Bug 1220140 (CVE-2023-52439)

Summary: VUL-0: CVE-2023-52439: kernel-source,kernel-source-azure,kernel-source-rt: use-after-free in uio_open
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: jlee, meissner, stoyan.manolov, thomas.leroy
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/394650/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-52439:6.7:(AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-02-21 09:27:00 UTC 
In the Linux kernel, the following vulnerability has been resolved:

uio: Fix use-after-free in uio_open

core-1				core-2
-------------------------------------------------------
uio_unregister_device		uio_open
				idev = idr_find()
device_unregister(&idev->dev)
put_device(&idev->dev)
uio_device_release
				get_device(&idev->dev)
kfree(idev)
uio_free_minor(minor)
				uio_release
				put_device(&idev->dev)
				kfree(idev)
-------------------------------------------------------

In the core-1 uio_unregister_device(), the device_unregister will kfree
idev when the idev->dev kobject ref is 1. But after core-1
device_unregister, put_device and before doing kfree, the core-2 may
get_device. Then:
1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
2. When core-2 do uio_release and put_device, the idev will be double
   freed.

To address this issue, we can get idev atomic & inc idev reference with
minor_lock.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52439
https://www.cve.org/CVERecord?id=CVE-2023-52439
https://git.kernel.org/stable/c/0c9ae0b8605078eafc3bea053cc78791e97ba2e2
https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea
https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c
https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9d6e92ad
https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7
https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570
https://git.kernel.org/stable/c/913205930da6213305616ac539447702eaa85e41
https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50
Comment 1 Thomas Leroy 2024-02-21 09:31:09 UTC 
stable and SLE15-SP6 already fixed.

Affected:
- cve/linux-5.14                                                                                                                                                                        
- cve/linux-5.3
Comment 2 Joey Lee 2024-02-23 06:07:27 UTC 
Fixes: 57c5f4df0a5a ("uio: fix crash after the device is unregistered") [v4.18-rc5]
Comment 3 Joey Lee 2024-03-01 07:11:01 UTC 
commit 0c9ae0b8605078eafc3bea053cc78791e97ba2e2    [v6.8-rc1~62^2~1]
Author: Guanghui Feng <guanghuifeng@linux.alibaba.com>
Date:   Thu Dec 21 17:57:43 2023 +0800

    uio: Fix use-after-free in uio_open

    core-1                          core-2
    -------------------------------------------------------
    uio_unregister_device           uio_open
                                    idev = idr_find()
    device_unregister(&idev->dev)
    put_device(&idev->dev)
    uio_device_release
                                    get_device(&idev->dev)
    kfree(idev)
    uio_free_minor(minor)
                                    uio_release
                                    put_device(&idev->dev)
                                    kfree(idev)
    -------------------------------------------------------
    
    In the core-1 uio_unregister_device(), the device_unregister will kfree
    idev when the idev->dev kobject ref is 1. But after core-1
    device_unregister, put_device and before doing kfree, the core-2 may
    get_device. Then:
    1. After core-1 kfree idev, the core-2 will do use-after-free for idev.
    2. When core-2 do uio_release and put_device, the idev will be double
       freed.
    
    To address this issue, we can get idev atomic & inc idev reference with
    minor_lock.
    
    Fixes: 57c5f4df0a5a ("uio: fix crash after the device is unregistered")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Guanghui Feng <guanghuifeng@linux.alibaba.com>
    Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
    Link: https://lore.kernel.org/r/1703152663-59949-1-git-send-email-guanghuifeng@linux.alibaba.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Comment 4 Joey Lee 2024-03-01 08:28:52 UTC 
(In reply to Thomas Leroy from comment #1)
> stable and SLE15-SP6 already fixed.
> 
> Affected:
> - cve/linux-5.14                                                            
> 
> - cve/linux-5.3

status update:
- cve/linux-5.14        [wait to be merged]
- cve/linux-5.3         [wait to be merged]
Comment 5 Joey Lee 2024-03-01 17:00:11 UTC 
(In reply to Joey Lee from comment #4)
> (In reply to Thomas Leroy from comment #1)
> > stable and SLE15-SP6 already fixed.
> > 
> > Affected:
> > - cve/linux-5.14                                                            
> > 
> > - cve/linux-5.3
> 
> status update:
> - cve/linux-5.14        [wait to be merged]
> - cve/linux-5.3         [wait to be merged]

updated status:
- cve/linux-5.14        [merged]
- cve/linux-5.3         [merged]

reset assigner
Comment 19 Maintenance Automation 2024-03-12 20:30:08 UTC 
SUSE-SU-2024:0855-1: An update that solves 50 vulnerabilities, contains one feature and has 23 security fixes can now be installed.

