[Ksplice][EL7-Updates] New Ksplice updates for OL 7, RHEL 7, CentOS 7, and Scientific Linux 7 (RHSA-2020:0839)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Apr 1 07:50:03 PDT 2020


Synopsis: RHSA-2020:0839 can now be patched using Ksplice
CVEs: CVE-2019-11487 CVE-2019-17666 CVE-2019-19338

Systems running RHCK on Oracle Linux 7, Red Hat Enterprise Linux 7,
CentOS 7, and Scientific Linux 7 can now use Ksplice to patch against
the latest Red Hat Security Advisory, RHSA-2020:0839.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running OL 7, RHEL 7,
CentOS 7, and Scientific Linux 7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2019-11487: Invalid memory access when overflowing pages refcount.

A reference counting flaw could let an attacker overflow a page's
reference count, leading to invalid memory accesses. A local attacker
could use this flaw to cause a denial of service.


* CVE-2019-17666: Remote code execution in Realtek peer-to-peer Wifi.

Missing validation could result in a kernel buffer overflow and
potentially code execution. A remote attacker within wireless range of
the device could use this flaw to crash the system or potentially
execute code.


* CVE-2019-19338: Missing Intel TAA mitigation in KVM guests.

The original vendor fix for CVE-2019-11135 did not correctly pass the
mitigation status through to KVM guests, which could leave guests not
fully mitigated against TAA. This update forcibly disables TSX on
affected hosts so that guests do not need runtime changes. A new
control, /sys/kernel/debug/x86/tsx_force_abort, is added to disable
TSX; it defaults to 1 on vulnerable systems. Writing 0 to this file
re-enables TSX but potentially leaves guests vulnerable.
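The checks below are an added example, not part of this advisory or of
the Ksplice tooling: a small POSIX shell script an administrator could run
after the update to confirm that autoinstall is on in
/etc/uptrack/uptrack.conf, that the three CVEs from this bulletin appear
in the installed-update listing (captured with "uptrack-show"), and that
the tsx_force_abort control still reads 1 on the host. The fixture files
(a sample uptrack.conf, a listing in a constructed format that is not
claimed to match uptrack-show's real output exactly, and a fake debugfs
control) are constructed here so the script runs offline; point the
functions at the real paths on a host.

```shell
#!/bin/sh
# Added example (not Ksplice code). Each check takes the file to inspect as
# an argument so it can be run against the real paths or against fixtures.

# Return 0 when an uptrack.conf-style file sets "autoinstall = yes".
# Trailing comments (# or ;), surrounding whitespace and case are ignored.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    sed -e 's/[#;].*$//' "$conf" \
      | grep -i -E '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' \
      > /dev/null
}

# Print the CVE ids (remaining args) that do not appear in the listing in
# file $1 (for a real host: "uptrack-show > listing"). Exit 0 only when
# every id is present. -w keeps CVE-2019-1148 from matching CVE-2019-11487.
cves_missing() {
    listing="$1"; shift
    missing=""
    for cve in "$@"; do
        grep -q -w -F "$cve" "$listing" || missing="$missing $cve"
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Report the state of the tsx_force_abort control described above:
# 1 means TSX is forced off (guests safe), 0 means it was re-enabled.
# Prints tsx-disabled (exit 0), tsx-enabled (exit 1) or control-absent (exit 2).
tsx_force_abort_state() {
    ctl="$1"
    [ -r "$ctl" ] || { echo control-absent; return 2; }
    v=$(tr -d '[:space:]' < "$ctl")
    case "$v" in
        1) echo tsx-disabled ;;
        0) echo tsx-enabled; return 1 ;;
        *) echo "unexpected:$v"; return 2 ;;
    esac
}

# Run all three checks; prints one line per check and returns the number
# of checks that failed (0 means the host looks fully patched).
run_checks() {
    failures=0
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall: yes"
    else
        echo "autoinstall: no (run /usr/sbin/uptrack-upgrade -y manually)"
        failures=$((failures + 1))
    fi
    if m=$(cves_missing "$2" CVE-2019-11487 CVE-2019-17666 CVE-2019-19338); then
        echo "cves: all applied"
    else
        echo "cves: missing $m"
        failures=$((failures + 1))
    fi
    s=$(tsx_force_abort_state "$3")
    echo "tsx: $s"
    [ "$s" = tsx-disabled ] || failures=$((failures + 1))
    return $failures
}

# --- constructed fixtures (assumed formats, for offline demonstration) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/uptrack.conf" <<'EOF'
[Settings]
# Automatically install updates when they become available
autoinstall = no
EOF
cat > "$demo_dir/uptrack-show.txt" <<'EOF'
Installed updates:
[abcdef12] CVE-2019-11487: Invalid memory access when overflowing pages refcount.
[12345678] CVE-2019-17666: Remote code execution in Realtek peer-to-peer Wifi.
EOF
printf '1\n' > "$demo_dir/tsx_force_abort"

# On a real host the arguments would be /etc/uptrack/uptrack.conf, a saved
# "uptrack-show" listing and /sys/kernel/debug/x86/tsx_force_abort.
if run_checks "$demo_dir/uptrack.conf" "$demo_dir/uptrack-show.txt" \
              "$demo_dir/tsx_force_abort"; then
    echo "host looks fully patched"
else
    echo "some checks failed; see above"
fi
```

With the fixtures as constructed the script reports autoinstall off and
CVE-2019-19338 missing while TSX is still disabled, so two of the three
checks fail. Note that /sys/kernel/debug requires debugfs to be mounted
and root access, which is why the TSX check distinguishes an absent
control from a value of 0.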

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
