CloudLinux OS Blog - CloudLinux 7 and CloudLinux 6 Hybrid kernel with the fix for TCP SACK PANIC vulnerability is released


CloudLinux 7 and CloudLinux 6 Hybrid kernel version 3.10.0-962.3.2.lve1.5.25.11 is now available for download from our production repository.

You can find more about the TCP SACK PANIC vulnerability in this post.

Changelog:

  • CLKRN-421: ratelimit memcg oom message entries to dmesg
  • CLKRN-482: CVE-2019-11477: SACK Panic
  • CLKRN-483: CVE-2019-11478: SACK Slowness or Excess Resource Usage
  • CLKRN-485: CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values

To update the kernel, use the following command:

CloudLinux 7:

yum install kernel-3.10.0-962.3.2.lve1.5.25.11.el7

CloudLinux 6 Hybrid:

yum install kernel-3.10.0-962.3.2.lve1.5.25.11.el6h
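
Installing the package does not change the running kernel; the fixed build is only in effect after a reboot into it. The following added example (not part of the CloudLinux post) classifies a release string, such as the output of `uname -r`, against the fixed build named above. The function names and the sample release strings mentioned in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare a kernel release string with the fixed build
# from the announcement. Only CloudLinux "lve" kernels are compared;
# other vendors number their builds differently.
FIXED="3.10.0-962.3.2.lve1.5.25.11"   # version taken from the post

# Drop the trailing .el7 / .el6h tag and the optional arch (.x86_64).
strip_suffix() {
    printf '%s\n' "$1" | sed -E 's/\.el[0-9]+h?(\.[A-Za-z0-9_]+)?$//'
}

# Prints one of:
#   fixed   - lve kernel at or above the fixed build
#   older   - lve kernel below the fixed build
#   unknown - not an lve kernel, so the numbering is not comparable
kernel_status() {
    case "$1" in
        *.lve[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    rel=$(strip_suffix "$1")
    # Compare the numeric fields left to right (3, 10, 0, 962, ...).
    awk -v a="$rel" -v b="$FIXED" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) { print "older"; exit }
            if (x[i] + 0 > y[i] + 0) { print "fixed"; exit }
        }
        print "fixed"
    }'
}

# With no argument, check the kernel that is running right now.
# A constructed sample such as 3.10.0-962.3.2.lve1.5.25.10.el7.x86_64
# can be passed as $1 to test the comparison offline.
kernel_status "${1:-$(uname -r)}"
```

If the result is `older` after a successful `yum install`, the host is still running the previous kernel and needs a reboot.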
 

Comments 7

Fabian Marsiglione on Monday, 24 June 2019 20:58

Hello Inessa

I have a few servers with the 1.25.10 kernel version.
I just tried to update to this one using: yum install kernel-3.10.0-962.3.2.lve1.5.25.11.el7

and I got:
No package kernel-3.10.0-962.3.2.lve1.5.25.11.el7 available.
Error: Nothing to do

Can you check and help me?
Regards
Fabian

Ivan Zhmud on Tuesday, 25 June 2019 07:57

Hello, Fabian.
We've checked the package is available in the stable channel.
Try running the `yum clean all` command before updating.

Fabian Marsiglione on Tuesday, 25 June 2019 14:45

Thanks Ivan!

Now the new kernel was installed

Regards
Fabian

Guest - spiffybrian on Tuesday, 25 June 2019 21:20

Beware!

This kernel update breaks the xtables support. Yet again, for the third time by my reckoning, we have a kernel update where the xtables modules are incomplete, missing, or broken when installing a new kernel.

Please, Cloud Linux, put some QA tests in your kernel build process to avoid breaking things. We are now at risk as we can't install the latest kernel update. This is not the service we are paying for!

Inessa Atmachian on Wednesday, 26 June 2019 09:40

Hi spiffybrian,
We want to apologize for this kernel update that breaks the xtables support. Unfortunately, the issue wasn't caught by our test system. Now, we are working on fixing the issue and re-releasing the kernel Wednesday, 26 June.
We are also searching for other novel ways to prevent such issues and have already implemented the kABI checker that allows preventing this from happening ever again.
Once again, please accept our sincerest apologies and stay tuned for updates.

Fabian Marsiglione on Wednesday, 26 June 2019 13:38

Hello

After updating 3 of my servers to this last kernel, the only issue I found for now:

Apparently the sites can't open /cpanel nor /whm (2083 or 2087); I got an empty_response error.

The solution:
From WHM --> Manage Service SSL Certificates
I reset the cpanel, whm, webmail, etc. certificate.
After this, I installed again the certificate issued by cpanel for those services

and then all sites' /cpanel and /whm were back online again.

This happened with 3 servers I updated to this last kernel.

Regards
Fabian

Ivan Zhmud on Thursday, 27 June 2019 19:48

Hello, spiffybrian!
We've fixed the issue with xtables. Please update the kernel to the latest version.
https://www.cloudlinux.com/cloudlinux-os-blog/entry/cloudlinux-7-and-cloudlinux-6-hybrid-kernel-updated-3