Category: security (important)
Bug References: 1194869, 1206453, 1209412, 1216776, 1217927, 1218195, 1218216, 1218450, 1218527, 1218562, 1218663, 1218915, 1219126, 1219127, 1219141, 1219146, 1219295, 1219443, 1219653, 1219827, 1219835, 1219839, 1219840, 1219934, 1220003, 1220009, 1220021, 1220030, 1220106, 1220140, 1220187, 1220238, 1220240, 1220241, 1220243, 1220250, 1220251, 1220253, 1220254, 1220255, 1220257, 1220267, 1220277, 1220317, 1220325, 1220326, 1220328, 1220330, 1220335, 1220344, 1220348, 1220350, 1220364, 1220392, 1220393, 1220398, 1220409, 1220433, 1220444, 1220457, 1220459, 1220469, 1220649, 1220735, 1220736, 1220796, 1220825, 1220845, 1220848, 1220917, 1220930, 1220931, 1220933
CVE References: CVE-2019-25162, CVE-2021-46923, CVE-2021-46924, CVE-2021-46932, CVE-2021-46934, CVE-2021-47083, CVE-2022-48627, CVE-2022-48628, CVE-2023-5197, CVE-2023-52340, CVE-2023-52429, CVE-2023-52439, CVE-2023-52443, CVE-2023-52445, CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451, CVE-2023-52452, CVE-2023-52456, CVE-2023-52457, CVE-2023-52462, CVE-2023-52463, CVE-2023-52464, CVE-2023-52467, CVE-2023-52475, CVE-2023-52478, CVE-2023-52482, CVE-2023-52530, CVE-2023-52531, CVE-2023-52559, CVE-2023-6270, CVE-2023-6817, CVE-2024-0607, CVE-2024-1151, CVE-2024-23849, CVE-2024-23850, CVE-2024-23851, CVE-2024-25744, CVE-2024-26585, CVE-2024-26586, CVE-2024-26589, CVE-2024-26591, CVE-2024-26593, CVE-2024-26595, CVE-2024-26598, CVE-2024-26602, CVE-2024-26603, CVE-2024-26607, CVE-2024-26622
Jira References: PED-7618
Sources used:
openSUSE Leap 15.5 (src): kernel-syms-azure-5.14.21-150500.33.37.1, kernel-source-azure-5.14.21-150500.33.37.1
Public Cloud Module 15-SP5 (src): kernel-syms-azure-5.14.21-150500.33.37.1, kernel-source-azure-5.14.21-150500.33.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Maintenance Automation 2024-03-13 08:30:10 UTC 
SUSE-SU-2024:0858-1: An update that solves 39 vulnerabilities, contains one feature and has 23 security fixes can now be installed.

