel address disclosure), leading to a KASLR bypass.
    Specifically, it was possible to extract the KASLR kernel image offset
    using the IP ID values the kernel produces for connection-less protocols.
    When such traffic was sent to multiple destination IP addresses, it was
    possible to obtain hash collisions (of indices to the counter array) and
    thereby obtain the hashing key (via enumeration). This key contains enough
    bits from a kernel address (of a static variable) so when the key was
    extracted (via enumeration), the offset of the kernel image was exposed.
    This attack could be carried out remotely by the attacker forcing the
    target device to send UDP or ICMP traffic to attacker-controlled IP
    addresses. Forcing a server to send UDP traffic is trivial if the server is
    a DNS server. ICMP traffic is trivial if the server answers ICMP Echo
    requests (ping). For client targets, if the target visits the attacker's
    web page, then WebRTC or gQUIC can be used to force UDP traffic to
    attacker-controlled IP addresses. [bnc#1140577]

  o CVE-2018-20836: A race condition used to exist in smp_task_timedout() and
    smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a
    use-after-free. [bnc#1134395]

  o CVE-2019-10126: A heap based buffer overflow in the wireless driver code
    was fixed. This issue might have lead to memory corruption and possibly
    other consequences. [bnc#1136935]

  o CVE-2019-11599: The coredump implementation did not use locking or other
    mechanisms to prevent vma layout or vma flags changes while it ran, which
    allowed local users to obtain sensitive information, cause a denial of
    service, or possibly have unspecified other impact by triggering a race
    condition with mmget_not_zero or get_task_mm calls. [bnc#1131645].

  o CVE-2019-12614: There was an unchecked kstrdup of prop->name on PowerPC
    platforms, which allowed an attacker to cause a denial of service (NULL
    pointer dereference and system crash). [bnc#1137194]

  o CVE-2018-16871: A flaw was found in the NFS implementation. An attacker who
    was able to mount an exported NFS filesystem was able to trigger a null
    pointer dereference by an invalid NFS sequence. This could panic the
    machine and deny access to the NFS server. Any outstanding disk writes to
    the NFS server will were lost. [bnc#1137103]

  o CVE-2019-12819: The function __mdiobus_register() used to call put_device
    (), which would trigger a fixed_mdio_bus_init use-after-free error. This
    would cause a denial of service. [bnc#1138291]

  o CVE-2019-12818: The nfc_llcp_build_tlv function in net/nfc/llcp_commands.c
    may return NULL. If the caller did not check for this, it could trigger a
    NULL pointer dereference. This would cause denial of service. [bnc#1138293]

  o CVE-2019-12456: An issue in the MPT3COMMAND case in _ctl_ioctl_main()
    allowed local users to cause a denial of service or possibly have
    unspecified other impact by changing the value of ioc_number between two
    kernel reads of that value, aka a "double fetch" vulnerability. [bsc#

  o CVE-2019-12380: An issue was in the EFI subsystem existed that mishandled
    memory allocation failures. Note, however, that all relevant code runs only
    at boot-time, before any user processes are started. Therefore, there was
    no possibility for an unprivileged user to exploit this issue. [bnc#

The following non-security bugs were fixed:

