Security May 27, 2017: Kernel Security Update for CentOS 7 & CentOS 6

Linux Kernel security update are available for CentOS 7 and CentOS 6. The CentOS 6 kernel was released actually in April 2017.

For CentOS 7 - Red Hat Customer Portal with fixed updated kernel version = 3.10.0-514.21.1.el7 and for CentOS 6 kernel version = 2.6.32-696.1.1.el6

• CVE-2016-10208 - CentOS 7 only
• CVE-2016-7910 - CentOS 6 & 7
• CVE-2016-8646 - CentOS 7 only
• CVE-2017-5986 - CentOS 7 (Redhat will not fix for CentOS 6 ). Hence, why I recommend CentOS 7 if you have >1GB memory based server.
• CVE-2017-7308 - CentOS 7 only

Update Fixes

• For CentOS 7 and Redhat 7 there's kernel update 3.10.0-514.21.1.el7 and for CentOS 6 2.6.32-696.1.1.el6

So need to do 2 steps for non-openvz systems. For openvz vps you use host node kernel and not your own so only your web host can update the host node kernel so contact them. Some openvz vps providers also use KernelCare so are auto patched up but some don't.

1. Do a yum update
   Code (Text):

   yum -y update

   then check if updated kernel version is updated via
   Code (Text):

   yum list kernel

   output
2. Then reboot your server for Kernel update to take effect. If you use KernelCare KernelCare rebootless kernel updates - CentminMod.com LEMP Nginx web stack for CentOS they auto patch your kernel every 4hrs and do not require server reboots. Then verify after reboot of kernel version via
   Code (Text):

   uname -r

   or if using KernelCare via
   Code (Text):

   kcare-uname -r

Update SSH Commands

Updating yum packages via yum update

Code (Text):

yum -y update

After update and server reboot verify updated kernel with command

Code (Text):

uname -r

or if using KernelCare via

Code (Text):

kcare-uname -r

Examples

---

CentOS 6

Code (Text):

uname -r
2.6.32-696.1.1.el6.x86_64

CentOS 7

Code (Text):

uname -r
3.10.0-514.21.1.el7.x86_64

Looks like Kernelcare doesn't have the update yet ? As kpatch build time was = Thu May 18 08:07:06 2017 and May 22nd release date KernelCare Directory. So probably need to a wait a bit longer for CentOS 7's Kernelcare patch updates which are automatically patched every 4 hours if you have Kernelcare installed.

Code (Text):

kcare-uname -r
3.10.0-514.16.1.el7

Code (Text):

kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-514.6.1.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Wed Jan 18 13:06:36 UTC 2017
kpatch-build-time: Thu May 18 08:07:06 2017
kpatch-description: 14;3.10.0-514.16.1.el7

Code (Text):

kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-514.6.1.el7
time: 2017-05-22 09:38:02
uname: 3.10.0-514.16.1.el7

kpatch-name: 3.10.0/KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
kpatch-description: KEYS: Fix handling of stored error in a negatively instantiated user key
kpatch-kernel: >kernel-3.10.0-514.6.1.el7
kpatch-cve: CVE-2015-8539
kpatch-cvss: 7.2
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-8539
kpatch-patch-url: https://git.kernel.org/linus/096fe9eaea40a17e125569f9e657e34cdb6d73bd

kpatch-name: 3.10.0/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
kpatch-description: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
kpatch-kernel: kernel-3.10.0-514.6.2.el7
kpatch-cve: CVE-2017-6074
kpatch-cvss: 7.8
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-6074
kpatch-patch-url: https://git.kernel.org/linus/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4

kpatch-name: 3.10.0/kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch
kpatch-description: kvm: x86: Check memopp before dereference
kpatch-kernel: kernel-3.10.0-514.10.2
kpatch-cve: CVE-2016-8630
kpatch-cvss: 5.2
kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-8630
kpatch-patch-url: https://git.kernel.org/linus/d9092f52d7e61dd1557f2db2400ddb430e85937e

kpatch-name: 3.10.0/vfio-pci-Fix-integer-overflows-bitmask-check.patch
kpatch-description: vfio/pci: Fix integer overflows, bitmask check
kpatch-kernel: kernel-3.10.0-514.10.2.el7
kpatch-cve: CVE-2016-9083 CVE-2016-9084
kpatch-cvss: 7.2
kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-9084
kpatch-patch-url: https://patchwork.kernel.org/patch/9373631/

kpatch-name: 3.10.0/fix-CVE-2017-2636.patch
kpatch-description: tty: n_hdlc: get rid of racy n_hdlc.tbuf
kpatch-kernel: >3.10.0-514.10.2.el7
kpatch-cve: CVE-2017-2636
kpatch-cvss: 7.8
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-2636
kpatch-patch-url: https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=82f2341c94d270421f383641b7cd670e474db56b

