Bug 911326 – VUL-0: CVE-2014-9419: kernel-source: partial ASLR bypass through TLS base addresses leak

Bug 911326 - (CVE-2014-9419) VUL-0: CVE-2014-9419: kernel-source: partial ASLR bypass through TLS base addresses leak

(CVE-2014-9419)
Summary:	VUL-0: CVE-2014-9419: kernel-source: partial ASLR bypass through TLS base add...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Minor
Target Milestone:	---
Assigned To:	E-mail List
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/111835/
Whiteboard:	maint:running:61844:important maint:r...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2014-12-29 09:27 UTC by Victor Pereira
Modified:	2016-02-08 14:53 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
working es test (1.50 KB, text/x-csrc) 2015-01-26 19:32 UTC, Borislav Petkov	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2014-12-29 09:27:25 UTC

CVE-2014-9419

The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel
through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are
loaded before proceeding with other steps, which makes it easier for local users
to bypass the ASLR protection mechanism via a crafted application that reads a
TLS base address.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1177260
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9419
http://www.openwall.com/lists/oss-security/2014/12/25/1
http://www.cvedetails.com/cve/CVE-2014-9419/
https://github.com/torvalds/linux/commit/f647d7c155f069c1a068030255c300663516420e
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f647d7c155f069c1a068030255c300663516420e

Comment 2 Swamp Workflow Management 2014-12-29 23:00:23 UTC

bugbot adjusting priority

Comment 3 Jiri Slaby 2015-01-08 10:24:22 UTC

I am confused too. Raised an issue on the stable list (no archive has that yet):
Message-ID: <54AE5930.9050802@suse.cz>

Comment 4 Jiri Slaby 2015-01-09 13:02:25 UTC

FWIW, I am not taking this one to 3.12 stable...

http://thread.gmane.org/gmane.linux.kernel.stable/119037/focus=119628

Comment 5 Borislav Petkov 2015-01-26 19:31:55 UTC

Just to hold down a couple of observations from looking at

f647d7c155f0 ("x86_64, switch_to(): Load TLS descriptors before switching DS and ES"):

set_thread_area() is 32-bit only, so kernel has to be built with IA_32
or a 32-bit kernel and on 64-bit that syscall is -ENOSYS.

I.e., es test needs to be compiled with -m32. Also, a couple of includes
are missing, I'm uploading the version which builds here.

Comment 6 Borislav Petkov 2015-01-26 19:32:37 UTC

Created attachment 620904 [details]
working es test

Comment 7 Borislav Petkov 2015-01-27 16:32:06 UTC

Ok, let me hold down what the deal is:

So, when you run the es.c test, this is what happens:

     kworker/1:2-363   [001] d..2   255.503106: __switch_to: next(es:1644)->es: 0x2b, prev(kworker/1:2:363)->es: 0x0
     kworker/1:2-363   [001] d..2   255.503107: __switch_to: segment loaded: 0x2b
              es-1644  [001] d..2   255.503119: __switch_to: next(kworker/1:2:363)->es: 0x0, prev(es:1644)->es: 0x2b
              es-1644  [001] d..2   255.503120: __switch_to: segment loaded: 0x0
     kworker/1:2-363   [001] d..2   255.503131: __switch_to: next(es:1644)->es: 0x2b, prev(kworker/1:2:363)->es: 0x0
     kworker/1:2-363   [001] d..2   255.503132: __switch_to: segment loaded: 0x2b

The 0x2b is something TLS-libc whatever segment selector which gets setup.

While es is running, we've written %es with GDT3(idx), i.e. idx=13 which turns
into 0x6b because it goes into the %es segment selector:

              es-1644  [001] d..2   255.503320: __switch_to: next(swapper/1:0)->es: 0x0, prev(es:1644)->es: 0x6b
              es-1644  [001] d..2   255.503321: __switch_to: segment loaded: 0x0

sched out "es", run swapper, time passes...

    kworker/1:1H-315   [001] d..2   255.507604: __switch_to: next(es:1644)->es: 0x6b, prev(kworker/1:1H:315)->es: 0x0
    kworker/1:1H-315   [001] d..2   255.507609: __switch_to: segment loaded: 0x0

when we sched "es" back in, we load 0x6b into %es but the write
doesn't stick because we GP on an invalid segment which we catch in
loadsegment() and write 0 by default.

Now, if 0x6b were a valid segment selector, we would end up with the
respective TLS segment in the hidden portion of %es prepared for the
next task which we sched in.

And next task would then be able to read that TLS segment of prev. Leak.

And yes, only 32-bit processes on 64-bit linux.

The hypothetical problem with a fix like that is this situation has been
the case since forever so if some obscure 32-bit program relies on this
behavior, we'd break it if we backport that fix.

Back to security team for a decision.

