
Security Kernel TCP SACK PANIC Security Update CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jun 18, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    Redhat and CentOS Linux Kernel security updates have been released via YUM for TCP SACK Panic security vulnerabilities. Redhat/CentOS 6 and Redhat/CentOS 7 and Redhat 8 are all affected.
    Updated Linux Kernel versions are:
    • For Redhat/CentOS 6 = kernel-2.6.32-754.15
    • For Redhat/CentOS 7 = 3.10.0-957.21.3
    • For Redhat 8 = kernel-4.18.0-80.4.2
    • If you use 3rd party Linux Kernels i.e. ELrepo or Linode's custom Linux Kernels, then 5.1.11 Linux Kernel has the fix as well.
    Links
    Example for CentOS 7 yum list updates listing available updates, but as of writing this post, the 3.10.0-957.21.3 updated kernel isn't available in yum yet, so it's not showing up in the listing below. You'd need to check for this frequently to see when it lands, then do yum update and a server reboot for the changes to take effect.
    Code (Text):
    yum clean all
    yum list updates
    

    Code (Text):
    glibc.x86_64                  2.17-260.el7_6.5                  updates 
    glibc-common.x86_64           2.17-260.el7_6.5                  updates 
    glibc-devel.x86_64            2.17-260.el7_6.5                  updates 
    glibc-headers.x86_64          2.17-260.el7_6.5                  updates 
    kernel.x86_64                 3.10.0-957.12.2.el7               updates 
    kernel-devel.x86_64           3.10.0-957.12.2.el7               updates 
    kernel-headers.x86_64         3.10.0-957.12.2.el7               updates 
    kernel-tools.x86_64           3.10.0-957.12.2.el7               updates 
    kernel-tools-libs.x86_64      3.10.0-957.12.2.el7               updates 
    microcode_ctl.x86_64          2:2.1-47.2.el7_6                  updates
    

    Run yum update
    Code (Text):
    yum -y update

    Update:

    Looks like the updated Kernel is now showing up in yum list updates

    For CentOS 7
    Code (Text):
    yum -q clean all; yum list updates -q | tr -s ' ' | column -t
    Updated                   Packages
    kernel.x86_64             3.10.0-957.21.3.el7  updates
    kernel-devel.x86_64       3.10.0-957.21.3.el7  updates
    kernel-headers.x86_64     3.10.0-957.21.3.el7  updates
    kernel-tools.x86_64       3.10.0-957.21.3.el7  updates
    kernel-tools-libs.x86_64  3.10.0-957.21.3.el7  updates
    python-perf.x86_64        3.10.0-957.21.3.el7  updates
    

    For CentOS 6
    Code (Text):
    yum -q clean all; yum list updates -q | tr -s ' ' | column -t
    Updated                 Packages
    kernel.x86_64           2.6.32-754.15.3.el6  updates
    kernel-devel.x86_64     2.6.32-754.15.3.el6  updates
    kernel-firmware.noarch  2.6.32-754.15.3.el6  updates
    kernel-headers.x86_64   2.6.32-754.15.3.el6  updates
    

    updating now with command
    Code (Text):
    yum -y update

    then doing server reboot - usually I also flush mysql buffers to disk and wait a bit before reboot
    Code (Text):
    mysqladmin flush-tables && sleep 60 && reboot
    

    Then reboot server for Linux Kernel update to take effect and verify with command
    Code (Text):
    uname -r

    For CentOS 7
    Code (Text):
    uname -r
    3.10.0-957.21.3.el7.x86_64
    

    For CentOS 6
    Code (Text):
    uname -r
    2.6.32-754.15.3.el6.x86_64
    

    For ELrepo YUM Kernels
    Code (Text):
    uname -r
    5.1.11-1.el7.elrepo.x86_64
    

    For Linode custom Kernels
    Code (Text):
    uname -r
    5.1.11-x86_64-linode127
    

     
  2. BamaStangGuy

    BamaStangGuy Active Member

    Does Kernel Care work with Linode 5.x kernels?
     
  3. eva2000

    eva2000 Administrator Staff Member

    Last I checked, 5.x wasn't on their list, so you might need to ask them. On my just-updated CentOS 7 servers with the Linux 5.1.11 Kernel, the kernelcare check returns UNSUPPORTED
    Code (Text):
    wget -qq -O - https://kernelcare.com/checker | python
    UNSUPPORTED
    

    You can see list of supported Linux Kernels for Kernelcare at KernelCare live patches CentOs, RHEL, Debian, Ubuntu, etc.

    and KernelCare supports many distributions, but does it work with your kernel? - KernelCare

    and KernelCare
     
  4. eva2000

    eva2000 Administrator Staff Member

    Looks like the updated Kernel is now showing up in yum list updates

    For CentOS 7
    Code (Text):
    yum -q clean all; yum list updates -q | tr -s ' ' | column -t
    Updated                   Packages
    kernel.x86_64             3.10.0-957.21.3.el7  updates
    kernel-devel.x86_64       3.10.0-957.21.3.el7  updates
    kernel-headers.x86_64     3.10.0-957.21.3.el7  updates
    kernel-tools.x86_64       3.10.0-957.21.3.el7  updates
    kernel-tools-libs.x86_64  3.10.0-957.21.3.el7  updates
    python-perf.x86_64        3.10.0-957.21.3.el7  updates
    

    For CentOS 6
    Code (Text):
    yum -q clean all; yum list updates -q | tr -s ' ' | column -t
    Updated                 Packages
    kernel.x86_64           2.6.32-754.15.3.el6  updates
    kernel-devel.x86_64     2.6.32-754.15.3.el6  updates
    kernel-firmware.noarch  2.6.32-754.15.3.el6  updates
    kernel-headers.x86_64   2.6.32-754.15.3.el6  updates
    

    updating now with command
    Code (Text):
    yum -y update

    then doing server reboot - usually I also flush mysql buffers to disk and wait a bit before reboot
    Code (Text):
    mysqladmin flush-tables && sleep 60 && reboot
    
     
  5. deltahf

    deltahf Premium Member Premium Member

    How urgent is this, eva? I am traveling right now and I don't really have the time to do any server work, or deal with the problems should anything happen during the upgrades.

    Should I be OK to wait until next week or should I apply this ASAP? I'm on CentOS 7, behind Cloudflare.
     
  6. eva2000

    eva2000 Administrator Staff Member

    If all domains and subdomains for your domain are before Cloudflare, then you are protected against this TCP SACK Panic vulnerability already so should be fine. But if some of your subdomains pointing to the same server IP are without the orange cloud in Cloudflare DNS, i.e. grey cloud, which bypasses Cloudflare proxying, then you'd be vulnerable.
     
  7. Venucci

    Venucci Member

    Hi Eva! Which is the command to double check which version of kernel I have? I have done the 24 exit installation of yum updates but I wish to double check it, thanks
     
  8. eva2000

    eva2000 Administrator Staff Member

    command is in 1st post ;)
     
  9. Venucci

    Venucci Member

    Thanks, done. Just one noob question: which is the command for "then doing server reboot"? #reboot?
     
  10. pamamolf

    pamamolf Premium Member Premium Member

    reboot
     
  11. Andy

    Andy Active Member

    Just updated all and checked kernel and still have the old one
    3.10.0-862.14.4.el7.x86_64

    Is there a way to force the newest kernel?
     
  12. rdan

    rdan Well-Known Member

    Reboot server.
     
  13. eva2000

    eva2000 Administrator Staff Member

    Yeah did you reboot server for Linux kernels to take effect ? ;)
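
The check this thread keeps returning to (is the running kernel a fixed build, or is the fixed build only installed and waiting for a reboot), as an added example that is not part of any post above. The function names are hypothetical, the fixed versions are the ones quoted in the thread, and treating every 5.x kernel below 5.1.11 as unfixed is an assumption based on the thread's single data point for third-party kernels.

```shell
#!/bin/sh
# Added example: classify a kernel release against the fixed builds quoted in this thread.

# Fixed build for the kernel family of a `uname -r` string (values from the posts above).
fixed_for() {
  case "$1" in
    2.6.32-*.el6*) echo "2.6.32-754.15.3" ;;  # CentOS/RHEL 6
    3.10.0-*.el7*) echo "3.10.0-957.21.3" ;;  # CentOS/RHEL 7
    4.18.0-*.el8*) echo "4.18.0-80.4.2" ;;    # RHEL 8
    5.*)           echo "5.1.11" ;;           # ELrepo / Linode (assumption: any 5.x)
    *)             echo "" ;;                 # family not covered by the thread
  esac
}

# Keep only the numeric version-release part, e.g. 3.10.0-957.21.3.el7.x86_64 -> 3.10.0-957.21.3
kver() {
  printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*(-[0-9]+(\.[0-9]+)*)?).*/\1/'
}

# Succeeds when version $1 >= version $2, comparing numeric fields left to right.
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# classify RUNNING [NEWEST_INSTALLED] -> patched | reboot-needed | update-needed | unknown
classify() {
  fixed=$(fixed_for "$1")
  if [ -z "$fixed" ]; then echo unknown
  elif ver_ge "$(kver "$1")" "$fixed"; then echo patched
  elif [ -n "${2:-}" ] && ver_ge "$(kver "$2")" "$fixed"; then echo reboot-needed
  else echo update-needed
  fi
}

# Constructed sample: old kernel still running, fixed kernel installed but not booted.
classify "3.10.0-862.14.4.el7.x86_64" "3.10.0-957.21.3.el7.x86_64"
# On a real host, pass the live values instead:
#   classify "$(uname -r)" "$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort -V | tail -n1)"
```

A `reboot-needed` result is the state where yum has installed the fixed kernel but `uname -r` still reports the old one.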