Category: security (important)
Bug References: 1194869, 1206453, 1209412, 1213456, 1216776, 1217927, 1218195, 1218216, 1218450, 1218527, 1218663, 1218915, 1219126, 1219127, 1219141, 1219146, 1219295, 1219443, 1219653, 1219827, 1219835, 1219839, 1219840, 1219934, 1220003, 1220009, 1220021, 1220030, 1220106, 1220140, 1220187, 1220238, 1220240, 1220241, 1220243, 1220250, 1220251, 1220253, 1220254, 1220255, 1220257, 1220267, 1220277, 1220317, 1220326, 1220328, 1220330, 1220335, 1220344, 1220348, 1220350, 1220364, 1220392, 1220393, 1220398, 1220409, 1220444, 1220457, 1220459, 1220649, 1220796, 1220825
CVE References: CVE-2019-25162, CVE-2021-46923, CVE-2021-46924, CVE-2021-46932, CVE-2023-28746, CVE-2023-5197, CVE-2023-52340, CVE-2023-52429, CVE-2023-52439, CVE-2023-52443, CVE-2023-52445, CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451, CVE-2023-52452, CVE-2023-52456, CVE-2023-52457, CVE-2023-52463, CVE-2023-52464, CVE-2023-52475, CVE-2023-52478, CVE-2023-6817, CVE-2024-0607, CVE-2024-1151, CVE-2024-23849, CVE-2024-23850, CVE-2024-23851, CVE-2024-25744, CVE-2024-26585, CVE-2024-26586, CVE-2024-26589, CVE-2024-26591, CVE-2024-26593, CVE-2024-26595, CVE-2024-26598, CVE-2024-26602, CVE-2024-26603, CVE-2024-26622
Jira References: PED-7618
Sources used:
openSUSE Leap 15.5 (src): kernel-default-base-5.14.21-150500.55.52.1.150500.6.23.1, kernel-syms-5.14.21-150500.55.52.1, kernel-source-5.14.21-150500.55.52.1, kernel-obs-qa-5.14.21-150500.55.52.1, kernel-obs-build-5.14.21-150500.55.52.1, kernel-livepatch-SLE15-SP5_Update_11-1-150500.11.3.1
SUSE Linux Enterprise Micro 5.5 (src): kernel-default-base-5.14.21-150500.55.52.1.150500.6.23.1
Basesystem Module 15-SP5 (src): kernel-default-base-5.14.21-150500.55.52.1.150500.6.23.1, kernel-source-5.14.21-150500.55.52.1
Development Tools Module 15-SP5 (src): kernel-source-5.14.21-150500.55.52.1, kernel-syms-5.14.21-150500.55.52.1, kernel-obs-build-5.14.21-150500.55.52.1
SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5_Update_11-1-150500.11.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Maintenance Automation 2024-03-13 08:30:21 UTC 
SUSE-SU-2024:0857-1: An update that solves 67 vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1200599, 1207653, 1212514, 1213456, 1216223, 1218195, 1218689, 1218915, 1219127, 1219128, 1219146, 1219295, 1219653, 1219827, 1219835, 1219915, 1220009, 1220140, 1220187, 1220238, 1220240, 1220241, 1220243, 1220250, 1220253, 1220255, 1220328, 1220330, 1220344, 1220398, 1220409, 1220416, 1220418, 1220421, 1220436, 1220444, 1220459, 1220469, 1220482, 1220526, 1220538, 1220570, 1220572, 1220599, 1220627, 1220641, 1220649, 1220660, 1220689, 1220700, 1220735, 1220736, 1220737, 1220742, 1220745, 1220767, 1220796, 1220825, 1220826, 1220831, 1220845, 1220860, 1220863, 1220870, 1220917, 1220918, 1220930, 1220931, 1220932, 1221039, 1221040
CVE References: CVE-2019-25162, CVE-2020-36777, CVE-2020-36784, CVE-2021-46904, CVE-2021-46905, CVE-2021-46906, CVE-2021-46915, CVE-2021-46924, CVE-2021-46929, CVE-2021-46932, CVE-2021-46934, CVE-2021-46953, CVE-2021-46964, CVE-2021-46966, CVE-2021-46968, CVE-2021-46974, CVE-2021-46989, CVE-2021-47005, CVE-2021-47012, CVE-2021-47013, CVE-2021-47054, CVE-2021-47060, CVE-2021-47061, CVE-2021-47069, CVE-2021-47076, CVE-2021-47078, CVE-2021-47083, CVE-2022-20154, CVE-2022-48627, CVE-2023-28746, CVE-2023-35827, CVE-2023-46343, CVE-2023-51042, CVE-2023-52340, CVE-2023-52429, CVE-2023-52439, CVE-2023-52443, CVE-2023-52445, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451, CVE-2023-52463, CVE-2023-52475, CVE-2023-52478, CVE-2023-52482, CVE-2023-52502, CVE-2023-52530, CVE-2023-52531, CVE-2023-52532, CVE-2023-52569, CVE-2023-52574, CVE-2023-52597, CVE-2023-52605, CVE-2023-6817, CVE-2024-0340, CVE-2024-0607, CVE-2024-1151, CVE-2024-23849, CVE-2024-23851, CVE-2024-26585, CVE-2024-26586, CVE-2024-26589, CVE-2024-26593, CVE-2024-26595, CVE-2024-26602, CVE-2024-26607, CVE-2024-26622
Sources used:
openSUSE Leap 15.3 (src): kernel-obs-qa-5.3.18-150300.59.153.1, kernel-livepatch-SLE15-SP3_Update_42-1-150300.7.3.2, kernel-syms-5.3.18-150300.59.153.1, kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2, kernel-source-5.3.18-150300.59.153.2, kernel-obs-build-5.3.18-150300.59.153.2
SUSE Linux Enterprise Live Patching 15-SP3 (src): kernel-livepatch-SLE15-SP3_Update_42-1-150300.7.3.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2, kernel-source-5.3.18-150300.59.153.2, kernel-syms-5.3.18-150300.59.153.1, kernel-obs-build-5.3.18-150300.59.153.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2, kernel-source-5.3.18-150300.59.153.2, kernel-syms-5.3.18-150300.59.153.1, kernel-obs-build-5.3.18-150300.59.153.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2, kernel-source-5.3.18-150300.59.153.2, kernel-syms-5.3.18-150300.59.153.1, kernel-obs-build-5.3.18-150300.59.153.2
SUSE Enterprise Storage 7.1 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2, kernel-source-5.3.18-150300.59.153.2, kernel-syms-5.3.18-150300.59.153.1, kernel-obs-build-5.3.18-150300.59.153.2
SUSE Linux Enterprise Micro 5.1 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2
SUSE Linux Enterprise Micro 5.2 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src): kernel-default-base-5.3.18-150300.59.153.2.150300.18.90.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Maintenance Automation 2024-03-13 08:30:40 UTC 
SUSE-SU-2024:0856-1: An update that solves 67 vulnerabilities and has seven security fixes can now be installed.