  o 6lowpan: Off by one handling ->nexthdr (bsc#1051510).
  o acpi: Add Hygon Dhyana support ().
  o af_key: unconditionally clone on broadcast (bsc#1051510).
  o alsa: firewire-lib/fireworks: fix miss detection of received MIDI messages
  o alsa: firewire-motu: fix destruction of data for isochronous resources (bsc
  o alsa: hda - Force polling mode on CNL for fixing codec communication (bsc#
  o alsa: hda/realtek - Change front mic location for Lenovo M710q (bsc#
  o alsa: hda/realtek - Update headset mode for ALC256 (bsc#1051510).
  o alsa: hda/realtek: Add quirks for several Clevo notebook barebones (bsc#
  o alsa: line6: Fix write on zero-sized buffer (bsc#1051510).
  o alsa: oxfw: allow PCM capture for Stanton SCS.1m (bsc#1051510).
  o alsa: seq: fix incorrect order of dest_client/dest_ports arguments (bsc#
  o alsa: usb-audio: fix sign unintended sign extension on left shifts (bsc#
  o apparmor: enforce nullbyte at end of tag string (bsc#1051510).
  o asoc: cs42xx8: Add regcache mask dirty (bsc#1051510).
  o asoc: fsl_asrc: Fix the issue about unsupported rate (bsc#1051510).
  o audit: fix a memory leak bug (bsc#1051510).
  o ax25: fix inconsistent lock state in ax25_destroy_timer (bsc#1051510).
  o blk-mq: fix hang caused by freeze/unfreeze sequence (bsc#1128432).
  o blk-mq: free hw queue's resource in hctx's release handler (bsc#1140637).
  o block: Fix a NULL pointer dereference in generic_make_request() (bsc#
  o bluetooth: Fix faulty expression for minimum encryption key size check (bsc
  o can: af_can: Fix error path of can_init() (bsc#1051510).
  o can: flexcan: fix timeout when set small bitrate (bsc#1051510).
  o can: purge socket error queue on sock destruct (bsc#1051510).
  o ceph: flush dirty inodes before proceeding with remount (bsc#1140405).
  o cfg80211: fix memory leak of wiphy device name (bsc#1051510).
  o clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288 (bsc#1051510).
  o clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
  o coresight: etb10: Fix handling of perf mode (bsc#1051510).
  o coresight: etm4x: Add support to enable ETMv4.2 (bsc#1051510).
  o cpu/topology: Export die_id (jsc#SLE-5454).
  o cpufreq: AMD: Ignore the check for ProcFeedback in ST/CZ ().
  o cpufreq: Add Hygon Dhyana support ().
  o crypto: algapi - guard against uninitialized spawn list in
    crypto_remove_spawns (bsc#1133401).
  o crypto: cryptd - Fix skcipher instance memory leak (bsc#1051510).
  o crypto: user - prevent operating on larval algorithms (bsc#1133401).
  o device core: Consolidate locking and unlocking of parent and device (bsc#
  o dm, dax: Fix detection of DAX support (bsc#1139782).
  o dmaengine: imx-sdma: remove BD_INTR for channel0 (bsc#1051510).
  o doc: Cope with the deprecation of AutoReporter (bsc#1051510).
  o drbd: Avoid Clang warning about pointless switch statment (bsc#1051510).
  o drbd: disconnect, if the wrong UUIDs are attached on a connected peer (bsc#
  o drbd: narrow rcu_read_lock in drbd_sync_handshake (bsc#1051510).
  o drbd: skip spurious timeout (ping-timeo) when failing promote (bsc#
  o driver core: Establish order of operations for device_add and device_del
    via bitflag (bsc#1106383).
  o driver core: Probe devices asynchronously instead of the driver (bsc#
  o drivers/base: Introduce kill_device() (bsc#1139865).
  o drivers/base: kABI fixes for struct device_private (bsc#1106383).
  o drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error
    handling path in 'rio_dma_transfer()' (bsc#1051510).
  o drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen() (bsc#
  o drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var
  o drivers: thermal: tsens: Do not print error message on -EPROBE_DEFER (bsc#
  o drm/arm/hdlcd: Allow a bit of clock tolerance (bsc#1051510).
