ID

VAR-201809-1153

CVE

CVE-2018-5391

TITLE

Linux kernel IP fragment re-assembly vulnerable to denial of service

DESCRIPTION

The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size. Service disruption as a result (DoS) There is a possibility of being attacked. Linux Kernel is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition. (BZ#1625330) 4. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: kernel security, bug fix, and enhancement update Advisory ID: RHSA-2018:3083-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:3083 Issue date: 2018-10-30 CVE Names: CVE-2015-8830 CVE-2016-4913 CVE-2017-0861 CVE-2017-10661 CVE-2017-17805 CVE-2017-18208 CVE-2017-18232 CVE-2017-18344 CVE-2018-1092 CVE-2018-1094 CVE-2018-1118 CVE-2018-1120 CVE-2018-1130 CVE-2018-5344 CVE-2018-5391 CVE-2018-5803 CVE-2018-5848 CVE-2018-7740 CVE-2018-7757 CVE-2018-8781 CVE-2018-10322 CVE-2018-10878 CVE-2018-10879 CVE-2018-10881 CVE-2018-10883 CVE-2018-10902 CVE-2018-10940 CVE-2018-13405 CVE-2018-1000026 ==================================================================== 1. Summary: An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - noarch, ppc64le, s390x Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - ppc64le 3. Description: The kernel packages contain the Linux kernel, the core of any Linux operating system. Security Fix(es): * A flaw named FragmentSmack was found in the way the Linux kernel handled reassembly of fragmented IPv4 and IPv6 packets. (CVE-2018-5391) * kernel: out-of-bounds access in the show_timer function in kernel/time/posix-timers.c (CVE-2017-18344) * kernel: Integer overflow in udl_fb_mmap() can allow attackers to execute code in kernel space (CVE-2018-8781) * kernel: MIDI driver race condition leads to a double-free (CVE-2018-10902) * kernel: Missing check in inode_init_owner() does not clear SGID bit on non-directories for non-members (CVE-2018-13405) * kernel: AIO write triggers integer overflow in some protocols (CVE-2015-8830) * kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation (CVE-2017-0861) * kernel: Handling of might_cancel queueing is not properly pretected against race (CVE-2017-10661) * kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial of service (CVE-2017-17805) * kernel: Inifinite loop vulnerability in madvise_willneed() function allows local denial of service (CVE-2017-18208) * kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service (CVE-2018-1120) * kernel: a null pointer dereference in dccp_write_xmit() leads to a system crash (CVE-2018-1130) * kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial of service (CVE-2018-5344) * kernel: Missing length check of payload in _sctp_make_chunk() function allows denial of service (CVE-2018-5803) * kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption (CVE-2018-5848) * kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image (CVE-2018-10878) * kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet (CVE-2018-1000026) * kernel: Information leak when handling NM entries containing NUL (CVE-2016-4913) * kernel: Mishandling mutex within libsas allowing local Denial of Service (CVE-2017-18232) * kernel: NULL pointer dereference in ext4_process_freed_data() when mounting crafted ext4 image (CVE-2018-1092) * kernel: NULL pointer dereference in ext4_xattr_inode_hash() causes crash with crafted ext4 image (CVE-2018-1094) * kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() (CVE-2018-1118) * kernel: Denial of service in resv_map_release function in mm/hugetlb.c (CVE-2018-7740) * kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c (CVE-2018-7757) * kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service (CVE-2018-10322) * kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file (CVE-2018-10879) * kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image (CVE-2018-10881) * kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function (CVE-2018-10883) * kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c (CVE-2018-10940) Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391; Trend Micro Zero Day Initiative for reporting CVE-2018-10902; Qualys Research Labs for reporting CVE-2018-1120; Evgenii Shatokhin (Virtuozzo Team) for reporting CVE-2018-1130; and Wen Xu for reporting CVE-2018-1092 and CVE-2018-1094. 4. Solution: For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section. For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 The system must be rebooted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1314275 - CVE-2015-8830 kernel: AIO write triggers integer overflow in some protocols 1322930 - [RFE] Allow xfs to modify labels on mounted filesystem 1337528 - CVE-2016-4913 kernel: Information leak when handling NM entries containing NUL 1481136 - CVE-2017-10661 kernel: Handling of might_cancel queueing is not properly pretected against race 1488484 - GRE: IFLA_MTU ignored on NEWLINK 1504058 - kernel panic with nfsd while removing locks on file close 1507027 - [ESXi][RHEL7.6]x86/vmware: Add paravirt sched clock 1528312 - CVE-2017-17805 kernel: Salsa20 encryption algorithm does not correctly handle zero-length inputs allowing local attackers to cause denial-of-service 1533909 - CVE-2018-5344 kernel: drivers/block/loop.c mishandles lo_release serialization allowing denial-of-service 1541846 - CVE-2018-1000026 kernel: Improper validation in bnx2x network card driver can allow for denial of service attacks via crafted packet 1542494 - VMs with NVMe devices passed through sometimes fail to be launched 1551051 - CVE-2018-5803 kernel: Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp_make_chunk() function allows denial of service 1551565 - CVE-2017-18208 kernel: Inifinite loop vulnerability in mm/madvise.c:madvise_willneed() function allows local denial of service 1552867 - CVE-2018-7740 kernel: Denial of service in resv_map_release function in mm/hugetlb.c 1553361 - CVE-2018-7757 kernel: Memory leak in the sas_smp_get_phy_events function in drivers/scsi/libsas/sas_expander.c 1557434 - bio too big device md0 (1024 > 256) 1557599 - [RFE] Rebase ipset (kernel) to latest upstream 1558066 - CVE-2017-18232 kernel: Mishandling mutex within libsas allowing local Denial of Service 1558328 - Kernel data path test with OVS 2.9 + DPDK 17.11 fails with low throughput 1560777 - CVE-2018-1092 kernel: NULL pointer dereference in ext4/mballoc.c:ext4_process_freed_data() when mounting crafted ext4 image 1560788 - CVE-2018-1094 kernel: NULL pointer dereference in ext4/xattr.c:ext4_xattr_inode_hash() causes crash with crafted ext4 image 1561162 - [RHEL7.5] Extreme performance impact caused by raid resync 1563697 - Triming on full pool can trigger 'dm_pool_alloc_data_block' failed: error = -28 1563994 - CVE-2017-0861 kernel: Use-after-free in snd_pcm_info function in ALSA subsystem potentially leads to privilege escalation 1564186 - XFS may