KernelCare Blog - KernelCare: Patches for CentOS/RHEL/CloudLinux 6 and PCS/Virtuozzo/OpenVZ kernels
KernelCare: Patches for CentOS/RHEL/CloudLinux 6 and PCS/Virtuozzo/OpenVZ kernels

[This patchset was re-released on Oct 21st with a fix for people running e1000e cards]

CentOS/RHEL/CloudLinux 6 kernels, as well as PCS/Virtuozzo/OpenVZ and CloudLinux 5 hybrid kernels were patched against multiple vulnerabilities fixed in RHEL 2.6.32-504 kernel.

Systems with AUTO_UPDATE=True (DEFAULT) in /etc/sysconfig/kcare/kcare.conf will automatically update, and no action is needed for them.

You can manually update the server by running:
# /usr/bin/kcarectl --update
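To audit a set of hosts for the condition above, here is an added shell helper (not part of KernelCare or of this post) that reads AUTO_UPDATE from a kcare.conf and reports whether the host will pick up the patchset on its own or still needs a manual `kcarectl --update`. It assumes the key is written as `AUTO_UPDATE=<value>` (optionally quoted, possibly with a trailing `#` comment) and that a missing file or key means the documented default, True.

```shell
#!/bin/sh
# Added example, not KernelCare's own tooling. Reads AUTO_UPDATE from a kcare.conf
# and reports whether the host self-updates or needs a manual "kcarectl --update".
# Assumptions: key written as AUTO_UPDATE=<value> (optionally quoted, optional
# trailing "# comment"); a missing file or key means the documented default, True.

# kcare_auto_update_value CONF_FILE -> prints the effective AUTO_UPDATE value
kcare_auto_update_value() {
    conf="$1"
    val=""
    if [ -r "$conf" ]; then
        # last assignment wins; drop inline comment, surrounding quotes, trailing spaces
        val=$(sed -n 's/^[[:space:]]*AUTO_UPDATE[[:space:]]*=[[:space:]]*//p' "$conf" \
              | tail -n 1 \
              | sed -e 's/[[:space:]]*#.*$//' -e 's/^["'"'"']//' -e 's/["'"'"']$//' \
                    -e 's/[[:space:]]*$//')
    fi
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'True\n'   # documented default when the key is absent
    fi
}

# kcare_needs_manual_update CONF_FILE -> prints "auto" or "manual"
kcare_needs_manual_update() {
    case "$(kcare_auto_update_value "$1")" in
        [Tt][Rr][Uu][Ee]) echo auto ;;
        *)                echo manual ;;
    esac
}

# Constructed demo: two sample configs in a temp dir plus one missing file.
demo() {
    dir=$(mktemp -d)
    printf 'AUTO_UPDATE=True\n' > "$dir/host-a.conf"
    printf '# locked down by ops\nAUTO_UPDATE="False"  # manual patching only\n' \
        > "$dir/host-b.conf"
    for c in "$dir"/*.conf; do
        printf '%s: %s\n' "$(basename "$c" .conf)" "$(kcare_needs_manual_update "$c")"
    done
    printf 'missing: %s\n' "$(kcare_needs_manual_update "$dir/does-not-exist.conf")"
    rm -rf "$dir"
}

demo
```

Point the helper at /etc/sysconfig/kcare/kcare.conf on each host (for example over ssh) and act only on the hosts that print "manual".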

CVEs: CVE-2014-4608, CVE-2014-3122, CVE-2013-2596, CVE-2014-5045

Details:

  • CVE-2014-4608 lzo1x_decompress_safe() integer overflow
    The lzo decompressor can, if given malformed data, overrun the bounds of some variable types. The fix modifies the checking logic to detect such overruns before they happen.
  • CVE-2014-3122 mm: try_to_unmap_cluster() should lock_page() before mlocking
    It was found that the try_to_unmap_cluster() function in the Linux kernel's Memory Management subsystem did not properly handle page locking in certain cases, which could potentially trigger the BUG_ON() macro in the mlock_vma_page() function. A local, unprivileged user could use this flaw to crash the system.
  • CVE-2013-2596 integer overflow in fb_mmap
    An integer overflow flaw was found in the way the Linux kernel's Frame Buffer device implementation mapped kernel memory to user space via the mmap syscall. A local user able to access a frame buffer device file (/dev/fb*) could possibly use this flaw to escalate their privileges on the system.
  • CVE-2014-5045 vfs: refcount issues during unmount on symlink
    A flaw was found in the way the Linux kernel's VFS subsystem handled reference counting when performing unmount operations on symbolic links. A local, unprivileged user could use this flaw to exhaust all available memory on the system or, potentially, trigger a use-after-free error, resulting in a system crash or privilege escalation.
Comments 4

Guest - Ryan Smith on Friday, 17 October 2014 12:30

I'm getting the following error on multiple of my CL5 hybrid kernel servers when trying to apply the patch:

Unable to apply patch (/var/cache/kcare/65ddd11fc09946610af58d44aad7efb1e00a4cbd/3/kpatch.bin 3 255)

Any ideas?

Guest - Sandro Moeller on Friday, 17 October 2014 16:41

/usr/bin/kcarectl --update
Unknown Kernel


What can I do?

Guest - Petar Petrov on Saturday, 18 October 2014 05:16

Just installed KernelCare and got:

Unknown Kernel

My kernel is:
2.6.32-531.23.3.lve1.3.6.el6.x86_64
CloudLinux 6

Is this a known issue?

Guest - Igor Seletskiy on Saturday, 18 October 2014 15:35

This is still a beta kernel, we will start recognizing it later next week.
