Kernel security update: Virtuozzo ReadyKernel patch 11.0 for kernel 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)¶

1. Overview¶

The cumulative Virtuozzo ReadyKernel patch updated with security fixes as well as a usability bug fix. The patch applies to Virtuozzo 7.0.3.

2. Security Fixes¶

• [Moderate] A double free vulnerability was found in netlink_dump, which could cause a denial of service or possibly other unspecified impact. (CVE-2016-9806)

• [Moderate] It was discovered that the Linux kernel since 3.6-rc1 with ‘net.ipv4.tcp_fastopen’ set to 1 can hit BUG() statement in tcp_collapse() function after making a number of certain syscalls leading to a possible system crash. (CVE-2016-8645)

• [Moderate] A flaw was found in the way nfnetlink validated length of batch messages that could allow a user logged in to a container as root to cause a general protection fault and crash the host. (PSBM-57511)

• [Moderate] A flaw was found in the way nfnetlink handled errors while processing batch messages that could allow a user logged in to a container as root to trigger use after free and crash the host. (PSBM-57499)

• [Low] A security flaw was found in the Linux kernel that an attempt to move page mapped by AIO ring buffer to the other node triggers NULL pointer dereference at trace_writeback_dirty_page(), because aio_fs_backing_dev_info.dev is 0. (CVE-2016-3070)

3. Bug Fixes¶

• It was not possible to set up port forwarding in containers for which the ‘–netfilter’ option was set to ‘full’. (PSBM-59983)

4. Installing the Update¶

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

5. References¶

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-11.0-1.vl7/

• https://access.redhat.com/security/cve/cve-2016-9806

• https://access.redhat.com/security/cve/cve-2016-8645

• https://access.redhat.com/security/cve/cve-2016-3070

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-007.json.