Learn about Centmin Mod LEMP Stack today
Register Now

Security CentOS 6 & 7 Linux Kernel Update CVE-2016-6828, CVE-2016-7117, CVE-2016-9555

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jan 23, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:15 AM
    Nginx 1.13.x
    MariaDB 5.5
    Redhat 6/7 and CentOS 6 and CentOS 7 has a security update released for Linux Kernel outlined below. Server must be rebooted after yum update (yum -y update). If you don't want to reboot server for Kernel updates, consider paying for KernelCare automatic rebootless Kernel updates (KernelCare install guide). They have a KernelCare 30 day free trial before you buy.
    CentOS 7 and Redhat 7 64bit packages
    Code (Text):
    [B]x86_64:[/B]
    kernel-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 8836a4ade98abe6a23396342a7dd57e0
    SHA-256: abfb78666c63c0b5cb3629bfa119d42a62952930a7b53587d656b36973f6fac7
    kernel-abi-whitelists-3.10.0-514.6.1.el7.noarch.rpm     MD5: 8c0ede04347d984367a379ea6a405b89
    SHA-256: 8c6698f12e741aa6dd604e9e6a106b239e2d7f880e5c49a42ea9f726a2026f92
    kernel-debug-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 147c58605cce30e2ae475390abecbd2e
    SHA-256: 2e194d113a1158f8d34bba0323ce50e7d027bd254e56554ad3591356e2e7982b
    kernel-debug-debuginfo-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 2bbccc151f7c5cc349ff93cd60acd2cc
    SHA-256: fb0b5f2f6d2153bcba5df83a8e00129072e313ef2efa44b03884481516aa23e8
    kernel-debug-devel-3.10.0-514.6.1.el7.x86_64.rpm     MD5: c4b0e310fafdfa74c28e360892ed2c0d
    SHA-256: 1cd438c275df770078fd4ec525b5fd8708d03d69bffe351612349b54a4082034
    kernel-debuginfo-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 27eef0e7a74997b4f48fe3cf1a3943ba
    SHA-256: 801d6d04c9efbab09c2468751dad2d2107ad127c753601c57d2110f93ac2f10c
    kernel-debuginfo-common-x86_64-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 03849c028a06481cfe0a5b290bf45100
    SHA-256: f1cd402b33d5754b0a5e0fba13bcb0e8a97ca3432d8d45aa18b64422c8c7a026
    kernel-devel-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 184905379f340a164f7814953ea9f40d
    SHA-256: ad48fdac967cf20059b9af3a1bfb691846fe19ff1eab72fa3991c0d9d03d162b
    kernel-doc-3.10.0-514.6.1.el7.noarch.rpm     MD5: 359835e4ef4c636d98fbd6f154294823
    SHA-256: 98979868ca5761b58fef1fdca45437e7317b5fb5bbf5de71919da7c1fb01e8f9
    kernel-headers-3.10.0-514.6.1.el7.x86_64.rpm     MD5: dbdc68dc7c8f32a9ad7092b12b06fe41
    SHA-256: 8d90d9d734dac5e5ef434eea7e5aa69a037b784da84b97fb425da6511aaa459d
    kernel-tools-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 897914cd9db87e8f05d08acdf49f8656
    SHA-256: 1553e75d45fad911317399903f0b78795655d8c2cb48472a8b704049bdba845c
    kernel-tools-debuginfo-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 52a4325bee947e003c5c20ba4dc27fdd
    SHA-256: c2e5064ae38a9b1f7ee216664e1f6c7dec7222a27dfbc56e6942f4e878662ed0
    kernel-tools-libs-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 8353177230f9b169f0b7334bae6a9cf9
    SHA-256: e51485d7efc999db0777c33070c53f163bcaad536bb7f0e72c0989d66c6e35ba
    kernel-tools-libs-devel-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 2c36c23e65c7243b068ddbc9ada4629e
    SHA-256: 8af4a603f5000508cc1156491b78bbd0975f99466240c0e030115d583f08cb9b
    perf-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 8d641bdd0f0f3479766641d7e2154698
    SHA-256: 56f0cf8a2bd0a2222b5626336dbc0ecab303f5f6c15e35715268b26e3f833a37
    perf-debuginfo-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 680f1574fdd73328a556f91c67dacc97
    SHA-256: c0bb562c8cf708d6df2b4f151f3bf0a64761d043e2ed3f50583d736ea857ac77
    python-perf-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 560492757bdc6c5d14319e6245b2dcc1
    SHA-256: b9227af02ba38631eed6d8037b4f236e591c2369a7f4e647ffcde0d7ed36d0e0
    python-perf-debuginfo-3.10.0-514.6.1.el7.x86_64.rpm     MD5: 827f5d7c9bb8a473f1dd8ae82d5acefb
    SHA-256: a68228f94f0bea642d12f67820d922b7d66b28851a41fc3782cb62350da4f694
    


    CentOS 6 and Redhat 6 64bit packages
    Code (Text):
    [B]x86_64:[/B]
    kernel-2.6.32-642.13.1.el6.x86_64.rpm     MD5: 528a487cc34883f0605fd346a2dfef32
    SHA-256: 3db81223813f17280c2135b24c0398d2a94ce22ef4b8bb1685d86d1aa53c6323
    kernel-abi-whitelists-2.6.32-642.13.1.el6.noarch.rpm     MD5: 6c8b3457ecc3b0f7e9c59d88750f6438
    SHA-256: df3bdfea165a71c9ac5fafd7c90978a77bb2c4c0012981380343453ced26f531
    kernel-debug-2.6.32-642.13.1.el6.x86_64.rpm     MD5: 8de0dd5f3aac354ac8caf2ab3dff23c0
    SHA-256: d096f42dbe7defbbe4fcc6a08491109f3c07d33fec6b3e109b4345f63f5a4352
    kernel-debug-debuginfo-2.6.32-642.13.1.el6.i686.rpm     MD5: 88c0b789e10d411c53dac05260159130
    SHA-256: e527a5cfcdb7f46a1eca9b2738f512107eb23fa9430b9591dc0b89c6299822da
    kernel-debug-debuginfo-2.6.32-642.13.1.el6.x86_64.rpm     MD5: 5927f457b80c8129ab08776b72a489ea
    SHA-256: 728f66f2abbb93680403212a62542f6367909fdd234c1dde9d4a74f9b0a375a5
    kernel-debug-devel-2.6.32-642.13.1.el6.i686.rpm     MD5: 631fa63837c3b5bcf152d654110ff807
    SHA-256: 51e0bba62148e8926d40ba53724e7d22883061c8e65f8cc53f2401413b682a43
    kernel-debug-devel-2.6.32-642.13.1.el6.x86_64.rpm     MD5: cb2ab73ad0166b72773815e016f5bd15
    SHA-256: 5158ee1d99bc8a4ede03e8f57c140b35446636c254e07209bace6c3db564b4f2
    kernel-debuginfo-2.6.32-642.13.1.el6.i686.rpm     MD5: f4e115ef069b9ea1bcacc047f858061f
    SHA-256: aea92017fe162ccfa73f80bbfbe6e488dba550979d6768c02077579e8849bf2b
    kernel-debuginfo-2.6.32-642.13.1.el6.x86_64.rpm     MD5: 6c2c60addaa7ad8552460d6d649ef452
    SHA-256: 6efb2096ef205dfa0a3432904f2a16d2fcd115c298d141ce36057f0a793104aa
    kernel-debuginfo-common-i686-2.6.32-642.13.1.el6.i686.rpm     MD5: 3d7751dc9b52255ce447b527d1368173
    SHA-256: f03437762185c9f5de17498dfc89906bf1f8f80a27b2065ecf52bb2406942e96
    kernel-debuginfo-common-x86_64-2.6.32-642.13.1.el6.x86_64.rpm     MD5: 17e98d36212e83159503554ac5da2885
    SHA-256: 6ee56300ce76886d1372bdc3fd1f7155e8d22d2bb87add342a3178f8a116a90c
    kernel-devel-2.6.32-642.13.1.el6.x86_64.rpm     MD5: ae8283f3d3abcd8e3f56ff7cb6921579
    SHA-256: 1e3ce5657f498a4ddae3db9835eaf3d89832d760ed78333bbb1cad51bf77c32e
    kernel-doc-2.6.32-642.13.1.el6.noarch.rpm     MD5: 6b72014cda77a7ce578df74215d88147
    SHA-256: 9178c4634d31bb4100a2893c4b9832218f1fa568be895b57e3fd86999504235f
    kernel-firmware-2.6.32-642.13.1.el6.noarch.rpm     MD5: fae017e01f1cdd03c2c3a7ea2ca6ac86
    SHA-256: 1866d8123ffe03c996b2fc70d80814e17de63977cc098a1ac9b5681c2c59267f
    kernel-headers-2.6.32-642.13.1.el6.x86_64.rpm     MD5: 9be21eeac4747c50ad3fb5fc6734102e
    SHA-256: 857d45f76133df46ba4d99b05e3009fb182296185aa5799f92445f5187b9fcdd
    perf-2.6.32-642.13.1.el6.x86_64.rpm     MD5: 5615b497c4b5c99b5f1bc420f0d6b773
    SHA-256: f29ad470c2918f6efa9eb1e2211c2205cc1c2458315462b70515778a600b4044
    perf-debuginfo-2.6.32-642.13.1.el6.i686.rpm     MD5: 4514fd5e84c70f959a1dd9e25072b4c1
    SHA-256: 776c04365fe6b35dde9d7092d6249a7aa14c9ba92056945e01d59a6069f6fdcf
    perf-debuginfo-2.6.32-642.13.1.el6.x86_64.rpm     MD5: dcc1d3246c0ccb716e99dd62390ea575
    SHA-256: ebff014d932f810f4d9ecdb3f57e60a62b0098d437c8efb59350a45552b72d8c
    python-perf-2.6.32-642.13.1.el6.x86_64.rpm     MD5: 8ad01dbf0ce4762776affe9d229c33d1
    SHA-256: 167d880f96470288dc19807a2cc14c20be966b2255fd5a24011db61aafc7ecd6
    python-perf-debuginfo-2.6.32-642.13.1.el6.i686.rpm     MD5: a20fe064a95b073523b2e93ad127e1ca
    SHA-256: 3347e8a6893cf5e932d084975c30427c508d4eb1ff6746665453385a5461733a
    python-perf-debuginfo-2.6.32-642.13.1.el6.x86_64.rpm     MD5: 6af8e2d18b4839d476b365ba7b38f1c9
    SHA-256: 111889088a114775798a70b2e0614ee0b49b926b2081677056b6555670f819e4
    