block endlessly in xlog_wait() on IO error 1568167 - crypto aesni-intel aes(gcm) is broken for IPsec 1571062 - CVE-2018-8781 kernel: Integer overflow in drivers/gpu/drm/udl/udl_fb.c:udl_fb_mmap() can allow attackers to execute code in kernel space 1571623 - CVE-2018-10322 kernel: Invalid pointer dereference in xfs_ilock_attr_map_shared() when mounting crafted xfs image allowing denial of service 1572983 - conntrack doesn't track packets in specific network namespace if those packets were processed by CT --notrack target in other network namespace 1573699 - CVE-2018-1118 kernel: vhost: Information disclosure in vhost/vhost.c:vhost_new_msg() 1575472 - CVE-2018-1120 kernel: fuse-backed file mmap-ed onto process cmdline arguments causes denial of service 1576419 - CVE-2018-1130 kernel: a null pointer dereference in net/dccp/output.c:dccp_write_xmit() leads to a system crash 1577408 - CVE-2018-10940 kernel: incorrect memory bounds check in drivers/cdrom/cdrom.c 1584775 - VMs hung after migration 1590720 - CVE-2018-10902 kernel: MIDI driver race condition leads to a double-free 1590799 - CVE-2018-5848 kernel: buffer overflow in drivers/net/wireless/ath/wil6210/wmi.c:wmi_set_ie() may lead to memory corruption 1592654 - [NVMe Device Assignment] Guest reboot failed from the NVMe assigned which os installed on 1596802 - CVE-2018-10878 kernel: out-of-bound write in ext4_init_block_bitmap function with a crafted ext4 image 1596806 - CVE-2018-10879 kernel: use-after-free detected in ext4_xattr_set_entry with a crafted file 1596828 - CVE-2018-10881 kernel: out-of-bound access in ext4_get_group_info() when mounting and operating a crafted ext4 image 1596846 - CVE-2018-10883 kernel: stack-out-of-bounds write in jbd2_journal_dirty_metadata function 1599161 - CVE-2018-13405 kernel: Missing check in fs/inode.c:inode_init_owner() does not clear SGID bit on non-directories for non-members 1609664 - CVE-2018-5391 kernel: IP fragments with random offsets allow a remote denial of service (FragmentSmack) 1609717 - [unwinder] CPU spins indefinitely in __save_stack_trace() call chain 1610958 - CVE-2017-18344 kernel: out-of-bounds access in the show_timer function in kernel/time/posix-timers.c 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: kernel-3.10.0-957.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-957.el7.noarch.rpm kernel-doc-3.10.0-957.el7.noarch.rpm x86_64: bpftool-3.10.0-957.el7.x86_64.rpm kernel-3.10.0-957.el7.x86_64.rpm kernel-debug-3.10.0-957.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debug-devel-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-957.el7.x86_64.rpm kernel-devel-3.10.0-957.el7.x86_64.rpm kernel-headers-3.10.0-957.el7.x86_64.rpm kernel-tools-3.10.0-957.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-tools-libs-3.10.0-957.el7.x86_64.rpm perf-3.10.0-957.el7.x86_64.rpm perf-debuginfo-3.10.0-957.el7.x86_64.rpm python-perf-3.10.0-957.el7.x86_64.rpm python-perf-debuginfo-3.10.0-957.el7.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: kernel-debug-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-957.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-957.el7.x86_64.rpm perf-debuginfo-3.10.0-957.el7.x86_64.rpm python-perf-debuginfo-3.10.0-957.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: kernel-3.10.0-957.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-957.el7.noarch.rpm kernel-doc-3.10.0-957.el7.noarch.rpm x86_64: bpftool-3.10.0-957.el7.x86_64.rpm kernel-3.10.0-957.el7.x86_64.rpm kernel-debug-3.10.0-957.