CloudLinux 7 and CloudLinux 6 Hybrid Updates

Irina Semenova

May 1, 2018, 11:04:46 AM
to kernelcar...@googlegroups.com
Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update

CHANGELOG:
cl6h:
  CVE-2016-3672: Hector Marco and Ismael Ripoll discovered that the Linux kernel would
    improperly disable Address Space Layout Randomization (ASLR) for x86 processes
    running in 32 bit mode if stack-consumption resource limits were disabled. A local
    attacker could use this to make it easier to exploit an existing vulnerability
    in a setuid/setgid program.
  CVE-2016-7913: It was discovered that a use-after-free vulnerability existed in
    the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local
    attacker could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code.
  CVE-2016-8633: Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
    in the Linux kernel contained a buffer overflow when handling fragmented packets.
    A remote attacker could use this to possibly execute arbitrary code with administrative
    privileges.
  CVE-2017-1000407: It was discovered that the KVM implementation in the Linux kernel
    allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
    could use this to cause a denial of service (system crash) in the host OS.
  CVE-2017-1000410: A flaw was found in the processing of incoming L2CAP bluetooth
    commands. Uninitialized stack variables can be sent to an attacker leaking data
    in kernel address space.
  CVE-2017-12190: Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux
    kernel did not properly track reference counts when merging buffers. A local attacker
    could use this to cause a denial of service (memory exhaustion).
  CVE-2017-15127: A flaw was found in the Linux kernel when freeing pages in hugetlbfs.
    This could trigger a local denial of service by crashing the kernel.
  CVE-2017-17448: It was discovered that the netfilter component of the Linux kernel did
    not properly restrict access to the connection tracking helpers list. A local
    attacker could use this to bypass intended access restrictions.
  CVE-2017-17449: It was discovered that the netlink subsystem in the Linux kernel
    did not properly restrict observations of netlink messages to the appropriate
    net namespace. A local attacker could use this to expose sensitive information
    (kernel netlink traffic).
  CVE-2017-17558: It was discovered that the core USB subsystem in the Linux kernel
    did not validate the number of configurations and interfaces in a device. A physically
    proximate attacker could use this to cause a denial of service (system crash).
  CVE-2017-18017: Denys Fedoryshchenko discovered a use-after-free vulnerability in
    the netfilter xt_TCPMSS filter of the Linux kernel. A remote attacker could use
    this to cause a denial of service (system crash).
  CVE-2017-18203: It was discovered that a race condition existed in the Device Mapper
    component of the Linux kernel. A local attacker could use this to cause a denial
    of service (system crash).
  CVE-2017-7294: Li Qiang discovered that an integer overflow vulnerability existed
    in the Direct Rendering Manager (DRM) driver for VMWare devices in the Linux kernel.
    A local attacker could use this to cause a denial of service (system crash) or
    possibly execute arbitrary code.
  CVE-2018-5750: Wang Qize discovered that an information disclosure vulnerability
    existed in the SMBus driver for ACPI Embedded Controllers in the Linux kernel.
    A local attacker could use this to expose sensitive information (kernel pointer
    addresses).
  CVE-2018-6927: It was discovered that an integer overflow error existed in the futex
    implementation in the Linux kernel. A local attacker could use this to cause a
    denial of service (system crash).
  cvelist: [CVE-2016-3672, CVE-2016-7913, CVE-2016-8633, CVE-2017-7294, CVE-2017-12190,
    CVE-2017-15127, CVE-2017-17448, CVE-2017-17449, CVE-2017-17558, CVE-2017-18017,
    CVE-2017-18203, CVE-2017-1000407, CVE-2017-1000410, CVE-2018-5750, CVE-2018-6927]
  latest-version: 3.10.0-714.10.2.lve1.5.15.el6h
cl7:
  CVE-2016-3672: Hector Marco and Ismael Ripoll discovered that the Linux kernel would
    improperly disable Address Space Layout Randomization (ASLR) for x86 processes
    running in 32 bit mode if stack-consumption resource limits were disabled. A local
    attacker could use this to make it easier to exploit an existing vulnerability
    in a setuid/setgid program.
  CVE-2016-7913: It was discovered that a use-after-free vulnerability existed in
    the device driver for XCeive xc2028/xc3028 tuners in the Linux kernel. A local
    attacker could use this to cause a denial of service (system crash) or possibly
    execute arbitrary code.
  CVE-2016-8633: Eyal Itkin discovered that the IP over IEEE 1394 (FireWire) implementation
    in the Linux kernel contained a buffer overflow when handling fragmented packets.
    A remote attacker could use this to possibly execute arbitrary code with administrative
    privileges.
  CVE-2017-1000407: It was discovered that the KVM implementation in the Linux kernel
    allowed passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
    could use this to cause a denial of service (system crash) in the host OS.
  CVE-2017-1000410: A flaw was found in the processing of incoming L2CAP bluetooth
    commands. Uninitialized stack variables can be sent to an attacker leaking data
    in kernel address space.
  CVE-2017-12190: Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux
    kernel did not properly track reference counts when merging buffers. A local attacker
    could use this to cause a denial of service (memory exhaustion).
  CVE-2017-15127: A flaw was found in the Linux kernel when freeing pages in hugetlbfs.
    This could trigger a local denial of service by crashing the kernel.
  CVE-2017-17448: It was discovered that the netfilter component of the Linux kernel did
    not properly restrict access to the connection tracking helpers list. A local
    attacker could use this to bypass intended access restrictions.
  CVE-2017-17449: It was discovered that the netlink subsystem in the Linux kernel
    did not properly restrict observations of netlink messages to the appropriate
    net namespace. A local attacker could use this to expose sensitive information
    (kernel netlink traffic).
  CVE-2017-17558: It was discovered that the core USB subsystem in the Linux kernel
    did not validate the number of configurations and interfaces in a device. A physically
    proximate attacker could use this to cause a denial of service (system crash).
  CVE-2017-18017: Denys Fedoryshchenko discovered a use-after-free vulnerability in
    the netfilter xt_TCPMSS filter of the Linux kernel. A remote attacker could use
    this to cause a denial of service (system crash).
  CVE-2017-18203: It was discovered that a race condition existed in the Device Mapper
    component of the Linux kernel. A local attacker could use this to cause a denial
    of service (system crash).
  CVE-2017-7294: Li Qiang discovered that an integer overflow vulnerability existed
    in the Direct Rendering Manager (DRM) driver for VMWare devices in the Linux kernel.
    A local attacker could use this to cause a denial of service (system crash) or
    possibly execute arbitrary code.
  CVE-2018-5750: Wang Qize discovered that an information disclosure vulnerability
    existed in the SMBus driver for ACPI Embedded Controllers in the Linux kernel.
    A local attacker could use this to expose sensitive information (kernel pointer
    addresses).
  CVE-2018-6927: It was discovered that an integer overflow error existed in the futex
    implementation in the Linux kernel. A local attacker could use this to cause a
    denial of service (system crash).
  cvelist: [CVE-2016-3672, CVE-2016-7913, CVE-2016-8633, CVE-2017-7294, CVE-2017-12190,
    CVE-2017-15127, CVE-2017-17448, CVE-2017-17449, CVE-2017-17558, CVE-2017-18017,
    CVE-2017-18203, CVE-2017-1000407, CVE-2017-1000410, CVE-2018-5750, CVE-2018-6927]
  latest-version: 3.10.0-714.10.2.lve1.5.15.el7

==== deploy-prep ====
kernels='cl7 cl6h'
lkernel['cl7']=3.10.0-714.10.2.lve1.5.15.el7
lkernel['cl6h']=3.10.0-714.10.2.lve1.5.15.el6h
==== end of deploy-prep ====




-- 
Regards, 
Irina Semenova | Project Coordinator of KernelCare 
Skype: iras535

CloudLinux.com  |  KernelCare.com  |  Imunify360 

helpdesk.cloudlinux.com: 24/7 Free, exceptionally good support
Follow twitter.com/CloudLinuxOS for technical updates
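
Added example (not part of the announcement and not CloudLinux's own tooling): a shell check that reads AUTO_UPDATE from the kcare.conf path given in the message and compares the effective kernel version with the latest-version values from the changelog, to tell which hosts still need the manual kcarectl --update. It assumes kcarectl --uname (an option not shown in the message) prints the effective version with those strings as a prefix; the function and status names are hypothetical.

```shell
#!/bin/sh
# Added example: does this host still need the manual update step?
KCARE_CONF=/etc/sysconfig/kcare/kcare.conf   # path from the announcement

# Print "True" or "False" for AUTO_UPDATE in the given kcare.conf.
# The announcement states True is the default, so a missing file or a
# missing key counts as True. Assumptions: only a value spelled "true"
# (any case) enables auto-update, and the last assignment in the file wins.
# Commented-out lines (#AUTO_UPDATE=...) are ignored.
kcare_auto_update() {
    val=""
    if [ -r "$1" ]; then
        val=$(sed -n 's/^[[:space:]]*AUTO_UPDATE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | tail -n 1)
    fi
    case "$(printf '%s' "$val" | tr '[:upper:]' '[:lower:]')" in
        ""|true) echo True ;;
        *)       echo False ;;
    esac
}

# Classify a host: $1 = conf path, $2 = effective kernel version string.
# The two patterns are the latest-version values for cl7 and cl6h in this
# announcement; a prefix match tolerates an architecture suffix. A host
# already on a later patch level will not match, so compare against the
# newest announcement you have.
kcare_status() {
    case "$2" in
        3.10.0-714.10.2.lve1.5.15.el7*|3.10.0-714.10.2.lve1.5.15.el6h*)
            echo patched ;;
        *)
            if [ "$(kcare_auto_update "$1")" = True ]; then
                echo auto-update-pending
            else
                echo manual-update-needed   # run: /usr/bin/kcarectl --update
            fi ;;
    esac
}

# Only query the live system where KernelCare is installed.
if command -v kcarectl >/dev/null 2>&1; then
    kcare_status "$KCARE_CONF" "$(kcarectl --uname)"
fi
```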