Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP4) SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2428-1 Final 1 1 2023-06-06T20:33:52Z current 2023-06-06T20:33:52Z 2023-06-06T20:33:52Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for the Linux Kernel (Live Patch 11 for SLE 15 SP4) This update for the Linux Kernel 5.14.21-150400_24_60 fixes several issues. The following security issues were fixed: - CVE-2023-0386: Fixed privileges escalation for low-privileged users in the OverlayFS subsystem (bsc#1210499). - CVE-2023-2162: Fixed an use-after-free flaw in iscsi_sw_tcp_session_create (bsc#1210662). - CVE-2023-23454: Fixed a type-confusion in the CBQ network scheduler (bsc#1207188). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-2428,SUSE-SLE-Module-Live-Patching-15-SP4-2023-2428 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232428-1/ Link for SUSE-SU-2023:2428-1 https://lists.suse.com/pipermail/sle-security-updates/2023-June/015108.html E-Mail link for SUSE-SU-2023:2428-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1207188 SUSE Bug 1207188 https://bugzilla.suse.com/1210499 SUSE Bug 1210499 https://bugzilla.suse.com/1210662 SUSE Bug 1210662 https://www.suse.com/security/cve/CVE-2023-0386/ SUSE CVE CVE-2023-0386 page https://www.suse.com/security/cve/CVE-2023-2162/ SUSE CVE CVE-2023-2162 page https://www.suse.com/security/cve/CVE-2023-23454/ SUSE CVE CVE-2023-23454 page SUSE Linux Enterprise Live Patching 15 SP4 kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3 kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3 as a component of SUSE Linux Enterprise Live Patching 15 SP4 A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel's OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate their privileges on the system. CVE-2023-0386 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232428-1/ https://www.suse.com/security/cve/CVE-2023-0386.html CVE-2023-0386 https://bugzilla.suse.com/1209615 SUSE Bug 1209615 https://bugzilla.suse.com/1210499 SUSE Bug 1210499 A use-after-free vulnerability was found in iscsi_sw_tcp_session_create in drivers/scsi/iscsi_tcp.c in SCSI sub-component in the Linux Kernel. In this flaw an attacker could leak kernel internal information. CVE-2023-2162 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232428-1/ https://www.suse.com/security/cve/CVE-2023-2162.html CVE-2023-2162 https://bugzilla.suse.com/1210647 SUSE Bug 1210647 https://bugzilla.suse.com/1210662 SUSE Bug 1210662 https://bugzilla.suse.com/1213841 SUSE Bug 1213841 https://bugzilla.suse.com/1213842 SUSE Bug 1213842 https://bugzilla.suse.com/1214128 SUSE Bug 1214128 https://bugzilla.suse.com/1222212 SUSE Bug 1222212 cbq_classify in net/sched/sch_cbq.c in the Linux kernel through 6.1.4 allows attackers to cause a denial of service (slab-out-of-bounds read) because of type confusion (non-negative numbers can sometimes indicate a TC_ACT_SHOT condition rather than valid classification results). CVE-2023-23454 SUSE Linux Enterprise Live Patching 15 SP4:kernel-livepatch-5_14_21-150400_24_60-default-2-150400.2.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232428-1/ https://www.suse.com/security/cve/CVE-2023-23454.html CVE-2023-23454 https://bugzilla.suse.com/1207036 SUSE Bug 1207036 https://bugzilla.suse.com/1207188 SUSE Bug 1207188 https://bugzilla.suse.com/1208030 SUSE Bug 1208030 https://bugzilla.suse.com/1208044 SUSE Bug 1208044 https://bugzilla.suse.com/1208085 SUSE Bug 1208085 https://bugzilla.suse.com/1211833 SUSE Bug 1211833