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debug-devel-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-957.el7.x86_64.rpm kernel-devel-3.10.0-957.el7.x86_64.rpm kernel-headers-3.10.0-957.el7.x86_64.rpm kernel-tools-3.10.0-957.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-tools-libs-3.10.0-957.el7.x86_64.rpm perf-3.10.0-957.el7.x86_64.rpm perf-debuginfo-3.10.0-957.el7.x86_64.rpm python-perf-3.10.0-957.el7.x86_64.rpm python-perf-debuginfo-3.10.0-957.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: kernel-debug-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-957.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-957.el7.x86_64.rpm perf-debuginfo-3.10.0-957.el7.x86_64.rpm python-perf-debuginfo-3.10.0-957.el7.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: kernel-3.10.0-957.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-957.el7.noarch.rpm kernel-doc-3.10.0-957.el7.noarch.rpm ppc64: kernel-3.10.0-957.el7.ppc64.rpm kernel-bootwrapper-3.10.0-957.el7.ppc64.rpm kernel-debug-3.10.0-957.el7.ppc64.rpm kernel-debug-debuginfo-3.10.0-957.el7.ppc64.rpm kernel-debug-devel-3.10.0-957.el7.ppc64.rpm kernel-debuginfo-3.10.0-957.el7.ppc64.rpm kernel-debuginfo-common-ppc64-3.10.0-957.el7.ppc64.rpm kernel-devel-3.10.0-957.el7.ppc64.rpm kernel-headers-3.10.0-957.el7.ppc64.rpm kernel-tools-3.10.0-957.el7.ppc64.rpm kernel-tools-debuginfo-3.10.0-957.el7.ppc64.rpm kernel-tools-libs-3.10.0-957.el7.ppc64.rpm perf-3.10.0-957.el7.ppc64.rpm perf-debuginfo-3.10.0-957.el7.ppc64.rpm python-perf-3.10.0-957.el7.ppc64.rpm python-perf-debuginfo-3.10.0-957.el7.ppc64.rpm ppc64le: kernel-3.10.0-957.el7.ppc64le.rpm kernel-bootwrapper-3.10.0-957.el7.ppc64le.rpm kernel-debug-3.10.0-957.el7.ppc64le.rpm kernel-debug-debuginfo-3.10.0-957.el7.ppc64le.rpm kernel-debuginfo-3.10.0-957.el7.ppc64le.rpm kernel-debuginfo-common-ppc64le-3.10.0-957.el7.ppc64le.rpm kernel-devel-3.10.0-957.el7.ppc64le.rpm kernel-headers-3.10.0-957.el7.ppc64le.rpm kernel-tools-3.10.0-957.el7.ppc64le.rpm kernel-tools-debuginfo-3.10.0-957.el7.ppc64le.rpm kernel-tools-libs-3.10.0-957.el7.ppc64le.rpm perf-3.10.0-957.el7.ppc64le.rpm perf-debuginfo-3.10.0-957.el7.ppc64le.rpm python-perf-3.10.0-957.el7.ppc64le.rpm python-perf-debuginfo-3.10.0-957.el7.ppc64le.rpm s390x: kernel-3.10.0-957.el7.s390x.rpm kernel-debug-3.10.0-957.el7.s390x.rpm kernel-debug-debuginfo-3.10.0-957.el7.s390x.rpm kernel-debug-devel-3.10.0-957.el7.s390x.rpm kernel-debuginfo-3.10.0-957.el7.s390x.rpm kernel-debuginfo-common-s390x-3.10.0-957.el7.s390x.rpm kernel-devel-3.10.0-957.el7.s390x.rpm kernel-headers-3.10.0-957.el7.s390x.rpm kernel-kdump-3.10.0-957.el7.s390x.rpm kernel-kdump-debuginfo-3.10.0-957.el7.s390x.rpm kernel-kdump-devel-3.10.0-957.el7.s390x.rpm perf-3.10.0-957.el7.s390x.rpm perf-debuginfo-3.10.0-957.el7.s390x.rpm python-perf-3.10.0-957.el7.s390x.rpm python-perf-debuginfo-3.10.0-957.el7.s390x.rpm x86_64: bpftool-3.10.0-957.el7.x86_64.rpm kernel-3.10.0-957.el7.x86_64.rpm kernel-debug-3.10.0-957.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debug-devel-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-957.el7.x86_64.rpm kernel-devel-3.10.0-957.el7.x86_64.rpm kernel-headers-3.10.0-957.el7.x86_64.rpm kernel-tools-3.10.0-957.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-tools-libs-3.10.0-957.el7.x86_64.rpm perf-3.10.0-957.el7.x86_64.rpm perf-debuginfo-3.10.0-957.el7.x86_64.rpm python-perf-3.10.0-957.el7.x86_64.rpm python-perf-debuginfo-3.10.0-957.el7.x86_64.