KernelCare update was released


KernelCare

Sep 12, 2019, 11:09:05 AM
to kernelcar...@googlegroups.com
Dear Customers,

KernelCare prepared security updates for your system.
Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.
You can manually update the server by running:

/usr/bin/kcarectl --update

Changelog:

rhel7:
CVE-2018-16871: A flaw was found in the Linux kernel's NFS implementation. An attacker,
who is able to mount an exported NFS filesystem, is able to trigger a null pointer
dereference by using an invalid NFS sequence. This can panic the machine and deny
access to the NFS server. Any outstanding disk writes to the NFS server will be
lost.
CVE-2019-11085: Adam Zabrocki discovered that the Intel i915 kernel mode graphics
driver in the Linux kernel did not properly restrict mmap() ranges in some situations.
A local attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code.
CVE-2019-1125: A Spectre gadget was found in the Linux kernel's implementation of
system interrupts. An attacker with local access could use this information to
reveal private data through a Spectre-like side channel.
CVE-2019-11811: A flaw was found in the Linux kernel's implementation of IPMI (remote
baseband access). An attacker, with local access to read /proc/ioports, may be
able to create a use-after-free condition when the kernel module is unloaded which
may result in privilege escalation.
CVE-2019-9500: Hugues Anguelkov discovered that the Broadcom Wifi driver in the
Linux kernel contained a heap buffer overflow. A physically proximate attacker
could use this to cause a denial of service (system crash) or possibly execute
arbitrary code.
cvelist: [CVE-2019-1125, CVE-2019-9500, CVE-2018-16871, CVE-2019-11085, CVE-2019-11811]
latest-version: 3.10.0-1062.1.1.el7
oel7:
CVE-2018-16871: A flaw was found in the Linux kernel's NFS implementation. An attacker,
who is able to mount an exported NFS filesystem, is able to trigger a null pointer
dereference by using an invalid NFS sequence. This can panic the machine and deny
access to the NFS server. Any outstanding disk writes to the NFS server will be
lost.
CVE-2019-11085: Adam Zabrocki discovered that the Intel i915 kernel mode graphics
driver in the Linux kernel did not properly restrict mmap() ranges in some situations.
A local attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code.
CVE-2019-1125: A Spectre gadget was found in the Linux kernel's implementation of
system interrupts. An attacker with local access could use this information to
reveal private data through a Spectre-like side channel.
CVE-2019-11811: A flaw was found in the Linux kernel's implementation of IPMI (remote
baseband access). An attacker, with local access to read /proc/ioports, may be
able to create a use-after-free condition when the kernel module is unloaded which
may result in privilege escalation.
CVE-2019-9500: Hugues Anguelkov discovered that the Broadcom Wifi driver in the
Linux kernel contained a heap buffer overflow. A physically proximate attacker
could use this to cause a denial of service (system crash) or possibly execute
arbitrary code.
cvelist: [CVE-2019-1125, CVE-2019-9500, CVE-2018-16871, CVE-2019-11085, CVE-2019-11811]
latest-version: 3.10.0-1062.1.1.el7

KernelCare

Sep 12, 2019, 12:05:04 PM
to kernelcar...@googlegroups.com
Dear Customers,

KernelCare prepared security updates for your system.
Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.
You can manually update the server by running:

/usr/bin/kcarectl --update

Changelog:

centos7:
CVE-2018-16871: A flaw was found in the Linux kernel's NFS implementation. An attacker,
who is able to mount an exported NFS filesystem, is able to trigger a null pointer
dereference by using an invalid NFS sequence. This can panic the machine and deny
access to the NFS server. Any outstanding disk writes to the NFS server will be
lost.
CVE-2019-11085: Adam Zabrocki discovered that the Intel i915 kernel mode graphics
driver in the Linux kernel did not properly restrict mmap() ranges in some situations.
A local attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code.
CVE-2019-1125: A Spectre gadget was found in the Linux kernel's implementation of
system interrupts. An attacker with local access could use this information to
reveal private data through a Spectre-like side channel.
CVE-2019-11811: A flaw was found in the Linux kernel's implementation of IPMI (remote
baseband access). An attacker, with local access to read /proc/ioports, may be
able to create a use-after-free condition when the kernel module is unloaded which
may result in privilege escalation.
CVE-2019-9500: Hugues Anguelkov discovered that the Broadcom Wifi driver in the
Linux kernel contained a heap buffer overflow. A physically proximate attacker
could use this to cause a denial of service (system crash) or possibly execute
arbitrary code.
cvelist: [CVE-2019-1125, CVE-2019-9500, CVE-2018-16871, CVE-2019-11085, CVE-2019-11811]
latest-version: 3.10.0-957.27.2.el7

