centos7-plus:
CVE-2016-3672: Hector Marco and Ismael Ripoll discovered that the Linux kernel would
improperly disable Address Space Layout Randomization (ASLR) for x86 processes
running in 32-bit mode if stack-consumption resource limits were disabled. A local
attacker could use this to make it easier to exploit an existing vulnerability
in a setuid/setgid program.
CVE-2016-7913: It was discovered that a use-after-free vulnerability existed in
the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or possibly
execute arbitrary code.
CVE-2016-8633: Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
in the Linux kernel contained a buffer overflow when handling fragmented packets.
A remote attacker could use this to possibly execute arbitrary code with administrative
privileges.
CVE-2017-1000407: It was discovered that the KVM implementation in the Linux kernel
allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial of service (system crash) in the host OS.
CVE-2017-1000410: A flaw was found in the processing of incoming L2CAP Bluetooth
commands. Uninitialized stack variables can be sent to an attacker, leaking data
in kernel address space.
CVE-2017-12190: Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux
kernel did not properly track reference counts when merging buffers. A local attacker
could use this to cause a denial of service (memory exhaustion).
CVE-2017-15127: A flaw was found in the Linux kernel when freeing pages in hugetlbfs.
This could trigger a local denial of service by crashing the kernel.
CVE-2017-17448: It was discovered that the netfilter component of the Linux kernel did
not properly restrict access to the connection tracking helpers list. A local
attacker could use this to bypass intended access restrictions.
CVE-2017-17449: It was discovered that the netlink subsystem in the Linux kernel
did not properly restrict observations of netlink messages to the appropriate
net namespace. A local attacker could use this to expose sensitive information
(kernel netlink traffic).
CVE-2017-17558: It was discovered that the core USB subsystem in the Linux kernel
did not validate the number of configurations and interfaces in a device. A physically
proximate attacker could use this to cause a denial of service (system crash).
CVE-2017-18017: Denys Fedoryshchenko discovered a use-after-free vulnerability in
the netfilter xt_TCPMSS filter of the Linux kernel. A remote attacker could use
this to cause a denial of service (system crash).
CVE-2017-18203: It was discovered that a race condition existed in the Device Mapper
component of the Linux kernel. A local attacker could use this to cause a denial
of service (system crash).
CVE-2017-7294: Li Qiang discovered that an integer overflow vulnerability existed
in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code.
CVE-2018-5750: Wang Qize discovered that an information disclosure vulnerability
existed in the SMBus driver for ACPI Embedded Controllers in the Linux kernel.
A local attacker could use this to expose sensitive information (kernel pointer
addresses).
CVE-2018-6927: It was discovered that an integer overflow error existed in the futex
implementation in the Linux kernel. A local attacker could use this to cause a
denial of service (system crash).
cvelist: [CVE-2016-3672, CVE-2016-7913, CVE-2016-8633, CVE-2017-7294, CVE-2017-12190,
CVE-2017-15127, CVE-2017-17448, CVE-2017-17449, CVE-2017-17558, CVE-2017-18017,
CVE-2017-18203, CVE-2017-1000407, CVE-2017-1000410, CVE-2018-5750, CVE-2018-6927]
latest-version: 3.10.0-693.21.1.el7
pve-3.10:
CVE-2016-3672: Hector Marco and Ismael Ripoll discovered that the Linux kernel would
improperly disable Address Space Layout Randomization (ASLR) for x86 processes
running in 32-bit mode if stack-consumption resource limits were disabled. A local
attacker could use this to make it easier to exploit an existing vulnerability
in a setuid/setgid program.
CVE-2016-7913: It was discovered that a use-after-free vulnerability existed in
the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or possibly
execute arbitrary code.
CVE-2016-8633: Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
in the Linux kernel contained a buffer overflow when handling fragmented packets.
A remote attacker could use this to possibly execute arbitrary code with administrative
privileges.
CVE-2017-1000407: It was discovered that the KVM implementation in the Linux kernel
allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial of service (system crash) in the host OS.
CVE-2017-1000410: A flaw was found in the processing of incoming L2CAP Bluetooth
commands. Uninitialized stack variables can be sent to an attacker, leaking data
in kernel address space.
CVE-2017-12190: Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux
kernel did not properly track reference counts when merging buffers. A local attacker
could use this to cause a denial of service (memory exhaustion).
CVE-2017-15127: A flaw was found in the Linux kernel when freeing pages in hugetlbfs.
This could trigger a local denial of service by crashing the kernel.
CVE-2017-17448: It was discovered that the netfilter component of the Linux kernel did
not properly restrict access to the connection tracking helpers list. A local
attacker could use this to bypass intended access restrictions.
CVE-2017-17449: It was discovered that the netlink subsystem in the Linux kernel
did not properly restrict observations of netlink messages to the appropriate
net namespace. A local attacker could use this to expose sensitive information
(kernel netlink traffic).
CVE-2017-17558: It was discovered that the core USB subsystem in the Linux kernel
did not validate the number of configurations and interfaces in a device. A physically
proximate attacker could use this to cause a denial of service (system crash).