  o drm/gma500/cdv: Check vbt config bits when detecting lvds panels (bsc#
  o drm/i915/gvt: ignore unexpected pvinfo write (bsc#1051510).
  o drm/i915/perf: fix whitelist on Gen10+ (bsc#1051510).
  o drm/i915/sdvo: Implement proper HDMI audio support for SDVO (bsc#1051510).
  o drm/nouveau/disp/dp: respect sink limits when selecting failsafe link
    configuration (bsc#1051510).
  o drm/radeon: prefer lower reference dividers (bsc#1051510).
  o edac, amd64: Add Hygon Dhyana support.
  o edac/mc: Fix edac_mc_find() in case no device is found (bsc#1114279).
  o ftrace/x86: Remove possible deadlock between register_kprobe() and
    ftrace_run_update_code() (bsc#1071995).
  o genirq: Prevent use-after-free and work list corruption (bsc#1051510).
  o genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent() (bsc#
  o genwqe: Prevent an integer overflow in the ioctl (bsc#1051510).
  o hid: input: fix a4tech horizontal wheel custom usage (bsc#1137429).
  o hid: wacom: Add ability to provide explicit battery status info (bsc#
  o hid: wacom: Add support for 3rd generation Intuos BT (bsc#1051510).
  o hid: wacom: Add support for Pro Pen slim (bsc#1051510).
  o hid: wacom: Correct button numbering 2nd-gen Intuos Pro over Bluetooth (bsc
  o hid: wacom: Do not report anything prior to the tool entering range (bsc#
  o hid: wacom: Do not set tool type until we're in range (bsc#1051510).
  o hid: wacom: Mark expected switch fall-through (bsc#1051510).
  o hid: wacom: Move HID fix for AES serial number into wacom_hid_usage_quirk
  o hid: wacom: Move handling of HID quirks into a dedicated function (bsc#
  o hid: wacom: Properly handle AES serial number and tool type (bsc#1051510).
  o hid: wacom: Queue events with missing type/serial data for later processing
  o hid: wacom: Remove comparison of u8 mode with zero and simplify (bsc#
  o hid: wacom: Replace touch_max fixup code with static touch_max definitions
  o hid: wacom: Send BTN_TOUCH in response to INTUOSP2_BT eraser contact (bsc#
  o hid: wacom: Support "in range" for Intuos/Bamboo tablets where possible
  o hid: wacom: Sync INTUOSP2_BT touch state after each frame if necessary (bsc
  o hid: wacom: Work around HID descriptor bug in DTK-2451 and DTH-2452 (bsc#
  o hid: wacom: convert Wacom custom usages to standard HID usages (bsc#
  o hid: wacom: fix mistake in printk (bsc#1051510).
  o hid: wacom: generic: Ignore HID_DG_BATTERYSTRENTH == 0 (bsc#1051510).
  o hid: wacom: generic: Leave tool in prox until it completely leaves sense
  o hid: wacom: generic: Refactor generic battery handling (bsc#1051510).
  o hid: wacom: generic: Report AES battery information (bsc#1051510).
  o hid: wacom: generic: Reset events back to zero when pen leaves (bsc#
  o hid: wacom: generic: Scale battery capacity measurements to percentages
  o hid: wacom: generic: Send BTN_STYLUS3 when both barrel switches are set
  o hid: wacom: generic: Send BTN_TOOL_PEN in prox once the pen enters range
  o hid: wacom: generic: Support multiple tools per report (bsc#1051510).
  o hid: wacom: generic: Use generic codepath terminology in
    wacom_wac_pen_report (bsc#1051510).
  o hid: wacom: generic: add the "Report Valid" usage (bsc#1051510).
  o hid: wacom: switch Dell canvas into highres mode (bsc#1051510).
  o hid: wacom: wacom_wac_collection() is local to wacom_wac.c (bsc#1051510).
  o hwmon/coretemp: Cosmetic: Rename internal variables to zones from packages
  o hwmon/coretemp: Support multi-die/package (jsc#SLE-5454).
  o hwmon/k10temp, x86/amd_nb: Consolidate shared device IDs ().
  o hwmon: (k10temp) 27C Offset needed for Threadripper2 ().
  o hwmon: (k10temp) Add Hygon Dhyana support ().
  o hwmon: (k10temp) Add support for AMD Ryzen w/ Vega graphics ().
  o hwmon: (k10temp) Add support for Stoney Ridge and Bristol Ridge CPUs ().
  o hwmon: (k10temp) Add support for family 17h ().
