
Security Kernel TCP SACK PANIC Security Update CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Jun 18, 2019.

  1. eva2000

    Redhat and CentOS Linux Kernel security updates have been released via YUM for TCP SACK Panic security vulnerabilities. Redhat/CentOS 6 and Redhat/CentOS 7 and Redhat 8 are all affected.
    Updated Linux Kernel versions are
    • For Redhat/CentOS 6 = kernel-2.6.32-754.15
    • For Redhat/CentOS 7 = 3.10.0-957.21.3
    • For Redhat 8 = kernel-4.18.0-80.4.2
    • If you use 3rd party Linux Kernels i.e. ELrepo or Linode's custom Linux Kernels, then 5.1.11 Linux Kernel has the fix as well.
    Links
    Example for CentOS 7 yum list update listing available updates but as of writing this post, 3.10.0-957.21.3 updated kernel isn't available in yum yet so not showing up in below listing. You'd need to check for this frequently to see when it lands and do yum update and server reboot for changes to take effect.
    Code (Text):
    yum clean all
    yum list updates
    

    Code (Text):
    glibc.x86_64                  2.17-260.el7_6.5                  updates 
    glibc-common.x86_64           2.17-260.el7_6.5                  updates 
    glibc-devel.x86_64            2.17-260.el7_6.5                  updates 
    glibc-headers.x86_64          2.17-260.el7_6.5                  updates 
    kernel.x86_64                 3.10.0-957.12.2.el7               updates 
    kernel-devel.x86_64           3.10.0-957.12.2.el7               updates 
    kernel-headers.x86_64         3.10.0-957.12.2.el7               updates 
    kernel-tools.x86_64           3.10.0-957.12.2.el7               updates 
    kernel-tools-libs.x86_64      3.10.0-957.12.2.el7               updates 
    microcode_ctl.x86_64          2:2.1-47.2.el7_6                  updates
    

    Run yum update
    Code (Text):
    yum -y update

    Update:

    Looks like the updated Kernel is now showing up in yum list updates

    For CentOS 7
    Code (Text):
    yum -q clean all; yum list updates -q | tr -s ' ' | column -t
    Updated                   Packages
    kernel.x86_64             3.10.0-957.21.3.el7  updates
    kernel-devel.x86_64       3.10.0-957.21.3.el7  updates
    kernel-headers.x86_64     3.10.0-957.21.3.el7  updates
    kernel-tools.x86_64       3.10.0-957.21.3.el7  updates
    kernel-tools-libs.x86_64  3.10.0-957.21.3.el7  updates
    python-perf.x86_64        3.10.0-957.21.3.el7  updates
    

    For CentOS 6
    Code (Text):
    yum -q clean all; yum list updates -q | tr -s ' ' | column -t
    Updated                 Packages
    kernel.x86_64           2.6.32-754.15.3.el6  updates
    kernel-devel.x86_64     2.6.32-754.15.3.el6  updates
    kernel-firmware.noarch  2.6.32-754.15.3.el6  updates
    kernel-headers.x86_64   2.6.32-754.15.3.el6  updates
    

    updating now with command
    Code (Text):
    yum -y update

    then doing server reboot - usually I also flush mysql buffers to disk and wait a bit before reboot
    Code (Text):
    mysqladmin flush-tables && sleep 60 && reboot
    

    Then reboot server for Linux Kernel update to take effect and verify with command
    Code (Text):
    uname -r

    For CentOS 7
    Code (Text):
    uname -r
    3.10.0-957.21.3.el7.x86_64
    

    For CentOS 6
    Code (Text):
    uname -r
    2.6.32-754.15.3.el6.x86_64
    

    For ELrepo YUM Kernels
    Code (Text):
    uname -r
    5.1.11-1.el7.elrepo.x86_64
    

    For Linode custom Kernels
    Code (Text):
    uname -r
    5.1.11-x86_64-linode127
    
     
    • Informative Informative x 3
    • Like Like x 2
    • Agree Agree x 1
  2. BamaStangGuy

    Does Kernel Care work with Linode 5.x kernels?
     
  3. eva2000

    Last I checked 5.x wasn't on their list. So might need to ask them. On my CentOS 7 with Linux 5.1.11 Kernel just updated servers kernelcare check returns UNSUPPORTED
    Code (Text):
    wget -qq -O - https://kernelcare.com/checker | python
    UNSUPPORTED
    

    You can see list of supported Linux Kernels for Kernelcare at KernelCare live patches CentOs, RHEL, Debian, Ubuntu, etc.

    and KernelCare supports many distributions, but does it work with your kernel? - KernelCare

    and KernelCare
     
  4. eva2000

    Looks like the updated Kernel is now showing up in yum list updates

    For CentOS 7
    Code (Text):
    yum -q clean all; yum list updates -q | tr -s ' ' | column -t
    Updated                   Packages
    kernel.x86_64             3.10.0-957.21.3.el7  updates
    kernel-devel.x86_64       3.10.0-957.21.3.el7  updates
    kernel-headers.x86_64     3.10.0-957.21.3.el7  updates
    kernel-tools.x86_64       3.10.0-957.21.3.el7  updates
    kernel-tools-libs.x86_64  3.10.0-957.21.3.el7  updates
    python-perf.x86_64        3.10.0-957.21.3.el7  updates
    

    For CentOS 6
    Code (Text):
    yum -q clean all; yum list updates -q | tr -s ' ' | column -t
    Updated                 Packages
    kernel.x86_64           2.6.32-754.15.3.el6  updates
    kernel-devel.x86_64     2.6.32-754.15.3.el6  updates
    kernel-firmware.noarch  2.6.32-754.15.3.el6  updates
    kernel-headers.x86_64   2.6.32-754.15.3.el6  updates
    

    updating now with command
    Code (Text):
    yum -y update

    then doing server reboot - usually I also flush mysql buffers to disk and wait a bit before reboot
    Code (Text):
    mysqladmin flush-tables && sleep 60 && reboot
    
     
    • Like Like x 1
  5. deltahf

    How urgent is this, eva? I am traveling right now and I don't really have the time to do any server work, or deal with the problems should anything happen during the upgrades.

    Should I be OK to wait until next week or should I apply this ASAP? I'm on CentOS 7, behind Cloudflare.
     
  6. eva2000

    If all domain and subdomains for your domain are before Cloudflare, then you are protected against this TCP SACK Panic vulnerability already so should be fine. But if some of your subdomains pointing to the same server IP are without orange cloud in Cloudflare DNS i.e. grey cloud which bypasses Cloudflare proxying, then you'd be vulnerable.
     
    • Informative Informative x 1
  7. Venucci

    Hi Eva! Which is the command to double check which version of kernel I have? I have done the 24 exit installation of yum updates but I wish to double check it, thanks
     
  8. eva2000

    command is in 1st post ;)
     
    • Like Like x 1
  9. Venucci

    thanks done. Just one noob question which is the command for "then doing server reboot"? #reboot?
     
  10. pamamolf

    reboot
     
    • Like Like x 1
  11. Andy

    Just updated all and checked kernel and still have the old one
    3.10.0-862.14.4.el7.x86_64

    Is there a way to force the newest kernel?
     
  12. rdan

    Reboot server.
     
    • Like Like x 1
  13. eva2000

    Yeah did you reboot server for Linux kernels to take effect? ;)
     
    • Like Like x 1
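
The `uname -r` verification step from the first post and the "updated but still on the old kernel" case raised later in the thread can be checked together. The script below is an added example, not code from the thread or from Centmin Mod; the function names are hypothetical, the thresholds are the fixed builds shown in the yum and `uname -r` output above, and kernels outside the listed families are reported as unknown.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Thresholds are the package versions
# shown in the thread's yum/uname output (lookup table built for this example).

# Reduce "3.10.0-957.21.3.el7.x86_64" to its numeric part "3.10.0-957.21.3".
numeric() {
  printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*(-[0-9]+(\.[0-9]+)*)?).*/\1/'
}

# True when version $1 >= version $2 (GNU sort -V ordering).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Fixed kernel build for each kernel family, as listed in the thread.
fixed_for() {
  case "$1" in
    2.6.32-*) echo "2.6.32-754.15.3" ;;   # CentOS/RHEL 6
    3.10.0-*) echo "3.10.0-957.21.3" ;;   # CentOS/RHEL 7
    4.18.0-*) echo "4.18.0-80.4.2" ;;     # RHEL 8
    5.1.*)    echo "5.1.11" ;;            # ELRepo / Linode 5.1 kernels
    *)        return 1 ;;
  esac
}

# Prints patched | vulnerable | unknown for a `uname -r` style string.
sack_status() {
  local fixed
  fixed=$(fixed_for "$1") || { echo unknown; return 0; }
  if version_ge "$(numeric "$1")" "$fixed"; then echo patched; else echo vulnerable; fi
}

# Prints reboot-needed when the newest installed kernel is newer than the running one.
needs_reboot() {
  local run new
  run=$(numeric "$1"); new=$(numeric "$2")
  if [ "$run" != "$new" ] && version_ge "$new" "$run"; then echo reboot-needed; else echo current; fi
}

# Live check; the rpm query only runs where a "kernel" package is installed.
running=$(uname -r)
echo "running $running: $(sack_status "$running")"
if command -v rpm >/dev/null 2>&1 && rpm -q kernel >/dev/null 2>&1; then
  newest=$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort -V | tail -n1)
  echo "newest installed $newest: $(needs_reboot "$running" "$newest")"
fi
```

ELRepo kernels install under a different package name than `kernel`, so on those servers the rpm comparison reflects only the stock distribution kernel.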