Updated kernel-rt packages that fix multiple security issues, several bugs,and add various enhancements are now available for Red Hat Enterprise MRG2.5.Red Hat Product Security has rated this update as having Important securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.

The kernel-rt packages contain the Linux kernel, the core of any Linuxoperating system.* A flaw was found in the way the Linux kernel’s XFS file system handledreplacing of remote attributes under certain conditions. A local user withaccess to XFS file system mount could potentially use this flaw to escalatetheir privileges on the system. (CVE-2015-0274, Important)* A flaw was found in the way the Linux kernel’s splice() system callvalidated its parameters. On certain file systems, a local, unprivilegeduser could use this flaw to write past the maximum file size, and thuscrash the system. (CVE-2014-7822, Moderate)* A race condition flaw was found in the Linux kernel’s ext4 file systemimplementation that allowed a local, unprivileged user to crash the systemby simultaneously writing to a file and toggling the O_DIRECT flag usingfcntl(F_SETFL) on that file. (CVE-2014-8086, Moderate)* It was found that due to excessive files_lock locking, a soft lockupcould be triggered in the Linux kernel when performing asynchronous I/Ooperations. A local, unprivileged user could use this flaw to crash thesystem. (CVE-2014-8172, Moderate)* A NULL pointer dereference flaw was found in the way the Linux kernel’smadvise MADV_WILLNEED functionality handled page table locking. A local,unprivileged user could use this flaw to crash the system. (CVE-2014-8173,Moderate)Red Hat would like to thank Eric Windisch of the Docker project forreporting CVE-2015-0274, and Akira Fujita of NEC for reportingCVE-2014-7822.Bug fixes:* A patch removing the xt_connlimit revision zero ABI was not reverted inthe kernel-rt package, which caused problems because the iptables packagerequires this revision. A patch to remove the xt_connlimit revision 0 wasreverted from the kernel-rt sources to allow the iptables command toexecute correctly. (BZ#1169755)* With an older Mellanox Connect-IB (mlx4) driver present in the MRGRealtime kernel, a race condition could occur that would cause a loss ofconnection. The mlx4 driver was updated, resolving the race condition andallowing proper connectivity. (BZ#1182246)* The MRG Realtime kernel did not contain the appropriate code to resumeafter a device failed, causing the volume status after a repair to not beproperly updated. A “refresh needed” was still listed in the “lvs” outputafter executing the “lvchange –refresh” command. A patch was added thatadds the ability to correctly restore a transiently failed device uponresume. (BZ#1159803)* The sosreport executable would hang when reading/proc/net/rpc/use-gss-proxy because of faulty wait_queue logic in the prochandler. This wait_queue logic was removed from the proc handler, allowingthe reads to correctly return the current state. (BZ#1169900)Enhancements:* The MRG Realtime kernel-rt sources have been modified to take advantageof the updated 3.10 kernel sources that are available with the Red HatEnterprise Linux 7 releases. (BZ#1172844)* The MRG Realtime version of the e1000e driver has been updated to providesupport for the Intel I218-LM network adapter. (BZ#1191767)* The MRG Realtime kernel was updated to provide support for theMellanox Connect-IB (mlx5). (BZ#1171363)* The rt-firmware package has been updated to provide additional firmwarefiles required by the new version of the Red Hat Enterprise MRG 2.5 kernel(BZ#1184251)All kernel-rt users are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues and add theseenhancements. The system must be rebooted for this update to take effect.
Before applying this update, make sure all previously released erratarelevant to your system have been applied.For details on how to apply this update, refer to:https://access.redhat.com/articles/11258Red Hat Enterprise MRG v2 for Red Hat Enterprise Linux (version 6)

    MD5: be0cbb7eda20cb9f74def6fac55ea9c3SHA-256: ceb7b4247984ac951fa0b8b85c28a3c758b50665e475b739f72b12d013281654
    MD5: 374c7baa3870e4a22cfa11ce74ff04f2SHA-256: 78dfe401892b934d58fc8fcdb69c6e53d26eac52e729c9f1c5514f20536646be
    MD5: 1110d74e7088b2ef83470ac0383f4636SHA-256: 3e413a908267160f315d2b1cdbfb99d47c0c97c84290eeb73fe2e580d1662f50
    MD5: 5181a7cc21cc59d74939dac46eca74ebSHA-256: a69cf5b2fa0732cb10c318a7493c6926f07473e827fefa8489da943e92467c9d
    MD5: 56fc5c2a4124cd7eb6996ea4d90cfceaSHA-256: 158859e692a05b67fcc15da3ce62ea113007d63cb24f13e84c889e46782606af
    MD5: c65c52b66e3cfb040681e1dee045c5c8SHA-256: d2991b4a387c764723b3719c64982e87acedfcc5771adc5018d997bf3c50db97
    MD5: 4d2eeb72cc8085d7c73b380a7b47ad59SHA-256: 6c81ed536867696ec0647acfce24750d23f4b0c1158c063ed56db80bb0f5a9db
    MD5: b75b01969f191f92eb48c0a6043df1f0SHA-256: f3f220ea0e201b255346c0063d1e509e3a0703a35b646bed84c54ac92ab25e25
    MD5: f9f298dacfd38c1ba47bd15885a5e3e4SHA-256: f079da02e0b1b073c9bf3c35cceb0afe7cf7dcad8acd71ebf6d52d98d434226b
    MD5: 4ab896969eb7857f93d1f20d183b1ea1SHA-256: 274c132d8d76dfd05bae9148a25b3f944aec1fe95ed4574702de969bda4dccd0
    MD5: 7f17391ce9e249111004e69af7d56e28SHA-256: 97ea7faffae547dd48cccda83c6e8b8344bb083a6a2beeb60493aac3ab5791a1
    MD5: d20d3d21eb041db266d7011dabf54170SHA-256: ec4076bdd49fe55ca79ef881ab5d301dd9d586fd65efc085467c1ad74c0d1776
    MD5: 72ec6febf5ddfc8db67ac6747288690eSHA-256: ffdf06f3c54f796a6fd68d3b6e59fd14872ad8e20dd454236b9be798ce36de86
    MD5: de297d84a4ddd73b185018cd9756ef73SHA-256: 925aa3667e29e2af1bc4efa72e50f13a4319c9059d74c7c10f05b7854d092579
    MD5: 04b949fcedddf9a7f335c88fa4562635SHA-256: 90d422731c60a311066135d7624c76d5c8a0818d97e602a71ab27ff921a6e15a
    MD5: 61c3f46b63fc1cd3df56616a1bd8f9bdSHA-256: ae67f87ef00a3d73acf86198de5969425b06d65d2e1c3a223a61a6915dac3aff
(The unlinked packages above are only available from the Red Hat Network)
1151353 – CVE-2014-8086 Kernel: fs: ext4 race condition1163792 – CVE-2014-7822 kernel: splice: lack of generic write checks1169755 – iptables: Protocol wrong type for socket (regression, bisected)1171363 – realtime kernel does not support Mellanox Connect-IB(mlx5)1172844 – RFE: rebase the 3.10 kernel-rt1195248 – CVE-2015-0274 kernel: xfs: replacing remote attributes memory corruption1198457 – CVE-2014-8173 kernel: NULL pointer dereference in madvise(MADV_WILLNEED) support1198503 – CVE-2014-8172 kernel: soft lockup on aio

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:

Leave a Reply