  o hwmon: (k10temp) Add support for temperature offsets ().
  o hwmon: (k10temp) Add temperature offset for Ryzen 1900X ().
  o hwmon: (k10temp) Add temperature offset for Ryzen 2700X ().
  o hwmon: (k10temp) Correct model name for Ryzen 1600X ().
  o hwmon: (k10temp) Display both Tctl and Tdie ().
  o hwmon: (k10temp) Fix reading critical temperature register ().
  o hwmon: (k10temp) Make function get_raw_temp static ().
  o hwmon: (k10temp) Move chip specific code into probe function ().
  o hwmon: (k10temp) Only apply temperature offset if result is positive ().
  o hwmon: (k10temp) Support all Family 15h Model 6xh and Model 7xh processors
  o hwmon: (k10temp) Use API function to access System Management Network ().
  o hwmon: k10temp: Support Threadripper 2920X, 2970WX; simplify offset table
  o i2c-piix4: Add Hygon Dhyana SMBus support ().
  o i2c: acorn: fix i2c warning (bsc#1135642).
  o i2c: i801: Add support for Intel Comet Lake (jsc#SLE-5331).
  o ibmveth: Update ethtool settings to reflect virtual properties (bsc#
    1136157, LTC#177197).
  o input: synaptics - enable SMBus on ThinkPad E480 and E580 (bsc#1051510).
  o input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD (bsc
  o kabi workaround for the new pci_dev.skip_bus_pm field addition (bsc#
  o kabi: fixup blk_mq_register_dev() (bsc#1140637).
  o kabi: x86/topology: Add CPUID.1F multi-die/package support (jsc#SLE-5454).
  o kabi: x86/topology: Define topology_logical_die_id() (jsc#SLE-5454).
  o kernel-binary: Use -c grep option in klp project detection.
  o kernel-binary: fix missing \
  o kernel-binary: rpm does not support multiline condition
  o kvm: x86: Include CPUID leaf 0x8000001e in kvm's supported CPUID (bsc#
  o kvm: x86: Include multiple indices with CPUID leaf 0x8000001d (bsc#
  o libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk (bsc#
  o libnvdimm, pfn: Fix over-trim in trim_pfn_device() (bsc#1140719).
  o libnvdimm/bus: Prevent duplicate device_unregister() calls (bsc#1139865).
  o mISDN: make sure device name is NUL terminated (bsc#1051510).
  o mac80211: Do not use stack memory with scatterlist for GMAC (bsc#1051510).
  o mac80211: drop robust management frames from unknown TA (bsc#1051510).
  o mac80211: handle deauthentication/disassociation from TDLS peer (bsc#
  o media: v4l2-ioctl: clear fields in s_parm (bsc#1051510).
  o mfd: intel-lpss: Set the device in reset state when init (bsc#1051510).
  o mfd: tps65912-spi: Add missing of table registration (bsc#1051510).
  o mfd: twl6040: Fix device init errors for ACCCTL register (bsc#1051510).
  o mmc: core: Prevent processing SDIO IRQs when the card is suspended (bsc#
  o mmc: core: make pwrseq_emmc (partially) support sleepy GPIO controllers
  o mmc: mmci: Prevent polling for busy detection in IRQ context (bsc#1051510).
  o mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support (bsc#
  o module: Fix livepatch/ftrace module text permissions race (bsc#1071995).
  o net: mvpp2: Use strscpy to handle stat strings (bsc#1098633).
  o net: mvpp2: prs: Fix parser range for VID filtering (bsc#1098633).
  o net: mvpp2: prs: Use the correct helpers when removing all VID filters (bsc
  o nfit/ars: Allow root to busy-poll the ARS state machine (bsc#1140814).
  o nfit/ars: Avoid stale ARS results (jsc#SLE-5433).
  o nfit/ars: Introduce scrub_flags (jsc#SLE-5433).
  o ntp: Allow TAI-UTC offset to be set to zero (bsc#1135642).
  o nvme-rdma: fix double freeing of async event data (bsc#1120423).
  o nvme-rdma: fix possible double free of controller async event buffer (bsc#
  o nvme: copy MTFA field from identify controller (bsc#1140715).
  o nvme: skip nvme_update_disk_info() if the controller is not live (bsc#
  o nvmem: Do not let a NULL cell_id for nvmem_cell_get() crash us (bsc#
