Want more timely Centmin Mod News Updates?
Become a Member

Security May 27, 2017: Kernel Security Update for CentOS 7 & CentOS 6

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, May 27, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    30,152
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    6:26 AM
    Nginx 1.13.x
    MariaDB 5.5
    Linux Kernel security update are available for CentOS 7 and CentOS 6. The CentOS 6 kernel was released actually in April 2017.

    For CentOS 7 - Red Hat Customer Portal with fixed updated kernel version = 3.10.0-514.21.1.el7 and for CentOS 6 kernel version = 2.6.32-696.1.1.el6

    Update Fixes


    • For CentOS 7 and Redhat 7 there's kernel update 3.10.0-514.21.1.el7 and for CentOS 6 2.6.32-696.1.1.el6
    So need to do 2 steps for non-openvz systems. For openvz vps you use host node kernel and not your own so only your web host can update the host node kernel so contact them. Some openvz vps providers also use KernelCare so are auto patched up but some don't.
    1. Do a yum update
      Code (Text):
      yum -y update
      then check if updated kernel version is updated via
      Code (Text):
      yum list kernel
      output
    2. Then reboot your server for Kernel update to take effect. If you use KernelCare KernelCare rebootless kernel updates - CentminMod.com LEMP Nginx web stack for CentOS they auto patch your kernel every 4hrs and do not require server reboots. Then verify after reboot of kernel version via
      Code (Text):
      uname -r
      or if using KernelCare via
      Code (Text):
      kcare-uname -r

    Update SSH Commands



    Updating yum packages via yum update
    Code (Text):
    yum -y update
    

    After update and server reboot verify updated kernel with command
    Code (Text):
    uname -r
    

    or if using KernelCare via
    Code (Text):
    kcare-uname -r
    


    Examples

    CentOS 6
    Code (Text):
    uname -r
    2.6.32-696.1.1.el6.x86_64
    

    CentOS 7
    Code (Text):
    uname -r
    3.10.0-514.21.1.el7.x86_64
    

    Looks like Kernelcare doesn't have the update yet ? As kpatch build time was = Thu May 18 08:07:06 2017 and May 22nd release date KernelCare Directory. So probably need to a wait a bit longer for CentOS 7's Kernelcare patch updates which are automatically patched every 4 hours if you have Kernelcare installed.
    Code (Text):
    kcare-uname -r
    3.10.0-514.16.1.el7
    

    Code (Text):
    kcarectl --info
    kpatch-state: patch is applied
    kpatch-for: Linux version 3.10.0-514.6.1.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Wed Jan 18 13:06:36 UTC 2017
    kpatch-build-time: Thu May 18 08:07:06 2017
    kpatch-description: 14;3.10.0-514.16.1.el7
    

    Code (Text):
    kcarectl --patch-info
    OS: centos7
    kernel: kernel-3.10.0-514.6.1.el7
    time: 2017-05-22 09:38:02
    uname: 3.10.0-514.16.1.el7
    
    kpatch-name: 3.10.0/KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
    kpatch-description: KEYS: Fix handling of stored error in a negatively instantiated user key
    kpatch-kernel: >kernel-3.10.0-514.6.1.el7
    kpatch-cve: CVE-2015-8539
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-8539
    kpatch-patch-url: https://git.kernel.org/linus/096fe9eaea40a17e125569f9e657e34cdb6d73bd
    
    kpatch-name: 3.10.0/dccp-fix-freeing-skb-too-early-for-ipv6_recvpktinfo.patch
    kpatch-description: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
    kpatch-kernel: kernel-3.10.0-514.6.2.el7
    kpatch-cve: CVE-2017-6074
    kpatch-cvss: 7.8
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-6074
    kpatch-patch-url: https://git.kernel.org/linus/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4
    
    kpatch-name: 3.10.0/kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch
    kpatch-description: kvm: x86: Check memopp before dereference
    kpatch-kernel: kernel-3.10.0-514.10.2
    kpatch-cve: CVE-2016-8630
    kpatch-cvss: 5.2
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-8630
    kpatch-patch-url: https://git.kernel.org/linus/d9092f52d7e61dd1557f2db2400ddb430e85937e
    
    kpatch-name: 3.10.0/vfio-pci-Fix-integer-overflows-bitmask-check.patch
    kpatch-description: vfio/pci: Fix integer overflows, bitmask check
    kpatch-kernel: kernel-3.10.0-514.10.2.el7
    kpatch-cve: CVE-2016-9083 CVE-2016-9084
    kpatch-cvss: 7.2
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-9084
    kpatch-patch-url: https://patchwork.kernel.org/patch/9373631/
    
    kpatch-name: 3.10.0/fix-CVE-2017-2636.patch
    kpatch-description: tty: n_hdlc: get rid of racy n_hdlc.tbuf
    kpatch-kernel: >3.10.0-514.10.2.el7
    kpatch-cve: CVE-2017-2636
    kpatch-cvss: 7.8
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-2636
    kpatch-patch-url: https://git.kernel.org/cgit/linux/kernel/git/gregkh/tty.git/commit/?h=tty-linus&id=82f2341c94d270421f383641b7cd670e474db56b
    
    kpatch-name: 3.10.0/kernel-Null-pointer-dereference-in-search_keyring_514.patch
    kpatch-description: kernel: Null pointer dereference in search_keyring
    kpatch-kernel: >3.10.0-514.10.2.el7
    kpatch-cve: CVE-2017-2647
    kpatch-cvss: 7.8
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-2647
    kpatch-patch-url: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c06cfb08b88d
    