Comment 8 Borislav Petkov 2015-01-27 16:33:16 UTC

Damn bugzilla, copy-paste the above comment into a sane text editor to see the trace lines better.

Comment 9 Marcus Meissner 2015-02-03 08:22:53 UTC

I understand only half of the above. :(

So aslr would only be bypassable in a 32bit mode (and not on native 32bit)?

Only WINE might feel an impact if at all. I think Wine is not relying on such a behaviour.


(as this is a non default scenario for running services or setuid binaries, we could allow to let it rest unfixed too.)


So ... undecided :/

Comment 10 Borislav Petkov 2015-02-03 10:16:22 UTC

(In reply to Marcus Meissner from comment #9)
> I understand only half of the above. :(

Ditto :-P

> So aslr would only be bypassable in a 32bit mode (and not on native 32bit)?

Only 32-bit binaries running on 64-bit Linux.

> Only WINE might feel an impact if at all. I think Wine is not relying on
> such a behaviour.

What about some custom customer applications we don't know of?

> (as this is a non default scenario for running services or setuid binaries,
> we could allow to let it rest unfixed too.)
>
>
> So ... undecided :/

So this is the risk from my previous comment augmented with bitness:

The hypothetical problem with a fix like that is this potential leak has
been the case since forever so if some obscure 32-bit program running
on 64-bit relies on this obviously wrong behavior, we'd break it if we
backport that fix.

Better?

Comment 11 Marcus Meissner 2015-02-06 15:09:54 UTC

I would say do the fix and take the risk.

Comment 12 Borislav Petkov 2015-02-06 15:15:52 UTC

I feel the same. Ok, backporting...

Comment 13 Borislav Petkov 2015-02-07 19:11:45 UTC

SLE12: backported
oS13.2: backported
oS13.1: backported
11SP3: backported

Closing.

Comment 14 Swamp Workflow Management 2015-02-26 09:59:38 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-03-05.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60808

Comment 15 Swamp Workflow Management 2015-03-18 21:11:42 UTC

SUSE-SU-2015:0529-1: An update that solves 8 vulnerabilities and has 53 fixes is now available.

Category: security (important)
Bug References: 799216,800255,860346,875220,877456,884407,895805,896484,897736,898687,900270,902286,902346,902349,903640,904177,904883,904899,904901,905100,905304,905329,905482,905783,906196,907069,908069,908322,908825,908904,909829,910322,911326,912202,912654,912705,913059,914112,914126,914254,914291,914294,914300,914457,914464,914726,915188,915322,915335,915425,915454,915456,915550,915660,916107,916513,916646,917089,917128,918161,918255
CVE References: CVE-2014-3673,CVE-2014-3687,CVE-2014-7822,CVE-2014-7841,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9584
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.38-44.5, kernel-obs-build-3.12.38-44.1
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_3-1-2.2
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1

Comment 16 Swamp Workflow Management 2015-03-24 06:20:06 UTC

SUSE-SU-2015:0581-1: An update that solves 21 vulnerabilities and has 67 fixes is now available.

Category: security (important)
Bug References: 771619,816099,829110,833588,833820,846656,853040,856760,864401,864404,864409,864411,865419,875051,876086,876594,877593,882470,883948,884817,887597,891277,894213,895841,896484,900279,900644,902232,902349,902351,902675,903096,903640,904053,904242,904659,904671,905304,905312,905799,906586,907196,907338,907551,907611,907818,908069,908163,908393,908550,908551,908572,908825,909077,909078,909088,909092,909093,909095,909264,909565,909740,909846,910013,910150,910159,910321,910322,910517,911181,911325,911326,912171,912705,913059,914355,914423,914726,915209,915322,915335,915791,915826,916515,916982,917839,917884,920250
CVE References: CVE-2013-7263,CVE-2014-0181,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-7822,CVE-2014-7842,CVE-2014-7970,CVE-2014-8133,CVE-2014-8134,CVE-2014-8160,CVE-2014-8369,CVE-2014-8559,CVE-2014-9090,CVE-2014-9322,CVE-2014-9419,CVE-2014-9420,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-ec2-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-ppc64-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1, xen-4.2.5_04-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.7, gfs2-2-0.17.1.7, ocfs2-1.6-0.21.1.7
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1, xen-4.2.5_04-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-ppc64-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1

Comment 17 Swamp Workflow Management 2015-04-13 12:11:53 UTC

openSUSE-SU-2015:0713-1: An update that solves 13 vulnerabilities and has 52 fixes is now available.