Category: security (important)
Bug References: 1155518, 1184436, 1185988, 1186286, 1200599, 1207653, 1212514, 1213456, 1216223, 1218195, 1218689, 1218915, 1219127, 1219128, 1219146, 1219295, 1219653, 1219827, 1219835, 1219915, 1220009, 1220140, 1220187, 1220238, 1220240, 1220241, 1220243, 1220250, 1220253, 1220255, 1220328, 1220330, 1220344, 1220398, 1220409, 1220416, 1220418, 1220421, 1220436, 1220444, 1220459, 1220469, 1220482, 1220526, 1220538, 1220570, 1220572, 1220599, 1220627, 1220641, 1220649, 1220660, 1220700, 1220735, 1220736, 1220737, 1220742, 1220745, 1220767, 1220796, 1220825, 1220826, 1220831, 1220845, 1220860, 1220863, 1220870, 1220917, 1220918, 1220930, 1220931, 1220932, 1221039, 1221040
CVE References: CVE-2019-25162, CVE-2020-36777, CVE-2020-36784, CVE-2021-46904, CVE-2021-46905, CVE-2021-46906, CVE-2021-46915, CVE-2021-46924, CVE-2021-46929, CVE-2021-46932, CVE-2021-46934, CVE-2021-46953, CVE-2021-46964, CVE-2021-46966, CVE-2021-46968, CVE-2021-46974, CVE-2021-46989, CVE-2021-47005, CVE-2021-47012, CVE-2021-47013, CVE-2021-47054, CVE-2021-47060, CVE-2021-47061, CVE-2021-47069, CVE-2021-47076, CVE-2021-47078, CVE-2021-47083, CVE-2022-20154, CVE-2022-48627, CVE-2023-28746, CVE-2023-35827, CVE-2023-46343, CVE-2023-51042, CVE-2023-52340, CVE-2023-52429, CVE-2023-52439, CVE-2023-52443, CVE-2023-52445, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451, CVE-2023-52463, CVE-2023-52475, CVE-2023-52478, CVE-2023-52482, CVE-2023-52502, CVE-2023-52530, CVE-2023-52531, CVE-2023-52532, CVE-2023-52569, CVE-2023-52574, CVE-2023-52597, CVE-2023-52605, CVE-2023-6817, CVE-2024-0340, CVE-2024-0607, CVE-2024-1151, CVE-2024-23849, CVE-2024-23851, CVE-2024-26585, CVE-2024-26586, CVE-2024-26589, CVE-2024-26593, CVE-2024-26595, CVE-2024-26602, CVE-2024-26607, CVE-2024-26622
Sources used:
SUSE Linux Enterprise Micro 5.1 (src): kernel-source-rt-5.3.18-150300.161.1
SUSE Linux Enterprise Micro 5.2 (src): kernel-source-rt-5.3.18-150300.161.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): kernel-source-rt-5.3.18-150300.161.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Maintenance Automation 2024-03-14 20:30:11 UTC 
SUSE-SU-2024:0900-1: An update that solves 49 vulnerabilities and has five security fixes can now be installed.