CVE-2017-18017: Denys Fedoryshchenko discovered a use-after-free vulnerability in
the netfilter xt_TCPMSS filter of the Linux kernel. A remote attacker could use
this to cause a denial of service (system crash).
CVE-2017-18203: It was discovered that a race condition existed in the Device Mapper
component of the Linux kernel. A local attacker could use this to cause a denial
of service (system crash).
CVE-2017-7294: Li Qiang discovered that an integer overflow vulnerability existed
in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code.
CVE-2018-5750: Wang Qize discovered that an information disclosure vulnerability
existed in the SMBus driver for ACPI Embedded Controllers in the Linux kernel.
A local attacker could use this to expose sensitive information (kernel pointer
addresses).
CVE-2018-6927: It was discovered that an integer overflow error existed in the futex
implementation in the Linux kernel. A local attacker could use this to cause a
denial of service (system crash).
cvelist: [CVE-2016-3672, CVE-2016-7913, CVE-2016-8633, CVE-2017-7294, CVE-2017-12190,
CVE-2017-15127, CVE-2017-17448, CVE-2017-17449, CVE-2017-17558, CVE-2017-18017,
CVE-2017-18203, CVE-2017-1000407, CVE-2017-1000410, CVE-2018-5750, CVE-2018-6927]
latest-version: 3.10.0-22-pve_3.10.0-52
rhel7:
CVE-2016-3672: Hector Marco and Ismael Ripoll discovered that the Linux kernel would
improperly disable Address Space Layout Randomization (ASLR) for x86 processes
running in 32-bit mode if stack-consumption resource limits were disabled. A local
attacker could use this to make it easier to exploit an existing vulnerability
in a setuid/setgid program.
CVE-2016-7913: It was discovered that a use-after-free vulnerability existed in
the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local
attacker could use this to cause a denial of service (system crash) or possibly
execute arbitrary code.
CVE-2016-8633: Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
in the Linux kernel contained a buffer overflow when handling fragmented packets.
A remote attacker could use this to possibly execute arbitrary code with administrative
privileges.
CVE-2017-1000407: It was discovered that the KVM implementation in the Linux kernel
allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial of service (system crash) in the host OS.
CVE-2017-1000410: A flaw was found in the processing of incoming L2CAP Bluetooth
commands. Uninitialized stack variables can be sent to an attacker, leaking data
in kernel address space.
CVE-2017-12190: Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux
kernel did not properly track reference counts when merging buffers. A local attacker
could use this to cause a denial of service (memory exhaustion).
CVE-2017-15127: A flaw was found in the Linux kernel when freeing pages in hugetlbfs.
This could trigger a local denial of service by crashing the kernel.
CVE-2017-17448: It was discovered that the netfilter component of the Linux kernel did
not properly restrict access to the connection tracking helpers list. A local
attacker could use this to bypass intended access restrictions.
CVE-2017-17449: It was discovered that the netlink subsystem in the Linux kernel
did not properly restrict observations of netlink messages to the appropriate
net namespace. A local attacker could use this to expose sensitive information
(kernel netlink traffic).
CVE-2017-17558: It was discovered that the core USB subsystem in the Linux kernel
did not validate the number of configurations and interfaces in a device. A physically
proximate attacker could use this to cause a denial of service (system crash).
CVE-2017-18017: Denys Fedoryshchenko discovered a use-after-free vulnerability in
the netfilter xt_TCPMSS filter of the Linux kernel. A remote attacker could use
this to cause a denial of service (system crash).
CVE-2017-18203: It was discovered that a race condition existed in the Device Mapper
component of the Linux kernel. A local attacker could use this to cause a denial
of service (system crash).
CVE-2017-7294: Li Qiang discovered that an integer overflow vulnerability existed
in the Direct Rendering Manager (DRM) driver for VMware devices in the Linux kernel.
A local attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code.
CVE-2018-5750: Wang Qize discovered that an information disclosure vulnerability
existed in the SMBus driver for ACPI Embedded Controllers in the Linux kernel.
A local attacker could use this to expose sensitive information (kernel pointer
addresses).
CVE-2018-6927: It was discovered that an integer overflow error existed in the futex
implementation in the Linux kernel. A local attacker could use this to cause a
denial of service (system crash).
cvelist: [CVE-2016-3672, CVE-2016-7913, CVE-2016-8633, CVE-2017-7294, CVE-2017-12190,
CVE-2017-15127, CVE-2017-17448, CVE-2017-17449, CVE-2017-17558, CVE-2017-18017,
CVE-2017-18203, CVE-2017-1000407, CVE-2017-1000410, CVE-2018-5750, CVE-2018-6927]
latest-version: 3.10.0-862.el7
==== deploy-prep ====
kernels='pve-3.10 centos7-plus rhel7'
lkernel['pve-3.10']=3.10.0-22-pve_3.10.0-52
lkernel['centos7-plus']=3.10.0-693.21.1.el7
lkernel['rhel7']=3.10.0-862.el7
==== end of deploy-prep ====