[Ksplice][EL7-Updates] New Ksplice updates for OL 7, RHEL 7, CentOS 7, and Scientific Linux 7 (RHSA-2018:1965)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Jun 28 01:54:48 PDT 2018


Synopsis: RHSA-2018:1965 can now be patched using Ksplice
CVEs: CVE-2017-11600 CVE-2018-3639

Systems running RHCK on Oracle Linux 7, Red Hat Enterprise Linux 7,
CentOS 7, and Scientific Linux 7 can now use Ksplice to patch against
the latest Red Hat Security Advisory, RHSA-2018:1965.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running OL 7, RHEL 7,
CentOS 7, and Scientific Linux 7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-11600: Out-of-bounds access when using the transformation user configuration interface.

A missing check on user input when sending XFRM_MSG_MIGRATE over a
transformation user configuration interface (XFRM) netlink socket could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.


* Improved AMD fix to CVE-2018-3639: Speculative Store Bypass information leak.

The original vendor fix for CVE-2018-3639 did not expose the mitigation
to KVM guests on AMD or correctly handle symmetric multithreading (SMT)
systems.

This update enables the speculative store bypass mitigation full-time by
default on AMD systems, so that KVM guests and SMT sibling threads are
protected. The mitigation can be manually enabled or disabled by writing
1 or 0 to /proc/sys/vm/ksplice_ssbd_control. The
/proc/sys/vm/ksplice_ssbd_status file reports the current mitigation
status.
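The following script is an added example, not Ksplice's own tooling, that ties together the two operational points of this advisory: whether "autoinstall = yes" is set in /etc/uptrack/uptrack.conf (and so whether "uptrack-upgrade -y" still has to be run by hand), and what state the AMD SSBD knob from this update is in. The config and /proc paths are the ones named above; the function names, the return-code convention, and all sample file contents under "constructed" are assumptions made for illustration so the script runs offline on any machine.

```shell
#!/bin/sh
# Added example, not part of the Ksplice advisory or product.
# Post-update check for: autoinstall setting, ksplice_ssbd_control state,
# ksplice_ssbd_status contents. Real paths are passed as arguments; the
# demo at the bottom uses constructed sample files in a temp directory.

# 0 if the given uptrack.conf enables autoinstall, 1 otherwise.
# Ignores commented-out lines and tolerates spaces around '='.
uptrack_autoinstall_enabled() {
    [ -r "$1" ] || return 1
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# 0 if the ksplice_ssbd_control file reads 1 (mitigation on), 1 if it
# reads 0, 2 if the file is missing or unreadable (update not applied,
# or not an AMD system, since the advisory only exposes the knob there).
ssbd_control_state() {
    [ -r "$1" ] || return 2
    case "$(tr -d '[:space:]' < "$1")" in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# Writes 1 or 0 to the control file, as the advisory describes.
# Rejects anything else; needs root on a real system.
ssbd_set() {
    case "$2" in
        0|1) printf '%s\n' "$2" > "$1" ;;
        *) echo "ssbd_set: value must be 0 or 1" >&2; return 2 ;;
    esac
}

# Prints a one-line summary. Return code: 0 = mitigation on,
# 1 = explicitly off, 2 = knob absent.
# Arguments: uptrack.conf, control file, status file.
ssbd_report() {
    conf="$1"; ctl="$2"; st="$3"
    if uptrack_autoinstall_enabled "$conf"; then
        auto="autoinstall=yes (updates apply without action)"
    else
        auto="autoinstall=no (run: /usr/sbin/uptrack-upgrade -y)"
    fi
    rc=0; ssbd_control_state "$ctl" || rc=$?
    case $rc in
        0) ssbd="SSBD mitigation ON" ;;
        1) ssbd="SSBD mitigation OFF (write 1 to $ctl to enable)" ;;
        *) ssbd="ksplice_ssbd_control not present" ;;
    esac
    status=$( [ -r "$st" ] && cat "$st" || echo "n/a" )
    echo "$auto; $ssbd; status file: $status"
    return $rc
}

# --- constructed demo data so the script runs offline (not a real host) ---
demo_dir=$(mktemp -d)
printf '# autoinstall = yes\nautoinstall = no\n' > "$demo_dir/uptrack.conf"
printf '1\n' > "$demo_dir/ksplice_ssbd_control"
printf '(constructed sample status text)\n' > "$demo_dir/ksplice_ssbd_status"

ssbd_report "$demo_dir/uptrack.conf" "$demo_dir/ksplice_ssbd_control" \
            "$demo_dir/ksplice_ssbd_status" || true
ssbd_set "$demo_dir/ksplice_ssbd_control" 0     # turn the mitigation off
ssbd_report "$demo_dir/uptrack.conf" "$demo_dir/ksplice_ssbd_control" \
            "$demo_dir/ksplice_ssbd_status" || true
rm -rf "$demo_dir"
```

On a patched AMD host the same functions are pointed at the real files, e.g. "ssbd_report /etc/uptrack/uptrack.conf /proc/sys/vm/ksplice_ssbd_control /proc/sys/vm/ksplice_ssbd_status"; a return code of 2 there means the Ksplice update carrying this knob is not yet applied or the system is not AMD, and is worth distinguishing from a deliberate 0 in the control file.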

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