Category: security (important)
Bug References: 1211515, 1213456, 1214064, 1218195, 1218216, 1218562, 1218915, 1219073, 1219126, 1219127, 1219146, 1219295, 1219633, 1219653, 1219827, 1219835, 1220009, 1220140, 1220187, 1220238, 1220240, 1220241, 1220243, 1220250, 1220251, 1220253, 1220254, 1220255, 1220257, 1220326, 1220328, 1220330, 1220335, 1220344, 1220350, 1220364, 1220398, 1220409, 1220433, 1220444, 1220457, 1220459, 1220469, 1220649, 1220735, 1220736, 1220796, 1220797, 1220825, 1220845, 1220917, 1220930, 1220931, 1220933
CVE References: CVE-2019-25162, CVE-2021-46923, CVE-2021-46924, CVE-2021-46932, CVE-2021-46934, CVE-2021-47083, CVE-2022-48627, CVE-2023-28746, CVE-2023-5197, CVE-2023-52340, CVE-2023-52429, CVE-2023-52439, CVE-2023-52443, CVE-2023-52445, CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451, CVE-2023-52452, CVE-2023-52456, CVE-2023-52457, CVE-2023-52463, CVE-2023-52464, CVE-2023-52467, CVE-2023-52475, CVE-2023-52478, CVE-2023-52482, CVE-2023-52484, CVE-2023-52530, CVE-2023-52531, CVE-2023-52559, CVE-2023-6270, CVE-2023-6817, CVE-2024-0607, CVE-2024-1151, CVE-2024-23849, CVE-2024-23850, CVE-2024-23851, CVE-2024-26585, CVE-2024-26586, CVE-2024-26589, CVE-2024-26591, CVE-2024-26593, CVE-2024-26595, CVE-2024-26598, CVE-2024-26602, CVE-2024-26603, CVE-2024-26607, CVE-2024-26622
Sources used:
openSUSE Leap 15.4 (src): kernel-syms-5.14.21-150400.24.111.1, kernel-source-5.14.21-150400.24.111.1, kernel-obs-build-5.14.21-150400.24.111.1, kernel-livepatch-SLE15-SP4_Update_24-1-150400.9.3.1, kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1, kernel-obs-qa-5.14.21-150400.24.111.1
openSUSE Leap Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1
openSUSE Leap Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1
SUSE Linux Enterprise Micro 5.3 (src): kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1
SUSE Linux Enterprise Micro 5.4 (src): kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1
SUSE Linux Enterprise Live Patching 15-SP4 (src): kernel-livepatch-SLE15-SP4_Update_24-1-150400.9.3.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): kernel-source-5.14.21-150400.24.111.1, kernel-obs-build-5.14.21-150400.24.111.1, kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1, kernel-syms-5.14.21-150400.24.111.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): kernel-source-5.14.21-150400.24.111.1, kernel-obs-build-5.14.21-150400.24.111.1, kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1, kernel-syms-5.14.21-150400.24.111.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): kernel-source-5.14.21-150400.24.111.1, kernel-obs-build-5.14.21-150400.24.111.1, kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1, kernel-syms-5.14.21-150400.24.111.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): kernel-source-5.14.21-150400.24.111.1, kernel-obs-build-5.14.21-150400.24.111.1, kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1, kernel-syms-5.14.21-150400.24.111.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): kernel-source-5.14.21-150400.24.111.1, kernel-obs-build-5.14.21-150400.24.111.1, kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1, kernel-syms-5.14.21-150400.24.111.1
SUSE Manager Proxy 4.3 (src): kernel-source-5.14.21-150400.24.111.1, kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1
SUSE Manager Retail Branch Server 4.3 (src): kernel-source-5.14.21-150400.24.111.1, kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1
SUSE Manager Server 4.3 (src): kernel-source-5.14.21-150400.24.111.1, kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Maintenance Automation 2024-03-15 16:30:08 UTC 
SUSE-SU-2024:0910-1: An update that solves 39 vulnerabilities, contains one feature and has 23 security fixes can now be installed.

