The following updates has been released for Oracle Linux:
ELBA-2018-2406 Oracle Linux 6 sos bug fix update
ELBA-2018-2407 Oracle Linux 6 389-ds-base bug fix update
ELSA-2018-2384 Important: Oracle Linux 7 kernel security and bug fix update
ELSA-2018-2390 Important: Oracle Linux 6 kernel security and bug fix update
ELSA-2018-4195 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
ELSA-2018-4195 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update (aarch64)
ELSA-2018-4196 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update
ELSA-2018-4196 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2018-4196)
ELBA-2018-2406 Oracle Linux 6 sos bug fix update
ELBA-2018-2407 Oracle Linux 6 389-ds-base bug fix update
ELSA-2018-2384 Important: Oracle Linux 7 kernel security and bug fix update
ELSA-2018-2390 Important: Oracle Linux 6 kernel security and bug fix update
ELSA-2018-4195 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
ELSA-2018-4195 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update (aarch64)
ELSA-2018-4196 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update
ELSA-2018-4196 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2018-4196)
ELBA-2018-2406 Oracle Linux 6 sos bug fix update
Oracle Linux Bug Fix Advisory ELBA-2018-2406
http://linux.oracle.com/errata/ELBA-2018-2406.html
The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:
i386:
sos-3.2-63.0.1.el6_10.2.noarch.rpm
x86_64:
sos-3.2-63.0.1.el6_10.2.noarch.rpm
SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/sos-3.2-63.0.1.el6_10.2.src.rpm
Description of changes:
[3.2-63.0.1]
- Add vendor, vendor URL info for Oracle Linux [orabug 17656507]
(joe.jin@oracle.com)
- Direct traceroute to linux.oracle.com (John Haxby) [orabug 11713272]
(joe.jin@oracle.com)
- Check oraclelinux-release instead of redhat-release to get OS version
(John Haxby) [bug 11681869] (joe.jin@oracle.com)
- Remove RH ftp URL and support email (joe.jin@oracle.com)
- add sos-oracle-enterprise.patch (joe.jin@oracle.com)
- Add smartmon plugin (John Haxby) [orabug 17995005] (joe.jin@oracle.com)
[= 3.2-63.2]
[rhui] Fix detection of CDS for RHUI3]
Resolves: bz1596496
[= 3.2-63.1]
[archive] Force decoding if content is bytes]
[reporting] deal with UTF-8 characters
Resolves: bz1599234
ELBA-2018-2407 Oracle Linux 6 389-ds-base bug fix update
Oracle Linux Bug Fix Advisory ELBA-2018-2407
http://linux.oracle.com/errata/ELBA-2018-2407.html
The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:
i386:
389-ds-base-1.2.11.15-97.el6_10.i686.rpm
389-ds-base-devel-1.2.11.15-97.el6_10.i686.rpm
389-ds-base-libs-1.2.11.15-97.el6_10.i686.rpm
x86_64:
389-ds-base-1.2.11.15-97.el6_10.x86_64.rpm
389-ds-base-devel-1.2.11.15-97.el6_10.i686.rpm
389-ds-base-devel-1.2.11.15-97.el6_10.x86_64.rpm
389-ds-base-libs-1.2.11.15-97.el6_10.i686.rpm
389-ds-base-libs-1.2.11.15-97.el6_10.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/389-ds-base-1.2.11.15-97.el6_10.src.rpm
Description of changes:
[1.2.11.15-97]
- Bump version to 1.2.11.15-97
- Resolves: Bug 1563539 - acl_copyEval_context double free (fix spec
file patch)
[1.2.11.15-96]
- Bump version to 1.2.11.15-96
- Resolves: Bug 1563539 - acl_copyEval_context double free
ELSA-2018-2384 Important: Oracle Linux 7 kernel security and bug fix update
Oracle Linux Security Advisory ELSA-2018-2384
http://linux.oracle.com/errata/ELSA-2018-2384.html
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
x86_64:
kernel-3.10.0-862.11.6.el7.x86_64.rpm
kernel-abi-whitelists-3.10.0-862.11.6.el7.noarch.rpm
kernel-debug-3.10.0-862.11.6.el7.x86_64.rpm
kernel-debug-devel-3.10.0-862.11.6.el7.x86_64.rpm
kernel-devel-3.10.0-862.11.6.el7.x86_64.rpm
kernel-doc-3.10.0-862.11.6.el7.noarch.rpm
kernel-headers-3.10.0-862.11.6.el7.x86_64.rpm
kernel-tools-3.10.0-862.11.6.el7.x86_64.rpm
kernel-tools-libs-3.10.0-862.11.6.el7.x86_64.rpm
