CloudLinux 7 and CloudLinux 6 Hybrid kernel version 3.10.0-793.21.1.lve1.5.20 is now available for download from our updates-testing repository.
- KASLR support.
Kernel address space layout randomization (KASLR), which was previously available as a Technology Preview, is fully supported in Red Hat Enterprise Linux 7.5 on the AMD64 and Intel 64 architectures. KASLR is a kernel feature that contains two parts, kernel text KASLR and mm KASLR.
These two parts work together to enhance the security of the Linux kernel.
- Retpoline support.
A retpoline is designed to protect against the branch target injection (CVE-2017-5715) exploit. This is an attack where an indirect branch instruction in the kernel is used to force the speculative execution of an arbitrary chunk of code. The chosen code is a "gadget" that is somehow useful to an attacker. For example, code can be chosen so that it will leak kernel data through how it affects the cache. The retpoline prevents this exploit by simply replacing all indirect branch instructions with a return instruction.
- CLKRN-290: fixed CVE-2018-3665.
The security flaw takes advantage of one of the ways the Linux kernel saves and restores the state of the Floating Point Unit (FPU) when switching tasks – specifically the Lazy FPU Restore scheme. Malware or malicious users can take advantage of the vulnerability to grab encryption keys.
- CLKRN-272: added a workaround to avoid crash with 32bit binary;
- CLKRN-314: fixed boot on Xen in PV mode;
- CLKRN-319: fixed assertion on XFS partition file removal;
- CLKRN-320: fixed CVE-2017-18344.
To install the new kernel, please use the following command:
CloudLinux 7:
yum install kernel-3.10.0-793.21.1.lve1.5.20.el7 --enablerepo=cloudlinux-updates-testing
CloudLinux 6 Hybrid:
yum install kernel-3.10.0-793.21.1.lve1.5.20.el6h --enablerepo=cloudlinux-hybrid-testing
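After rebooting into the new kernel, the following check confirms that the announced build is running and that the KASLR and retpoline protections described above are not switched off. It is an added example, not CloudLinux code: the function names are made up here, and it assumes that this kernel reports its branch target injection status in /sys/devices/system/cpu/vulnerabilities/spectre_v2 and that KASLR is disabled only by the nokaslr boot parameter.

```shell
#!/bin/sh
# Added example (not CloudLinux code): post-reboot check for the kernel above.
EXPECTED="3.10.0-793.21.1.lve1.5.20"   # build announced on this page

# True if RELEASE (uname -r output) is the announced el7 or el6h build.
kernel_matches() {
    case "$1" in
        "$EXPECTED".el7*|"$EXPECTED".el6h*) return 0 ;;
        *) return 1 ;;
    esac
}

# True unless the boot command line carries the "nokaslr" parameter.
kaslr_not_disabled() {
    case " $1 " in
        *" nokaslr "*) return 1 ;;
        *) return 0 ;;
    esac
}

# True if the spectre_v2 status text names a retpoline mitigation.
retpoline_reported() {
    case "$1" in
        *[Rr]etpoline*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_kernel RELEASE CMDLINE SPECTRE_V2
# Prints one line per failed check; returns the number of failed checks.
check_kernel() {
    fails=0
    kernel_matches "$1"     || { echo "FAIL: running kernel is $1"; fails=$((fails + 1)); }
    kaslr_not_disabled "$2" || { echo "FAIL: nokaslr is set on the boot line"; fails=$((fails + 1)); }
    retpoline_reported "$3" || { echo "FAIL: spectre_v2 status: ${3:-unavailable}"; fails=$((fails + 1)); }
    return "$fails"
}

# Read the three inputs from the running system (sysfs path is an assumption).
check_live() {
    check_kernel "$(uname -r)" "$(cat /proc/cmdline)" \
        "$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 2>/dev/null)"
}

# Run against the live system only when invoked with --live.
if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with --live on the updated server; an exit status of 0 means all three checks passed.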