Category: security (important)
Bug References: 1194869, 1206453, 1209412, 1213456, 1216776, 1217927, 1218195, 1218216, 1218450, 1218527, 1218663, 1218915, 1219126, 1219127, 1219141, 1219146, 1219295, 1219443, 1219653, 1219827, 1219835, 1219839, 1219840, 1219934, 1220003, 1220009, 1220021, 1220030, 1220106, 1220140, 1220187, 1220238, 1220240, 1220241, 1220243, 1220250, 1220251, 1220253, 1220254, 1220255, 1220257, 1220267, 1220277, 1220317, 1220326, 1220328, 1220330, 1220335, 1220344, 1220348, 1220350, 1220364, 1220392, 1220393, 1220398, 1220409, 1220444, 1220457, 1220459, 1220649, 1220796, 1220825
CVE References: CVE-2019-25162, CVE-2021-46923, CVE-2021-46924, CVE-2021-46932, CVE-2023-28746, CVE-2023-5197, CVE-2023-52340, CVE-2023-52429, CVE-2023-52439, CVE-2023-52443, CVE-2023-52445, CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451, CVE-2023-52452, CVE-2023-52456, CVE-2023-52457, CVE-2023-52463, CVE-2023-52464, CVE-2023-52475, CVE-2023-52478, CVE-2023-6817, CVE-2024-0607, CVE-2024-1151, CVE-2024-23849, CVE-2024-23850, CVE-2024-23851, CVE-2024-25744, CVE-2024-26585, CVE-2024-26586, CVE-2024-26589, CVE-2024-26591, CVE-2024-26593, CVE-2024-26595, CVE-2024-26598, CVE-2024-26602, CVE-2024-26603, CVE-2024-26622
Jira References: PED-7618
Sources used:
openSUSE Leap 15.5 (src): kernel-source-rt-5.14.21-150500.13.38.1, kernel-syms-rt-5.14.21-150500.13.38.1, kernel-livepatch-SLE15-SP5-RT_Update_11-1-150500.11.3.1
SUSE Linux Enterprise Micro 5.5 (src): kernel-source-rt-5.14.21-150500.13.38.1
SUSE Linux Enterprise Live Patching 15-SP5 (src): kernel-livepatch-SLE15-SP5-RT_Update_11-1-150500.11.3.1
SUSE Real Time Module 15-SP5 (src): kernel-source-rt-5.14.21-150500.13.38.1, kernel-syms-rt-5.14.21-150500.13.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Maintenance Automation 2024-03-15 16:30:20 UTC 
SUSE-SU-2024:0900-2: An update that solves 49 vulnerabilities and has five security fixes can now be installed.

