[Ksplice][Virtuozzo 4.7 Updates] New Ksplice updates for Virtuozzo 4.7 or OpenVZ on RHEL 6 (2.6.32-042stab132.1)

Mashiat Shakkhar mashiat.sarker at oracle.com
Wed Aug 1 08:02:14 PDT 2018 

Synopsis: 2.6.32-042stab132.1 can now be patched using Ksplice
CVEs: CVE-2018-10872 CVE-2018-1120 CVE-2018-3639 CVE-2018-3665 CVE-2018-8897

Systems running Virtuozzo 4.7 or the OpenVZ RHEL 6 kernel can now use
Ksplice to patch against the latest Parallels Virtuozzo Containers 4.7
kernel security update, 2.6.32-042stab132.1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Virtuozzo 4.7
or OpenVZ on RHEL 6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Improved AMD fix to CVE-2018-3639: Speculative Store Bypass information leak.

The original vendor fix for CVE-2018-3639 did not expose the mitigation
to KVM guests on AMD or correctly handle symmetric multithreading (SMT)
systems.

This update enables the speculative store bypass mitigation full time to
protect guests and SMT systems by default on AMD systems and can be
manually enabled/disable by writing 1/0 to
/proc/sys/vm/ksplice_ssbd_control.  The /proc/sys/vm/ksplice_ssbd_status
file reports the current mitigation status.


* CVE-2018-10872 (CVE-2018-8897): Denial-of-service in KVM breakpoint handling.

Incorrect stack management of data watchpoints and breakpoints could
allow an unprivileged user to crash the system.


* CVE-2018-3665: Information leak in floating point registers.

An information leak from floating point registers when lazy FPU context
switching was performed could allow a malicious local user to gain
access to sensitive information across process boundaries.


* CVE-2018-1120: Denial-of-service when mmapping specifc part of process memory on a slow filesystem.

A missing check when an user mmap() specific part of process memory on a
slow filesystem could lead to delay in accessing those specific part
from kernel side. A local attacker could use this flaw to cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.oracle.com/pipermail/ksplice-vz4.7-updates/attachments/20180801/82dba775/attachment.html

More information about the Ksplice-VZ4.7-Updates mailing list