[Ksplice][Virtuozzo 4.7 Updates] New Ksplice updates for Virtuozzo 4.7 or OpenVZ on RHEL 6 (2.6.32-042stab123.4, 2.6.32-042stab123.6, 2.6.32-042stab123.8)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Jun 28 10:54:01 PDT 2017


Synopsis: 2.6.32-042stab123.4, 2.6.32-042stab123.6, 2.6.32-042stab123.8 can now be patched using Ksplice
CVEs: CVE-2017-1000364 CVE-2017-8890 CVE-2017-9074 CVE-2017-9075 CVE-2017-9076 CVE-2017-9077

Systems running Virtuozzo 4.7 or the OpenVZ RHEL 6 kernel can now use
Ksplice to patch against the latest Parallels Virtuozzo Containers 4.7
kernel security updates: 2.6.32-042stab123.4, 2.6.32-042stab123.6 and
2.6.32-042stab123.8.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Virtuozzo 4.7
or OpenVZ on RHEL 6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-9076: Denial-of-service in DCCPv6 sockets.

A use-after-free in DCCPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.


* CVE-2017-9077: Denial-of-service in TCPv6 sockets.

A use-after-free in TCPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.


* CVE-2017-9075: Denial-of-service in SCTPv6 sockets.

A use-after-free in SCTPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.


* CVE-2017-8890: Denial-of-service in TCP and DCCP socket manipulation.

A failure to correctly initialise a structure can result in a double
free, leading to undefined behaviour. A local unprivileged attacker
could use this flaw to cause a denial-of-service or other unspecified
behaviour.


* CVE-2017-9074: Information leak via IPv6 fragment header.

The header size of an IPv6 fragment is not properly checked, potentially
allowing an attacker to read out-of-bounds memory when attempting to
parse it, leaking information.


* CVE-2017-1000364: Increase stack guard size to 1 MiB.

A vulnerability in how userspace programs are compiled can cause the
program's stack to grow into the program's heap and corrupt either of
them. Depending on which program is targeted, an attacker can gain
additional privileges.

This update provides a new sysctl variable which can be used to tune
the gap between a program's heap and stack. For example, to change it:

    # set gap to 32 MiB
    echo 33554432 > /proc/sys/vm/heap_stack_gap

This update is a kernel mitigation for what is fundamentally a
userspace problem. As such, there is no guarantee that it will stop
every potential attack vector, but it will stop the ones that are
currently known and make it much more difficult to exploit in general.

Running processes where the stack and heap are already very close may
need to be restarted for the change to take effect. It is therefore
recommended that long-running processes and network daemons be
restarted after applying this update.
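
One way to find the restart candidates described above, as an added example that is not Oracle's or Ksplice's code: it compares each process's current stack gap with the value in /proc/sys/vm/heap_stack_gap. It assumes "very close" means the distance between the [stack] mapping and the mapping directly below it in /proc/<pid>/maps; the function names, the sample maps and the 1 MiB fallback are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code. Assumption: "very close" is measured as the
# distance from the start of the [stack] mapping to the end of the mapping
# directly below it in /proc/<pid>/maps.

GAP_SYSCTL=/proc/sys/vm/heap_stack_gap   # sysctl named in the advisory, in bytes

# Constructed sample in /proc/<pid>/maps format (not from a real process).
SAMPLE_MAPS='00400000-0040b000 r-xp 00000000 fd:00 1234 /bin/cat
0060b000-0060c000 rw-p 0000b000 fd:00 1234 /bin/cat
7ffff7ff0000-7ffff7ffe000 rw-p 00000000 00:00 0
7ffff8000000-7ffff8021000 rw-p 00000000 00:00 0 [stack]'

# stack_gap: read maps-format text on stdin and print the gap in bytes below
# [stack]. Prints nothing when the input has no [stack] line (kernel threads).
stack_gap() {
    prev_end=""
    while read -r range perms offset dev inode path; do
        if [ "$path" = "[stack]" ]; then
            if [ -n "$prev_end" ]; then
                echo $(( 0x${range%-*} - 0x$prev_end ))
            fi
            return 0
        fi
        prev_end=${range#*-}
    done
}

# audit_gaps: list processes whose current gap is smaller than the configured
# value; these are the candidates for a restart after the update.
audit_gaps() {
    # Fallback of 1 MiB is an assumption taken from the advisory's title.
    want=$(cat "$GAP_SYSCTL" 2>/dev/null) || want=1048576
    for maps in /proc/[0-9]*/maps; do
        gap=$( { stack_gap < "$maps"; } 2>/dev/null ) || continue
        [ -n "$gap" ] || continue
        if [ "$gap" -lt "$want" ]; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            echo "pid=$pid gap=$gap want=$want exe=$(readlink "/proc/$pid/exe" 2>/dev/null)"
        fi
    done
}

# Run the audit only when asked, e.g.: sh stack-gap-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_gaps; fi
```

Run it as root so that the maps files of other users' processes are readable; processes it cannot read are skipped silently.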

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




