Kernel security update: CVE-2017-9242 and other; Virtuozzo ReadyKernel patch 30.3 for Virtuozzo 7.0.0, 7.0.1, and 7.0.3¶

1. Overview¶

The cumulative Virtuozzo ReadyKernel patch was updated with security and stability fixes. The patch applies to Virtuozzo kernels 3.10.0-327.18.2.vz7.15.2 (Virtuozzo 7.0.0), 3.10.0-327.36.1.vz7.18.7 (Virtuozzo 7.0.1), and 3.10.0-327.36.1.vz7.20.18 (Virtuozzo 7.0.3).

2. Security Fixes¶

• [Moderate] The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel through 4.11.3 is too late in checking whether an overwrite of an skb data structure may occur, which allows local users to cause a denial of service (system crash) via crafted system calls. (CVE-2017-9242)

• [Moderate] A divide-by-zero vulnerability was found in the __tcp_select_window function in the Linux kernel. This can result in a kernel panic causing a local denial-of-service. (CVE-2017-14106)

3. Bug Fixes¶

• If transparent huge pages were enabled, certain processes could enter an infinite loop in __get_user_pages() and become unkillable, preventing the container from stopping. (PSBM-70151)

4. Installing the Update¶

Download, install, and instantly apply the patch to the current kernel by running ‘readykernel update’.

5. References¶

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-15.2-30.3-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-18.7-30.3-1.vl7/

• https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-20.18-30.3-1.vl7/

• https://access.redhat.com/security/cve/CVE-2017-9242

• https://access.redhat.com/security/cve/CVE-2017-14106

The JSON file with the list of new and updated packages is available at http://docs.virtuozzo.com/vza/VZA-2017-077.json.