  o nvmem: allow to select i.MX nvmem driver for i.MX 7D (bsc#1051510).
  o nvmem: core: fix read buffer in place (bsc#1051510).
  o nvmem: correct Broadcom OTP controller driver writes (bsc#1051510).
  o nvmem: imx-ocotp: Add i.MX7D timing write clock setup support (bsc#
  o nvmem: imx-ocotp: Add support for banked OTP addressing (bsc#1051510).
  o nvmem: imx-ocotp: Enable i.MX7D OTP write support (bsc#1051510).
  o nvmem: imx-ocotp: Move i.MX6 write clock setup to dedicated function (bsc#
  o nvmem: imx-ocotp: Pass parameters via a struct (bsc#1051510).
  o nvmem: imx-ocotp: Restrict OTP write to IMX6 processors (bsc#1051510).
  o nvmem: imx-ocotp: Update module description (bsc#1051510).
  o nvmem: properly handle returned value nvmem_reg_read (bsc#1051510).
  o ocfs2: try to reuse extent block in dealloc without meta_alloc (bsc#
  o pci: pm: Avoid possible suspend-to-idle issue (bsc#1051510).
  o pci: pm: Skip devices in D0 for suspend-to-idle (bsc#1051510).
  o pci: rpadlpar: Fix leaked device_node references in add/remove paths (bsc#
  o perf tools: Add Hygon Dhyana support ().
  o perf/x86/intel/cstate: Support multi-die/package (jsc#SLE-5454).
  o perf/x86/intel/rapl: Cosmetic rename internal variables in response to
    multi-die/pkg support (jsc#SLE-5454).
  o perf/x86/intel/rapl: Support multi-die/package (jsc#SLE-5454).
  o perf/x86/intel/uncore: Cosmetic renames in response to multi-die/pkg
    support (jsc#SLE-5454).
  o perf/x86/intel/uncore: Support multi-die/package (jsc#SLE-5454).
  o platform/chrome: cros_ec_proto: check for NULL transfer function (bsc#
  o platform/x86: mlx-platform: Fix parent device in i2c-mux-reg device
    registration (bsc#1051510).
  o pm / core: Propagate dev->power.wakeup_path when no callbacks (bsc#
  o power: supply: max14656: fix potential use-before-alloc (bsc#1051510).
  o power: supply: sysfs: prevent endless uevent loop with
    CONFIG_POWER_SUPPLY_DEBUG (bsc#1051510).
  o powercap/intel_rapl: Simplify rapl_find_package() (jsc#SLE-5454).
  o powercap/intel_rapl: Support multi-die/package (jsc#SLE-5454).
  o powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild (bsc#1138374,
  o powerpc/perf: Add PM_LD_MISS_L1 and PM_BR_2PATH to power9 event list (bsc#
    1137728, LTC#178106).
  o powerpc/perf: Add POWER9 alternate PM_RUN_CYC and PM_RUN_INST_CMPL events
    (bsc#1137728, LTC#178106).
  o powerpc/pseries/mobility: prevent cpu hotplug during DT update (bsc#
    1138374, LTC#178199).
  o powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration (bsc#
    1138374, LTC#178199).
  o powerpc/pseries: Fix oops in hotplug memory notifier (bsc#1138375, LTC#
  o powerpc/rtas: retry when cpu offline races with suspend/migration (bsc#
    1140428, LTC#178808).
  o ppp: mppe: Add softdep to arc4 (bsc#1088047).
  o qlcnic: Avoid potential NULL pointer dereference (bsc#1051510).
  o qmi_wwan: Add quirk for Quectel dynamic config (bsc#1051510).
  o qmi_wwan: add network device usage statistics for qmimux devices (bsc#
  o qmi_wwan: add support for QMAP padding in the RX path (bsc#1051510).
  o qmi_wwan: avoid RCU stalls on device disconnect when in QMAP mode (bsc#
  o qmi_wwan: extend permitted QMAP mux_id value range (bsc#1051510).
  o rapidio: fix a NULL pointer dereference when create_workqueue() fails (bsc#
  o ras/cec: Convert the timer callback to a workqueue (bsc#1114279).
  o ras/cec: Fix binary search function (bsc#1114279).
  o s390/dasd: fix using offset into zero size array error (bsc#1051510).
  o s390/jump_label: Use "jdd" constraint on gcc9 (bsc#1138589).
  o s390/qeth: fix VLAN attribute in bridge_hostnotify udev event (bsc#
  o s390/qeth: fix race when initializing the IP address table (bsc#1051510).
  o s390/setup: fix early warning messages (bsc#1051510).
  o s390/virtio: handle find on invalid queue gracefully (bsc#1051510).
