KernelCare
Nov 22, 2019, 9:40:07 AM
to kernelcar...@googlegroups.com
Dear Customers,
KernelCare prepared security updates for your system.
Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.
You can manually update the server by running:
/usr/bin/kcarectl --update
Changelog:
rhel7:
CVE-2018-10853: A flaw was found in the way Linux kernel KVM hypervisor before 4.18
emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current
privilege (CPL) level while emulating unprivileged instructions. An unprivileged
guest user/process could use this flaw to potentially escalate privileges inside
the guest.
CVE-2018-13053: The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the
Linux kernel through 4.17.3 has an integer overflow via a large relative timeout
because ktime_add_safe is not used.
CVE-2018-14625: A flaw was found in the Linux kernel where an attacker may be able
to have an uncontrolled read of kernel memory from within a VM guest. A race condition
between the connect() and close() functions may allow an attacker using the AF_VSOCK
protocol to gather a 4-byte information leak or possibly intercept or corrupt
AF_VSOCK messages destined for other clients.
CVE-2018-14734: drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11
allows ucma_leave_multicast to access a certain data structure after a cleanup
step in ucma_process_join, which allows attackers to cause a denial of service
(use-after-free).
CVE-2018-15594: arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles
certain indirect calls, which makes it easier for attackers to conduct Spectre-v2
attacks against paravirtual guests.
CVE-2018-16658: An issue was discovered in the Linux kernel before 4.18.6. An information
leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local
attackers to read kernel memory because a cast from unsigned long to int interferes
with bounds checking. This is similar to CVE-2018-10940.
CVE-2018-16885: A flaw was found in the Linux kernel that allows userspace to
call memcpy_fromiovecend() and similar functions with a zero offset and buffer
length, which causes a read beyond the buffer boundaries, in certain cases causing
a memory access fault and a system halt by accessing an invalid memory address. This
issue only affects kernel version 3.10.x as shipped with Red Hat Enterprise Linux
7.
CVE-2018-18281: Since Linux kernel version 3.2, the mremap() syscall performs TLB
flushes after dropping pagetable locks. If a syscall such as ftruncate() removes
entries from the pagetables of a task that is in the middle of mremap(), a stale
TLB entry can remain for a short time that permits access to a physical page after
it has been released back to the page allocator and reused. This is fixed in the
following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.
CVE-2018-7755: An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c
in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer
to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM
ioctl and use the obtained kernel pointer to discover the location of kernel code
and data and bypass kernel security protections such as KASLR.
CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a
possible out-of-bounds write due to a missing bounds check. This could lead to
local escalation of privilege with System execution privileges needed. User interaction
is not needed for exploitation. Product: Android. Versions: Android kernel. Android
ID: A-71361580.
CVE-2018-9517: In pppol2tp_connect, there is possible memory corruption due to
a use-after-free. This could lead to local escalation of privilege with System
execution privileges needed. User interaction is not needed for exploitation.
Product: Android. Versions: Android kernel. Android ID: A-38159931.
CVE-2019-11599: The coredump implementation in the Linux kernel before 5.0.10 does
not use locking or other mechanisms to prevent vma layout or vma flags changes
while it runs, which allows local users to obtain sensitive information, cause
a denial of service, or possibly have unspecified other impact by triggering a
race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c,
mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.
CVE-2019-11810: An issue was discovered in the Linux kernel before 5.0.7. A NULL
pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds()
in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service,
related to a use-after-free.
CVE-2019-11833: fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero
out the unused memory region in the extent tree block, which might allow local
users to obtain sensitive information by reading uninitialized data in the filesystem.
CVE-2019-3459: A heap address information leak while using L2CAP_GET_CONF_OPT was
discovered in the Linux kernel before 5.1-rc1.
CVE-2019-3460: A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP
was found in the Linux kernel before 5.1-rc1.
CVE-2019-3882: A flaw was found in the Linux kernel's vfio interface implementation
that permits violation of the user's locked memory limit. If a device is bound
to a vfio driver, such as vfio-pci, and the local attacker is administratively
granted ownership of the device, it may cause a system memory exhaustion and thus
a denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable.
CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module in
the Linux kernel up to and including v5.1-rc6, while handling incoming packets in
handle_rx(). It could occur if one end sends packets faster than the other end
can process them. A guest user, maybe a remote one, could use this flaw to stall
the vhost_net kernel thread, resulting in a DoS scenario.
CVE-2019-5489: The mincore() implementation in mm/mincore.c in the Linux kernel
through 4.19.13 allowed local attackers to observe page cache access patterns
of other processes on the same system, potentially allowing sniffing of secret
information. (Fixing this affects the output of the fincore program.) Limited
remote exploitation may be possible, as demonstrated by latency differences in
accessing public files from an Apache HTTP Server.
CVE-2019-7222: The KVM implementation in the Linux kernel through 4.20.5 has an
information leak.
cvelist: [CVE-2019-3900, CVE-2019-5489, CVE-2018-9517, CVE-2018-10853, CVE-2018-14625,
CVE-2018-14734, CVE-2018-15594, CVE-2018-18281, CVE-2019-3459, CVE-2019-3460,
CVE-2019-3882, CVE-2019-11599, CVE-2019-11810, CVE-2019-11833, CVE-2018-13053,
CVE-2018-16658, CVE-2018-16885, CVE-2018-7755, CVE-2018-9516, CVE-2019-7222]
latest-version: kernel-3.10.0-1062.4.3.el7
oel7:
CVE-2018-10853: A flaw was found in the way Linux kernel KVM hypervisor before 4.18
emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current
privilege (CPL) level while emulating unprivileged instructions. An unprivileged
guest user/process could use this flaw to potentially escalate privileges inside
the guest.
CVE-2018-13053: The alarm_timer_nsleep function in kernel/time/alarmtimer.c in the
Linux kernel through 4.17.3 has an integer overflow via a large relative timeout
because ktime_add_safe is not used.
CVE-2018-14625: A flaw was found in the Linux kernel where an attacker may be able
to have an uncontrolled read of kernel memory from within a VM guest. A race condition
between the connect() and close() functions may allow an attacker using the AF_VSOCK
protocol to gather a 4-byte information leak or possibly intercept or corrupt
AF_VSOCK messages destined for other clients.
CVE-2018-14734: drivers/infiniband/core/ucma.c in the Linux kernel through 4.17.11
allows ucma_leave_multicast to access a certain data structure after a cleanup
step in ucma_process_join, which allows attackers to cause a denial of service
(use-after-free).
CVE-2018-15594: arch/x86/kernel/paravirt.c in the Linux kernel before 4.18.1 mishandles
certain indirect calls, which makes it easier for attackers to conduct Spectre-v2
attacks against paravirtual guests.
CVE-2018-16658: An issue was discovered in the Linux kernel before 4.18.6. An information
leak in cdrom_ioctl_drive_status in drivers/cdrom/cdrom.c could be used by local
attackers to read kernel memory because a cast from unsigned long to int interferes
with bounds checking. This is similar to CVE-2018-10940.
CVE-2018-16885: A flaw was found in the Linux kernel that allows userspace to
call memcpy_fromiovecend() and similar functions with a zero offset and buffer
length, which causes a read beyond the buffer boundaries, in certain cases causing
a memory access fault and a system halt by accessing an invalid memory address. This
issue only affects kernel version 3.10.x as shipped with Red Hat Enterprise Linux
7.
CVE-2018-18281: Since Linux kernel version 3.2, the mremap() syscall performs TLB
flushes after dropping pagetable locks. If a syscall such as ftruncate() removes
entries from the pagetables of a task that is in the middle of mremap(), a stale
TLB entry can remain for a short time that permits access to a physical page after
it has been released back to the page allocator and reused. This is fixed in the
following kernel versions: 4.9.135, 4.14.78, 4.18.16, 4.19.
CVE-2018-7755: An issue was discovered in the fd_locked_ioctl function in drivers/block/floppy.c
in the Linux kernel through 4.15.7. The floppy driver will copy a kernel pointer
to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM
ioctl and use the obtained kernel pointer to discover the location of kernel code
and data and bypass kernel security protections such as KASLR.
CVE-2018-9516: In hid_debug_events_read of drivers/hid/hid-debug.c, there is a
possible out-of-bounds write due to a missing bounds check. This could lead to
local escalation of privilege with System execution privileges needed. User interaction
is not needed for exploitation. Product: Android. Versions: Android kernel. Android
ID: A-71361580.
CVE-2018-9517: In pppol2tp_connect, there is possible memory corruption due to
a use-after-free. This could lead to local escalation of privilege with System
execution privileges needed. User interaction is not needed for exploitation.
Product: Android. Versions: Android kernel. Android ID: A-38159931.
CVE-2019-11599: The coredump implementation in the Linux kernel before 5.0.10 does
not use locking or other mechanisms to prevent vma layout or vma flags changes
while it runs, which allows local users to obtain sensitive information, cause
a denial of service, or possibly have unspecified other impact by triggering a
race condition with mmget_not_zero or get_task_mm calls. This is related to fs/userfaultfd.c,
mm/mmap.c, fs/proc/task_mmu.c, and drivers/infiniband/core/uverbs_main.c.
CVE-2019-11810: An issue was discovered in the Linux kernel before 5.0.7. A NULL
pointer dereference can occur when megasas_create_frame_pool() fails in megasas_alloc_cmds()
in drivers/scsi/megaraid/megaraid_sas_base.c. This causes a Denial of Service,
related to a use-after-free.
CVE-2019-11833: fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero
out the unused memory region in the extent tree block, which might allow local
users to obtain sensitive information by reading uninitialized data in the filesystem.
CVE-2019-3459: A heap address information leak while using L2CAP_GET_CONF_OPT was
discovered in the Linux kernel before 5.1-rc1.
CVE-2019-3460: A heap data infoleak in multiple locations including L2CAP_PARSE_CONF_RSP
was found in the Linux kernel before 5.1-rc1.
CVE-2019-3882: A flaw was found in the Linux kernel's vfio interface implementation
that permits violation of the user's locked memory limit. If a device is bound
to a vfio driver, such as vfio-pci, and the local attacker is administratively
granted ownership of the device, it may cause a system memory exhaustion and thus
a denial of service (DoS). Versions 3.10, 4.14 and 4.18 are vulnerable.
CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module in
the Linux kernel up to and including v5.1-rc6, while handling incoming packets in
handle_rx(). It could occur if one end sends packets faster than the other end
can process them. A guest user, maybe a remote one, could use this flaw to stall
the vhost_net kernel thread, resulting in a DoS scenario.
CVE-2019-5489: The mincore() implementation in mm/mincore.c in the Linux kernel
through 4.19.13 allowed local attackers to observe page cache access patterns
of other processes on the same system, potentially allowing sniffing of secret
information. (Fixing this affects the output of the fincore program.) Limited
remote exploitation may be possible, as demonstrated by latency differences in
accessing public files from an Apache HTTP Server.
CVE-2019-7222: The KVM implementation in the Linux kernel through 4.20.5 has an
information leak.
cvelist: [CVE-2019-3900, CVE-2019-5489, CVE-2018-9517, CVE-2018-10853, CVE-2018-14625,
CVE-2018-14734, CVE-2018-15594, CVE-2018-18281, CVE-2019-3459, CVE-2019-3460,
CVE-2019-3882, CVE-2019-11599, CVE-2019-11810, CVE-2019-11833, CVE-2018-13053,
CVE-2018-16658, CVE-2018-16885, CVE-2018-7755, CVE-2018-9516, CVE-2019-7222]
latest-version: kernel-3.10.0-1062.4.3.el7
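Added here as a worked example, not KernelCare's own tooling: a POSIX shell helper that pulls the cvelist out of an advisory like the one above, compares it with the CVE ids that a captured `kcarectl --patch-info` output mentions, and reads AUTO_UPDATE from kcare.conf so an operator knows whether a manual /usr/bin/kcarectl --update is still needed. It assumes patch-info names each applied CVE id somewhere in its text; the advisory snippet, patch-info file and kcare.conf below are constructed samples.

```shell
#!/bin/sh
# Added example, not KernelCare's own tooling: check whether every CVE in an
# advisory's "cvelist:" is mentioned by `kcarectl --patch-info` (captured to a
# file), and read AUTO_UPDATE from kcare.conf. Assumption: patch-info names each
# applied CVE id somewhere in its text; any CVE-YYYY-NNNN token there counts.

# CVE ids from the (line-wrapped) "cvelist: [...]" entries of a changelog file,
# one per line, sorted and de-duplicated. CVEs that are merely mentioned inside a
# description (e.g. "similar to CVE-...") are outside the list and not counted.
cvelist_from_changelog() {
    awk '/^[[:space:]]*cvelist:/ {on=1} on {print} on && index($0, "]") {on=0}' "$1" \
        | grep -oE 'CVE-[0-9]{4}-[0-9]+' | LC_ALL=C sort -u
}

# Advisory CVEs absent from the captured patch-info file ($2); empty when all
# are covered, so a non-empty result means the update has not been applied yet.
missing_cves() {
    have=$(grep -oE 'CVE-[0-9]{4}-[0-9]+' "$2" | LC_ALL=C sort -u)
    for cve in $(cvelist_from_changelog "$1"); do
        printf '%s\n' "$have" | grep -qxF "$cve" || printf '%s\n' "$cve"
    done
}

# 0 when kcare.conf ($1) has AUTO_UPDATE=True (case-insensitive; whitespace and
# trailing comments ignored; last assignment wins). An absent key is treated as
# the default the advisory states (True). Anything else returns 1.
auto_update_enabled() {
    val=$(sed -n 's/^[[:space:]]*AUTO_UPDATE[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    [ -z "$val" ] && return 0
    case "$val" in [Tt][Rr][Uu][Ee]) return 0 ;; *) return 1 ;; esac
}

# Constructed sample inputs (not a real advisory, kcarectl output or config).
demo=$(mktemp -d)
cat > "$demo/changelog" <<'EOF'
rhel7:
CVE-2018-16658: info leak in cdrom_ioctl_drive_status, similar to CVE-2018-10940.
cvelist: [CVE-2019-3900, CVE-2019-5489, CVE-2018-9517,
CVE-2018-10853]
latest-version: kernel-3.10.0-1062.4.3.el7
EOF
printf 'kpatch-cve: CVE-2019-3900\nkpatch-cve: CVE-2018-9517\nkpatch-cve: CVE-2018-10853\n' > "$demo/patch-info"
printf '# local override\nAUTO_UPDATE = False  # updates are staged by hand\n' > "$demo/kcare.conf"

missing_cves "$demo/changelog" "$demo/patch-info"   # prints CVE-2019-5489
auto_update_enabled "$demo/kcare.conf" || echo "AUTO_UPDATE is off: run /usr/bin/kcarectl --update by hand"
```

Because only the cvelist is parsed, CVE-2018-10940, which the CVE-2018-16658 entry references for comparison only, is not treated as something this update covers.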