Important kernel security update: CVE-2017-1000111 and other; Virtuozzo ReadyKernel patch 29.0 for Virtuozzo 7.0.4 and 7.0.4 HF3¶

1. Overview¶

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-514.16.1.vz7.30.10 (Virtuozzo 7.0.4) and 3.10.0-514.16.1.vz7.30.15 (Virtuozzo 7.0.4 HF3).

2. Security Fixes¶

• [Important] A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets are implemented in the Linux kernel networking subsystem handling synchronization. A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system. (CVE-2017-1000111)

• [Important] Andrey Konovalov discovered a race condition in the UDP Fragmentation Offload (UFO) code in the Linux kernel. A local attacker could use this to cause a denial of service or execute arbitrary code. (CVE-2017-1000112)

3. Bug Fixes¶

• Ploop could use inconsistent values for iblock and the corresponding delta for IO because of a race over map->levels[]. This could result in incorrect read and write operations for ploop devices. (PSBM-70063)

• It was found that memcg_numa_isolate_pages() used unsafe operations with lists, which could lead to kernel crashes in memcg_numa_migrate_write() during NUMA balancing. (PSBM-69999)

4. Installing the Update¶

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

5. References¶

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.10-29.0-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-30.15-29.0-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-1000111

• https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000112.html

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-072.json.