Security March, 2017: Linux Kernel Security Fixes CVE-2016-8630, CVE-2016-8655, CVE-2016-9083, CVE-2016-9084

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, Mar 4, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    New Linux Kernel security vulnerability fixes are out for CentOS 7 ONLY for CVE-2016-8630, CVE-2016-8655, CVE-2016-9083, CVE-2016-9084. CentOS 5 and 6 are NOT affected. The updated fixed Linux Kernel for CentOS 7 is 3.10.0-514.10.2.el7, and a yum update and server reboot are required unless you are using KernelCare for auto-patched Kernel updates, which do not require a server reboot.

    Information


    Update Fixes


    • For CentOS 7 and Redhat 7 there's kernel update 3.10.0-514.10.2.el7
    So you need to do 2 steps for non-OpenVZ systems. For an OpenVZ VPS you use the host node kernel and not your own, so only your web host can update the host node kernel, so contact them. Some OpenVZ VPS providers also use KernelCare so are auto patched, but some don't.
    1. Do a yum update
      Code (Text):
      yum -y update
      then check if 3.10.0-514.10.2.el7 kernel is updated via
      Code (Text):
      yum list kernel
      output
    2. Then reboot your server for the Kernel update to take effect. If you use KernelCare (KernelCare rebootless kernel updates - CentminMod.com LEMP Nginx web stack for CentOS), they auto patch your kernel every 4hrs and do not require server reboots. Then verify the kernel version after reboot via
      Code (Text):
      uname -r
      or if using KernelCare via
      Code (Text):
      kcare-uname -r

    Example listing updates which include Kernel
    Code (Text):
    yum list updates
    

    Code (Text):
    Loaded plugins: fastestmirror, priorities
    Loading mirror speeds from cached hostfile
     * base: ca.mirror.babylon.network
     * elrepo: ca.mirror.babylon.network
     * epel: ca.mirror.babylon.network
     * extras: ca.mirror.babylon.network
     * rpmforge: repoforge.mirror.constant.com
     * updates: ca.mirror.babylon.network
    383 packages excluded due to repository priority protections
    Updated Packages
    kernel.x86_64 3.10.0-514.10.2.el7 updates
    kernel-devel.x86_64 3.10.0-514.10.2.el7 updates
    kernel-headers.x86_64 3.10.0-514.10.2.el7 updates
    

    Updating yum packages via yum update
    Code (Text):
    yum -y update
    

    Code (Text):
    yum -y update
    Loaded plugins: fastestmirror, priorities
    Loading mirror speeds from cached hostfile
     * base: mirror2.evolution-host.com
     * elrepo: ca.mirror.babylon.network
     * epel: ca.mirror.babylon.network
     * extras: mirror2.evolution-host.com
     * rpmforge: repoforge.mirror.constant.com
     * updates: mirror2.evolution-host.com
    383 packages excluded due to repository priority protections
    Resolving Dependencies
    --> Running transaction check
    ---> Package kernel.x86_64 0:3.10.0-514.10.2.el7 will be installed
    ---> Package kernel-devel.x86_64 0:3.10.0-514.10.2.el7 will be installed
    ---> Package kernel-headers.x86_64 0:3.10.0-514.6.2.el7 will be updated
    ---> Package kernel-headers.x86_64 0:3.10.0-514.10.2.el7 will be an update
    --> Finished Dependency Resolution
    --> Running transaction check
    ---> Package kernel.x86_64 0:3.10.0-327.36.3.el7 will be erased
    ---> Package kernel-devel.x86_64 0:3.10.0-327.36.3.el7 will be erased
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ==========================================================================================================================================================================================================================================================
     Package                                                        Arch                                                   Version                                                             Repository                                                Size
    ==========================================================================================================================================================================================================================================================
    Installing:
     kernel                                                         x86_64                                                 3.10.0-514.10.2.el7                                                 updates                                                   37 M
     kernel-devel                                                   x86_64                                                 3.10.0-514.10.2.el7                                                 updates                                                   13 M
    Updating:
     kernel-headers                                                 x86_64                                                 3.10.0-514.10.2.el7                                                 updates                                                  4.8 M
    Removing:
     kernel                                                         x86_64                                                 3.10.0-327.36.3.el7                                                 @updates                                                 136 M
     kernel-devel                                                   x86_64                                                 3.10.0-327.36.3.el7                                                 @updates                                                  33 M
    
    Transaction Summary
    ==========================================================================================================================================================================================================================================================
    Install  2 Packages
    Upgrade  1 Package
    Remove   2 Packages
    
    Total download size: 55 M
    Downloading packages:
    Delta RPMs reduced 13 M of updates to 5.8 M (54% saved)
    (1/3): kernel-3.10.0-514.10.2.el7.x86_64.rpm                                                                                                                                                                                       |  37 MB  00:00:00  
    (2/3): kernel-devel-3.10.0-514.6.2.el7_3.10.0-514.10.2.el7.x86_64.drpm                                                                                                                                                             | 5.8 MB  00:00:00  
    (3/3): kernel-headers-3.10.0-514.10.2.el7.x86_64.rpm                                                                                                                                                                               | 4.8 MB  00:00:00  
    Finishing delta rebuilds of 1 package(s) (13 M)
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                                                                                                                                                      11 MB/s |  48 MB  00:00:04  
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : kernel-devel-3.10.0-514.10.2.el7.x86_64                                                                                                                                                                                                1/6
      Updating   : kernel-headers-3.10.0-514.10.2.el7.x86_64                                                                                                                                                                                              2/6
      Installing : kernel-3.10.0-514.10.2.el7.x86_64                                                                                                                                                                                                      3/6
      Cleanup    : kernel-3.10.0-327.36.3.el7.x86_64                                                                                                                                                                                                      4/6
      Cleanup    : kernel-headers-3.10.0-514.6.2.el7.x86_64                                                                                                                                                                                               5/6
      Cleanup    : kernel-devel-3.10.0-327.36.3.el7.x86_64                                                                                                                                                                                                6/6
      Verifying  : kernel-3.10.0-514.10.2.el7.x86_64                                                                                                                                                                                                      1/6
      Verifying  : kernel-headers-3.10.0-514.10.2.el7.x86_64                                                                                                                                                                                              2/6
      Verifying  : kernel-devel-3.10.0-514.10.2.el7.x86_64                                                                                                                                                                                                3/6
      Verifying  : kernel-devel-3.10.0-327.36.3.el7.x86_64                                                                                                                                                                                                4/6
      Verifying  : kernel-headers-3.10.0-514.6.2.el7.x86_64                                                                                                                                                                                               5/6
      Verifying  : kernel-3.10.0-327.36.3.el7.x86_64                                                                                                                                                                                                      6/6
    
    Removed:
      kernel.x86_64 0:3.10.0-327.36.3.el7                                                                                      kernel-devel.x86_64 0:3.10.0-327.36.3.el7                                                                                  
    
    Installed:
      kernel.x86_64 0:3.10.0-514.10.2.el7                                                                                      kernel-devel.x86_64 0:3.10.0-514.10.2.el7                                                                                  
    
    Updated:
      kernel-headers.x86_64 0:3.10.0-514.10.2.el7                                                                                                                                                                                                          
    
    Complete!
    

    After update and server reboot verify updated kernel with command
    Code (Text):
    uname -r
    

    or if using KernelCare via
    Code (Text):
    kcare-uname -r
    
     
    Last edited: Mar 4, 2017
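
An added example, not part of the original post: a small shell check that classifies a host against the fixed kernel 3.10.0-514.10.2.el7 named above, including the case where `yum update` has run but the server has not been rebooted. The function names (`ver_ge`, `kernel_status`, `check_host`) and status strings are hypothetical; it assumes `rpm` is available for listing installed kernel packages.

```sh
#!/bin/sh
# Added example: compare a CentOS 7 kernel release with the fixed build above.
FIXED="3.10.0-514.10.2.el7"

# ver_ge A B: succeed when release A >= release B. Fields are compared as
# numbers, so 514.10.2 ranks above 514.6.2 (a string comparison would not).
ver_ge() {
    awk -v a="${1%%.el*}" -v b="${2%%.el*}" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# kernel_status EFFECTIVE NEWEST_INSTALLED
#   EFFECTIVE:        output of `uname -r` (or `kcare-uname -r` with KernelCare)
#   NEWEST_INSTALLED: newest kernel package on disk, empty if unknown
kernel_status() {
    case "$1" in
        *.el7*) ;;
        *) echo "not-el7"; return 0 ;;   # this update targets CentOS/RHEL 7 only
    esac
    if ver_ge "$1" "$FIXED"; then
        echo "patched"
    elif [ -n "$2" ] && ver_ge "$2" "$FIXED"; then
        echo "reboot-pending"            # yum update done, old kernel still running
    else
        echo "below-fixed"
    fi
}

check_host() {
    if command -v kcare-uname >/dev/null 2>&1; then
        effective=$(kcare-uname -r)
    else
        effective=$(uname -r)
    fi
    newest=""
    for k in $(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n' 2>/dev/null); do
        if ver_ge "$k" "${newest:-0}"; then newest=$k; fi
    done
    kernel_status "$effective" "$newest"
}

check_host
```
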
  2. eva2000

    eva2000 Administrator Staff Member

    Updated and rebooted on CentOS 7
    Code (Text):
    uname -r
    3.10.0-514.10.2.el7.x86_64
    

    Remember, only non-OpenVZ systems can update their Linux Kernels. For an OpenVZ VPS you use the host node kernel and not your own, so only your web host can update the host node kernel, so contact them. Some OpenVZ VPS providers also use KernelCare so are auto patched, but some don't.
     
  3. eva2000

    eva2000 Administrator Staff Member

    KernelCare users would have auto updated and DO NOT require a server reboot
    Code (Text):
    kcare-uname -r
    3.10.0-514.6.2.el7
    

    Code (Text):
    kcarectl --info
    kpatch-state: patch is applied
    kpatch-for: Linux version 3.10.0-514.6.1.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Wed Jan 18 13:06:36 UTC 2017
    kpatch-build-time: Wed Feb 22 12:34:36 2017
    kpatch-description: 5;3.10.0-514.6.2.el7

    Code (Text):
    kcarectl --patch-info
    OS: centos7
    kernel: kernel-3.10.0-514.6.1.el7
    time: 2017-02-23 23:09:11
    uname: 3.10.0-514.6.2.el7
    
    
    
    kpatch-name: 3.10.0/KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
    kpatch-description: KEYS: Fix handling of stored error in a negatively instantiated user key
    kpatch-kernel: >kernel-3.10.0-514.6.1.el7
    kpatch-cve: CVE-2015-8539
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-8539
    kpatch-patch-url: https://git.kernel.org/linus/096fe9eaea40a17e125569f9e657e34cdb6d73bd
    
    kpatch-name: 3.10.0/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
    kpatch-description: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
    kpatch-kernel: kernel-3.10.0-514.6.2.el7
    kpatch-cve: CVE-2017-6074
    kpatch-cvss: 7.8
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-6074
    kpatch-patch-url: https://git.kernel.org/linus/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4
    
    kpatch-name: 3.10.0/RDS-verify-the-underlying-transport-exists-before-cr.patch
    kpatch-description: RDS: verify the underlying transport exists before creating a connection
    kpatch-kernel: >kernel-3.10.0-229.14.1.el7
    kpatch-cve: CVE-2015-6937
    kpatch-cvss: 7.1
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-6937
    kpatch-patch-url: http://git.kernel.org/linus/74e98eb085889b0d2d4908f59f6e00026063014f
    
    kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
    kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
    kpatch-kernel:
    kpatch-cve:
    kpatch-cvss:
    kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
    kpatch-patch-url: 
     
  4. eva2000

    eva2000 Administrator Staff Member

    Linode support says these bugs don't apply to their provided Linux 4.9.x Kernels
     
  5. BamaStangGuy

    BamaStangGuy Active Member

    My kernel care is outputting this:

    Code:
    [11:47][root@christianforums.whippmedia.com ~]# kcare-uname -r
    3.10.0-514.6.2.el7
    Is this correct?
     
  6. eva2000

    eva2000 Administrator Staff Member