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7): noarch: kernel-abi-whitelists-3.10.0-957.el7.noarch.rpm kernel-doc-3.10.0-957.el7.noarch.rpm ppc64le: kernel-3.10.0-957.el7.ppc64le.rpm kernel-bootwrapper-3.10.0-957.el7.ppc64le.rpm kernel-debug-3.10.0-957.el7.ppc64le.rpm kernel-debug-debuginfo-3.10.0-957.el7.ppc64le.rpm kernel-debuginfo-3.10.0-957.el7.ppc64le.rpm kernel-debuginfo-common-ppc64le-3.10.0-957.el7.ppc64le.rpm kernel-devel-3.10.0-957.el7.ppc64le.rpm kernel-headers-3.10.0-957.el7.ppc64le.rpm kernel-tools-3.10.0-957.el7.ppc64le.rpm kernel-tools-debuginfo-3.10.0-957.el7.ppc64le.rpm kernel-tools-libs-3.10.0-957.el7.ppc64le.rpm perf-3.10.0-957.el7.ppc64le.rpm perf-debuginfo-3.10.0-957.el7.ppc64le.rpm python-perf-3.10.0-957.el7.ppc64le.rpm python-perf-debuginfo-3.10.0-957.el7.ppc64le.rpm s390x: kernel-3.10.0-957.el7.s390x.rpm kernel-debug-3.10.0-957.el7.s390x.rpm kernel-debug-debuginfo-3.10.0-957.el7.s390x.rpm kernel-debug-devel-3.10.0-957.el7.s390x.rpm kernel-debuginfo-3.10.0-957.el7.s390x.rpm kernel-debuginfo-common-s390x-3.10.0-957.el7.s390x.rpm kernel-devel-3.10.0-957.el7.s390x.rpm kernel-headers-3.10.0-957.el7.s390x.rpm kernel-kdump-3.10.0-957.el7.s390x.rpm kernel-kdump-debuginfo-3.10.0-957.el7.s390x.rpm kernel-kdump-devel-3.10.0-957.el7.s390x.rpm perf-3.10.0-957.el7.s390x.rpm perf-debuginfo-3.10.0-957.el7.s390x.rpm python-perf-3.10.0-957.el7.s390x.rpm python-perf-debuginfo-3.10.0-957.el7.s390x.rpm Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7): ppc64le: kernel-debug-debuginfo-3.10.0-957.el7.ppc64le.rpm kernel-debug-devel-3.10.0-957.el7.ppc64le.rpm kernel-debuginfo-3.10.0-957.el7.ppc64le.rpm kernel-debuginfo-common-ppc64le-3.10.0-957.el7.ppc64le.rpm kernel-tools-debuginfo-3.10.0-957.el7.ppc64le.rpm kernel-tools-libs-devel-3.10.0-957.el7.ppc64le.rpm perf-debuginfo-3.10.0-957.el7.ppc64le.rpm python-perf-debuginfo-3.10.0-957.el7.ppc64le.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: kernel-debug-debuginfo-3.10.0-957.el7.ppc64.rpm kernel-debuginfo-3.10.0-957.el7.ppc64.rpm kernel-debuginfo-common-ppc64-3.10.0-957.el7.ppc64.rpm kernel-tools-debuginfo-3.10.0-957.el7.ppc64.rpm kernel-tools-libs-devel-3.10.0-957.el7.ppc64.rpm perf-debuginfo-3.10.0-957.el7.ppc64.rpm python-perf-debuginfo-3.10.0-957.el7.ppc64.rpm ppc64le: kernel-debug-debuginfo-3.10.0-957.el7.ppc64le.rpm kernel-debug-devel-3.10.0-957.el7.ppc64le.rpm kernel-debuginfo-3.10.0-957.el7.ppc64le.rpm kernel-debuginfo-common-ppc64le-3.10.0-957.el7.ppc64le.rpm kernel-tools-debuginfo-3.10.0-957.el7.ppc64le.rpm kernel-tools-libs-devel-3.10.0-957.el7.ppc64le.rpm perf-debuginfo-3.10.0-957.el7.ppc64le.rpm python-perf-debuginfo-3.10.0-957.el7.ppc64le.rpm x86_64: kernel-debug-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-957.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-957.el7.x86_64.rpm perf-debuginfo-3.10.0-957.el7.x86_64.rpm python-perf-debuginfo-3.10.0-957.el7.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: kernel-3.10.0-957.el7.src.rpm noarch: kernel-abi-whitelists-3.10.0-957.el7.noarch.rpm kernel-doc-3.10.0-957.el7.noarch.rpm x86_64: bpftool-3.10.0-957.el7.x86_64.rpm kernel-3.10.0-957.el7.x86_64.rpm kernel-debug-3.10.0-957.el7.x86_64.rpm kernel-debug-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debug-devel-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-957.el7.x86_64.rpm kernel-devel-3.10.0-957.el7.x86_64.rpm kernel-headers-3.10.0-957.el7.x86_64.rpm kernel-tools-3.10.0-957.