KernelCare update was released

[KernelCare]

Dear Customers,

KernelCare prepared security updates for your system.
Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.
You can manually update the server by running:

/usr/bin/kcarectl --update

Changelog:

centos7:
CVE-2018-12126: It was discovered that memory previously stored in microarchitectural
store buffers of an Intel CPU core may be exposed to a malicious process that
is executing on the same CPU core. A local attacker could use this to expose sensitive
information.
CVE-2018-12127: It was discovered that memory previously stored in microarchitectural
load ports of an Intel CPU core may be exposed to a malicious process that is
executing on the same CPU core. A local attacker could use this to expose sensitive
information.
CVE-2018-12130: It was discovered that memory previously stored in microarchitectural
fill buffers of an Intel CPU core may be exposed to a malicious process that is
executing on the same CPU core. A local attacker could use this to expose sensitive
information.
CVE-2019-11091: It was discovered that uncacheable memory previously stored in microarchitectural
buffers of an Intel CPU core may be exposed to a malicious process that is executing
on the same CPU core. A local attacker could use this to expose sensitive information.
cvelist: [CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091]
latest-version: 3.10.0-957.21.2.el7

[KernelCare]

Dear Customers,

KernelCare prepared security updates for your system.
Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.
You can manually update the server by running:

/usr/bin/kcarectl --update

Changelog:

rhel7:
CVE-2019-11477: An integer overflow flaw was found in the way the Linux kernel's
networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While
processing SACK segments, the Linux kernel's socket buffer (SKB) data structure
becomes fragmented. Each fragment is about TCP maximum segment size (MSS) bytes.
To efficiently process SACK blocks, the Linux kernel merges multiple fragmented
SKBs into one, potentially overflowing the variable holding the number of segments.
A remote attacker could use this flaw to crash the Linux kernel by sending a crafted
sequence of SACK segments on a TCP connection with small value of TCP MSS, resulting
in a denial of service (DoS).
CVE-2019-11478: An excessive resource consumption flaw was found in the way the
Linux kernel's networking subsystem processed TCP Selective Acknowledgment (SACK)
segments. While processing SACK segments, the Linux kernel's socket buffer (SKB)
data structure becomes fragmented, which leads to increased resource utilization
to traverse and process these fragments as further SACK segments are received
on the same TCP connection. A remote attacker could use this flaw to cause a denial
of service (DoS) by sending a crafted sequence of SACK segments on a TCP connection.
CVE-2019-11479: An excessive resource consumption flaw was found in the way the
Linux kernel's networking subsystem processed TCP segments. If the Maximum Segment
Size (MSS) of a TCP connection was set to low values, such as 48 bytes, it can
leave as little as 8 bytes for the user data, which significantly increases the
Linux kernel's resource (CPU, Memory, and Bandwidth) utilization. A remote attacker
could use this flaw to cause a denial of service (DoS) by repeatedly sending network
traffic on a TCP connection with low TCP MSS.
cvelist: [CVE-2019-11477, CVE-2019-11478, CVE-2019-11479]
latest-version: 3.10.0-957.21.3.el7
oel7:
CVE-2019-11477: An integer overflow flaw was found in the way the Linux kernel's
networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While
processing SACK segments, the Linux kernel's socket buffer (SKB) data structure
becomes fragmented. Each fragment is about TCP maximum segment size (MSS) bytes.
To efficiently process SACK blocks, the Linux kernel merges multiple fragmented
SKBs into one, potentially overflowing the variable holding the number of segments.
A remote attacker could use this flaw to crash the Linux kernel by sending a crafted
sequence of SACK segments on a TCP connection with small value of TCP MSS, resulting
in a denial of service (DoS).
CVE-2019-11478: An excessive resource consumption flaw was found in the way the
Linux kernel's networking subsystem processed TCP Selective Acknowledgment (SACK)
segments. While processing SACK segments, the Linux kernel's socket buffer (SKB)
data structure becomes fragmented, which leads to increased resource utilization
to traverse and process these fragments as further SACK segments are received
on the same TCP connection. A remote attacker could use this flaw to cause a denial
of service (DoS) by sending a crafted sequence of SACK segments on a TCP connection.
CVE-2019-11479: An excessive resource consumption flaw was found in the way the
Linux kernel's networking subsystem processed TCP segments. If the Maximum Segment
Size (MSS) of a TCP connection was set to low values, such as 48 bytes, it can
leave as little as 8 bytes for the user data, which significantly increases the
Linux kernel's resource (CPU, Memory, and Bandwidth) utilization. A remote attacker
could use this flaw to cause a denial of service (DoS) by repeatedly sending network
traffic on a TCP connection with low TCP MSS.
cvelist: [CVE-2019-11477, CVE-2019-11478, CVE-2019-11479]
latest-version: 3.10.0-957.21.3.el7

[KernelCare]

Dear Customers,

KernelCare prepared security updates for your system.
Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.
You can manually update the server by running:

/usr/bin/kcarectl --update

Changelog:

centos7: