Overview

File _patchinfo of Package patchinfo.26292

<patchinfo incident="26292">
  <issue id="1199564" tracker="bnc">VUL-0: CVE-2022-20008: kernel-source-rt,kernel-source-azure,kernel-source: possible to read kernel heap memory due to uninitialized data in mmc_blk_read_single of block.c</issue>
  <issue id="1200288" tracker="bnc">VUL-0: CVE-2022-32296: kernel-source-rt,kernel-source,kernel-source-azure: insufficient TCP source port randomness leads to client identification</issue>
  <issue id="1201309" tracker="bnc">[Azure][MANA] Add the Linux MANA PF Driver</issue>
  <issue id="1202677" tracker="bnc">VUL-0: CVE-2022-2503: kernel-source-rt,kernel-source,kernel-source-azure: LoadPin bypass via dm-verity table reload</issue>
  <issue id="1202960" tracker="bnc">VUL-0: CVE-2022-41218: kernel:  vmalloc use-after-free in dvb-core/dmxdev</issue>
  <issue id="1203552" tracker="bnc">VUL-0: CVE-2022-3239: kernel: em28xx  initialize refcount before kref_get</issue>
  <issue id="1203769" tracker="bnc">VUL-0: CVE-2022-3303: kernel: race condition in snd_pcm_oss_sync leads to NULL pointer dereference</issue>
  <issue id="1203987" tracker="bnc">VUL-0: CVE-2022-41848: kernel: Race condition between mgslpc_ioctl and mgslpc_detach</issue>
  <issue id="2022-41848" tracker="cve" />
  <issue id="2022-3303" tracker="cve" />
  <issue id="2022-41218" tracker="cve" />
  <issue id="2022-3239" tracker="cve" />
  <issue id="2022-2503" tracker="cve" />
  <issue id="2022-32296" tracker="cve" />
  <issue id="2022-20008" tracker="cve" />
  <issue id="PED-529" tracker="jsc" />
  <category>security</category>
  <rating>important</rating>
  <packager>alix82</packager>
  <reboot_needed/>
  <description>
The SUSE Linux Enterprise 15-SP1 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2022-20008: Fixed local information disclosure due to possibility to read kernel heap memory via mmc_blk_read_single of block.c (bnc#1199564).
- CVE-2022-2503: Fixed a vulnerability that allowed root to bypass LoadPin and load untrusted and unverified kernel modules and firmware (bnc#1202677).
- CVE-2022-32296: Fixed vulnerability where TCP servers were allowed to identify clients by observing what source ports are used (bnc#1200288).
- CVE-2022-3239: Fixed an use-after-free in the video4linux driver that could lead a local user to able to crash the system or escalate their privileges (bnc#1203552).
- CVE-2022-3303: Fixed a race condition in the sound subsystem due to improper locking (bnc#1203769).
- CVE-2022-41218: Fixed an use-after-free caused by refcount races in drivers/media/dvb-core/dmxdev.c (bnc#1202960).
- CVE-2022-41848: Fixed a race condition in drivers/char/pcmcia/synclink_cs.c mgslpc_ioctl and mgslpc_detach (bnc#1203987).

The following non-security bugs were fixed:

- dtb: Do not include sources in src.rpm - refer to kernel-source Same as other kernel binary packages there is no need to carry duplicate sources in dtb packages.
- mkspec: eliminate @NOSOURCE@ macro This should be alsways used with @SOURCES@, just include the content there.
- net: mana: Add rmb after checking owner bits (git-fixes).
- net: mana: Add the Linux MANA PF driver (bnc#1201309, jsc#PED-529).
- x86/bugs: Reenable retbleed=off While for older kernels the return thunks are statically built in and cannot be dynamically patched out, retbleed=off should still be possible to do so that the mitigation can still be disabled on Intel who do not use the return thunks but IBRS.
</description>
<summary>Security update for the Linux Kernel</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places