Important kernel security update: New kernel 2.6.32-042stab144.1 for Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Issue date: 2020-05-21

Applies to: Virtuozzo Containers for Linux 4.7, Server Bare Metal 5.0

Virtuozzo Advisory ID: VZA-2020-036

1. Overview

This update provides a new kernel 2.6.32-042stab144.1 for Virtuozzo Containers for Linux 4.7 and Server Bare Metal 5.0. It is based on the RHEL 6.10 kernel 2.6.32-754.29.2.el6 and inherits security and stability fixes from it. The new kernel also provides internal security and stability fixes.

2. Security Fixes

  • [Important] Kernel: NetLabel: null pointer dereference while receiving CIPSO packet with null category may cause kernel panic. (CVE-2020-10711)

  • [Important] kernel: rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel lacks a certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)

  • [Important] kernel: buffer overflow in cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c. (CVE-2019-17133)

  • [Moderate] kernel: out-of-bounds write in mpol_parse_str function in mm/mempolicy.c. (CVE-2020-11565)

  • [Moderate] kernel: use-after-free in n_tty_receive_buf_common function in drivers/tty/n_tty.c. (CVE-2020-8648)

  • [Moderate] kernel: unprivileged users (without CAP_NET_RAW) able to create RAW sockets in the AF_ISDN network protocol. (CVE-2019-17055)

  • [Moderate] kernel: memory leak in register_queue_kobjects() in net/core/net-sysfs.c leads to denial of service. (CVE-2019-15916)

  • [Low] kernel: offset2lib allows for the stack guard page to be jumped over. (CVE-2017-1000371)

3. Bug Fixes

  • Do not force memory reclaim during per-netns memory allocation for conntrack hash table. (PSBM-102730)

4. Installing the Update

The update is only available to customers subscribed to the Extended Lifecycle Support (ELS) program. Download and install the update using the vzup2date utility included in the distribution. A reboot is required: the fixes take effect only once the host is running the new kernel, so reboot the host and boot into kernel 2.6.32-042stab144.1.
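After the reboot, confirm that the host actually came up on the fixed kernel rather than an older 042stab release still selected in the boot loader. The helper below is an added example for this advisory, not part of Virtuozzo's tooling or of vzup2date; it assumes the running kernel reports itself through `uname -r` in the usual `2.6.32-042stabNNN.M` form and treats any kernel at or above 042stab144.1 as carrying the fixes listed above.

```shell
#!/bin/sh
# Added verification helper (not part of the Virtuozzo advisory or its tools).
# Checks whether a running 2.6.32-042stabNNN.M kernel is at or above the
# version shipped by VZA-2020-036 (2.6.32-042stab144.1).

FIXED_KERNEL="2.6.32-042stab144.1"

# stab_version VERSION -> prints "NNN M" for a 2.6.32-042stabNNN.M release
# string; returns 1 for anything that is not a Virtuozzo stab kernel
# (e.g. a stock RHEL 2.6.32-754.x.el6 kernel), which this advisory does
# not cover.
stab_version() {
    case "$1" in
        2.6.32-042stab*.*)
            rest="${1#2.6.32-042stab}"   # e.g. 144.1 or 144.1.x86_64
            major="${rest%%.*}"          # NNN
            rest="${rest#*.}"
            minor="${rest%%.*}"          # M
            echo "$major $minor"
            ;;
        *)
            return 1
            ;;
    esac
}

# kernel_is_fixed VERSION -> exit status 0 if VERSION >= FIXED_KERNEL,
# 1 otherwise (including non-stab kernels). Compares NNN first, then M.
kernel_is_fixed() {
    have=$(stab_version "$1") || return 1
    want=$(stab_version "$FIXED_KERNEL")
    set -- $have $want
    have_major=$1; have_minor=$2; want_major=$3; want_minor=$4
    if [ "$have_major" -gt "$want_major" ]; then return 0; fi
    if [ "$have_major" -lt "$want_major" ]; then return 1; fi
    [ "$have_minor" -ge "$want_minor" ]
}

# Report on the kernel this host is actually running right now.
running=$(uname -r)
if kernel_is_fixed "$running"; then
    echo "OK: running $running (>= $FIXED_KERNEL)"
else
    echo "WARNING: running $running; install $FIXED_KERNEL with vzup2date and reboot into it"
fi
```

Run it on the host after the reboot; a WARNING means either the package was not installed or the boot loader is still pointing at the previous kernel.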