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-tools-libs-3.10.0-957.el7.x86_64.rpm perf-3.10.0-957.el7.x86_64.rpm perf-debuginfo-3.10.0-957.el7.x86_64.rpm python-perf-3.10.0-957.el7.x86_64.rpm python-perf-debuginfo-3.10.0-957.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: kernel-debug-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-debuginfo-common-x86_64-3.10.0-957.el7.x86_64.rpm kernel-tools-debuginfo-3.10.0-957.el7.x86_64.rpm kernel-tools-libs-devel-3.10.0-957.el7.x86_64.rpm perf-debuginfo-3.10.0-957.el7.x86_64.rpm python-perf-debuginfo-3.10.0-957.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2015-8830 https://access.redhat.com/security/cve/CVE-2016-4913 https://access.redhat.com/security/cve/CVE-2017-0861 https://access.redhat.com/security/cve/CVE-2017-10661 https://access.redhat.com/security/cve/CVE-2017-17805 https://access.redhat.com/security/cve/CVE-2017-18208 https://access.redhat.com/security/cve/CVE-2017-18232 https://access.redhat.com/security/cve/CVE-2017-18344 https://access.redhat.com/security/cve/CVE-2018-1092 https://access.redhat.com/security/cve/CVE-2018-1094 https://access.redhat.com/security/cve/CVE-2018-1118 https://access.redhat.com/security/cve/CVE-2018-1120 https://access.redhat.com/security/cve/CVE-2018-1130 https://access.redhat.com/security/cve/CVE-2018-5344 https://access.redhat.com/security/cve/CVE-2018-5391 https://access.redhat.com/security/cve/CVE-2018-5803 https://access.redhat.com/security/cve/CVE-2018-5848 https://access.redhat.com/security/cve/CVE-2018-7740 https://access.redhat.com/security/cve/CVE-2018-7757 https://access.redhat.com/security/cve/CVE-2018-8781 https://access.redhat.com/security/cve/CVE-2018-10322 https://access.redhat.com/security/cve/CVE-2018-10878 https://access.redhat.com/security/cve/CVE-2018-10879 https://access.redhat.com/security/cve/CVE-2018-10881 https://access.redhat.com/security/cve/CVE-2018-10883 https://access.redhat.com/security/cve/CVE-2018-10902 https://access.redhat.com/security/cve/CVE-2018-10940 https://access.redhat.com/security/cve/CVE-2018-13405 https://access.redhat.com/security/cve/CVE-2018-1000026 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/articles/3553061 https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/index 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW9gSCNzjgjWX9erEAQgpqw/8DyLe13g3SkrL6Mem7I/zcrJkZ3n8FB++ q4ewa71pzsPl5pZHDVPF0696m9WsMlaRDtnJGtKBxBmpUbjKTnMqxNp/xYyPqMBC BSHEF/njMwEEa0XPWv2UikNGFR9bM4NlVdxWktgeC6UVuX3iqnkIm/CvPEiKq13D GycbTIdnazhugeu/Rh6qVUgxVWd4ljc+HGBUrnWn6Rhw8DhKWm/S8xgpDpw86qEl 8CxnEjP00QMLo9nHmSVkm8ZobJV3MNhX8iO/UnRkvYGAZ3kl8/VnVmgs5sXHGqM2 aLzkDrgRf0zIVbcoaae1O26Rs4OwRL2DXDBxJ/3I6KASFzCYBcmtpjTsNyL8GX+D 76gKiCzhezunu4b8ErADGDcxLCU4W9LGs9repXNDEjdqY4qJ0kFTpmM4wm3Zpn0Z lyb17zxoXHATGPCgDFVyuL+g8TmOgUdhemNTLAQJXrVRsMxA06l446G3i66UwvQL qmSiknOs7Dzpt+8DdkGqPMJOA6t1ismtk9CO9BstYzxU1ebS6zUusHo0Iavw2v2D gPxsHl2GehMf9M2JHUygJTevcoyBB6OEZtmRdTmIRU9m8d8+90Cig8YwIk1kzZlq XrbwWjP8Mk+g21YGMMi+ksN0LFWf5rVYTRnvKMq7QLrSpjiravS7+gF6ZOH49XRs 0B91wOl3vSo=yaM6 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . 