dpdk-19.11.8-2.7 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10727-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z dpdk-19.11.8-2.7 on GA media These are all security issues fixed in the dpdk-19.11.8-2.7 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10727 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-1059/ SUSE CVE CVE-2018-1059 page https://www.suse.com/security/cve/CVE-2019-14818/ SUSE CVE CVE-2019-14818 page https://www.suse.com/security/cve/CVE-2020-10722/ SUSE CVE CVE-2020-10722 page https://www.suse.com/security/cve/CVE-2020-10725/ SUSE CVE CVE-2020-10725 page https://www.suse.com/security/cve/CVE-2020-14374/ SUSE CVE CVE-2020-14374 page https://www.suse.com/security/cve/CVE-2020-14375/ SUSE CVE CVE-2020-14375 page https://www.suse.com/security/cve/CVE-2020-14376/ SUSE CVE CVE-2020-14376 page https://www.suse.com/security/cve/CVE-2020-14378/ SUSE CVE CVE-2020-14378 page openSUSE Tumbleweed dpdk-19.11.8-2.7 dpdk-devel-19.11.8-2.7 dpdk-doc-19.11.8-2.7 dpdk-examples-19.11.8-2.7 dpdk-kmp-default-19.11.8_k5.13.13_1-2.7 dpdk-tools-19.11.8-2.7 libdpdk-20_0-19.11.8-2.7 dpdk-19.11.8-2.7 as a component of openSUSE Tumbleweed dpdk-devel-19.11.8-2.7 as a component of openSUSE Tumbleweed dpdk-doc-19.11.8-2.7 as a component of openSUSE Tumbleweed dpdk-examples-19.11.8-2.7 as a component of openSUSE Tumbleweed dpdk-kmp-default-19.11.8_k5.13.13_1-2.7 as a component of openSUSE Tumbleweed dpdk-tools-19.11.8-2.7 as a component of openSUSE Tumbleweed libdpdk-20_0-19.11.8-2.7 as a component of openSUSE Tumbleweed The DPDK vhost-user interface does not check to verify that all the requested guest physical range is mapped and contiguous when performing Guest Physical Addresses to Host Virtual Addresses translations. This may lead to a malicious guest exposing vhost-user backend process memory. All versions before 18.02.1 are vulnerable. CVE-2018-1059 openSUSE Tumbleweed:dpdk-19.11.8-2.7 openSUSE Tumbleweed:dpdk-devel-19.11.8-2.7 openSUSE Tumbleweed:dpdk-doc-19.11.8-2.7 openSUSE Tumbleweed:dpdk-examples-19.11.8-2.7 openSUSE Tumbleweed:dpdk-kmp-default-19.11.8_k5.13.13_1-2.7 openSUSE Tumbleweed:dpdk-tools-19.11.8-2.7 openSUSE Tumbleweed:libdpdk-20_0-19.11.8-2.7 moderate 2.9 AV:A/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-1059.html CVE-2018-1059 https://bugzilla.suse.com/1089638 SUSE Bug 1089638 https://bugzilla.suse.com/1090647 SUSE Bug 1090647 A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x.x before 16.11.10, 18.x.x before 18.11.4 and 19.x.x before 19.08.1 where a malicious master, or a container with access to vhost_user socket, can send specially crafted VRING_SET_NUM messages, resulting in a memory leak including file descriptors. This flaw could lead to a denial of service condition. CVE-2019-14818 openSUSE Tumbleweed:dpdk-19.11.8-2.7 openSUSE Tumbleweed:dpdk-devel-19.11.8-2.7 openSUSE Tumbleweed:dpdk-doc-19.11.8-2.7 openSUSE Tumbleweed:dpdk-examples-19.11.8-2.7 openSUSE Tumbleweed:dpdk-kmp-default-19.11.8_k5.13.13_1-2.7 openSUSE Tumbleweed:dpdk-tools-19.11.8-2.7 openSUSE Tumbleweed:libdpdk-20_0-19.11.8-2.7 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-14818.html CVE-2019-14818 https://bugzilla.suse.com/1156146 SUSE Bug 1156146 A vulnerability was found in DPDK versions 18.05 and above. A missing check for an integer overflow in vhost_user_set_log_base() could result in a smaller memory map than requested, possibly allowing memory corruption. CVE-2020-10722 openSUSE Tumbleweed:dpdk-19.11.8-2.7 openSUSE Tumbleweed:dpdk-devel-19.11.8-2.7 openSUSE Tumbleweed:dpdk-doc-19.11.8-2.7 openSUSE Tumbleweed:dpdk-examples-19.11.8-2.7 openSUSE Tumbleweed:dpdk-kmp-default-19.11.8_k5.13.13_1-2.7 openSUSE Tumbleweed:dpdk-tools-19.11.8-2.7 openSUSE Tumbleweed:libdpdk-20_0-19.11.8-2.7 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-10722.html CVE-2020-10722 https://bugzilla.suse.com/1171477 SUSE Bug 1171477 https://bugzilla.suse.com/1171930 SUSE Bug 1171930 A flaw was found in DPDK version 19.11 and above that