CloudLinux 7 and CloudLinux 6 Hybrid kernel version 3.10.0-962.3.2.lve1.5.38 has been scheduled for gradual rollout from our production repository.
Rollout slot: 3
Rolled out to: 0.4%
ETA for 100% rollout: July 8th
SRBDS System Information
The Linux kernel provides vulnerability status information through sysfs. For SRBDS this can be accessed by the following sysfs file: /sys/devices/system/cpu/vulnerabilities/srbds
The possible values contained in this file are:
Not affected | Processor is not vulnerable
Vulnerable | Processor is vulnerable and mitigation is disabled
Vulnerable: No microcode | Processor is vulnerable and microcode is missing mitigation
Mitigation: Microcode | Processor is vulnerable and mitigation is in effect
Mitigation: TSX disabled | Processor is only vulnerable when TSX is enabled while this system was booted with TSX disabled
Unknown: Dependent on hypervisor status | Running on virtual guest processor that is affected but with no way to know if the host processor is mitigated or vulnerable
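A post-update check built on the status values above, as an added example that is not CloudLinux's own tooling. The function names and the exit-code scheme (0 OK, 1 warning, 2 critical, 3 unknown) are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the SRBDS status the running kernel reports.
# Exit codes are an assumption of this example (monitoring-plugin style):
#   0 = OK, 1 = warning, 2 = critical, 3 = unknown.

SRBDS_FILE=/sys/devices/system/cpu/vulnerabilities/srbds

# Map one status string from the sysfs file to a message and an exit code.
srbds_classify() {
    case "$1" in
        "Not affected")
            echo "OK: processor is not vulnerable"; return 0 ;;
        "Mitigation: Microcode")
            echo "OK: microcode mitigation is in effect"; return 0 ;;
        "Mitigation: TSX disabled")
            echo "OK: only vulnerable with TSX enabled, booted with TSX disabled"; return 0 ;;
        "Unknown: Dependent on hypervisor status")
            echo "WARNING: virtual guest, host mitigation state is not visible"; return 1 ;;
        "Vulnerable: No microcode")
            echo "CRITICAL: microcode is missing the mitigation"; return 2 ;;
        "Vulnerable")
            echo "CRITICAL: mitigation is disabled"; return 2 ;;
        *)
            echo "UNKNOWN: unrecognised status '$1'"; return 3 ;;
    esac
}

# Read the status file (path can be overridden for testing) and classify it.
# A missing file means the running kernel does not report SRBDS at all,
# for example because the host has not been rebooted into the updated kernel.
srbds_check() {
    file="${1:-$SRBDS_FILE}"
    if [ ! -r "$file" ]; then
        echo "UNKNOWN: $file not readable, running kernel $(uname -r) does not report SRBDS"
        return 3
    fi
    status=""
    IFS= read -r status < "$file" || true   # tolerate a missing trailing newline
    srbds_classify "$status"
}
```

Run `srbds_check` after rebooting into the new kernel; a result of 3 on a host that already has the package installed usually means the old kernel is still running.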
Mitigation Mechanism
Intel will release microcode updates that modify the RDRAND, RDSEED, and EGETKEY instructions to overwrite secret special register data in the shared staging buffer before the secret data can be accessed by another logical processor.
Changelog
- CLKRN-597: ext4: wait for existing dio workers in ext4_alloc_file_blocks()
- CLKRN-597: ext4: check for directory entries too close to block end
- CLKRN-597: tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK
- CLKRN-597: vfs: fix do_last() regression
- CLKRN-597: do_last(): fetch directory ->i_mode and ->i_uid before it's too late
- CLKRN-597: CVE-2000-1134: CVE-2007-3852: CVE-2008-0525: CVE-2009-0416: CVE-2011-4834: CVE-2015-1838: CVE-2015-7442: CVE-2016-7489: namei: allow restricted O_CREAT of FIFOs and regular files
- CLKRN-601: make CONFIG_CL_* entries visible in "menuconfig"
- CLKRN-597: mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
- CLKRN-597: jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal
- CLKRN-597: x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR
- CLKRN-597: PCI: Don't disable bridge BARs when assigning bus resources
- CLKRN-597: scsi: qla2xxx: Fix mtcp dump collection failure
- CLKRN-597: CVE-2020-12114: fs/namespace.c: fix mountpoint reference counter race
- CLKRN-597: tracing: Fix tracing_stat return values in error handling paths
- CLKRN-597: tracing: Fix very unlikely race of registering two stat tracers
- CLKRN-597: ext4, jbd2: ensure panic when aborting with zero errno
- CLKRN-597: jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record
- CLKRN-597: KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c
- CLKRN-597: KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
- CLKRN-597: KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks
- CLKRN-597: KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
- CLKRN-597: tcp: clear tp->total_retrans in tcp_disconnect()
- CLKRN-597: mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
- CLKRN-597: net_sched: ematch: reject invalid TCF_EM_SIMPLE
- CLKRN-607: random: always use batched entropy for get_random_u{32,64}
- CLKRN-607: x86/speculation: Add Ivy Bridge to affected list
- CLKRN-607: CVE-2020-0543: x86/speculation: Add SRBDS vulnerability and mitigation documentation
- CLKRN-607: x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation
- CLKRN-607: x86/cpu: Add 'table' argument to cpu_matches()
- CLKRN-607: x86/cpu: Add a steppings field to struct x86_cpu_id
- CLKRN-607: x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping
- CLKRN-600: mm: don't clear __GFP_NOFAIL when matching against mask
Update
For CloudLinux 7, run the command:
yum install kernel-3.10.0-962.3.2.lve1.5.38.el7
For CloudLinux 6 Hybrid, run the command:
yum install kernel-3.10.0-962.3.2.lve1.5.38.el6h
Immediate update (via bypass)
For CloudLinux 7, run the command:
yum install kernel-3.10.0-962.3.2.lve1.5.38.el7 --enablerepo=cloudlinux-rollout-3-bypass
For CloudLinux 6 Hybrid, run the command:
yum install kernel-3.10.0-962.3.2.lve1.5.38.el6h --enablerepo=cloudlinux-rollout-3-bypass