6) - i386, x86_64 3. Red Hat would like to thank Juha-Matti Tilli (Aalto University - Department of Communications and Networking and Nokia Bell Labs) for reporting CVE-2018-5391 and Qualys Research Labs for reporting CVE-2018-14634. Bug Fix(es): These updated kernel packages include also numerous bug fixes. Space precludes documenting all of the bug fixes in this advisory. See the descriptions in the related Knowledge Article: https://access.redhat.com/articles/3635371 4. Bugs fixed (https://bugzilla.redhat.com/): 1609664 - CVE-2018-5391 kernel: IP fragments with random offsets allow a remote denial of service (FragmentSmack) 1616397 - kernel-2.6.32-754.3.5.el6.x86_64 crash on Dell Inc. PowerEdge 1950 1624498 - CVE-2018-14634 kernel: Integer overflow in Linux's create_elf_tables function 6. ========================================================================== Ubuntu Security Notice USN-3742-3 August 21, 2018 linux-lts-trusty regressions ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 ESM Summary: USN-3742-2 introduced regressions in the Linux Hardware Enablement (HWE) kernel for Ubuntu 12.04 ESM. Software Description: - linux-lts-trusty: Linux hardware enablement kernel from Trusty for Precise ESM Details: USN-3742-2 introduced mitigations in the Linux Hardware Enablement (HWE) kernel for Ubuntu 12.04 ESM to address L1 Terminal Fault (L1TF) vulnerabilities (CVE-2018-3620, CVE-2018-3646). Unfortunately, the update introduced regressions that caused kernel panics when booting in some environments as well as preventing Java applications from starting. We apologize for the inconvenience. Original advisory details: It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646) It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker could use this to expose sensitive information (memory from the kernel or other processes). (CVE-2018-3620) Andrey Konovalov discovered an out-of-bounds read in the POSIX timers subsystem in the Linux kernel. (CVE-2018-5391) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 ESM: linux-image-3.13.0-156-generic 3.13.0-156.206~precise1 linux-image-3.13.0-156-generic-lpae 3.13.0-156.206~precise1 linux-image-generic-lpae-lts-trusty 3.13.0.156.146 linux-image-generic-lts-trusty 3.13.0.156.146 After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. 6.5) - x86_64 3. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses. Bug Fix(es): * Previously, invalid headers in the sk_buff struct led to an indefinite loop in the tcp_collapse() function. As a consequence, the system became unresponsive. This update backports the upstream changes that remove the problematic code in tcp_collapse(). As a result, the system no longer hangs in the described scenario. (BZ#1619630) * After updating the system to prevent the L1 Terminal Fault (L1TF) vulnerability, only one thread was detected on systems that offer processing of two threads on a single processor core. With this update, the "__max_smt_threads()" function has been fixed. As a result, both threads are now detected correctly in the described situation. (BZ#1625333) * Previously, a kernel panic occurred when the kernel tried to make an out of bound access to the array that describes the L1 Terminal Fault (L1TF) mitigation state on systems without Extended Page Tables (EPT) support. This update extends the array of mitigation states to cover all the states, which effectively prevents out of bound array access. Also, this update enables rejecting invalid, irrelevant values, that might be erroneously provided by the userspace. As a result, the kernel no longer panics in the described scenario. (BZ#1629632) 4

AFFECTED PRODUCTS