  o sbitmap: fix improper use of smp_mb__before_atomic() (bsc#1140658).
  o scripts/git_sort/git_sort.py: add djbw/nvdimm nvdimm-pending.
  o scripts/git_sort/git_sort.py: add nvdimm/libnvdimm-fixes
  o scsi: core: add new RDAC LENOVO/DE_Series device (bsc#1132390).
  o scsi: qla2xxx: Fix FC-AL connection target discovery (bsc#1094555).
  o scsi: qla2xxx: Fix N2N target discovery with Local loop (bsc#1094555).
  o scsi: qla2xxx: Fix abort handling in tcm_qla2xxx_write_pending() (bsc#
  o scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines
  o scsi: target/iblock: Fix overrun in WRITE SAME emulation (bsc#1140424).
  o scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() (bsc#1135296).
  o scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove
  o scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host (bsc#
  o scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP
    devices (bsc#1051510).
  o scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only
    sdevs) (bsc#1051510).
  o serial: sh-sci: disable DMA for uart_console (bsc#1051510).
  o smb3: Fix endian warning (bsc#1137884).
  o soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher (bsc#
  o soc: rockchip: Set the proper PWM for rk3288 (bsc#1051510).
  o spi: spi-topcliff-pch: Fix to handle empty DMA buffers (bsc#1051510).
  o spi: Fix zero length xfer bug (bsc#1051510).
  o spi: bitbang: Fix NULL pointer dereference in spi_unregister_master (bsc#
  o spi: pxa2xx: Add support for Intel Comet Lake (jsc#SLE-5331).
  o spi: pxa2xx: fix SCR (divisor) calculation (bsc#1051510).
  o spi: spi-fsl-spi: call spi_finalize_current_message() at the end (bsc#
  o spi: tegra114: reset controller on probe (bsc#1051510).
  o staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest (bsc#
  o svm: Add warning message for AVIC IPI invalid target (bsc#1140133).
  o svm: Fix AVIC incomplete IPI emulation (bsc#1140133).
  o sysctl: handle overflow in proc_get_long (bsc#1051510).
  o thermal/x86_pkg_temp_thermal: Cosmetic: Rename internal variables to zones
    from packages (jsc#SLE-5454).
  o thermal/x86_pkg_temp_thermal: Support multi-die/package (jsc#SLE-5454).
  o thermal: rcar_gen3_thermal: disable interrupt in .remove (bsc#1051510).
  o tmpfs: fix link accounting when a tmpfile is linked in (bsc#1051510).
  o tmpfs: fix uninitialized return value in shmem_link (bsc#1051510).
  o tools/cpupower: Add Hygon Dhyana support ().
  o topology: Create core_cpus and die_cpus sysfs attributes (jsc#SLE-5454).
  o topology: Create package_cpus sysfs attribute (jsc#SLE-5454).
  o tracing/snapshot: Resize spare buffer if size changed (bsc#1140726).
  o tty: max310x: Fix external crystal register setup (bsc#1051510).
  o usb: Fix chipmunk-like voice when using Logitech C270 for recording audio
  o usb: chipidea: udc: workaround for endpoint conflict issue (bsc#1135642).
  o usb: dwc2: Fix DMA cache alignment issues (bsc#1051510).
  o usb: dwc2: host: Fix wMaxPacketSize handling (fix webcam regression) (bsc#
  o usb: serial: fix initial-termios handling (bsc#1135642).
  o usb: serial: option: add Telit 0x1260 and 0x1261 compositions (bsc#
  o usb: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode (bsc
  o usb: serial: pl2303: add Allied Telesis VT-Kit3 (bsc#1051510).
  o usb: serial: pl2303: fix tranceiver suspend mode (bsc#1135642).
  o usb: usb-storage: Add new ID to ums-realtek (bsc#1051510).
  o usb: xhci: avoid null pointer deref when bos field is NULL (bsc#1135642).
  o usbnet: ipheth: fix racing condition (bsc#1051510).
  o vfio: ccw: only free cp on final interrupt (bsc#1051510).
  o video: hgafb: fix potential NULL pointer dereference (bsc#1051510).
  o video: imsttfb: fix potential NULL pointer dereferences (bsc#1051510).
  o virtio_console: initialize vtermno value for ports (bsc#1051510).
