[El-errata] New Ksplice updates for RHCK 7 (RHSA-2018:1965)

[Errata Announcements for Oracle Linux]

Synopsis: RHSA-2018:1965 can now be patched using Ksplice
CVEs: CVE-2017-11600 CVE-2018-3639

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle kernel update, RHSA-2018:1965.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 7 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-11600: Out-of-bounds access when using transformation user configuration interface.

A missing check on user input when sending XFRM_MSG_MIGRATE over
transformation user configuration interface (XFRM) socket could lead to
an out-of-bounds access. A local attacker could use this flaw to cause
a denial-of-service.


* Improved AMD fix to CVE-2018-3639: Speculative Store Bypass information leak.

The original vendor fix for CVE-2018-3639 did not expose the mitigation
to KVM guests on AMD or correctly handle symmetric multithreading (SMT)
systems.

This update enables the speculative store bypass mitigation full time to
protect guests and SMT systems by default on AMD systems and can be
manually enabled/disable by writing 1/0 to
/proc/sys/vm/ksplice_ssbd_control.  The /proc/sys/vm/ksplice_ssbd_status
file reports the current mitigation status.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.