kernel-3.10.0-862.2.3.el7
Errata ID: AXSA:2018-3108:04
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix(es):
* Kernel: KVM: error in exception handling leads to wrong debug stack value (CVE-2018-1087)
* Kernel: error in exception handling leads to DoS (CVE-2018-8897)
* Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation (CVE-2017-16939)
* kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c (CVE-2018-1068)
* kernel: ptrace() incorrect error handling leads to corruption and DoS (CVE-2018-1000199)
* kernel: guest kernel crash during core dump on POWER9 host (CVE-2018-1091)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Asianux would like to thank Andy Lutomirski for reporting CVE-2018-1087 and CVE-2018-1000199 and Nick Peterson (Everdox Tech LLC) and Andy Lutomirski for reporting CVE-2018-8897.
Bug Fix(es):
These updated kernel packages also include numerous bug fixes. Space precludes documenting all of these bug fixes in this advisory. See the bug fix descriptions in the related Knowledge Article: https://access.redhat.com/articles/3431641
CVE-2017-16939
The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Linux kernel before 4.13.11 allows local users to gain privileges or cause a denial of service (use-after-free) via a crafted SO_RCVBUF setsockopt system call in conjunction with XFRM_MSG_GETPOLICY Netlink messages.
CVE-2018-1068
A flaw was found in the Linux 4.x kernel's implementation of 32-bit syscall interface for bridging. This allowed a privileged user to arbitrarily write to a limited range of kernel memory.
CVE-2018-1087
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be provided.
CVE-2018-1091
In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c in the Linux kernel before 4.13.5, a guest kernel crash can be triggered from unprivileged userspace during a core dump on a POWER host due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path, leading to a denial of service.
CVE-2018-8897
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be provided.
CVE-2018-1000199
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be provided.
Update packages.
The Linux Kernel version 3.18 contains a dangerous feature vulnerability in modify_user_hw_breakpoint() that can result in crash and possibly memory corruption. This attack appears to be exploitable via local code execution and the ability to use ptrace. This vulnerability appears to have been fixed in git commit f67b15037a7a50c57f72e69a6d59941ad90a0f0f.
kernel KVM before versions kernel 4.16, kernel 4.16-rc7, kernel 4.17-rc1, kernel 4.17-rc2 and kernel 4.17-rc3 is vulnerable to a flaw in the way the Linux kernel's KVM hypervisor handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest.
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.
N/A
SRPMS
- kernel-3.10.0-862.2.3.el7.src.rpm
MD5: d5ea358f04158569f94c2fad377b3868
SHA-256: e975f48068d3e8cfe56e744b94d693a905383d7b65532e8849787021779c0baa
Size: 93.68 MB
Asianux Server 7 for x86_64
- kernel-3.10.0-862.2.3.el7.x86_64.rpm
MD5: c215c2078ac44e7e046d251454ef4f0f
SHA-256: 0ae35dbb803823ca0654f3486ab5265ceb88ce4b48392b5292c535dea7756a19
Size: 46.02 MB
- kernel-abi-whitelists-3.10.0-862.2.3.el7.noarch.rpm
MD5: f76b7e6adf58b79771cdaaf6ecda9b34
SHA-256: eabf5d194d66ecf04816ee52f51349d8b79a15b3a5418359e6f3974188ab7b29
Size: 6.15 MB
- kernel-debug-3.10.0-862.2.3.el7.x86_64.rpm
MD5: 0715f5f9282f1b59eb496dffcacb4654
SHA-256: c67747bbdcc4929907ebbc706f0f205ba830c09eaa319312dda0d3f9e4c01456
Size: 48.03 MB
- kernel-debug-devel-3.10.0-862.2.3.el7.x86_64.rpm
MD5: 2302487d9de737b3a296df3f6ee86447
SHA-256: 3ae9f5879757426508d3058c6c9a06fdf2d42d35aca4e9f7c42fa41b9bc61e53
Size: 15.75 MB
- kernel-devel-3.10.0-862.2.3.el7.x86_64.rpm
MD5: 0bfad2b7e05ef80d15d2218736628fae
SHA-256: 81c55fae2d63722bab369a0257ade1cf91e8c8bde69b9ad2b68179c2b7e492a4
Size: 15.68 MB
- kernel-doc-3.10.0-862.2.3.el7.noarch.rpm
MD5: 56a20e05c649698d331bc96b185b6e32
SHA-256: 93b6c1361b912a187954854ceef9d5cde6d171c5ae9738ff7c6ec164152de08a
Size: 17.44 MB
- kernel-headers-3.10.0-862.2.3.el7.x86_64.rpm
MD5: 571d45382a42b371143d32d46e0547a7
SHA-256: 950c39fd4883b1d0f2e385049dd5ac1ef234138f0b17a7d36af957b26064369d
Size: 7.10 MB
- kernel-tools-3.10.0-862.2.3.el7.x86_64.rpm
MD5: 7fdafd7926bd57745a83489287c6fcd1
SHA-256: 897c835e446f77e38e04b839e34ca97e1245fa138d45dd5ab3f335b12dcb959c
Size: 6.24 MB
- kernel-tools-libs-3.10.0-862.2.3.el7.x86_64.rpm
MD5: 1ee6c60f8dad72b07bfc6421e9daae9b
SHA-256: f55c922158f93148f16c042a4c213f0f05fdcb08a2533851e2a8957460863980
Size: 6.15 MB
- perf-3.10.0-862.2.3.el7.x86_64.rpm
MD5: e33fc6d45d078ec5610fe9b78218e609
SHA-256: 06188856600a4da234ce3ba6b80b7b4b3e6762fc536cb90faad6526e6d8831c6
Size: 7.59 MB
- python-perf-3.10.0-862.2.3.el7.x86_64.rpm
MD5: 87fc939cf2fdb11b98c492e1e88c606d
SHA-256: 30f649e3e1f2f50d6cb5fd40066a5e7f008c3bd3ae4e6868b4736e0ee3a57110
Size: 6.24 MB