  o vlan: disable SIOCSHWTSTAMP in container (bsc#1051510).
  o watchdog: imx2_wdt: Fix set_timeout for big timeout values (bsc#1051510).
  o x86/CPU/AMD: Do not force the CPB cap when running under a hypervisor (bsc#
  o x86/CPU/hygon: Fix phys_proc_id calculation logic for multi-die processors
  o x86/alternative: Init ideal_nops for Hygon Dhyana ().
  o x86/amd_nb: Add support for Raven Ridge CPUs ().
  o x86/amd_nb: Check vendor in AMD-only functions ().
  o x86/apic: Add Hygon Dhyana support ().
  o x86/bugs: Add Hygon Dhyana to the respective mitigation machinery ().
  o x86/cpu/mtrr: Support TOP_MEM2 and get MTRR number ().
  o x86/cpu: Create Hygon Dhyana architecture support file ().
  o x86/cpu: Get cache info and setup cache cpumap for Hygon Dhyana ().
  o x86/cpufeatures: Carve out CQM features retrieval (jsc#SLE-5382).
  o x86/cpufeatures: Combine word 11 and 12 into a new scattered features word
    (jsc#SLE-5382). This changes definitions of some bits, but they are
    intended to be used only by the core, so hopefully, no KMP uses the
  o x86/cpufeatures: Enumerate the new AVX512 BFLOAT16 instructions (jsc#
  o x86/events: Add Hygon Dhyana support to PMU infrastructure ().
  o x86/kvm: Add Hygon Dhyana support to KVM ().
  o x86/mce: Add Hygon Dhyana support to the MCA infrastructure ().
  o x86/mce: Do not disable MCA banks when offlining a CPU on AMD ().
  o x86/mce: Fix machine_check_poll() tests for error types (bsc#1114279).
  o x86/microcode, cpuhotplug: Add a microcode loader CPU hotplug callback (bsc
  o x86/microcode: Fix microcode hotplug state (bsc#1114279).
  o x86/microcode: Fix the ancient deprecated microcode loading method (bsc#
  o x86/mm/mem_encrypt: Disable all instrumentation for early SME setup (bsc#
  o x86/pci, x86/amd_nb: Add Hygon Dhyana support to PCI and northbridge ().
  o x86/smpboot: Do not use BSP INIT delay and MWAIT to idle on Dhyana ().
  o x86/smpboot: Rename match_die() to match_pkg() (jsc#SLE-5454).
  o x86/speculation/mds: Revert CPU buffer clear on double fault exit (bsc#
  o x86/topology: Add CPUID.1F multi-die/package support (jsc#SLE-5454).
  o x86/topology: Create topology_max_die_per_package() (jsc#SLE-5454).
  o x86/topology: Define topology_die_id() (jsc#SLE-5454).
  o x86/topology: Define topology_logical_die_id() (jsc#SLE-5454).
  o x86/xen: Add Hygon Dhyana support to Xen ().
  o xfs: do not clear imap_valid for a non-uptodate buffers (bsc#1138018).
  o xfs: do not look at buffer heads in xfs_add_to_ioend (bsc#1138013).
  o xfs: do not set the page uptodate in xfs_writepage_map (bsc#1138003).
  o xfs: do not use XFS_BMAPI_ENTRIRE in xfs_get_blocks (bsc#1137999).
  o xfs: do not use XFS_BMAPI_IGSTATE in xfs_map_blocks (bsc#1138005).
  o xfs: eof trim writeback mapping as soon as it is cached (bsc#1138019).
  o xfs: fix s_maxbytes overflow problems (bsc#1137996).
  o xfs: make xfs_writepage_map extent map centric (bsc#1138009).
  o xfs: minor cleanup for xfs_get_blocks (bsc#1138000).
  o xfs: move all writeback buffer_head manipulation into xfs_map_at_offset
  o xfs: refactor the tail of xfs_writepage_map (bsc#1138016).
  o xfs: remove XFS_IO_INVALID (bsc#1138017).
  o xfs: remove the imap_valid flag (bsc#1138012).
  o xfs: remove unused parameter from xfs_writepage_map (bsc#1137995).
  o xfs: remove xfs_map_cow (bsc#1138007).
  o xfs: remove xfs_reflink_find_cow_mapping (bsc#1138010).
  o xfs: remove xfs_reflink_trim_irec_to_next_cow (bsc#1138006).
  o xfs: remove xfs_start_page_writeback (bsc#1138015).
  o xfs: rename the offset variable in xfs_writepage_map (bsc#1138008).
  o xfs: simplify xfs_map_blocks by using xfs_iext_lookup_extent directly (bsc#
  o xfs: skip CoW writes past EOF when writeback races with truncate (bsc#
  o xfs: xfs_reflink_convert_cow() memory allocation deadlock (bsc#1138002).

