Kernel security update: Virtuozzo ReadyKernel patch 11.0 for kernel 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)

Issue date: 2017-02-21

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2017-007

1. Overview

The cumulative Virtuozzo ReadyKernel patch was updated with security fixes as well as a usability bug fix. The patch applies to Virtuozzo 7.0.3.

2. Security Fixes

  • [Moderate] A double free vulnerability was found in netlink_dump, which could cause a denial of service or possibly other unspecified impact. (CVE-2016-9806)

  • [Moderate] It was discovered that the Linux kernel since 3.6-rc1, with ‘net.ipv4.tcp_fastopen’ set to 1, can hit a BUG() statement in the tcp_collapse() function after a certain sequence of system calls, leading to a possible system crash. (CVE-2016-8645)

  • [Moderate] A flaw was found in the way nfnetlink validated the length of batch messages that could allow a user logged in to a container as root to cause a general protection fault and crash the host. (PSBM-57511)

  • [Moderate] A flaw was found in the way nfnetlink handled errors while processing batch messages that could allow a user logged in to a container as root to trigger a use-after-free and crash the host. (PSBM-57499)

  • [Low] A security flaw was found in the Linux kernel where an attempt to move a page mapped by an AIO ring buffer to another node triggers a NULL pointer dereference at trace_writeback_dirty_page(), because aio_fs_backing_dev_info.dev is 0. (CVE-2016-3070)

3. Bug Fixes

  • It was not possible to set up port forwarding in containers for which the ‘--netfilter’ option was set to ‘full’. (PSBM-59983)

4. Installing the Update

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.