kpatch-name: 3.10.0/kernel-Null-pointer-dereference-in-search_keyring_514.patch
kpatch-description: kernel: Null pointer dereference in search_keyring
kpatch-kernel: >3.10.0-514.10.2.el7
kpatch-cve: CVE-2017-2647
kpatch-cvss: 7.8
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-2647
kpatch-patch-url: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c06cfb08b88d

kpatch-name: 3.10.0/xfrm_user-validate-XFRM_MSG_NEWAE-XFRMA_REPLAY_ESN_V.patch
kpatch-description: xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
kpatch-kernel: >kernel-3.10.0-514.10.2.el7
kpatch-cve: CVE-2017-7184
kpatch-cvss: 7.8
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-7184
kpatch-patch-url: https://git.kernel.org/linus/677e806da4d916052585301785d847c3b3e6186a

kpatch-name: 3.10.0/xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
kpatch-description: xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
kpatch-kernel: >kernel-3.10.0-514.10.2.el7
kpatch-cve: CVE-2017-7184
kpatch-cvss: 7.8
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-7184
kpatch-patch-url: https://git.kernel.org/linus/f843ee6dd019bcece3e74e76ad9df0155655d0df

kpatch-name: 3.10.0/mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch
kpatch-description: mpi: Fix NULL ptr dereference in mpi_powm
kpatch-kernel: kernel-3.10.0-514.16.1.el7
kpatch-cve: CVE-2016-8650
kpatch-cvss: 8.8
kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-8650
kpatch-patch-url: https://lkml.org/lkml/2016/11/23/477

kpatch-name: 3.10.0/net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
kpatch-description: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
kpatch-kernel: kernel-3.10.0-514.16.1.el7
kpatch-cve: CVE-2016-9793
kpatch-cvss: 6.7
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-9793
kpatch-patch-url: https://github.com/torvalds/linux/commit/b98b0bc8c431e3ceb4b26b0dfc8db509518fb290

kpatch-name: 3.10.0/selinux-fix-off-by-one-in-setprocattr.patch
kpatch-description: selinux: fix off-by-one in setprocattr
kpatch-kernel: kernel-3.10.0-514.16.1.el7
kpatch-cve: CVE-2017-2618
kpatch-cvss: 5.5
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-2618
kpatch-patch-url: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=0c461cb727d146c9ef2d3e86214f498b78b7d125

kpatch-name: 3.10.0/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
kpatch-description: nfsd: stricter decoding of write-like NFSv2/v3 ops
kpatch-kernel: >kernel-3.10.0-427.36.1.lve1.4.47.el7
kpatch-cve: CVE-2017-7895
kpatch-cvss: 6.5
kpatch-cve-url: https://access.redhat.com/security/cve/cve-2017-7895
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/18127

kpatch-name: 3.10.0/RDS-verify-the-underlying-transport-exists-before-cr.patch
kpatch-description: RDS: verify the underlying transport exists before creating a connection
kpatch-kernel: >kernel-3.10.0-229.14.1.el7
kpatch-cve: CVE-2015-6937
kpatch-cvss: 7.1
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-6937
kpatch-patch-url: http://git.kernel.org/linus/74e98eb085889b0d2d4908f59f6e00026063014f

kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
kpatch-patch-url:

However, seems Kernelcare has the CentOS 6 Kernel patch updated and released on May 25, 2017

• KernelCare Directory
• KernelCare Directory

For Kernelcare patched Kernels for CentOS 6 and 7 you can check status at KernelCare Directory

 

For Linode KVM VPS users who use Linode custom latest 4.9.15 Kernels listed at Available Linux Kernels - Linode, a breakdown of each CVE

• CVE-2016-10208
• CVE-2016-7910
• CVE-2016-8646
• CVE-2017-5986
• CVE-2017-7308

CVE-2016-10208 does not apply to Linode 4.9.15 kernel as it's newer than 4.9.8

details at CVE - CVE-2016-10208

CVE-2016-7910 does not apply to Linode 4.9.15 kernel as it's newer than 4.7.1

details CVE - CVE-2016-7910

CVE-2016-8646 does not apply to Linode 4.9.15 kernel as it's newer than 4.3.6

details CVE - CVE-2016-8646

CVE-2017-5986 does not apply to Linode 4.9.15 kernel as it's newer than 4.9.11

details CVE - CVE-2017-5986

CVE-2017-7308 does apply to Linode 4.9.15 kernel as it's older than 4.10.6

details CVE - CVE-2017-7308

From CVE-2017-7308 - Red Hat Customer Portal

 

For KernelCare users they have CentOS 7 patch update from May 30th build

Code (Text):

kcarectl --info

kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-514.21.1.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Thu May 25 17:04:51 UTC 2017
kpatch-build-time: Tue May 30 10:08:39 2017
kpatch-description: 2;3.10.0-514.21.1.el7

released on May 31st KernelCare Directory