[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2018-4126)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Fri Jun 22 13:48:39 PDT 2018


Synopsis: ELSA-2018-4126 can now be patched using Ksplice
CVEs: CVE-2017-16939 CVE-2018-3639

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4126.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Device Mapper encrypted target: support for big-endian plain64 IV.

Some encrypted devices store the initialization vector in big-endian
byte order and require extra kernel support.

Orabug: 28043932
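
The difference between the two IV layouts, as an added example that is
not part of the original announcement or of the Ksplice update itself.
It follows the upstream dm-crypt definitions of the "plain64" and
"plain64be" IV modes; the function names, the 16-byte IV size and the
sample sector number are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IV_SIZE 16 /* assumed IV size (typical for AES-based mappings) */

/* plain64: 64-bit sector number, little-endian, in the first 8 bytes. */
void iv_plain64(uint8_t iv[IV_SIZE], uint64_t sector)
{
    memset(iv, 0, IV_SIZE);
    for (int i = 0; i < 8; i++)
        iv[i] = (uint8_t)(sector >> (8 * i));
}

/* plain64be: 64-bit sector number, big-endian, in the last 8 bytes,
 * so the whole IV reads as one zero-padded big-endian integer. */
void iv_plain64be(uint8_t iv[IV_SIZE], uint64_t sector)
{
    memset(iv, 0, IV_SIZE);
    for (int i = 0; i < 8; i++)
        iv[IV_SIZE - 1 - i] = (uint8_t)(sector >> (8 * i));
}

/* Returns 1 when both modes produce the same IV for this sector. */
int iv_modes_agree(uint64_t sector)
{
    uint8_t le[IV_SIZE], be[IV_SIZE];
    iv_plain64(le, sector);
    iv_plain64be(be, sector);
    return memcmp(le, be, IV_SIZE) == 0;
}

static void dump(const char *name, const uint8_t iv[IV_SIZE])
{
    printf("%s ", name);
    for (int i = 0; i < IV_SIZE; i++)
        printf("%02x", iv[i]);
    printf("\n");
}

int main(void)
{
    uint8_t iv[IV_SIZE];
    uint64_t sector = 0x0102030405060708ULL; /* constructed sample value */
    iv_plain64(iv, sector);   dump("plain64  ", iv);
    iv_plain64be(iv, sector); dump("plain64be", iv);
    printf("sector 0 agrees: %d, sector 1 agrees: %d\n",
           iv_modes_agree(0), iv_modes_agree(1));
    return 0;
}
```

Only sector 0 yields the same IV in both modes, so a mapping opened with
the wrong IV mode can decrypt its first sector correctly and fail on
every other sector.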


* Single Thread Indirect Branch Predictors enable failure.

Incorrect masking could prevent the STIBP feature of the IA32_SPEC_CTRL
MSR from being set.  Guests that used the STIBP feature to mitigate
Spectre v2 would not be fully mitigated.


* Improved fix to CVE-2018-3639: Speculative Store Bypass information leak.

Booting with speculative store bypass mitigation permanently enabled and
IBRS as the Spectre v2 mitigation would cause the SSBD feature to be
disabled when running in user space, leaving applications unprotected.


* Improved AMD fix to CVE-2018-3639: Speculative Store Bypass information leak.

The original vendor fix for CVE-2018-3639 did not expose the mitigation
to KVM guests on AMD or correctly handle symmetric multithreading (SMT)
systems.

This update enables the speculative store bypass mitigation full time by
default on AMD systems to protect guests and SMT systems.  The mitigation
can be manually enabled or disabled by writing 1 or 0 to
/proc/sys/vm/ksplice_ssbd_control.  The /proc/sys/vm/ksplice_ssbd_status
file reports the current mitigation status.


SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.





