Oracle Linux 6279 Published by

The following updates has been released for Oracle Linux:

ELSA-2019-2829 Important: Oracle Linux 7 kernel security update
ELSA-2019-2836 Important: Oracle Linux 7 dovecot security update
ELSA-2019-2836 Important: Oracle Linux 7 dovecot security update (aarch64)
ELSA-2019-4799 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
ELSA-2019-4799 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update (aarch64)
ELSA-2019-4800 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update
ELSA-2019-4800 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
New Ksplice updates for RHCK 7 (ELSA-2019-2829-01)
New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2019-4789)
New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2019-4799)



ELSA-2019-2829 Important: Oracle Linux 7 kernel security update

Oracle Linux Security Advisory ELSA-2019-2829

http://linux.oracle.com/errata/ELSA-2019-2829.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

x86_64:
bpftool-3.10.0-1062.1.2.el7.x86_64.rpm
kernel-3.10.0-1062.1.2.el7.x86_64.rpm
kernel-abi-whitelists-3.10.0-1062.1.2.el7.noarch.rpm
kernel-debug-3.10.0-1062.1.2.el7.x86_64.rpm
kernel-debug-devel-3.10.0-1062.1.2.el7.x86_64.rpm
kernel-devel-3.10.0-1062.1.2.el7.x86_64.rpm
kernel-doc-3.10.0-1062.1.2.el7.noarch.rpm
kernel-headers-3.10.0-1062.1.2.el7.x86_64.rpm
kernel-tools-3.10.0-1062.1.2.el7.x86_64.rpm
kernel-tools-libs-3.10.0-1062.1.2.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-1062.1.2.el7.x86_64.rpm
perf-3.10.0-1062.1.2.el7.x86_64.rpm
python-perf-3.10.0-1062.1.2.el7.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-3.10.0-1062.1.2.el7.src.rpm



Description of changes:

[3.10.0-1062.1.2.el7.OL7]
- Oracle Linux certificates (Alexey Petrenko)
- Oracle Linux RHCK Module Signing Key was compiled into kernel
(olkmod_signing_key.x509)(alexey.petrenko@oracle.com)
- Update x509.genkey [Orabug: 24817676]

[3.10.0-1062.1.2.el7]
- [vhost] vhost: make sure log_num < in_num (Eugenio Perez) [1750879
1750880] {CVE-2019-14835}

ELSA-2019-2836 Important: Oracle Linux 7 dovecot security update

Oracle Linux Security Advisory ELSA-2019-2836

http://linux.oracle.com/errata/ELSA-2019-2836.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

x86_64:
dovecot-2.2.36-3.el7_7.1.i686.rpm
dovecot-2.2.36-3.el7_7.1.x86_64.rpm
dovecot-devel-2.2.36-3.el7_7.1.x86_64.rpm
dovecot-mysql-2.2.36-3.el7_7.1.x86_64.rpm
dovecot-pgsql-2.2.36-3.el7_7.1.x86_64.rpm
dovecot-pigeonhole-2.2.36-3.el7_7.1.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/dovecot-2.2.36-3.el7_7.1.src.rpm



Description of changes:

[1:2.2.36-3.1]
- fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes (#1751383)

ELSA-2019-2836 Important: Oracle Linux 7 dovecot security update (aarch64)

Oracle Linux Security Advisory ELSA-2019-2836

http://linux.oracle.com/errata/ELSA-2019-2836.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

aarch64:
dovecot-2.2.36-3.el7_7.1.aarch64.rpm
dovecot-mysql-2.2.36-3.el7_7.1.aarch64.rpm
dovecot-pgsql-2.2.36-3.el7_7.1.aarch64.rpm
dovecot-pigeonhole-2.2.36-3.el7_7.1.aarch64.rpm
dovecot-devel-2.2.36-3.el7_7.1.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/dovecot-2.2.36-3.el7_7.1.src.rpm



Description of changes:

[1:2.2.36-3.1]
- fix CVE-2019-11500: IMAP protocol parser does not properly handle NUL byte
when scanning data in quoted strings, leading to out of bounds heap
memory writes (#1751383)

ELSA-2019-4799 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update

Oracle Linux Security Advisory ELSA-2019-4799

http://linux.oracle.com/errata/ELSA-2019-4799.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

x86_64:
kernel-uek-4.14.35-1902.5.2.2.el7uek.x86_64.rpm
kernel-uek-debug-4.14.35-1902.5.2.2.el7uek.x86_64.rpm
kernel-uek-debug-devel-4.14.35-1902.5.2.2.el7uek.x86_64.rpm
kernel-uek-devel-4.14.35-1902.5.2.2.el7uek.x86_64.rpm
kernel-uek-tools-4.14.35-1902.5.2.2.el7uek.x86_64.rpm
kernel-uek-doc-4.14.35-1902.5.2.2.el7uek.noarch.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.14.35-1902.5.2.2.el7uek.src.rpm



Description of changes:

[4.14.35-1902.5.2.2.el7uek]
- KVM: coalesced_mmio: add bounds checking (Matt Delco) [Orabug:
30318013] {CVE-2019-14821} {CVE-2019-14821}

ELSA-2019-4799 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update (aarch64)