kernel-tools-libs-devel-3.10.0-862.11.6.el7.x86_64.rpm
perf-3.10.0-862.11.6.el7.x86_64.rpm
python-perf-3.10.0-862.11.6.el7.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-3.10.0-862.11.6.el7.src.rpm
Description of changes:
[3.10.0-862.11.6.el7.OL7]
- Oracle Linux certificates (Alexey Petrenko)
- Oracle Linux RHCK Module Signing Key was compiled into kernel
(olkmod_signing_key.x509)(alexey.petrenko@oracle.com)
- Update x509.genkey [bug 24817676]
ELSA-2018-2390 Important: Oracle Linux 6 kernel security and bug fix update
Oracle Linux Security Advisory ELSA-2018-2390
http://linux.oracle.com/errata/ELSA-2018-2390.html
The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:
i386:
kernel-2.6.32-754.3.5.el6.i686.rpm
kernel-abi-whitelists-2.6.32-754.3.5.el6.noarch.rpm
kernel-debug-2.6.32-754.3.5.el6.i686.rpm
kernel-debug-devel-2.6.32-754.3.5.el6.i686.rpm
kernel-devel-2.6.32-754.3.5.el6.i686.rpm
kernel-doc-2.6.32-754.3.5.el6.noarch.rpm
kernel-firmware-2.6.32-754.3.5.el6.noarch.rpm
kernel-headers-2.6.32-754.3.5.el6.i686.rpm
perf-2.6.32-754.3.5.el6.i686.rpm
python-perf-2.6.32-754.3.5.el6.i686.rpm
x86_64:
kernel-2.6.32-754.3.5.el6.x86_64.rpm
kernel-abi-whitelists-2.6.32-754.3.5.el6.noarch.rpm
kernel-debug-2.6.32-754.3.5.el6.x86_64.rpm
kernel-debug-devel-2.6.32-754.3.5.el6.i686.rpm
kernel-debug-devel-2.6.32-754.3.5.el6.x86_64.rpm
kernel-devel-2.6.32-754.3.5.el6.x86_64.rpm
kernel-doc-2.6.32-754.3.5.el6.noarch.rpm
kernel-firmware-2.6.32-754.3.5.el6.noarch.rpm
kernel-headers-2.6.32-754.3.5.el6.x86_64.rpm
perf-2.6.32-754.3.5.el6.x86_64.rpm
python-perf-2.6.32-754.3.5.el6.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/kernel-2.6.32-754.3.5.el6.src.rpm
Description of changes:
[2.6.32-754.3.5.el6.OL6]
- Update genkey [bug 25599697]
ELSA-2018-4195 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
Oracle Linux Security Advisory ELSA-2018-4195
http://linux.oracle.com/errata/ELSA-2018-4195.html
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
x86_64:
kernel-uek-4.14.35-1818.1.6.el7uek.x86_64.rpm
kernel-uek-debug-4.14.35-1818.1.6.el7uek.x86_64.rpm
kernel-uek-debug-devel-4.14.35-1818.1.6.el7uek.x86_64.rpm
kernel-uek-devel-4.14.35-1818.1.6.el7uek.x86_64.rpm
kernel-uek-tools-4.14.35-1818.1.6.el7uek.x86_64.rpm
kernel-uek-doc-4.14.35-1818.1.6.el7uek.noarch.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.14.35-1818.1.6.el7uek.src.rpm
Description of changes:
[4.14.35-1818.1.6.el7uek]
- ipv4: frags: handle possible skb truesize change (Eric Dumazet)
[Orabug: 28481663] {CVE-2018-5391}
ELSA-2018-4195 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update (aarch64)
Oracle Linux Security Advisory ELSA-2018-4195
http://linux.oracle.com/errata/ELSA-2018-4195.html
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
aarch64:
kernel-uek-4.14.35-1818.1.6.el7uek.aarch64.rpm
kernel-uek-debug-4.14.35-1818.1.6.el7uek.aarch64.rpm
kernel-uek-debug-devel-4.14.35-1818.1.6.el7uek.aarch64.rpm
kernel-uek-devel-4.14.35-1818.1.6.el7uek.aarch64.rpm
kernel-uek-tools-4.14.35-1818.1.6.el7uek.aarch64.rpm
kernel-uek-headers-4.14.35-1818.1.6.el7uek.aarch64.rpm
kernel-uek-tools-libs-4.14.35-1818.1.6.el7uek.aarch64.rpm
kernel-uek-tools-libs-devel-4.14.35-1818.1.6.el7uek.aarch64.rpm
perf-4.14.35-1818.1.6.el7uek.aarch64.rpm
python-perf-4.14.35-1818.1.6.el7uek.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.14.35-1818.1.6.el7uek.src.rpm
Description of changes:
[4.14.35-1818.1.6.el7uek]
- ipv4: frags: handle possible skb truesize change (Eric Dumazet)
[Orabug: 28481663] {CVE-2018-5391}
ELSA-2018-4196 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update
Oracle Linux Security Advisory ELSA-2018-4196
http://linux.oracle.com/errata/ELSA-2018-4196.html
The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:
x86_64:
kernel-uek-doc-4.1.12-124.18.5.el6uek.noarch.rpm
kernel-uek-firmware-4.1.12-124.18.5.el6uek.noarch.rpm
kernel-uek-4.1.12-124.18.5.el6uek.x86_64.rpm