Category: security (important)
Bug References: 867199,893428,895797,900811,901925,903589,903640,904899,905681,907039,907818,907988,908582,908588,908589,908592,908593,908594,908596,908598,908603,908604,908605,908606,908608,908610,908612,909077,909078,909477,909634,910150,910322,910440,911311,911325,911326,911356,911438,911578,911835,912061,912202,912429,912705,913059,913466,913695,914175,915425,915454,915456,915577,915858,916608,917830,917839,918954,918970,919463,920581,920604,921313,922542,922944
CVE References: CVE-2014-8134,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9428,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-0777,CVE-2015-1421,CVE-2015-1593,CVE-2015-2150
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.6.6, cloop-2.639-14.6.6, crash-7.0.8-6.6, hdjmod-1.28-18.7.6, ipset-6.23-6.6, kernel-docs-3.16.7-13.2, kernel-obs-build-3.16.7-13.7, kernel-obs-qa-3.16.7-13.1, kernel-obs-qa-xen-3.16.7-13.1, kernel-source-3.16.7-13.1, kernel-syms-3.16.7-13.1, pcfclock-0.44-260.6.2, vhba-kmp-20140629-2.6.2, virtualbox-4.3.20-10.2, xen-4.4.1_08-12.2, xtables-addons-2.6-6.2

Comment 18 Swamp Workflow Management 2015-04-13 12:18:45 UTC

openSUSE-SU-2015:0714-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 903640,904899,907988,909078,910150,911325,911326,912202,912654,912705,913059,913695,914175,915322,917839,920901
CVE References: CVE-2014-7822,CVE-2014-8134,CVE-2014-8160,CVE-2014-8173,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.19.1, crash-7.0.2-2.19.1, hdjmod-1.28-16.19.1, ipset-6.21.1-2.23.1, iscsitarget-1.4.20.3-13.19.1, kernel-docs-3.11.10-29.2, kernel-source-3.11.10-29.1, kernel-syms-3.11.10-29.1, ndiswrapper-1.58-19.1, pcfclock-0.44-258.19.1, vhba-kmp-20130607-2.20.1, virtualbox-4.2.28-2.28.1, xen-4.3.3_04-37.1, xtables-addons-2.3-2.19.1

Comment 19 Swamp Workflow Management 2015-04-20 19:20:40 UTC

SUSE-SU-2015:0736-1: An update that solves 21 vulnerabilities and has 69 fixes is now available.

Category: security (important)
Bug References: 771619,816099,829110,833588,833820,846656,853040,856760,864401,864404,864409,864411,865419,875051,876086,876594,877593,882470,883948,884817,887597,891277,894213,895841,896484,900279,900644,902232,902349,902351,902675,903096,903640,904053,904242,904659,904671,905304,905312,905799,906586,907196,907338,907551,907611,907818,908069,908163,908393,908550,908551,908572,908825,909077,909078,909088,909092,909093,909095,909264,909565,909740,909846,910013,910150,910159,910251,910321,910322,910517,911181,911325,911326,912171,912705,913059,914355,914423,914726,915209,915322,915335,915791,915826,916515,916982,917839,917884,920250,924282
CVE References: CVE-2013-7263,CVE-2014-0181,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-7822,CVE-2014-7842,CVE-2014-7970,CVE-2014-8133,CVE-2014-8134,CVE-2014-8160,CVE-2014-8369,CVE-2014-8559,CVE-2014-9090,CVE-2014-9322,CVE-2014-9419,CVE-2014-9420,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.14, drbd-kmp-8.4.4-0.23.1.14, iscsitarget-1.4.20-0.39.1.14, kernel-rt-3.0.101.rt130-0.33.36.1, kernel-rt_trace-3.0.101.rt130-0.33.36.1, kernel-source-rt-3.0.101.rt130-0.33.36.1, kernel-syms-rt-3.0.101.rt130-0.33.36.1, lttng-modules-2.1.1-0.12.1.13, ocfs2-1.6-0.21.1.14, ofed-1.5.4.1-0.14.1.14

Comment 20 Swamp Workflow Management 2015-05-29 09:54:04 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-06-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61844

Comment 21 Swamp Workflow Management 2015-06-08 12:13:04 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-06-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61904

Comment 22 Swamp Workflow Management 2015-07-02 15:11:47 UTC

SUSE-SU-2015:1174-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (moderate)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-ec2-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.21, gfs2-2-0.17.1.21, ocfs2-1.6-0.21.1.21
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1

Comment 23 Swamp Workflow Management 2015-08-12 17:14:56 UTC

SUSE-SU-2015:1376-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (important)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.22, drbd-kmp-8.4.4-0.23.1.22, iscsitarget-1.4.20-0.39.1.22, kernel-rt-3.0.101.rt130-0.33.38.1, kernel-rt_trace-3.0.101.rt130-0.33.38.1, kernel-source-rt-3.0.101.rt130-0.33.38.1, kernel-syms-rt-3.0.101.rt130-0.33.38.1, lttng-modules-2.1.1-0.12.1.20, ocfs2-1.6-0.21.1.22, ofed-1.5.4.1-0.14.1.22

Comment 24 Swamp Workflow Management 2016-02-01 15:13:49 UTC

openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1