allows a malicious guest to cause a segmentation fault of the vhost-user backend application running on the host, which could result in a loss of connectivity for the other guests running on that host. This is caused by a missing validity check of the descriptor address in the function `virtio_dev_rx_batch_packed()`. CVE-2020-10725 openSUSE Tumbleweed:dpdk-19.11.8-2.7 openSUSE Tumbleweed:dpdk-devel-19.11.8-2.7 openSUSE Tumbleweed:dpdk-doc-19.11.8-2.7 openSUSE Tumbleweed:dpdk-examples-19.11.8-2.7 openSUSE Tumbleweed:dpdk-kmp-default-19.11.8_k5.13.13_1-2.7 openSUSE Tumbleweed:dpdk-tools-19.11.8-2.7 openSUSE Tumbleweed:libdpdk-20_0-19.11.8-2.7 important 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-10725.html CVE-2020-10725 https://bugzilla.suse.com/1171477 SUSE Bug 1171477 https://bugzilla.suse.com/1171927 SUSE Bug 1171927 A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A flawed bounds checking in the copy_data function leads to a buffer overflow allowing an attacker in a virtual machine to write arbitrary data to any address in the vhost_crypto application. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2020-14374 openSUSE Tumbleweed:dpdk-19.11.8-2.7 openSUSE Tumbleweed:dpdk-devel-19.11.8-2.7 openSUSE Tumbleweed:dpdk-doc-19.11.8-2.7 openSUSE Tumbleweed:dpdk-examples-19.11.8-2.7 openSUSE Tumbleweed:dpdk-kmp-default-19.11.8_k5.13.13_1-2.7 openSUSE Tumbleweed:dpdk-tools-19.11.8-2.7 openSUSE Tumbleweed:libdpdk-20_0-19.11.8-2.7 critical 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14374.html CVE-2020-14374 https://bugzilla.suse.com/1176590 SUSE Bug 1176590 A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. Virtio ring descriptors, and the data they describe are in a region of memory accessible by from both the virtual machine and the host. An attacker in a VM can change the contents of the memory after vhost_crypto has validated it. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2020-14375 openSUSE Tumbleweed:dpdk-19.11.8-2.7 openSUSE Tumbleweed:dpdk-devel-19.11.8-2.7 openSUSE Tumbleweed:dpdk-doc-19.11.8-2.7 openSUSE Tumbleweed:dpdk-examples-19.11.8-2.7 openSUSE Tumbleweed:dpdk-kmp-default-19.11.8_k5.13.13_1-2.7 openSUSE Tumbleweed:dpdk-tools-19.11.8-2.7 openSUSE Tumbleweed:libdpdk-20_0-19.11.8-2.7 critical 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14375.html CVE-2020-14375 https://bugzilla.suse.com/1176590 SUSE Bug 1176590 A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A lack of bounds checking when copying iv_data from the VM guest memory into host memory can lead to a large buffer overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. CVE-2020-14376 openSUSE Tumbleweed:dpdk-19.11.8-2.7 openSUSE Tumbleweed:dpdk-devel-19.11.8-2.7 openSUSE Tumbleweed:dpdk-doc-19.11.8-2.7 openSUSE Tumbleweed:dpdk-examples-19.11.8-2.7 openSUSE Tumbleweed:dpdk-kmp-default-19.11.8_k5.13.13_1-2.7 openSUSE Tumbleweed:dpdk-tools-19.11.8-2.7 openSUSE Tumbleweed:libdpdk-20_0-19.11.8-2.7 critical 6.9 AV:L/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14376.html CVE-2020-14376 https://bugzilla.suse.com/1176590 SUSE Bug 1176590 An integer underflow in dpdk versions before 18.11.10 and before 19.11.5 in the `move_desc` function can lead to large amounts of CPU cycles being eaten up in a long running loop. An attacker could cause `move_desc` to get stuck in a 4,294,967,295-count iteration loop. Depending on how `vhost_crypto` is being used this could prevent other VMs or network tasks from being serviced by the busy DPDK lcore for an extended period. CVE-2020-14378 openSUSE Tumbleweed:dpdk-19.11.8-2.7 openSUSE Tumbleweed:dpdk-devel-19.11.8-2.7 openSUSE Tumbleweed:dpdk-doc-19.11.8-2.7 openSUSE Tumbleweed:dpdk-examples-19.11.8-2.7 openSUSE Tumbleweed:dpdk-kmp-default-19.11.8_k5.13.13_1-2.7 openSUSE Tumbleweed:dpdk-tools-19.11.8-2.7 openSUSE Tumbleweed:libdpdk-20_0-19.11.8-2.7 critical 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14378.html CVE-2020-14378 https://bugzilla.suse.com/1176590 SUSE Bug 1176590