Category: security (important)
Bug References: 1211515, 1213456, 1214064, 1218195, 1218216, 1218562, 1218915, 1219073, 1219126, 1219127, 1219146, 1219295, 1219633, 1219653, 1219827, 1219835, 1220009, 1220140, 1220187, 1220238, 1220240, 1220241, 1220243, 1220250, 1220251, 1220253, 1220254, 1220255, 1220257, 1220326, 1220328, 1220330, 1220335, 1220344, 1220350, 1220364, 1220398, 1220409, 1220433, 1220444, 1220457, 1220459, 1220469, 1220649, 1220735, 1220736, 1220796, 1220797, 1220825, 1220845, 1220917, 1220930, 1220931, 1220933
CVE References: CVE-2019-25162, CVE-2021-46923, CVE-2021-46924, CVE-2021-46932, CVE-2021-46934, CVE-2021-47083, CVE-2022-48627, CVE-2023-28746, CVE-2023-5197, CVE-2023-52340, CVE-2023-52429, CVE-2023-52439, CVE-2023-52443, CVE-2023-52445, CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451, CVE-2023-52452, CVE-2023-52456, CVE-2023-52457, CVE-2023-52463, CVE-2023-52464, CVE-2023-52467, CVE-2023-52475, CVE-2023-52478, CVE-2023-52482, CVE-2023-52484, CVE-2023-52530, CVE-2023-52531, CVE-2023-52559, CVE-2023-6270, CVE-2023-6817, CVE-2024-0607, CVE-2024-1151, CVE-2024-23849, CVE-2024-23850, CVE-2024-23851, CVE-2024-26585, CVE-2024-26586, CVE-2024-26589, CVE-2024-26591, CVE-2024-26593, CVE-2024-26595, CVE-2024-26598, CVE-2024-26602, CVE-2024-26603, CVE-2024-26607, CVE-2024-26622
Sources used:
SUSE Manager Proxy 4.3 (src): kernel-source-5.14.21-150400.24.111.1, kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1, kernel-syms-5.14.21-150400.24.111.1
SUSE Manager Server 4.3 (src): kernel-source-5.14.21-150400.24.111.1, kernel-default-base-5.14.21-150400.24.111.2.150400.24.52.1, kernel-syms-5.14.21-150400.24.111.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Maintenance Automation 2024-03-22 12:32:03 UTC 
SUSE-SU-2024:0926-1: An update that solves 65 vulnerabilities and has six security fixes can now be installed.

Category: security (important)
Bug References: 1155518, 1184436, 1185988, 1186286, 1200599, 1212514, 1213456, 1218689, 1218915, 1219127, 1219128, 1219146, 1219295, 1219653, 1219827, 1219835, 1220009, 1220140, 1220187, 1220238, 1220240, 1220241, 1220243, 1220250, 1220253, 1220255, 1220328, 1220330, 1220344, 1220398, 1220409, 1220416, 1220418, 1220421, 1220436, 1220444, 1220459, 1220469, 1220482, 1220526, 1220538, 1220570, 1220572, 1220599, 1220627, 1220641, 1220649, 1220660, 1220700, 1220735, 1220736, 1220737, 1220742, 1220745, 1220767, 1220796, 1220825, 1220826, 1220831, 1220845, 1220860, 1220863, 1220870, 1220917, 1220918, 1220930, 1220931, 1220932, 1221039, 1221040, 1221287
CVE References: CVE-2019-25162, CVE-2020-36777, CVE-2020-36784, CVE-2021-46904, CVE-2021-46905, CVE-2021-46906, CVE-2021-46915, CVE-2021-46924, CVE-2021-46929, CVE-2021-46932, CVE-2021-46934, CVE-2021-46953, CVE-2021-46964, CVE-2021-46966, CVE-2021-46974, CVE-2021-46989, CVE-2021-47005, CVE-2021-47012, CVE-2021-47013, CVE-2021-47054, CVE-2021-47060, CVE-2021-47061, CVE-2021-47069, CVE-2021-47076, CVE-2021-47078, CVE-2021-47083, CVE-2022-20154, CVE-2022-48627, CVE-2023-28746, CVE-2023-35827, CVE-2023-46343, CVE-2023-51042, CVE-2023-52340, CVE-2023-52429, CVE-2023-52439, CVE-2023-52443, CVE-2023-52445, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451, CVE-2023-52463, CVE-2023-52475, CVE-2023-52478, CVE-2023-52482, CVE-2023-52502, CVE-2023-52530, CVE-2023-52531, CVE-2023-52532, CVE-2023-52569, CVE-2023-52574, CVE-2023-52597, CVE-2023-52605, CVE-2024-0340, CVE-2024-0607, CVE-2024-1151, CVE-2024-23849, CVE-2024-23851, CVE-2024-26585, CVE-2024-26586, CVE-2024-26589, CVE-2024-26593, CVE-2024-26595, CVE-2024-26602, CVE-2024-26607, CVE-2024-26622
Maintenance Incident: [SUSE:Maintenance:32904](https://smelt.suse.de/incident/32904/)
Sources used:
SUSE Linux Enterprise Live Patching 15-SP2 (src):
 kernel-livepatch-SLE15-SP2_Update_46-1-150200.5.3.2
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 kernel-obs-build-5.3.18-150200.24.183.1, kernel-syms-5.3.18-150200.24.183.1, kernel-source-5.3.18-150200.24.183.1, kernel-default-base-5.3.18-150200.24.183.1.150200.9.93.2
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 kernel-obs-build-5.3.18-150200.24.183.1, kernel-syms-5.3.18-150200.24.183.1, kernel-source-5.3.18-150200.24.183.1, kernel-default-base-5.3.18-150200.24.183.1.150200.9.93.2
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 kernel-obs-build-5.3.18-150200.24.183.1, kernel-syms-5.3.18-150200.24.183.1, kernel-source-5.3.18-150200.24.183.1, kernel-default-base-5.3.18-150200.24.183.1.150200.9.93.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Maintenance Automation 2024-03-22 16:30:06 UTC 
SUSE-SU-2024:0977-1: An update that solves 49 vulnerabilities and has five security fixes can now be installed.

