RHSA-2015:1565

Affecting kernel-rt-trace package, versions centos:7: <0:3.10.0-229.11.1.rt56.141.11.el7_1

medium severity
Do your applications use this vulnerable package? Test your applications

Overview

The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. * An integer overflow flaw was found in the way the Linux kernel's netfilter connection tracking implementation loaded extensions. An attacker on a local network could potentially send a sequence of specially crafted packets that would initiate the loading of a large number of extensions, causing the targeted system in that network to crash. (CVE-2014-9715, Moderate) * A stack-based buffer overflow flaw was found in the Linux kernel's early load microcode functionality. On a system with UEFI Secure Boot enabled, a local, privileged user could use this flaw to increase their privileges to the kernel (ring0) level, bypassing intended restrictions in place. (CVE-2015-2666, Moderate) * It was found that the Linux kernel's ping socket implementation did not properly handle socket unhashing during spurious disconnects, which could lead to a use-after-free flaw. On x86-64 architecture systems, a local user able to create ping sockets could use this flaw to crash the system. On non-x86-64 architecture systems, a local user able to create ping sockets could use this flaw to escalate their privileges on the system. (CVE-2015-3636, Moderate) * It was found that the Linux kernel's TCP/IP protocol suite implementation for IPv6 allowed the Hop Limit value to be set to a smaller value than the default one. An attacker on a local network could use this flaw to prevent systems on that network from sending or receiving network packets. (CVE-2015-2922, Low) Red Hat would like to thank Nathan Hoad for reporting the CVE-2014-9715 issue. The kernel-rt packages have been upgraded to version 3.10.0-229.11.1, which provides a number of bug fixes and enhancements over the previous version, including: * drbg: Add stdrng alias and increase priority * seqiv / eseqiv / chainiv: Move IV seeding into init function * ipv4: kABI fix for 0bbf87d backport * ipv4: Convert ipv4.ip_local_port_range to be per netns * libceph: tcp_nodelay support * ipr: Increase default adapter init stage change timeout * fix use-after-free bug in usb_hcd_unlink_urb() * libceph: fix double _remove_osd() problem * ext4: fix data corruption caused by unwritten and delayed extents * sunrpc: Add missing support for RPC_CLNT_CREATE_NO_RETRANS_TIMEOUT * nfs: Fixing lease renewal (Benjamin Coddington) * control hard lockup detection default * Fix print-once on enable * watchdog: update watchdog_thresh properly and watchdog attributes atomically * module: Call module notifier on failure after complete_formation() (BZ#1234470) This update also fixes the following bugs: * The megasas driver used the smp_processor_id() function within a preemptible context, which caused warning messages to be returned to the console. The function has been changed to raw_smp_processor_id() so that a lock is held while getting the processor ID. As a result, correct operations are now allowed without any console warnings being produced. (BZ#1235304) * In the NFSv4 file system, non-standard usage of the write_seqcount{begin,end}() functions were used, which caused the realtime code to try to sleep while locks were held. As a consequence, the "scheduling while atomic" error messages were returned. The underlying source code has been modified to use the _write_seqcount{begin,end}() functions that do not hold any locks, allowing correct execution of realtime. (BZ#1235301) All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.

CVE
RHSA-2015:1565
Snyk ID
SNYK-LINUX-KERNELRTTRACE-149151
Published
27 Jun, 2018