[El-errata] New Ksplice updates for UEKR3 3.8.13 and UEKR2 2.6.39 on OL5, OL6 and OL7 (CVE-2017-1000364)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Jun 29 12:48:50 PDT 2017


Synopsis: CVE-2017-1000364 can now be patched using Ksplice
CVEs: CVE-2017-1000364

Users with Oracle Linux Premier Support can now use Ksplice to patch
their UEKR2 and UEKR3 kernels against CVE-2017-1000364.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR2 2.6.39 and UEKR3
3.8.13 on OL5, OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-1000364: Increase stack guard size to 1 MiB.

A vulnerability in how userspace programs are compiled can cause the
program's stack to grow into the program's heap and corrupt either of
them. Depending on which program is targeted, an attacker can gain
additional privileges.

This update provides a new sysctl variable which can be used to tune
the gap between a program's heap and stack. To change it, use e.g.:

    # set gap to 32 MiB
    echo 33554432 > /proc/sys/vm/heap_stack_gap

This update is a kernel mitigation for what is fundamentally a
userspace problem. As such, there is no guarantee that it will stop
every potential attack vector, but it will stop the ones that are
currently known and make it much more difficult to exploit in general.

Running processes where the stack and heap are already very close may
need to be restarted for the change to take effect. It is therefore
recommended that long-running processes and network daemons are
restarted after applying this update.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.





More information about the El-errata mailing list