Important kernel security update: Virtuozzo ReadyKernel patch 14.0 for kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3)¶

1. Overview¶

The cumulative Virtuozzo ReadyKernel patch updated with security fixes. The patch applies to Virtuozzo versions 7.0.0, 7.0.1, and 7.0.3.

2. Security Fixes¶

• [Important] A use-after-free flaw was found in the way the Linux kernel’s Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system. (CVE-2017-6074)

• [Moderate] A syntax vulnerability was discovered in the kernel’s ASN1.1 DER decoder, which could lead to memory corruption or a complete local denial of service through x509 certificate DER files. A local system user could use a specially created key file to trigger BUG_ON() in the public_key_verify_signature() function (crypto/asymmetric_keys/public_key.c), to cause a kernel panic and crash the system. (CVE-2016-2053)

3. Installing the Update¶

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

4. References¶

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-14.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-14.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-14.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-6074

• https://access.redhat.com/security/cve/CVE-2016-2053

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-017.json.