Security April 12, 2017: Kernel Security Updates for CentOS 6 & 7

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Apr 14, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    53,508
    12,132
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,675
    Local Time:
    1:51 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Linux kernel security updates are available for CentOS 6 & 7

    For CentOS 7 - Red Hat Customer Portal with fixed updated kernel version = 3.10.0-514.16.1
    For CentOS 6 - Red Hat Customer Portal with fixed updated kernel version = 2.6.32-696.1.1

    Update Fixes


    • For CentOS 7 and Redhat 7 there's kernel update 3.10.0-514.16.1, and for CentOS 6 the updated kernel is 2.6.32-696.1.1.
    So you need to do 2 steps for non-OpenVZ systems. For an OpenVZ VPS you use the host node kernel and not your own, so only your web host can update the host node kernel, so contact them. Some OpenVZ VPS providers also use KernelCare so are auto patched, but some don't.
    1. Do a yum update
      Code (Text):
      yum -y update
      then check if the kernel version is updated via
      Code (Text):
      yum list kernel
      output
    2. Then reboot your server for the kernel update to take effect. If you use KernelCare (KernelCare rebootless kernel updates - CentminMod.com LEMP Nginx web stack for CentOS), they auto patch your kernel every 4hrs and do not require server reboots. Then verify the kernel version after reboot via
      Code (Text):
      uname -r
      or if using KernelCare via
      Code (Text):
      kcare-uname -r

    Update SSH Commands




    Updating yum packages via yum update
    Code (Text):
    yum -y update
    

    After update and server reboot verify updated kernel with command
    Code (Text):
    uname -r
    

    or if using KernelCare via
    Code (Text):
    kcare-uname -r
    
     
    Last edited: Apr 14, 2017
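
The version check from the post above as a script: an added example, not part of the original post. It assumes `uname -r` style release strings; the function names are hypothetical and the two fixed versions are the ones quoted in the post.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): report whether a host still needs the
# kernel update, or only the reboot, for the fixed versions quoted in the post.
# It compares RPM kernel versions only; live-patched hosts are not covered.
FIXED_EL7="3.10.0-514.16.1"
FIXED_EL6="2.6.32-696.1.1"

# strip_release "3.10.0-514.16.1.el7.x86_64" -> "3.10.0-514.16.1"
strip_release() {
    printf '%s\n' "$1" | sed -E 's/\.el[0-9]+.*$//'
}

# version_ge A B: succeeds when A >= B under version sort (GNU sort -V),
# so 514.16.1 ranks above 514.10.2, which a plain string compare gets wrong.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# kernel_status RUNNING [NEWEST_INSTALLED]
# Prints one of: patched, reboot-needed, update-needed, unknown.
kernel_status() {
    local running="$1" installed="${2:-$1}" fixed
    case "$running" in
        *.el7*) fixed="$FIXED_EL7" ;;
        *.el6*) fixed="$FIXED_EL6" ;;
        *) echo "unknown"; return 0 ;;   # not a CentOS/RHEL 6 or 7 kernel string
    esac
    if version_ge "$(strip_release "$running")" "$fixed"; then
        echo "patched"
    elif version_ge "$(strip_release "$installed")" "$fixed"; then
        echo "reboot-needed"             # fixed RPM installed, old kernel still booted
    else
        echo "update-needed"
    fi
}

# On a real host:
#   newest="$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort -V | tail -n1)"
#   kernel_status "$(uname -r)" "$newest"
```
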
  2. eva2000

    CentOS 7
     
  3. eva2000

    CentOS 6
     
  4. eva2000

    Linode 4.9.15 Kernels are fixed for this too from Linode support
    Code (Text):
    uname -r
    4.9.15-x86_64-linode81

    Indeed, it seems Redhat updated the CentOS 7 kernel for CVE-2017-2636 back in the March 10th build of the kernel
    Code (Text):
    rpm -qa --changelog kernel| head -n44
    * Wed Apr 12 2017 CentOS Sources <bugs@centos.org> - 3.10.0-514.16.1.el7
    - Apply debranding changes
    
    * Fri Mar 10 2017 Frantisek Hrbata <fhrbata@hrbata.com> [3.10.0-514.16.1.el7]
    - [tty] n_hdlc: get rid of racy n_hdlc.tbuf ("Herton R. Krzesinski") [1429919 1429920] {CVE-2017-2636}
    - [md] dm rq: cope with DM device destruction while in dm_old_request_fn() (Mike Snitzer) [1430334 1412854]
    - [fs] nfs: Fix inode corruption in nfs_prime_dcache() (Benjamin Coddington) [1429514 1416532]
    - [fs] nfs: Don't let readdirplus revalidate an inode that was marked as stale (Benjamin Coddington) [1429514 1416532]
    - [block] Copy a user iovec if it includes gaps (Jeff Moyer) [1429508 1421263]
    - [kernel] percpu-refcount: fix reference leak during percpu-atomic transition (Jeff Moyer) [1429507 1418333]
    - [powerpc] eeh: eeh_pci_enable(): fix checking of post-request state (Steve Best) [1425538 1383670]
    - [s390] mm: handle PTE-mapped tail pages in fast gup (Hendrik Brueckner) [1423438 1391532]
    - [net] skbuff: Fix skb checksum partial check (Lance Richardson) [1422964 1411480]
    - [net] skbuff: Fix skb checksum flag on skb pull (Lance Richardson) [1422964 1411480]
    - [security] selinux: fix off-by-one in setprocattr (Paul Moore) [1422368 1422369] {CVE-2017-2618}
    - [virtio] balloon: check the number of available pages in leak balloon (David Hildenbrand) [1417194 1401615]
    - [infiniband] ib/rdmavt: Only put mmap_info ref if it exists (Jonathan Toppins) [1417191 1391299]
    - [x86] kvm: x86: make lapic hrtimer pinned (Luiz Capitulino) [1416373 1392593]
    - [kernel] sched/nohz: Fix affine unpinned timers mess (Luiz Capitulino) [1416373 1392593]
    - [kernel] nohz: Affine unpinned timers to housekeepers (Luiz Capitulino) [1416373 1392593]
    - [kernel] tick-sched: add housekeeping_mask cpumask (Luiz Capitulino) [1416373 1392593]
    - [x86] platform/uv/bau: Add UV4-specific functions (Frank Ramsay) [1414715 1386692]
    - [x86] platform/uv/bau: Fix payload queue setup on UV4 hardware (Frank Ramsay) [1414715 1386692]
    - [x86] platform/uv/bau: Disable software timeout on UV4 hardware (Frank Ramsay) [1414715 1386692]
    - [x86] platform/uv/bau: Populate ->uvhub_version with UV4 version information (Frank Ramsay) [1414715 1386692]
    - [x86] platform/uv/bau: Use generic function pointers (Frank Ramsay) [1414715 1386692]
    - [x86] platform/uv/bau: Add generic function pointers (Frank Ramsay) [1414715 1386692]
    - [x86] platform/uv/bau: Convert uv_physnodeaddr() use to uv_gpa_to_offset() (Frank Ramsay) [1414715 1386692]
    - [x86] platform/uv/bau: Clean up pq_init() (Frank Ramsay) [1414715 1386692]
    - [x86] platform/uv/bau: Clean up and update printks (Frank Ramsay) [1414715 1386692]
    - [x86] platform/uv/bau: Clean up vertical alignment (Frank Ramsay) [1414715 1386692]
    - [virtio] virtio-pci: alloc only resources actually used (Laurent Vivier) [1413093 1375153]
    - [net] avoid signed overflows for SO_{SND|RCV}BUFFORCE (Sabrina Dubroca) [1412473 1412474] {CVE-2016-9793}
    - [netdrv] sfc: clear napi_hash state when copying channels (Jarod Wilson) [1401461 1394304]
    - [lib] mpi: Fix NULL ptr dereference in mpi_powm() (Mateusz Guzik) [1398457 1398458] {CVE-2016-8650}
    - [scsi] lpfc: Fix eh_deadline setting for sli3 adapters (Ewan Milne) [1430687 1366564]
    - [md] dm round robin: revert "use percpu 'repeat_count' and 'current_path'" (Mike Snitzer) [1430689 1422567]
    - [md] dm round robin: do not use this_cpu_ptr() without having preemption disabled (Mike Snitzer) [1430689 1422567]
    - Revert: [x86] Handle non enumerated CPU after physical hotplug (Prarit Bhargava) [1426633 1373738]
    - Revert: [x86] smp: Don't try to poke disabled/non-existent APIC (Prarit Bhargava) [1426633 1373738]
    - Revert: [x86] smpboot: Init apic mapping before usage (Prarit Bhargava) [1426633 1373738]
    - Revert: [x86] revert "perf/uncore: Disable uncore on kdump kernel" (Prarit Bhargava) [1426633 1373738]
    - Revert: [x86] perf/x86/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell init code (Prarit Bhargava) [1426633 1373738]
    
    
     
    Last edited: Apr 14, 2017
  5. BamaStangGuy

    BamaStangGuy Active Member

    668
    192
    43
    May 25, 2014
    Ratings:
    +272
    Local Time:
    10:51 PM
    My kcare-uname -r shows:

    Code:
    [06:16][root@ovh-128.whippmedia.com ~]# kcare-uname -r
    
    3.10.0-514.10.2.el7
    I was under the impression now that I am using Kernelcare I don't have to do anything? How long before kernelcare updates?
     
  6. eva2000

    Are you using the 30 day KernelCare trial, or have you updated to the paid subscription service for KernelCare after the 30 day free trial? Once the 30 day free trial ends, auto updates stop (KernelCare rebootless kernel updates - CentminMod.com LEMP Nginx web stack for CentOS).

    output for commands
    Code (Text):
    kcarectl --version
    

    Code (Text):
    kcarectl --update
    

    Code (Text):
    uname -r
    

    Code (Text):
    kcare-uname -r
    

    Code (Text):
    kcarectl --info
    

    Code (Text):
    kcarectl --patch-info
    

    Code (Text):
    yum list kernel
    
     
  7. eva2000

    Looks like KernelCare already patched it way back, for at least CVE-2017-2636, at: Major vulnerability CVE-2017-2636 found in Linux kernels that affects many distributions

    So CVE-2017-2636 dated back to March 9th, 2017 and KernelCare auto patched you in March, while the Redhat/CentOS kernel update was only recently released. So KernelCare had you patched up for almost a month before Redhat/CentOS :)
    Code (Text):
    kcarectl --patch-info
    OS: centos7
    kernel: kernel-3.10.0-514.6.1.el7
    time: 2017-04-13 17:18:38
    uname: 3.10.0-514.10.2.el7
    
    
    
    kpatch-name: 3.10.0/KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
    kpatch-description: KEYS: Fix handling of stored error in a negatively instantiated user key
    kpatch-kernel: >kernel-3.10.0-514.6.1.el7
    kpatch-cve: CVE-2015-8539
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-8539
    kpatch-patch-url: https://git.kernel.org/linus/096fe9eaea40a17e125569f9e657e34cdb6d73bd
    
    kpatch-name: 3.10.0/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
    kpatch-description: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
    kpatch-kernel: kernel-3.10.0-514.6.2.el7
    kpatch-cve: CVE-2017-6074
    kpatch-cvss: 7.8
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-6074
    kpatch-patch-url: https://git.kernel.org/linus/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4
    
    kpatch-name: 3.10.0/kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch
    kpatch-description: kvm: x86: Check memopp before dereference
    kpatch-kernel: kernel-3.10.0-514.10.2
    kpatch-cve: CVE-2016-8630
    kpatch-cvss: 5.2
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-8630
    kpatch-patch-url: https://git.kernel.org/linus/d9092f52d7e61dd1557f2db2400ddb430e85937e
    
    kpatch-name: 3.10.0/vfio-pci-Fix-integer-overflows-bitmask-check.patch
    kpatch-description: vfio/pci: Fix integer overflows, bitmask check
    kpatch-kernel: kernel-3.10.0-514.10.2.el7
    kpatch-cve: CVE-2016-9083 CVE-2016-9084
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-9084
    kpatch-patch-url: https://patchwork.kernel.org/patch/9373631/
    
    kpatch-name: 3.10.0/fix-CVE-2017-2636.patch
    kpatch-description: tty: n_hdlc: get rid of racy n_hdlc.tbuf
    kpatch-kernel: >3.10.0-514.10.2.el7
    kpatch-cve: CVE-2017-2636
    kpatch-cvss: 7.8
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-2636
    kpatch-patch-url: https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=82f2341c94d270421f383641b7cd670e474db56b
    
    kpatch-name: 3.10.0/kernel-Null-pointer-dereference-in-search_keyring_514.patch
    kpatch-description: kernel: Null pointer dereference in search_keyring
    kpatch-kernel: >3.10.0-514.10.2.el7
    kpatch-cve: CVE-2017-2647
    kpatch-cvss: 7.8
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-2647
    kpatch-patch-url: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c06cfb08b88d
    
    kpatch-name: 3.10.0/xfrm_user-validate-XFRM_MSG_NEWAE-XFRMA_REPLAY_ESN_V.patch
    kpatch-description: xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
    kpatch-kernel: >kernel-3.10.0-514.10.2.el7
    kpatch-cve: CVE-2017-7184
    kpatch-cvss: 7.8
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-7184
    kpatch-patch-url: https://git.kernel.org/linus/677e806da4d916052585301785d847c3b3e6186a
    
    kpatch-name: 3.10.0/xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
    kpatch-description: xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
    kpatch-kernel: >kernel-3.10.0-514.10.2.el7
    kpatch-cve: CVE-2017-7184
    kpatch-cvss: 7.8
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-7184
    kpatch-patch-url: https://git.kernel.org/linus/f843ee6dd019bcece3e74e76ad9df0155655d0df
    
    kpatch-name: 3.10.0/RDS-verify-the-underlying-transport-exists-before-cr.patch
    kpatch-description: RDS: verify the underlying transport exists before creating a connection
    kpatch-kernel: >kernel-3.10.0-229.14.1.el7
    kpatch-cve: CVE-2015-6937
    kpatch-cvss: 7.1
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-6937
    kpatch-patch-url: http://git.kernel.org/linus/74e98eb085889b0d2d4908f59f6e00026063014f
    
    kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
    kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
    kpatch-kernel:
    kpatch-cve:
    kpatch-cvss:
    kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
    kpatch-patch-url:
    
     
    Last edited: Apr 14, 2017
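
Checking a live-patched host by CVE rather than by version string, as the post above does by eye: an added example, not part of the original post. The function name `patches_for_cve` is hypothetical, and the sample is built from three records of the output above, trimmed to the fields the parser reads.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): look up a CVE in the record format
# printed by `kcarectl --patch-info`, as shown in the post above.

# Constructed sample: three records taken from the output above, trimmed.
SAMPLE_PATCH_INFO='kpatch-name: 3.10.0/vfio-pci-Fix-integer-overflows-bitmask-check.patch
kpatch-kernel: kernel-3.10.0-514.10.2.el7
kpatch-cve: CVE-2016-9083 CVE-2016-9084
kpatch-cvss: 7.2

kpatch-name: 3.10.0/fix-CVE-2017-2636.patch
kpatch-kernel: >3.10.0-514.10.2.el7
kpatch-cve: CVE-2017-2636
kpatch-cvss: 7.8

kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
'

# patches_for_cve CVE-ID
# Reads patch-info text on stdin and prints "<kpatch-name> cvss=<score>" for
# every record that lists the CVE. Exit status is 1 when no record matches.
patches_for_cve() {
    awk -v want="$1" '
        # emit the finished record if it matched, then reset per-record state
        function emit() {
            if (hit) { print name " cvss=" cvss; found = 1 }
            name = ""; cvss = ""; hit = 0
        }
        /^[[:space:]]*kpatch-name:/ { emit(); name = $2 }
        /^[[:space:]]*kpatch-cvss:/ { cvss = $2 }
        /^[[:space:]]*kpatch-cve:/  {
            # one record can list several CVE ids separated by spaces
            for (i = 2; i <= NF; i++)
                if (toupper($i) == toupper(want)) hit = 1
        }
        END { emit(); exit(found ? 0 : 1) }
    '
}

# On a real host:
#   kcarectl --patch-info | patches_for_cve CVE-2017-2636
```
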
  8. BamaStangGuy

    Ok that makes sense. I pay monthly for it.