    OpenVZ VPS Users



    OpenVZ VPS uses do not use their own Kernel but share the Linux Kernel of the OpenVZ host node machine, so your web host has to update the OpenVZ host node's kernel and do a reboot or if they are smart they would use KernelCare for automatic updates without the need for rebooting.

    Linode Kernels



    Linode VPS uses don't use distro kernels but more up to date Linode built Linux Kernels outlined at Available Linux Kernels - Linode. Their latest kernel is 4.8.6 based but their current one is 4.9.0 based. This thread explains latest vs current Linode Forum :: "Latest 64 bit" kernel - 4.8.6-x86_64-linode78 or 4.9.0-x86_64-linode79 ?

    As such the latest automatic Kernel loaded for Linode VPS is 4.8.6 so you would need to manually select 4.9.0 linux Kernel taking care to select the right one 32bit or 64bit (which has x86_64 in the name) in the edit profile configuration section's Boot Settings drop down menu. Note that doing this will stop automatic latest Linode Kernel updated version loading on server reboots in future. So once 4.9.0 Kernel becomes latest marked, you can re-edit profile configuration section and select it as the latest kernel for future updates on server reboot to continue automatically loading the latest marked Linux Kernel.

    Selecting 4.9.0-x86_64-linode79 64bit Kernel

    edit-profile-config-kernel01.png edit-profile-config-kernel02.png

    Then reboot server and verify kernel via (uname -r) command
    Code (Text):
    uname -r    
    4.9.0-x86_64-linode79
    
     
    Last edited: Jan 23, 2017
    • Informative Informative x 2
  2. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:15 AM
    Nginx 1.13.x
    MariaDB 5.5
    From softpedia news
     
  3. RB1

    RB1 Active Member

    281
    72
    28
    Nov 11, 2016
    California
    Ratings:
    +119
    Local Time:
    12:15 PM
    Nginx 1.13.x
    MariaDB 10.1.x
    Wait, so will 4.9.0-x86_64-linode79 replace 4.8.6-x86_64-linode78 if I have "Latest 64-bit" selected or do I always have to manually select the next kernel?
     
  4. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:15 AM
    Nginx 1.13.x
    MariaDB 5.5
    after you select 4.9.0 manually, you loose the latest ability to auto update kernel on next server reboots. So you have to later check when 4.9.0 is promoted to latest and change selection to latest 4.9.0 and then in future can go back to auto update kernel on next server reboots
     
    • Informative Informative x 1
  5. RB1

    RB1 Active Member

    281
    72
    28
    Nov 11, 2016
    California
    Ratings:
    +119
    Local Time:
    12:15 PM
    Nginx 1.13.x
    MariaDB 10.1.x
    Awesome, thanks!
    Code (Text):
    [root@atlstrk ~]# uname -r
    4.9.0-x86_64-linode79
     
    • Like Like x 1
  6. CarpCharacin

    CarpCharacin Member

    213
    14
    18
    Oct 13, 2016
    Salt Lake City
    Ratings:
    +18
    Local Time:
    1:15 PM
    1.13.0
    MariaDB 10
    So how do I set it to auto update now that I have manually selected 4.9.0? I picked he 64 bit one. It is a linode 2gb. Was that the right one?
     
  7. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:15 AM
    Nginx 1.13.x
    MariaDB 5.5
    Looks good :)
    you don't right now. You have to wait for 4.9.0 to be promoted from current to latest Available Linux Kernels - Linode and when it is promoted, re-select latest 4.9.0 from boot settings again
     
    • Like Like x 1
  8. CarpCharacin

    CarpCharacin Member

    213
    14
    18
    Oct 13, 2016
    Salt Lake City
    Ratings:
    +18
    Local Time:
    1:15 PM
    1.13.0
    MariaDB 10
    Why do I have to reselect it when it is promoted to latest?
     
