Bug 1196657 (CVE-2022-23960)

Summary: VUL-0: CVE-2022-23960: arm-trusted-firmware: Spectre BHB speculation issues
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: afaerber, gianluca.gabrielli, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/312331/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1191580

Comment 1 Marcus Meissner 2022-03-02 15:37:22 UTC
Seems Arm has assigned a different CVE to the BHB issues: CVE-2022-23960.

Comment 2 Marcus Meissner 2022-03-08 18:14:00 UTC
Is public now.

https://www.vusec.net/projects/bhi-spectre-bhb/

Comment 6 Ivan Ivanov 2022-03-24 11:55:26 UTC
Fixes back-ported to arm-trusted-firmware v2.6 and SUSE:SLE-15-SP4:GA package updated.

Comment 7 Gianluca Gabrielli 2022-03-25 09:36:29 UTC
Thanks Ivan, once your job is done you can reassign the issue back to security-team@suse.de, so we can monitor the update until it is released and then close this bug.

Comment 8 Ivan Ivanov 2022-03-25 10:45:22 UTC
Moving to security-team

Comment 9 Gianluca Gabrielli 2022-03-29 10:49:16 UTC
Done

Comment 10 Swamp Workflow Management 2022-04-14 10:23:02 UTC
SUSE-SU-2022:1196-1: An update that solves 22 vulnerabilities, contains three features and has 39 fixes is now available.

Category: security (important)
Bug References: 1065729,1114648,1180153,1184207,1189562,1191428,1191451,1191580,1192273,1193738,1194163,1194541,1194580,1194586,1194590,1194591,1194943,1195051,1195353,1195403,1195480,1195482,1196018,1196114,1196339,1196367,1196468,1196478,1196488,1196514,1196639,1196657,1196723,1196761,1196830,1196836,1196901,1196942,1196973,1196999,1197099,1197227,1197331,1197366,1197462,1197531,1197661,1197675,1197754,1197755,1197756,1197757,1197758,1197760,1197763,1197806,1197894,1197914,1198031,1198032,1198033
CVE References: CVE-2021-39713,CVE-2021-45868,CVE-2022-0001,CVE-2022-0002,CVE-2022-0812,CVE-2022-0850,CVE-2022-1016,CVE-2022-1048,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-23960,CVE-2022-26490,CVE-2022-26966,CVE-2022-27666,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
JIRA References: SLE-15288,SLE-18234,SLE-24125
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    kernel-default-4.12.14-122.116.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    kernel-docs-4.12.14-122.116.1, kernel-obs-build-4.12.14-122.116.1
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-default-4.12.14-122.116.1, kernel-source-4.12.14-122.116.1, kernel-syms-4.12.14-122.116.1
SUSE Linux Enterprise Live Patching 12-SP5 (src):    kernel-default-4.12.14-122.116.1, kgraft-patch-SLE12-SP5_Update_30-1-8.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    kernel-default-4.12.14-122.116.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Swamp Workflow Management 2022-05-12 19:17:52 UTC
SUSE-SU-2022:1651-1: An update that solves 13 vulnerabilities and has 20 fixes is now available.

Category: security (important)
Bug References: 1028340,1065729,1071995,1084513,1114648,1121726,1129770,1137728,1172456,1183723,1187055,1191647,1191958,1194625,1196018,1196247,1196657,1196901,1197075,1197343,1197663,1197888,1197914,1198217,1198228,1198400,1198413,1198516,1198660,1198687,1198742,1198825,1199012
CVE References: CVE-2018-7755,CVE-2019-20811,CVE-2021-20292,CVE-2021-20321,CVE-2021-38208,CVE-2021-43389,CVE-2022-1011,CVE-2022-1280,CVE-2022-1353,CVE-2022-1419,CVE-2022-1516,CVE-2022-23960,CVE-2022-28748
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-azure-4.12.14-16.97.1, kernel-source-azure-4.12.14-16.97.1, kernel-syms-azure-4.12.14-16.97.1
