- Issued:
- 2018-05-08
- Updated:
- 2018-05-08
RHSA-2018:1355 - Security Advisory
Synopsis
Important: kernel-rt security and bug fix update
Type/Severity
Security Advisory: Important
Topic
An update for kernel-rt is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.
Security Fix(es):
- Kernel: KVM: error in exception handling leads to wrong debug stack value (CVE-2018-1087)
- Kernel: error in exception handling leads to DoS (CVE-2018-8897)
- Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation (CVE-2017-16939)
- kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c (CVE-2018-1068)
- kernel: ptrace() incorrect error handling leads to corruption and DoS (CVE-2018-1000199)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Andy Lutomirski for reporting CVE-2018-1087 and CVE-2018-1000199 and Nick Peterson (Everdox Tech LLC) and Andy Lutomirski for reporting CVE-2018-8897.
Bug Fix(es):
- The kernel-rt packages have been upgraded to the 3.10.0-862.2.3 source tree, which provides a number of bug fixes over the previous version. (BZ#1549768)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
The system must be rebooted for this update to take effect.
Affected Products
- Red Hat Enterprise Linux for Real Time 7 x86_64
- Red Hat Enterprise Linux for Real Time for NFV 7 x86_64
Fixes
- BZ - 1517220 - CVE-2017-16939 Kernel: ipsec: xfrm: use-after-free leading to potential privilege escalation
- BZ - 1549768 - kernel-rt: update to the RHEL7.5.z batch#1 source tree
- BZ - 1552048 - CVE-2018-1068 kernel: Out-of-bounds write via userland offsets in ebt_entry struct in netfilter/ebtables.c
- BZ - 1566837 - CVE-2018-1087 Kernel: KVM: error in exception handling leads to wrong debug stack value
- BZ - 1567074 - CVE-2018-8897 Kernel: error in exception handling leads to DoS
- BZ - 1568477 - CVE-2018-1000199 kernel: ptrace() incorrect error handling leads to corruption and DoS
CVEs
References
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Enterprise Linux for Real Time 7
| SRPM | |
|---|---|
| kernel-rt-3.10.0-862.2.3.rt56.806.el7.src.rpm | SHA-256: 142be0ed54ae8b6ef150bd70aa81224145e6caa509ecad84dd76551f53309d5d |
| x86_64 | |
| kernel-rt-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 7f78234035e265d7e424065acd23d554996a4b539aac0bf52471bd5638b184c3 |
| kernel-rt-debug-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 503d83fc5ca69ba39aabf880d7a1afe1645820664ee64965882ac1ab87e9033a |
| kernel-rt-debug-debuginfo-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: b0c98c9d724cde6183ad3c41a3a6944c2b6b7834006b330470ca43681d5811c0 |
| kernel-rt-debug-devel-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: c0477c08a95925170f66794f188beab351640a5ecea465315a7937358e6ab44c |
| kernel-rt-debug-kvm-debuginfo-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 80ac503edf84b4c9f860005724de1dd9fff198b79bfe3cfa177d910c7f7ded1d |
| kernel-rt-debuginfo-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 32d64c40951eae11dcc27783e57794f604a0fd1492e30c1d0766f8646b9276a4 |
| kernel-rt-debuginfo-common-x86_64-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: b4ee15a0a50daa070e1e9c45b862b32a84aff4b157a993dd8b3e648a3836c948 |
| kernel-rt-devel-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 9c664744a78239386a3dcc60a21bf5240ebb33d172ac49336891337e75c24898 |
| kernel-rt-doc-3.10.0-862.2.3.rt56.806.el7.noarch.rpm | SHA-256: cdba6369f8022896552e703b8fb5650538c2d97506dd7d21260fe13d21e75188 |
| kernel-rt-kvm-debuginfo-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 6ea52cc3a2e73a8bc69f6feffa21c39ba3104077f8f0e9b96c96bbd0522a11ba |
| kernel-rt-trace-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: e113fdeff4cb2d40d79a164c247de54c5389489aed1ee7dde7575d7cdb2fd2cd |
| kernel-rt-trace-debuginfo-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 26d4daeb54efdb5f5786a877aba4c75e444bb9bbad99eae542f26b88d125ec93 |
| kernel-rt-trace-devel-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 1d94dcd5f6860f6c93e7e19854214ad7f41abe9208148315b8c2e33b5f478780 |
| kernel-rt-trace-kvm-debuginfo-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: bdf4beb788cfa4c307fe0e9733b2570ad7a53cdc60341160bad32f316ce1211d |
Red Hat Enterprise Linux for Real Time for NFV 7
| SRPM | |
|---|---|
| kernel-rt-3.10.0-862.2.3.rt56.806.el7.src.rpm | SHA-256: 142be0ed54ae8b6ef150bd70aa81224145e6caa509ecad84dd76551f53309d5d |
| x86_64 | |
| kernel-rt-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 7f78234035e265d7e424065acd23d554996a4b539aac0bf52471bd5638b184c3 |
| kernel-rt-debug-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 503d83fc5ca69ba39aabf880d7a1afe1645820664ee64965882ac1ab87e9033a |
| kernel-rt-debug-debuginfo-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: b0c98c9d724cde6183ad3c41a3a6944c2b6b7834006b330470ca43681d5811c0 |
| kernel-rt-debug-devel-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: c0477c08a95925170f66794f188beab351640a5ecea465315a7937358e6ab44c |
| kernel-rt-debug-kvm-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 196e4a1dec627fb6d96eb7b1da89680bdbd18b639fdac78594c358e72f8ad517 |
| kernel-rt-debug-kvm-debuginfo-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 80ac503edf84b4c9f860005724de1dd9fff198b79bfe3cfa177d910c7f7ded1d |
| kernel-rt-debuginfo-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 32d64c40951eae11dcc27783e57794f604a0fd1492e30c1d0766f8646b9276a4 |
| kernel-rt-debuginfo-common-x86_64-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: b4ee15a0a50daa070e1e9c45b862b32a84aff4b157a993dd8b3e648a3836c948 |
| kernel-rt-devel-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 9c664744a78239386a3dcc60a21bf5240ebb33d172ac49336891337e75c24898 |
| kernel-rt-doc-3.10.0-862.2.3.rt56.806.el7.noarch.rpm | SHA-256: cdba6369f8022896552e703b8fb5650538c2d97506dd7d21260fe13d21e75188 |
| kernel-rt-kvm-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: c92a961e5f6a6ea979ee34be8934a6715c96f42485d81bc45dc11adefc1b4fdf |
| kernel-rt-kvm-debuginfo-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 6ea52cc3a2e73a8bc69f6feffa21c39ba3104077f8f0e9b96c96bbd0522a11ba |
| kernel-rt-trace-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: e113fdeff4cb2d40d79a164c247de54c5389489aed1ee7dde7575d7cdb2fd2cd |
| kernel-rt-trace-debuginfo-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 26d4daeb54efdb5f5786a877aba4c75e444bb9bbad99eae542f26b88d125ec93 |
| kernel-rt-trace-devel-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 1d94dcd5f6860f6c93e7e19854214ad7f41abe9208148315b8c2e33b5f478780 |
| kernel-rt-trace-kvm-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: 06cee4a27c01d569f39900063a1af309ef0e9b4599275b22419792daa0350c23 |
| kernel-rt-trace-kvm-debuginfo-3.10.0-862.2.3.rt56.806.el7.x86_64.rpm | SHA-256: bdf4beb788cfa4c307fe0e9733b2570ad7a53cdc60341160bad32f316ce1211d |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.