Category: security (important)
Bug References: 1211515, 1213456, 1214064, 1218195, 1218216, 1218562, 1218915, 1219073, 1219126, 1219127, 1219146, 1219295, 1219633, 1219653, 1219827, 1219835, 1220009, 1220140, 1220187, 1220238, 1220240, 1220241, 1220243, 1220250, 1220251, 1220253, 1220254, 1220255, 1220257, 1220326, 1220328, 1220330, 1220335, 1220344, 1220350, 1220364, 1220398, 1220409, 1220433, 1220444, 1220457, 1220459, 1220469, 1220649, 1220735, 1220736, 1220796, 1220797, 1220825, 1220845, 1220917, 1220930, 1220931, 1220933
CVE References: CVE-2019-25162, CVE-2021-46923, CVE-2021-46924, CVE-2021-46932, CVE-2021-46934, CVE-2021-47083, CVE-2022-48627, CVE-2023-28746, CVE-2023-5197, CVE-2023-52340, CVE-2023-52429, CVE-2023-52439, CVE-2023-52443, CVE-2023-52445, CVE-2023-52447, CVE-2023-52448, CVE-2023-52449, CVE-2023-52451, CVE-2023-52452, CVE-2023-52456, CVE-2023-52457, CVE-2023-52463, CVE-2023-52464, CVE-2023-52467, CVE-2023-52475, CVE-2023-52478, CVE-2023-52482, CVE-2023-52484, CVE-2023-52530, CVE-2023-52531, CVE-2023-52559, CVE-2023-6270, CVE-2023-6817, CVE-2024-0607, CVE-2024-1151, CVE-2024-23849, CVE-2024-23850, CVE-2024-23851, CVE-2024-26585, CVE-2024-26586, CVE-2024-26589, CVE-2024-26591, CVE-2024-26593, CVE-2024-26595, CVE-2024-26598, CVE-2024-26602, CVE-2024-26603, CVE-2024-26607, CVE-2024-26622
Maintenance Incident: [SUSE:Maintenance:33016](https://smelt.suse.de/incident/33016/)
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 kernel-source-rt-5.14.21-150400.15.71.1
SUSE Linux Enterprise Micro 5.3 (src):
 kernel-source-rt-5.14.21-150400.15.71.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 kernel-source-rt-5.14.21-150400.15.71.1
SUSE Linux Enterprise Micro 5.4 (src):
 kernel-source-rt-5.14.21-150400.15.71.1
SUSE Linux Enterprise Live Patching 15-SP4 (src):
 kernel-livepatch-SLE15-SP4-RT_Update_19-1-150400.1.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.