[Ksplice][Virtuozzo 4.7 Updates] New Ksplice updates for Virtuozzo 4.7 or OpenVZ on RHEL 6 (2.6.32-042stab127.2)

Jamie Iles jamie.iles at oracle.com
Fri Jan 12 04:58:10 PST 2018


Synopsis: 2.6.32-042stab127.2 can now be patched using Ksplice
CVEs: CVE-2017-7542 CVE-2017-9074

IMPORTANT

The Oracle Ksplice development team has determined that mitigations for
the Intel processor design flaws leading to vulnerabilities
CVE-2017-5753, CVE-2017-5754, and CVE-2017-5715 cannot be applied using
zero-downtime (Ksplice) patching. Oracle therefore recommends that
customers install the required updates from their system and hardware
vendors as they become available and reboot these machines upon applying
these patches.

Systems running Virtuozzo 4.7 or the OpenVZ RHEL 6 kernel can now use
Ksplice to patch against the latest Parallels Virtuozzo Containers 4.7
kernel security update, 2.6.32-042stab127.2.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Virtuozzo 4.7
or OpenVZ on RHEL 6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
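The two conditions above (the kernel is the one this announcement covers, and whether uptrack.conf has autoinstall enabled) are what an administrator checks before deciding whether a manual run of uptrack-upgrade is needed. The following POSIX shell snippet is an added example and not part of the Ksplice announcement or of Oracle's tooling; it assumes the config uses the plain "key = value" form quoted above and takes the kernel release string as an argument (normally `uname -r`) so it can be exercised offline against a constructed sample file.

```shell
# Added example (not Oracle's code): decide whether a host still needs a
# manual "uptrack-upgrade -y". Assumes the "autoinstall = yes" line format
# shown in the announcement; the kernel release is passed in as a string.

# Return 0 if the given uptrack.conf enables autoinstall, 1 otherwise.
# Ignores comment lines, tolerates surrounding whitespace, last match wins.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    [ "$val" = "yes" ]
}

# Return 0 if the supplied kernel release is the kernel this announcement
# covers (2.6.32-042stab127.2), 1 otherwise.
kernel_is_target() {
    [ "$1" = "2.6.32-042stab127.2" ]
}

# Print the action to take, given a conf path and a kernel release string.
#   other-kernel  - this announcement does not apply to the running kernel
#   auto          - Uptrack will install the updates on its own
#   manual: ...   - the command the administrator must run
required_action() {
    if ! kernel_is_target "$2"; then
        echo "other-kernel"
    elif autoinstall_enabled "$1"; then
        echo "auto"
    else
        echo "manual: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configuration so the checks can be run offline.
SAMPLE_CONF=$(mktemp)
printf '%s\n' '# constructed sample uptrack.conf' 'autoinstall = yes' > "$SAMPLE_CONF"

# Typical usage on a real host: required_action /etc/uptrack/uptrack.conf "$(uname -r)"
```

On a live system the first argument would be /etc/uptrack/uptrack.conf; the sample file exists only so the functions can be exercised without touching the real configuration.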


DESCRIPTION

* CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on an IPv6 socket.

A missing check when using Generic Segmentation Offload on an IPv6 socket
could lead to a memory leak. A local attacker could use this flaw to
cause a denial-of-service.


* Improved fix for CVE-2017-7542: Buffer overflow when parsing the IPv6 fragment header.

An incorrect data type when parsing the IPv6 fragment header could lead to
a buffer overflow and to an infinite loop. A remote attacker could use
this flaw to cause a denial-of-service.


* Denial-of-service when setting options on an RDS over InfiniBand socket.

A missing check when setting the RDS_GET_MR option on an RDS over InfiniBand
socket could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