    kpatch-name: 3.10.0/xfrm_user-validate-XFRM_MSG_NEWAE-XFRMA_REPLAY_ESN_V.patch
    kpatch-description: xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
    kpatch-kernel: >kernel-3.10.0-514.10.2.el7
    kpatch-cve: CVE-2017-7184
    kpatch-cvss: 7.8
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-7184
    kpatch-patch-url: https://git.kernel.org/linus/677e806da4d916052585301785d847c3b3e6186a
    
    kpatch-name: 3.10.0/xfrm_user-validate-XFRM_MSG_NEWAE-incoming-ESN-size-.patch
    kpatch-description: xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
    kpatch-kernel: >kernel-3.10.0-514.10.2.el7
    kpatch-cve: CVE-2017-7184
    kpatch-cvss: 7.8
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-7184
    kpatch-patch-url: https://git.kernel.org/linus/f843ee6dd019bcece3e74e76ad9df0155655d0df
    
    kpatch-name: 3.10.0/mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch
    kpatch-description: mpi: Fix NULL ptr dereference in mpi_powm
    kpatch-kernel: kernel-3.10.0-514.16.1.el7
    kpatch-cve: CVE-2016-8650
    kpatch-cvss: 8.8
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-8650
    kpatch-patch-url: https://lkml.org/lkml/2016/11/23/477
    
    kpatch-name: 3.10.0/net-avoid-signed-overflows-for-SO_-SND-RCV-BUFFORCE.patch
    kpatch-description: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
    kpatch-kernel: kernel-3.10.0-514.16.1.el7
    kpatch-cve: CVE-2016-9793
    kpatch-cvss: 6.7
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-9793
    kpatch-patch-url: https://github.com/torvalds/linux/commit/b98b0bc8c431e3ceb4b26b0dfc8db509518fb290
    
    kpatch-name: 3.10.0/selinux-fix-off-by-one-in-setprocattr.patch
    kpatch-description: selinux: fix off-by-one in setprocattr
    kpatch-kernel: kernel-3.10.0-514.16.1.el7
    kpatch-cve: CVE-2017-2618
    kpatch-cvss: 5.5
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2017-2618
    kpatch-patch-url: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=0c461cb727d146c9ef2d3e86214f498b78b7d125
    
    kpatch-name: 3.10.0/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
    kpatch-description: nfsd: stricter decoding of write-like NFSv2/v3 ops
    kpatch-kernel: >kernel-3.10.0-427.36.1.lve1.4.47.el7
    kpatch-cve: CVE-2017-7895
    kpatch-cvss: 6.5
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2017-7895
    kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/18127
    
    kpatch-name: 3.10.0/RDS-verify-the-underlying-transport-exists-before-cr.patch
    kpatch-description: RDS: verify the underlying transport exists before creating a connection
    kpatch-kernel: >kernel-3.10.0-229.14.1.el7
    kpatch-cve: CVE-2015-6937
    kpatch-cvss: 7.1
    kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-6937
    kpatch-patch-url: http://git.kernel.org/linus/74e98eb085889b0d2d4908f59f6e00026063014f
    
    kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
    kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
    kpatch-kernel:
    kpatch-cve:
    kpatch-cvss:
    kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
    kpatch-patch-url:
    

    However, seems Kernelcare has the CentOS 6 Kernel patch updated and released on May 25, 2017

    For Kernelcare patched Kernels for CentOS 6 and 7 you can check status at KernelCare Directory
     
    Last edited: May 27, 2017
    • Like Like x 1
  2. eva2000

    eva2000 Administrator Staff Member

    30,152
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    6:26 AM
    Nginx 1.13.x
    MariaDB 5.5
    For Linode KVM VPS users who use Linode custom latest 4.9.15 Kernels listed at Available Linux Kernels - Linode, a breakdown of each CVE

    CVE-2016-10208 does not apply to Linode 4.9.15 kernel as it's newer than 4.9.8

    details at CVE - CVE-2016-10208
    CVE-2016-7910 does not apply to Linode 4.9.15 kernel as it's newer than 4.7.1

    details CVE - CVE-2016-7910
    CVE-2016-8646 does not apply to Linode 4.9.15 kernel as it's newer than 4.3.6

    details CVE - CVE-2016-8646
    CVE-2017-5986 does not apply to Linode 4.9.15 kernel as it's newer than 4.9.11

    details CVE - CVE-2017-5986
    CVE-2017-7308 does apply to Linode 4.9.15 kernel as it's older than 4.10.6

    details CVE - CVE-2017-7308
    From CVE-2017-7308 - Red Hat Customer Portal
     
    Last edited: May 27, 2017
  3. eva2000

    eva2000 Administrator Staff Member

    30,152
    6,782
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,133
    Local Time:
    6:26 AM
    Nginx 1.13.x
    MariaDB 5.5
    For KernelCare users they have CentOS 7 patch update from May 30th build
    Code (Text):
    kcarectl --info
    
    kpatch-state: patch is applied
    kpatch-for: Linux version 3.10.0-514.21.1.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) ) #1 SMP Thu May 25 17:04:51 UTC 2017
    kpatch-build-time: Tue May 30 10:08:39 2017
    kpatch-description: 2;3.10.0-514.21.1.el7
    

    released on May 31st KernelCare Directory