KernelCare

Sep 13, 2019, 4:27:02 AM
to kernelcar...@googlegroups.com
Dear Customers,

KernelCare prepared security updates for your system.
Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.
You can manually update the server by running:

/usr/bin/kcarectl --update

Changelog:

custom-0:
CVE-2019-1125: A Spectre gadget was found in the Linux kernel's implementation of
system interrupts. An attacker with local access could use this information to
reveal private data through a Spectre-like side channel.
cvelist: [CVE-2019-1125]
latest-version: 4.14.132-1.el7.centos

KernelCare

Sep 18, 2019, 6:35:04 AM
to kernelcar...@googlegroups.com
Dear Customers,

KernelCare prepared security updates for your system.
Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.
You can manually update the server by running:

/usr/bin/kcarectl --update

Changelog:

rhel7:
CVE-2019-14835: The vulnerability is in the vhost/vhost_net kernel module; vhost/vhost_net
is a virtio network backend. The bug happens in the live migration flow: when migrating,
QEMU needs to know the dirty pages, and vhost/vhost_net uses a kernel buffer to record
the dirty log, but it doesn't check the bounds of the log buffer. So we can forge
the desc table in the guest, then wait for a migration or do something (like increasing host
machine workload or combining a mem leak bug, depending on the vendor's migration schedule
policy) to trigger the cloud vendor to migrate this guest. When the guest is migrating,
it will make the host kernel log buffer overflow.
cvelist: [CVE-2019-14835]
latest-version: kernel-3.10.0-1062.1.1.el7
oel7:
CVE-2019-14835: The vulnerability is in the vhost/vhost_net kernel module; vhost/vhost_net
is a virtio network backend. The bug happens in the live migration flow: when migrating,
QEMU needs to know the dirty pages, and vhost/vhost_net uses a kernel buffer to record
the dirty log, but it doesn't check the bounds of the log buffer. So we can forge
the desc table in the guest, then wait for a migration or do something (like increasing host
machine workload or combining a mem leak bug, depending on the vendor's migration schedule
policy) to trigger the cloud vendor to migrate this guest. When the guest is migrating,
it will make the host kernel log buffer overflow.
cvelist: [CVE-2019-14835]
latest-version: kernel-3.10.0-1062.1.1.el7

KernelCare

Sep 18, 2019, 9:24:05 AM
to kernelcar...@googlegroups.com
Dear Customers,

KernelCare prepared security updates for your system.
Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.
You can manually update the server by running:

/usr/bin/kcarectl --update

Changelog:

centos7:
CVE-2019-14835: The vulnerability is in the vhost/vhost_net kernel module; vhost/vhost_net
is a virtio network backend. The bug happens in the live migration flow: when migrating,
QEMU needs to know the dirty pages, and vhost/vhost_net uses a kernel buffer to record
the dirty log, but it doesn't check the bounds of the log buffer. So we can forge
the desc table in the guest, then wait for a migration or do something (like increasing host
machine workload or combining a mem leak bug, depending on the vendor's migration schedule
policy) to trigger the cloud vendor to migrate this guest. When the guest is migrating,
it will make the host kernel log buffer overflow.
cvelist: [CVE-2019-14835]
latest-version: kernel-3.10.0-957.1062.1.1.el7

KernelCare

Sep 19, 2019, 6:46:05 AM
to kernelcar...@googlegroups.com

KernelCare

Sep 27, 2019, 5:19:11 AM
to kernelcar...@googlegroups.com
Dear Customers,

KernelCare prepared security updates for your system.
Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.
You can manually update the server by running:

/usr/bin/kcarectl --update

Changelog:

rhel7:
CVE-2018-16884: A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+
shares mounted in different network namespaces at the same time can make bc_svc_process()
use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious
container user can cause a host kernel memory corruption and a system panic. Due
to the nature of the flaw, privilege escalation cannot be fully ruled out.
cvelist: [CVE-2018-16884]
latest-version: kernel-3.10.0-957.27.2.el7
oel7:
CVE-2018-16884: A flaw was found in the Linux kernel's NFS41+ subsystem. NFS41+
shares mounted in different network namespaces at the same time can make bc_svc_process()
use wrong back-channel IDs and cause a use-after-free vulnerability. Thus a malicious
container user can cause a host kernel memory corruption and a system panic. Due
to the nature of the flaw, privilege escalation cannot be fully ruled out.
cvelist: [CVE-2018-16884]
latest-version: kernel-3.10.0-957.27.2.el7