Important kernel security update: new kernel 2.6.18-028stab122.1 for Virtuozzo Containers for Linux 4.6

Issue date: 2017-03-15

Applies to: Virtuozzo Containers for Linux 4.6

Virtuozzo Advisory ID: VZA-2017-016

1. Overview

This update provides a new Virtuozzo Containers for Linux 4.6 kernel 2.6.18-028stab122.1 based on the Red Hat Enterprise Linux 5 kernel 2.6.18-419.el5. This update is a rebase to a new Red Hat Enterprise Linux kernel. It provides security fixes inherited from the RHEL kernel and no internal fixes.

IMPORTANT: The security vulnerabilities mentioned in this advisory only affect the host but not the containers on it because DCCP is disabled in containers.

2. Security Fixes

• [Important] A use-after-free flaw was found in the way the Linux kernel’s Datagram Congestion Control Protocol (DCCP) implementation freed SKB (socket buffer) resources for a DCCP_PKT_REQUEST packet when the IPV6_RECVPKTINFO option is set on the socket. A local, unprivileged user could use this flaw to alter the kernel memory, allowing them to escalate their privileges on the system. (CVE-2017-6074)
• [Moderate] It was found that the Linux kernel’s Datagram Congestion Control Protocol (DCCP) implementation used the IPv4-only inet_sk_rebuild_header() function for both IPv4 and IPv6 DCCP connections, which could result in memory corruptions. A remote attacker could use this flaw to crash the system. (CVE-2017-2634)

3. Installing the Update

Install the update with the ‘vzup2date’ utility included in the Virtuozzo Containers for Linux 4.6 distribution.

4. References

• https://www.redhat.com/security/data/cve/CVE-2017-6074.html
• https://www.redhat.com/security/data/cve/CVE-2017-2634.html
• https://rhn.redhat.com/errata/RHSA-2017-0323.html
• https://rhn.redhat.com/errata/RHBA-2017-0274.html

The JSON file with the list of new and updated packages is available at JSON file.