Wim Coekaerts

Subscribe to Wim Coekaerts feed
Oracle Blogs
Updated: 3 weeks 3 days ago

ksplice

Fri, 2017-02-24 15:36
As many of you probably know by now, a few days ago there was a report of an old long-standing Linux bug that got fixed. Going back to kernels even down to 2.6.18 and possible earlier. This bug was recently fixed, see here.

Now, distribution vendors, including us, have released kernel updates that customers/users can download and install but as always a regular kernel upgrade requires a reboot. We have had ksplice as a service for Oracle Linux support customers for quite a few years now and we also support Ubuntu and Fedora for free for anyone (see here).

One thing that is not often talked about but, I believe is very powerful and I wanted to point out here, is the following:

Typically the distribution vendors (including us) will release an update kernel that's the 'latest' version with these CVEs fixed, but many customers run older versions of both the distribution and kernels. We now see some other vendors trying to provide the basics for some online patching but by and far it's based on one-offs and for specific kernels. A big part of the ksplice service is the backend infrastructure to easily build updates for literally a few 1000 kernels. This gives customers great flexibility. You can be on one of many dot-releases of the OS and you can use ksplice. Here is a list of example kernel versions for Oracle Linux that you could be running today and we provide updates for with ksplice,for ,for instance, this DCCP bug. That's a big difference with what other folks have been trying to mimic now that online patching has become more and more important for availability.

Here is an example kernel 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 08:34:17 PDT 2015 So that's a kernel built back in September of 2015, a random 'dot release' I run on one of my machines, and there's a ksplice patch available for these recent CVEs. I don't have to worry about having to install the 'latest' kernel, nor doing a reboot.

# uptrack-upgrade 
The following steps will be taken:
Install [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
Install [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

Go ahead [y/N]? y
Installing [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
Installing [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-642.15.1.el6

and done. That easy. My old 2.6.32-573.7.1 kernel looks like 2.6.32-642.15.1 in terms of critical fixes and CVEs.

# uptrack-show
Installed updates:
[cct5dnbf] Clear garbage data on the kernel stack when handling signals.
[ektd95cj] Reduce usage of reserved percpu memory.
[uuhgbl3e] Remote denial-of-service in Brocade Ethernet driver.
[kg3f16ii] CVE-2015-7872: Denial-of-service when garbage collecting uninstantiated keyring.
[36ng2h1l] CVE-2015-7613: Privilege escalation in IPC object initialization.
[33jwvtbb] CVE-2015-5307: KVM host denial-of-service in alignment check.
[38gzh9gl] CVE-2015-8104: KVM host denial-of-service in debug exception.
[6wvrdj93] CVE-2015-2925: Privilege escalation in bind mounts inside namespaces.
[1l4i9dfh] CVE-2016-0774: Information leak in the pipe system call on failed atomic read.
[xu4auj49] CVE-2015-5157: Disable modification of LDT by userspace processes.
[554ck5nl] CVE-2015-8767: Denial-of-service in SCTP heartbeat timeout.
[adgeye5p] CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.
[5ojkw9lv] CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.
[gfr93o7j] CVE-2015-8324: NULL pointer dereference in ext4 on mount error.
[ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
[87lw5yyy] CVE-2015-8215: Remote denial-of-service of network traffic when changing the MTU.
[2bby9cuy] CVE-2010-5313, CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.
[orjsp65y] CVE-2015-5156: Denial-of-service in Virtio network device.
[5j4hp0ot] Device Mapper logic error when reloading the block multi-queue.
[a1e5kxp6] CVE-2016-4565: Privilege escalation in Infiniband ioctl.
[gfpg64bh] CVE-2016-5696: Session hijacking in TCP connections.
[b4ljcwin] Message corruption in pseudo terminal output.
[prijjgt5] CVE-2016-4470: Denial-of-service in the keyring subsystem.
[4y2f30ch] CVE-2016-5829: Memory corruption in unknown USB HID devices.
[j1mivn4f] Denial-of-service when resetting a Fibre Channel over Ethernet interface.
[nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
[97fe0h7s] CVE-2016-1583: Privilege escalation in eCryptfs.
[fdztfgcv] Denial-of-service when sending a TCP reset from the netfilter.
[gm4ldjjf] CVE-2016-6828: Use after free during TCP transmission.
[s8pymcf8] CVE-2016-7117: Denial-of-service in recvmmsg() error handling.
[1ktf7029] CVE-2016-4997, CVE-2016-4998: Privilege escalation in the Netfilter driver.
[f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
[5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