Oracle Linux Security Advisory ELSA-2019-4799

http://linux.oracle.com/errata/ELSA-2019-4799.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

aarch64:
kernel-uek-4.14.35-1902.5.2.2.el7uek.aarch64.rpm
kernel-uek-debug-4.14.35-1902.5.2.2.el7uek.aarch64.rpm
kernel-uek-debug-devel-4.14.35-1902.5.2.2.el7uek.aarch64.rpm
kernel-uek-devel-4.14.35-1902.5.2.2.el7uek.aarch64.rpm
kernel-uek-tools-4.14.35-1902.5.2.2.el7uek.aarch64.rpm
kernel-uek-tools-libs-4.14.35-1902.5.2.2.el7uek.aarch64.rpm
kernel-uek-tools-libs-devel-4.14.35-1902.5.2.2.el7uek.aarch64.rpm
perf-4.14.35-1902.5.2.2.el7uek.aarch64.rpm
python-perf-4.14.35-1902.5.2.2.el7uek.aarch64.rpm
kernel-uek-headers-4.14.35-1902.5.2.2.el7uek.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.14.35-1902.5.2.2.el7uek.src.rpm



Description of changes:

[4.14.35-1902.5.2.2.el7uek]
- KVM: coalesced_mmio: add bounds checking (Matt Delco) [Orabug:
30318013] {CVE-2019-14821} {CVE-2019-14821}

ELSA-2019-4800 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update

Oracle Linux Security Advisory ELSA-2019-4800

http://linux.oracle.com/errata/ELSA-2019-4800.html

The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:

x86_64:
kernel-uek-doc-4.1.12-124.31.1.1.el6uek.noarch.rpm
kernel-uek-firmware-4.1.12-124.31.1.1.el6uek.noarch.rpm
kernel-uek-4.1.12-124.31.1.1.el6uek.x86_64.rpm
kernel-uek-devel-4.1.12-124.31.1.1.el6uek.x86_64.rpm
kernel-uek-debug-4.1.12-124.31.1.1.el6uek.x86_64.rpm
kernel-uek-debug-devel-4.1.12-124.31.1.1.el6uek.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/kernel-uek-4.1.12-124.31.1.1.el6uek.src.rpm



Description of changes:

[4.1.12-124.31.1.1.el6uek]
- KVM: coalesced_mmio: add bounds checking (Matt Delco) [Orabug:
30318042] {CVE-2019-14821} {CVE-2019-14821}

ELSA-2019-4800 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update

Oracle Linux Security Advisory ELSA-2019-4800

http://linux.oracle.com/errata/ELSA-2019-4800.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

x86_64:
kernel-uek-doc-4.1.12-124.31.1.1.el7uek.noarch.rpm
kernel-uek-firmware-4.1.12-124.31.1.1.el7uek.noarch.rpm
kernel-uek-4.1.12-124.31.1.1.el7uek.x86_64.rpm
kernel-uek-devel-4.1.12-124.31.1.1.el7uek.x86_64.rpm
kernel-uek-debug-4.1.12-124.31.1.1.el7uek.x86_64.rpm
kernel-uek-debug-devel-4.1.12-124.31.1.1.el7uek.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.1.12-124.31.1.1.el7uek.src.rpm



Description of changes:

[4.1.12-124.31.1.1.el7uek]
- KVM: coalesced_mmio: add bounds checking (Matt Delco) [Orabug:
30318042] {CVE-2019-14821} {CVE-2019-14821}

New Ksplice updates for RHCK 7 (ELSA-2019-2829-01)

Synopsis: ELSA-2019-2829-01 can now be patched using Ksplice
CVEs: CVE-2019-14835

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2019-2829-01.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2019-2829-01.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 7 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2019-14835: Privilege escalation during live migration of guest.

A failure to check for guest creating a zero length queue in the vhost driver
can lead to a buffer overflow in the host kernel. A guest virtual machine
could use this flaw to crash the host or potentially escalate privileges when
the virtual machine is live migrated.

Orabug: 30312787

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.

New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2019-4789)

Synopsis: ELSA-2019-4789 can now be patched using Ksplice
CVEs: CVE-2018-18445 CVE-2019-14835

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2019-4789.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2019-4789.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Improved fix for Spectre v1: Bounds check bypass in Vhost ioctl.

A missing use of the indirect call protection macro in the vhost ioctl
code could lead to speculative execution. A local attacker could use
this flaw to leak information about the running system.

Orabug: 30312787


* CVE-2019-14835: Privilege escalation during live migration of guest.

A failure to check for guest creating a zero length queue in the vhost driver
can lead to a buffer overflow in the host kernel. A guest virtual machine
could use this flaw to crash the host or potentially escalate privileges when
the virtual machine is live migrated.

Orabug: 30312787

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.

New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2019-4799)

Synopsis: ELSA-2019-4799 can now be patched using Ksplice
CVEs: CVE-2019-14821

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2019-4799.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2019-4799.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2019-14821: Denial-of-service in KVM MMIO coalesced writes.

An out-of-bounds access to the coalesced MMIO ring buffer could result
in a kernel crash. A malicious guest could use this flaw to crash the
hypervisor or potentially, escalate privileges.

Orabug: 30318013

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.