kernel-uek-devel-4.1.12-124.18.5.el6uek.x86_64.rpm
kernel-uek-debug-4.1.12-124.18.5.el6uek.x86_64.rpm
kernel-uek-debug-devel-4.1.12-124.18.5.el6uek.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/kernel-uek-4.1.12-124.18.5.el6uek.src.rpm
Description of changes:
[4.1.12-124.18.5.el6uek]
- inet: frag: enforce memory limits earlier (Eric Dumazet) [Orabug:
28450977]
- x86/mm/pageattr.c: fix page prot mask (Mihai Carabas) [Orabug: 28492122]
- x86/pgtable.h: fix PMD/PUD mask (Mihai Carabas) [Orabug: 28492122]
- x86/asm: Add pud/pmd mask interfaces to handle large PAT bit (Toshi
Kani) [Orabug: 28492122]
ELSA-2018-4196 Important: Oracle Linux 7 Unbreakable Enterprise kernel security update
Oracle Linux Security Advisory ELSA-2018-4196
http://linux.oracle.com/errata/ELSA-2018-4196.html
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
x86_64:
kernel-uek-doc-4.1.12-124.18.5.el7uek.noarch.rpm
kernel-uek-firmware-4.1.12-124.18.5.el7uek.noarch.rpm
kernel-uek-4.1.12-124.18.5.el7uek.x86_64.rpm
kernel-uek-devel-4.1.12-124.18.5.el7uek.x86_64.rpm
kernel-uek-debug-4.1.12-124.18.5.el7uek.x86_64.rpm
kernel-uek-debug-devel-4.1.12-124.18.5.el7uek.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/kernel-uek-4.1.12-124.18.5.el7uek.src.rpm
Description of changes:
[4.1.12-124.18.5.el7uek]
- inet: frag: enforce memory limits earlier (Eric Dumazet) [Orabug:
28450977]
- x86/mm/pageattr.c: fix page prot mask (Mihai Carabas) [Orabug: 28492122]
- x86/pgtable.h: fix PMD/PUD mask (Mihai Carabas) [Orabug: 28492122]
- x86/asm: Add pud/pmd mask interfaces to handle large PAT bit (Toshi
Kani) [Orabug: 28492122]
New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2018-4196)
Synopsis: ELSA-2018-4196 can now be patched using Ksplice
CVEs: CVE-2017-18344 CVE-2018-3620 CVE-2018-3646 CVE-2018-5391
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4196.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
Note: CVE-2018-3620, CVE-2018-3646 mitigations are available on
4.1.12-112.14.5 and later as these build upon the January Spectre and Meltdown
mitigations. Users running kernels before 4.1.12-112.14.5 are advised to
reboot into an updated kernel.
DESCRIPTION
* CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.
A flaw in terminal fault handling on Intel CPUs could result in
information leaks across privilege boundaries including between
processes on a system or between virtual machines.
Mitigations for these CVEs include disabling SMT (HyperThreading) on
affected Intel CPUs, extra L1 data cache flushing when running virtual
machines when EPT is supported. Both of these mitigations have workload
dependent performance implications and can be tuned by the
administrator. This update will immediately enable L1 data cache
flushes on Intel CPUs if KVM is in use. Where untrusted guests are in
use it is recommended to disable SMT.
SMT disable:
/sys/devices/system/cpu/smt/control: write "on" to enable SMT, "off" to
disable SMT. Default: on.
L1D flushing:
/sys/module/kvm_intel/parameters/vmentry_l1d_flush, write:
- "never": disable L1D flushing, leaving CVE-2018-3620 unmitigated but
no noticeable performance impact
- "cond": flush only in high risk transfers, mitigates CVE-2018-3620
with the minimum number of flushes
- "always": flush on every VM entry, fully mitigates CVE-2018-3620
with the most overhead.
Default: "always"
* CVE-2018-5391: Remote denial-of-service in IP fragment handling.
A malicious remote user can use a flaw in IP fragment handling to starve
IP processing on the system causing loss of connectivity.
Orabug: 28450977
* CVE-2017-18344: Information disclosure in POSIX timers.
Incorrect validation of POSIX timers could allow a local, unprivileged
user to leak the contents of arbitrary memory through /proc/$PID/timers.
Orabug: 28481412
SUPPORT
Ksplice support is available at ksplice-support_ww@oracle.com.