Special Instructions and Notes:

Please reboot the system after installing this update.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Public Cloud 15:
    zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-2019-1829=1
  o SUSE Linux Enterprise Module for Open Buildservice Development Tools
    zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-1829=1

Package List:

  o SUSE Linux Enterprise Module for Public Cloud 15 (x86_64):
  o SUSE Linux Enterprise Module for Public Cloud 15 (noarch):
  o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1
  o SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1


  o https://www.suse.com/security/cve/CVE-2018-16871.html
  o https://www.suse.com/security/cve/CVE-2018-20836.html
  o https://www.suse.com/security/cve/CVE-2019-10126.html
  o https://www.suse.com/security/cve/CVE-2019-10638.html
  o https://www.suse.com/security/cve/CVE-2019-10639.html
  o https://www.suse.com/security/cve/CVE-2019-11599.html
  o https://www.suse.com/security/cve/CVE-2019-12380.html
  o https://www.suse.com/security/cve/CVE-2019-12456.html
  o https://www.suse.com/security/cve/CVE-2019-12614.html
  o https://www.suse.com/security/cve/CVE-2019-12818.html
  o https://www.suse.com/security/cve/CVE-2019-12819.html
  o https://bugzilla.suse.com/1051510
  o https://bugzilla.suse.com/1071995
  o https://bugzilla.suse.com/1088047
  o https://bugzilla.suse.com/1094555
  o https://bugzilla.suse.com/1098633
  o https://bugzilla.suse.com/1106383
  o https://bugzilla.suse.com/1106751
  o https://bugzilla.suse.com/1109137
  o https://bugzilla.suse.com/1114279
  o https://bugzilla.suse.com/1119532
  o https://bugzilla.suse.com/1120423
  o https://bugzilla.suse.com/1124167
  o https://bugzilla.suse.com/1127155
  o https://bugzilla.suse.com/1128432
  o https://bugzilla.suse.com/1128902
  o https://bugzilla.suse.com/1128910
  o https://bugzilla.suse.com/1131645
  o https://bugzilla.suse.com/1132154
  o https://bugzilla.suse.com/1132390
  o https://bugzilla.suse.com/1133401
  o https://bugzilla.suse.com/1133738
  o https://bugzilla.suse.com/1134303
  o https://bugzilla.suse.com/1134395
  o https://bugzilla.suse.com/1135296
  o https://bugzilla.suse.com/1135556
  o https://bugzilla.suse.com/1135642
  o https://bugzilla.suse.com/1136157
  o https://bugzilla.suse.com/1136598
  o https://bugzilla.suse.com/1136922
  o https://bugzilla.suse.com/1136935
  o https://bugzilla.suse.com/1137103
  o https://bugzilla.suse.com/1137194
  o https://bugzilla.suse.com/1137429
  o https://bugzilla.suse.com/1137625
  o https://bugzilla.suse.com/1137728
  o https://bugzilla.suse.com/1137884
  o https://bugzilla.suse.com/1137995
  o https://bugzilla.suse.com/1137996
  o https://bugzilla.suse.com/1137998
  o https://bugzilla.suse.com/1137999
  o https://bugzilla.suse.com/1138000
  o https://bugzilla.suse.com/1138002
  o https://bugzilla.suse.com/1138003
  o https://bugzilla.suse.com/1138005
  o https://bugzilla.suse.com/1138006
  o https://bugzilla.suse.com/1138007
  o https://bugzilla.suse.com/1138008
  o https://bugzilla.suse.com/1138009
  o https://bugzilla.suse.com/1138010
  o https://bugzilla.suse.com/1138011
  o https://bugzilla.suse.com/1138012
  o https://bugzilla.suse.com/1138013
  o https://bugzilla.suse.com/1138014
  o https://bugzilla.suse.com/1138015
  o https://bugzilla.suse.com/1138016
  o https://bugzilla.suse.com/1138017
  o https://bugzilla.suse.com/1138018
  o https://bugzilla.suse.com/1138019
  o https://bugzilla.suse.com/1138291
  o https://bugzilla.suse.com/1138293
  o https://bugzilla.suse.com/1138374
  o https://bugzilla.suse.com/1138375
  o https://bugzilla.suse.com/1138589
  o https://bugzilla.suse.com/1138719
  o https://bugzilla.suse.com/1139771
  o https://bugzilla.suse.com/1139782
  o https://bugzilla.suse.com/1139865
  o https://bugzilla.suse.com/1140133
  o https://bugzilla.suse.com/1140328
  o https://bugzilla.suse.com/1140405
  o https://bugzilla.suse.com/1140424
  o https://bugzilla.suse.com/1140428
  o https://bugzilla.suse.com/1140575
  o https://bugzilla.suse.com/1140577
  o https://bugzilla.suse.com/1140637
  o https://bugzilla.suse.com/1140658
  o https://bugzilla.suse.com/1140715
  o https://bugzilla.suse.com/1140719
  o https://bugzilla.suse.com/1140726
  o https://bugzilla.suse.com/1140727
  o https://bugzilla.suse.com/1140728
  o https://bugzilla.suse.com/1140814

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967