  9. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:15 AM
    Nginx 1.13.x
    MariaDB 5.5
    it's explained at Available Linux Kernels - Linode - the kernel marked as latest
     
  10. negative

    negative Member

    216
    21
    18
    Apr 11, 2015
    Ratings:
    +49
    Local Time:
    10:15 PM
    1.9.10
    10.1.11
    I don't see any update on my dedicated server with yum update command.

    Code (Text):
    [root@server ~]# uname -r
    3.10.0-514.2.2.el7.x86_64
     
  11. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:15 AM
    Nginx 1.13.x
    MariaDB 5.5
    try
    Code (Text):
    yum clean all
    yum -y update
    

    sometimes mirrors lag behind
     
  12. negative

    negative Member

    216
    21
    18
    Apr 11, 2015
    Ratings:
    +49
    Local Time:
    10:15 PM
    1.9.10
    10.1.11
    Yes i tried with yum clean all first but still no package of new kernel.
     
  13. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:15 AM
    Nginx 1.13.x
    MariaDB 5.5
    it's a waiting game for yum mirrors to catch :)
    Code (Text):
    uname -r
    3.10.0-514.6.1.el7.x86_64
    

    Code (Text):
    uname -r
    2.6.32-642.13.1.el6.x86_64
    
     
  14. SneakyDave

    SneakyDave Member

    68
    11
    8
    Jul 24, 2014
    Ratings:
    +16
    Local Time:
    2:15 PM
    1.0.15
    Maybe a little offtopic, so please move or direct this post to a better area for explanation.

    I've been curious as to why Linode uses it's own kernels for their infrastructure? Does it provide better security? I don't think I've seen any other VPS providers do it this way, at least I don't think I've seen the option with DO or Vultr.

    And in the same question, when a update is done to the system configuration, what happens to those kernel updates? Are they ignored and overridden by the Linode VPS kernel system?
     
    • Like Like x 2
  15. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    9:15 PM
    1
    10
    Updated, what would we all do without you @eva2000, thanks!!!
     
    • Like Like x 2
    • Agree Agree x 2
  16. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:15 AM
    Nginx 1.13.x
    MariaDB 5.5
    you're welcome :)

    Newer kernels generally have a few bug fixes and improved performance. It's why before CentOS 7 was released, for CentOS 6 systems, I used Oracle Linux's UEK 3.1*.x kernels whenever I could for better performance especially at TCP level. Then came CentOS 7 with 3.x kernels :D

    Also Linode by using own kernels can react quicker to kernel security fixes i.e. Linode released patched fixed kernel way before Redhat/CentOS did https://community.centminmod.com/posts/38602/ (article Linode Blog » Linux “Dirty Cow” Vulnerability (CVE-2016-5195))

    Sort of like why Centmin Mod Nginx supports Nginx compiled via source against custom static build of OpenSSL 1.0.2+, 1.1.0+, LibreSSL 2.4+ and LibreSSL 2.5+. You get potentially faster and more timely updates direct from the source developers than you would via Redhat/Yum repos and well CentOS systems don't natively support OpenSSL 1.0.2+, OpenSSL 1.1.0+ or LibreSSL. Plus the bonus of better HTTPS/SSL performance :)
     
    • Like Like x 3
    • Informative Informative x 1
  17. deltahf

    deltahf Active Member

    207
    101
    43
    Jun 8, 2014
    Ratings:
    +154
    Local Time:
    3:15 PM
    Updated!

    Thanks for the notification, @eva2000!
     
    • Like Like x 1
  18. negative

    negative Member

    216
    21
    18
    Apr 11, 2015
    Ratings:
    +49
    Local Time:
    10:15 PM
    1.9.10
    10.1.11
    I didn't get newest kernel version still, interesting.
     
  19. BobbyWibowo

    BobbyWibowo Active Member

    166
    36
    28
    Jul 30, 2015
    Medan, Indonesia
    Ratings:
    +57
    Local Time:
    2:15 AM
    i trust you will make an announcement as well when that happens right? all this announcement thingy in centmin mod has been so useful to keep me up-to-date without having to actively look for the information all this time (big thanks to you for that!), so i've started to take this this 'heads up' as granted luls
    ayy~ you know what's on our mind
     
  20. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,785
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,138
    Local Time:
    5:15 AM
    Nginx 1.13.x
    MariaDB 5.5
    probably not for linode kernels

    the official linode kernel page at Available Linux Kernels - Linode has a rss feed support so you can feed it into your fav rss reader or setup rss feed update notifications yourself. For example, I have a slack channel to feed in linode kernel updates from Available Linux Kernels - Linode to a dedicated slack channel
     
    • Useful Useful x 1