
The following updates have been released for Oracle Linux:

ELSA-2018-1319 Important: Oracle Linux 6 kernel security and bug fix update
New Ksplice updates for RHCK 7 (ELSA-2018-1319)
New Ksplice updates for UEKR2 2.6.39 on OL5 and OL6 (ELSA-2018-4097)
New Ksplice updates for UEKR3 3.8.13 on OL6 and OL7 (ELSA-2018-4098)



ELSA-2018-1319 Important: Oracle Linux 6 kernel security and bug fix update

Oracle Linux Security Advisory ELSA-2018-1319

http://linux.oracle.com/errata/ELSA-2018-1319.html

The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:

i386:
kernel-2.6.32-696.28.1.el6.i686.rpm
kernel-abi-whitelists-2.6.32-696.28.1.el6.noarch.rpm
kernel-debug-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-doc-2.6.32-696.28.1.el6.noarch.rpm
kernel-firmware-2.6.32-696.28.1.el6.noarch.rpm
kernel-headers-2.6.32-696.28.1.el6.i686.rpm
perf-2.6.32-696.28.1.el6.i686.rpm
python-perf-2.6.32-696.28.1.el6.i686.rpm

x86_64:
kernel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-abi-whitelists-2.6.32-696.28.1.el6.noarch.rpm
kernel-debug-2.6.32-696.28.1.el6.x86_64.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.i686.rpm
kernel-debug-devel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-devel-2.6.32-696.28.1.el6.x86_64.rpm
kernel-doc-2.6.32-696.28.1.el6.noarch.rpm
kernel-firmware-2.6.32-696.28.1.el6.noarch.rpm
kernel-headers-2.6.32-696.28.1.el6.x86_64.rpm
perf-2.6.32-696.28.1.el6.x86_64.rpm
python-perf-2.6.32-696.28.1.el6.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/kernel-2.6.32-696.28.1.el6.src.rpm



Description of changes:

[2.6.32-696.28.1.el6.OL6]
- Update genkey [bug 25599697]

[2.6.32-696.28.1.el6]
- [x86] entry/64: Don't use IST entry for #BP stack (Waiman Long)
[1567078 1567079] {CVE-2018-8897}
- [x86] xen: do not use xen_info on HVM, set pv_info name to "Xen HVM"
(Vitaly Kuznetsov) [1569141 1568241]

[2.6.32-696.27.1.el6]
- [mm] account skipped entries to avoid looping in find_get_pages (Dave
Wysochanski) [1565989 1559386]
- [x86] pti/32: Don't use trampoline stack on Xen PV (Waiman Long)
[1568327 1562725]
- [x86] pti: Use boot_cpu_has(X86_FEATURE_PTI_SUPPORT) for early call
sites (Waiman Long) [1568327 1562725]
- [x86] pti: Set X86_FEATURE_PTI_SUPPORT early (Waiman Long) [1568327
1562725]
- [x86] pti: Rename X86_FEATURE_NOPTI to X86_FEATURE_PTI_SUPPORT (Waiman
Long) [1568327 1562725]
- [x86] pti/32: Fix setup_trampoline_page_table() bug (Waiman Long)
[1568327 1562725]
- [x86] entry: Remove extra argument in call instruction (Waiman Long)
[1568332 1562552]
- [x86] syscall: Fix ia32_ptregs handling bug in 64-bit kernel (Waiman
Long) [1568332 1562552]
- [x86] efi/64: Align efi_pgd on even page boundary (Waiman Long)
[1568535 1558845]
- [x86] pgtable/pae: Revert "Use separate kernel PMDs for user
page-table" (Waiman Long) [1568535 1558845]
- [x86] pgtable/pae: Revert "Unshare kernel PMDs when PTI is enabled"
(Waiman Long) [1568535 1558845]
- [x86] mm: Dump both kernel & user page tables at fault (Waiman Long)
[1568535 1558845]
- [x86] entry/32: Fix typo in PARANOID_EXIT_TO_KERNEL_MODE (Waiman Long)
[1568535 1558845]

[2.6.32-696.26.1.el6]
- [s390] qeth: check not more than 16 SBALEs on the completion queue
(Hendrik Brueckner) [1557477 1520860]
- [x86] pti: Disable kaiser_add_mapping if X86_FEATURE_NOPTI (Waiman
Long) [1561441 1557562] {CVE-2017-5754}
- [x86] irq/ioapic: Check for valid irq_cfg pointer in
smp_irq_move_cleanup_interrupt (Waiman Long) [1553283 1550599]
{CVE-2017-5754}
- [x86] kexec/64: Clear control page after PGD init (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] efi/64: Fix potential PTI data corruption problem (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] pti/mm: Fix machine check with PTI on old AMD CPUs (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] pti/mm: Enable PAGE_GLOBAL if not affected by Meltdown (Waiman
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] retpoline: Avoid retpolines for built-in __init functions
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] kexec/32: Allocate 8k PGD for PTI (Waiman Long) [1553283
1550599] {CVE-2017-5754}
- [x86] spec_ctrl: Patch out lfence on old 32-bit CPUs (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2
microcodes (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] spec_ctrl/32: Enable IBRS processing on kernel entries & exits
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] spec_ctrl/32: Stuff RSB on kernel entry (Waiman Long) [1553283
1550599] {CVE-2017-5754}
- [x86] pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32 (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] pti/32: Add a PAE specific version of __pti_set_user_pgd (Waiman
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] mm/dump_pagetables: Support PAE page table dumping (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] pgtable/pae: Use separate kernel PMDs for user page-table
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] mm/pae: Populate valid user PGD entries (Waiman Long) [1553283
1550599] {CVE-2017-5754}
- [x86] pti: Enable x86-32 for kaiser.c (Waiman Long) [1553283 1550599]
{CVE-2017-5754}
- [x86] pti: Disable PCID handling in x86-32 TLB flushing code (Waiman
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable: Disable user PGD poisoning for PAE (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] pgtable: Move more PTI functions out of pgtable_64.h (Waiman
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable: Move pgdp kernel/user conversion functions to pgtable.h
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable/32: Allocate 8k page-tables when PTI is enabled (Waiman
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pgtable/pae: Unshare kernel PMDs when PTI is enabled (Waiman
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Handle debug exception similar to NMI (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Add PTI cr3 switch to non-NMI entry/exit points
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Add PTI cr3 switches to NMI handler code (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Introduce SAVE_ALL_NMI and RESTORE_ALL_NMI (Waiman
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Enable the use of trampoline stack (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Change INT80 to be an interrupt gate (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Handle Entry from Kernel-Mode on Entry-Stack (Waiman
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Leave the kernel via trampoline stack (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Enter the kernel via trampoline stack (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Restore segments before int registers (Waiman Long)
[1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Split off return-to-kernel path (Waiman Long) [1553283
1550599] {CVE-2017-5754}
- [x86] entry/32: Unshare NMI return path (Waiman Long) [1553283
1550599] {CVE-2017-5754}
- [x86] entry/32: Put ESPFIX code into a macro (Waiman Long) [1553283
1550599] {CVE-2017-5754}
- [x86] entry/32: Load task stack from x86_tss.sp1 in SYSENTER handler
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Rename TSS_sysenter_sp0 to TSS_entry_stack (Waiman
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] pti: Add X86_FEATURE_NOPTI to permanently disable PTI (Waiman
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] entry/32: Simplify and fix up the SYSENTER stack #DB/NMI fixup
(Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] doublefault: Set the right gs register for doublefault (Waiman
Long) [1553283 1550599] {CVE-2017-5754}
- [x86] syscall: int80 must not clobber r12-15 (Waiman Long) [1553283
1550599] {CVE-2017-5754}
- [x86] syscall: change ia32_syscall() to create the full register frame
in ia32_do_call() (Waiman Long) [1553283 1550599] {CVE-2017-5754}
- [x86] cve: Make all Meltdown/Spectre percpu variables available to
x86-32 (Waiman Long) [1553283 1550599] {CVE-2017-5754}

[2.6.32-696.25.1.el6]
- [net] packet: Allow packets with only a header (but no payload)
(Lorenzo Bianconi) [1557896 1535024]
- [net] packet: make packet too small warning match condition (Lorenzo
Bianconi) [1557896 1535024]
- [net] packet: bail out of packet_snd() if L2 header creation fails
(Lorenzo Bianconi) [1557896 1535024]
- [net] packet: make packet_snd fail on len smaller than l2 header
(Lorenzo Bianconi) [1557896 1535024]
- [net] dccp: use-after-free in DCCP code (Stefano Brivio) [1520818
1520817] {CVE-2017-8824}
- [fs] nfsd: check for oversized NFSv2/v3 arguments (J. Bruce Fields)
[1447640 1447641] {CVE-2017-7645}
- [netdrv] be2net: Fix UE detection logic for BE3 (Ivan Vecera) [1552706
1437991]
- [x86] skip check for spurious faults for non-present faults (Daniel
Vacek) [1551471 1495167]
- [x86] mm: Fix boot crash caused by incorrect loop count calculation in
sync_global_pgds() (Daniel Vacek) [1551471 1495167]
- [scsi] lpfc: Null pointer dereference when log_verbose is set to
0xffffffff (Dick Kennedy) [1540481 1538340]
- [mm] prevent concurrent unmap_mapping_range() on the same inode
(Miklos Szeredi) [1538654 1408108]
- [s390] fix transactional execution control register handling (Hendrik
Brueckner) [1538591 1520862]
- [netdrv] bnx2x: prevent crash when accessing PTP with interface down
(Michal Schmidt) [1538586 1518669]
- [v4l] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic
fixup (Jarod Wilson) [1548429 1548432] {CVE-2017-13166}
- [v4l] media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic
(Jarod Wilson) [1548429 1548432] {CVE-2017-13166}
- [net] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
(Florian Westphal) [1543089 1543091] {CVE-2017-18017}
- [net] netfilter: xt_TCPMSS: fix handling of malformed TCP header and
options (Florian Westphal) [1543089 1543091] {CVE-2017-18017}
- [net] netfilter: xt_TCPMSS: SYN packets are allowed to contain data
(Florian Westphal) [1543089 1543091] {CVE-2017-18017}
- [net] bluetooth: Prevent uninitialized data (Gopal Tiwari) [1519627
1519626] {CVE-2017-1000410}

[2.6.32-696.24.1.el6]
- [kernel] sched/core: Rework rq->clock update skips (Lauro Ramos
Venancio) [1551475 1212959]
- [kernel] sched: Remove useless code in yield_to() (Lauro Ramos
Venancio) [1551475 1212959]
- [kernel] sched: Set skip_clock_update in yield_task_fair() (Lauro
Ramos Venancio) [1551475 1212959]
- [kernel] sched, rt: Update rq clock when unthrottling of an otherwise
idle CPU (Lauro Ramos Venancio) [1551475 1212959]
- [kernel] lockdep: Fix lock_is_held() on recursion (Lauro Ramos
Venancio) [1551475 1212959]
- [net] bonding: discard lowest hash bit for 802.3ad layer3+4 (Hangbin
Liu) [1550103 1532167]


New Ksplice updates for RHCK 7 (ELSA-2018-1319)

Synopsis: ELSA-2018-1319 can now be patched using Ksplice
CVEs: CVE-2017-16939 CVE-2018-1000199 CVE-2018-1068 CVE-2018-1087 CVE-2018-8897

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-1319.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 7 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
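
An added example (not part of the advisory and not Oracle's code): a host audit that classifies a kernel release string against the fixed OL6 build 2.6.32-696.28.1.el6 listed above and checks whether an uncommented "autoinstall = yes" is in effect in the Uptrack configuration. The function names are illustrative, and the parser assumes plain "key = value" lines with "#" or ";" comments.

```shell
#!/bin/sh
# Added example: audit a host against ELSA-2018-1319 (function names are illustrative).
FIXED_REL="696.28.1"   # release field of the fixed build 2.6.32-696.28.1.el6

# ver_ge A B: exit 0 when dotted-numeric A >= B
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) != (y[i] + 0)) exit !((x[i] + 0) > (y[i] + 0))
        }
        exit 0 }'
}

# kernel_status RELEASE: classify a `uname -r` style string for the OL6 RHCK kernel
kernel_status() {
    case $1 in
        *uek*) echo "not-covered"; return 0 ;;   # UEK kernels have their own advisories
        2.6.32-*.el6*) ;;                        # kernel line this advisory ships
        *) echo "not-covered"; return 0 ;;
    esac
    rel=${1#2.6.32-}; rel=${rel%%.el6*}          # e.g. "696.27.1" from the full string
    if ver_ge "$rel" "$FIXED_REL"; then echo "patched"; else echo "needs-update"; fi
}

# autoinstall_enabled FILE: exit 0 only if the last uncommented autoinstall is "yes"
autoinstall_enabled() {
    [ -r "$1" ] || return 2                      # config missing or unreadable
    awk -F= '
        /^[ \t]*[#;]/ { next }                   # commented-out settings do not count
        { key = $1; val = $2
          sub(/[#;].*/, "", val); gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
          if (tolower(key) == "autoinstall") last = tolower(val) }
        END { exit !(last == "yes") }' "$1"
}

audit_host() {   # audit_host RELEASE CONFIG
    echo "kernel $1: $(kernel_status "$1")"
    if autoinstall_enabled "$2"; then
        echo "ksplice autoinstall: on"
    else
        echo "ksplice autoinstall: off or not configured; run uptrack-upgrade -y"
    fi
}

audit_host "$(uname -r)" /etc/uptrack/uptrack.conf
```

On a host already patched by Ksplice, `uname -r` still reports the booted kernel, so pass the effective release from `uptrack-uname -r` to `audit_host` instead.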


DESCRIPTION

* CVE-2018-8897: Denial-of-service in KVM breakpoint handling.

Incorrect stack management of data watchpoints and breakpoints could
allow an unprivileged user to crash the system.


* CVE-2018-1087: KVM guest breakpoint privilege escalation.

Incorrect breakpoint emulation for a KVM guest could allow a local,
unprivileged user to escalate privileges inside the guest.


* CVE-2017-16939: Denial-of-service in IPSEC transform policy netlink dump.

A failure to handle an error case when dumping IPSEC transform
information via netlink can result in a kernel crash. A local user with
the ability to administer an IPSEC tunnel could use this flaw to cause a
denial-of-service.


* CVE-2018-1068: Privilege escalation when configuring bridge filtering.

Lack of input validation when configuring bridge filtering from a 32-bit
compat syscall could lead to an out-of-bounds write. Unprivileged users
with the ability to create namespaces could use this flaw to escalate
privileges.


* CVE-2018-1000199: Denial-of-service in hardware breakpoints.

Incorrect validation of a ptrace hardware breakpoint could result in
corrupted kernel state. A local, unprivileged user could use this flaw
to crash the system or, potentially, escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.


New Ksplice updates for UEKR2 2.6.39 on OL5 and OL6 (ELSA-2018-4097)

Synopsis: ELSA-2018-4097 can now be patched using Ksplice
CVEs: CVE-2018-8897

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4097.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR2 2.6.39 on
OL5 and OL6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2018-8897: Denial-of-service in KVM breakpoint handling.

Incorrect stack management of data watchpoints and breakpoints could
allow an unprivileged user to crash the system.

OraBug: 27895351

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.

New Ksplice updates for UEKR3 3.8.13 on OL6 and OL7 (ELSA-2018-4098)

Synopsis: ELSA-2018-4098 can now be patched using Ksplice
CVEs: CVE-2018-8897

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4098.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR3 3.8.13 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2018-8897: Denial-of-service in KVM breakpoint handling.

Incorrect stack management of data watchpoints and breakpoints could
allow an unprivileged user to crash the system.

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.