Beta: CloudLinux 7 and CloudLinux 6 Hybrid kernel v.1.5-38 released

 


CloudLinux 7 and CloudLinux 6 Hybrid kernel version 3.10.0-962.3.2.lve1.5.38 is now available for download from our updates-testing repository.

SRBDS System Information

The Linux kernel provides vulnerability status information through sysfs. For SRBDS this can be accessed by the following sysfs file: /sys/devices/system/cpu/vulnerabilities/srbds

The possible values contained in this file are:

Value                                     Meaning
Not affected                              Processor is not vulnerable
Vulnerable                                Processor is vulnerable and mitigation is disabled
Vulnerable: No microcode                  Processor is vulnerable and microcode is missing mitigation
Mitigation: Microcode                     Processor is vulnerable and mitigation is in effect
Mitigation: TSX disabled                  Processor is only vulnerable when TSX is enabled while this system was booted with TSX disabled
Unknown: Dependent on hypervisor status   Running on virtual guest processor that is affected but with no way to know if the host processor is mitigated or vulnerable
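
A post-update check built on the sysfs values listed above, for use after rebooting into the new kernel. This is an added example, not part of the CloudLinux release; the function names, the SRBDS_FILE override, the --check argument and the exit-code mapping are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the SRBDS sysfs status after a kernel update.
# SRBDS_FILE can be overridden (assumption of this example) to test the logic.
SRBDS_FILE="${SRBDS_FILE:-/sys/devices/system/cpu/vulnerabilities/srbds}"

# Map a status string from the sysfs file to: ok | action | unknown
srbds_classify() {
    case "$1" in
        "Not affected"|"Mitigation: Microcode"|"Mitigation: TSX disabled")
            echo ok ;;
        "Vulnerable"|"Vulnerable: No microcode")
            echo action ;;
        *)  # "Unknown: Dependent on hypervisor status" and unrecognized text
            echo unknown ;;
    esac
}

# Print "<verdict>: <detail>"; return 0 (ok), 1 (action needed), 2 (unknown).
srbds_check() {
    if [ ! -r "$SRBDS_FILE" ]; then
        # A kernel without the SRBDS patches does not expose this file,
        # so a missing file usually means the old kernel is still running.
        echo "action: $SRBDS_FILE missing; running kernel does not report SRBDS"
        return 1
    fi
    status=$(head -n 1 "$SRBDS_FILE")
    verdict=$(srbds_classify "$status")
    case "$status" in
        "Vulnerable: No microcode")
            detail="install updated CPU microcode and reboot" ;;
        "Vulnerable")
            detail="mitigation is disabled; review the kernel command line" ;;
        "Unknown: Dependent on hypervisor status")
            detail="guest cannot tell; confirm mitigation on the host" ;;
        *)
            detail="$status" ;;
    esac
    echo "$verdict: $detail"
    case "$verdict" in
        ok)     return 0 ;;
        action) return 1 ;;
        *)      return 2 ;;
    esac
}

# Run the check only when invoked as: sh srbds_check.sh --check
case "${1:-}" in --check) srbds_check ;; esac
```

The non-zero exit codes let a configuration-management or monitoring job flag hosts that still need microcode or a reboot.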

                 

Mitigation Mechanism

Intel will release microcode updates that modify the RDRAND, RDSEED, and EGETKEY instructions to overwrite secret special register data in the shared staging buffer before the secret data can be accessed by another logical processor.

Changelog

  • CLKRN-597: ext4: wait for existing dio workers in ext4_alloc_file_blocks()
  • CLKRN-597: ext4: check for directory entries too close to block end
  • CLKRN-597: tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK
  • CLKRN-597: vfs: fix do_last() regression
  • CLKRN-597: do_last(): fetch directory ->i_mode and ->i_uid before it's too late
  • CLKRN-597: CVE-2000-1134: CVE-2007-3852: CVE-2008-0525: CVE-2009-0416: CVE-2011-4834: CVE-2015-1838: CVE-2015-7442: CVE-2016-7489: namei: allow restricted O_CREAT of FIFOs and regular files
  • CLKRN-601: make CONFIG_CL_* entries visible in "menuconfig"
  • CLKRN-597: mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
  • CLKRN-597: jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal
  • CLKRN-597: x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR
  • CLKRN-597: PCI: Don't disable bridge BARs when assigning bus resources
  • CLKRN-597: scsi: qla2xxx: Fix mtcp dump collection failure
  • CLKRN-597: CVE-2020-12114: fs/namespace.c: fix mountpoint reference counter race
  • CLKRN-597: tracing: Fix tracing_stat return values in error handling paths
  • CLKRN-597: tracing: Fix very unlikely race of registering two stat tracers
  • CLKRN-597: ext4, jbd2: ensure panic when aborting with zero errno
  • CLKRN-597: jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record
  • CLKRN-597: KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c
  • CLKRN-597: KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
  • CLKRN-597: KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks
  • CLKRN-597: KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
  • CLKRN-597: tcp: clear tp->total_retrans in tcp_disconnect()
  • CLKRN-597: mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
  • CLKRN-597: net_sched: ematch: reject invalid TCF_EM_SIMPLE
  • CLKRN-607: random: always use batched entropy for get_random_u{32,64}
  • CLKRN-607: x86/speculation: Add Ivy Bridge to affected list
  • CLKRN-607: CVE-2020-0543: x86/speculation: Add SRBDS vulnerability and mitigation documentation
  • CLKRN-607: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation
  • CLKRN-607: x86/cpu: Add 'table' argument to cpu_matches()
  • CLKRN-607: x86/cpu: Add a steppings field to struct x86_cpu_id
  • CLKRN-607: x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping
  • CLKRN-600: mm: don't clear __GFP_NOFAIL when matching against mask

Update

For CloudLinux 7, run the command:

yum install kernel-3.10.0-962.3.2.lve1.5.38.el7 --enablerepo=cloudlinux-updates-testing

For CloudLinux 6 Hybrid, run the command:

yum install kernel-3.10.0-962.3.2.lve1.5.38.el6h --enablerepo=cloudlinux-hybrid-testing