Effective kernel version is 2.6.32-642.15.1.el6

Here is the list of kernels we build modules for as part of Oracle Linux customers kernel choices:

oracle-2.6.18-238.0.0.0.1.el5
oracle-2.6.18-238.1.1.0.1.el5
oracle-2.6.18-238.5.1.0.1.el5
oracle-2.6.18-238.9.1.0.1.el5
oracle-2.6.18-238.12.1.0.1.el5
oracle-2.6.18-238.19.1.0.1.el5
oracle-2.6.18-274.0.0.0.1.el5
oracle-2.6.18-274.3.1.0.1.el5
oracle-2.6.18-274.7.1.0.1.el5
oracle-2.6.18-274.12.1.0.1.el5
oracle-2.6.18-274.17.1.0.1.el5
oracle-2.6.18-274.18.1.0.1.el5
oracle-2.6.18-308.0.0.0.1.el5
oracle-2.6.18-308.1.1.0.1.el5
oracle-2.6.18-308.4.1.0.1.el5
oracle-2.6.18-308.8.1.0.1.el5
oracle-2.6.18-308.8.2.0.1.el5
oracle-2.6.18-308.11.1.0.1.el5
oracle-2.6.18-308.13.1.0.1.el5
oracle-2.6.18-308.16.1.0.1.el5
oracle-2.6.18-308.20.1.0.1.el5
oracle-2.6.18-308.24.1.0.1.el5
oracle-2.6.18-348.0.0.0.1.el5
oracle-2.6.18-348.1.1.0.1.el5
oracle-2.6.18-348.2.1.0.1.el5
oracle-2.6.18-348.3.1.0.1.el5
oracle-2.6.18-348.4.1.0.1.el5
oracle-2.6.18-348.6.1.0.1.el5
oracle-2.6.18-348.12.1.0.1.el5
oracle-2.6.18-348.16.1.0.1.el5
oracle-2.6.18-348.18.1.0.1.el5
oracle-2.6.18-371.0.0.0.1.el5
oracle-2.6.18-371.1.2.0.1.el5
oracle-2.6.18-371.3.1.0.1.el5
oracle-2.6.18-371.4.1.0.1.el5
oracle-2.6.18-371.6.1.0.1.el5
oracle-2.6.18-371.8.1.0.1.el5
oracle-2.6.18-371.9.1.0.1.el5
oracle-2.6.18-371.11.1.0.1.el5
oracle-2.6.18-371.12.1.0.1.el5
oracle-2.6.18-398.0.0.0.1.el5
oracle-2.6.18-400.0.0.0.1.el5
oracle-2.6.18-400.1.1.0.1.el5
oracle-2.6.18-402.0.0.0.1.el5
oracle-2.6.18-404.0.0.0.1.el5
oracle-2.6.18-406.0.0.0.1.el5
oracle-2.6.18-407.0.0.0.1.el5
oracle-2.6.18-408.0.0.0.1.el5
oracle-2.6.18-409.0.0.0.1.el5
oracle-2.6.18-410.0.0.0.1.el5
oracle-2.6.18-411.0.0.0.1.el5
oracle-2.6.18-412.0.0.0.1.el5
oracle-2.6.18-416.0.0.0.1.el5
oracle-2.6.18-417.0.0.0.1.el5
oracle-2.6.18-418.0.0.0.1.el5
oracle-2.6.32-642.0.0.0.1.el6
oracle-3.10.0-514.6.1.0.1.el7
oracle-3.10.0-514.6.2.0.1.el7
oracle-uek-2.6.39-100.5.1
oracle-uek-2.6.39-100.6.1
oracle-uek-2.6.39-100.7.1
oracle-uek-2.6.39-100.10.1
oracle-uek-2.6.39-200.24.1
oracle-uek-2.6.39-200.29.1
oracle-uek-2.6.39-200.29.2
oracle-uek-2.6.39-200.29.3
oracle-uek-2.6.39-200.31.1
oracle-uek-2.6.39-200.32.1
oracle-uek-2.6.39-200.33.1
oracle-uek-2.6.39-200.34.1
oracle-uek-2.6.39-300.17.1
oracle-uek-2.6.39-300.17.2
oracle-uek-2.6.39-300.17.3
oracle-uek-2.6.39-300.26.1
oracle-uek-2.6.39-300.28.1
oracle-uek-2.6.39-300.32.4
oracle-uek-2.6.39-400.17.1
oracle-uek-2.6.39-400.17.2
oracle-uek-2.6.39-400.21.1
oracle-uek-2.6.39-400.21.2
oracle-uek-2.6.39-400.23.1
oracle-uek-2.6.39-400.24.1
oracle-uek-2.6.39-400.109.1
oracle-uek-2.6.39-400.109.3
oracle-uek-2.6.39-400.109.4
oracle-uek-2.6.39-400.109.5
oracle-uek-2.6.39-400.109.6
oracle-uek-2.6.39-400.209.1
oracle-uek-2.6.39-400.209.2
oracle-uek-2.6.39-400.210.2
oracle-uek-2.6.39-400.211.1
oracle-uek-2.6.39-400.211.2
oracle-uek-2.6.39-400.211.3
oracle-uek-2.6.39-400.212.1
oracle-uek-2.6.39-400.214.1
oracle-uek-2.6.39-400.214.3
oracle-uek-2.6.39-400.214.4
oracle-uek-2.6.39-400.214.5
oracle-uek-2.6.39-400.214.6
oracle-uek-2.6.39-400.215.1
oracle-uek-2.6.39-400.215.2
oracle-uek-2.6.39-400.215.3
oracle-uek-2.6.39-400.215.4
oracle-uek-2.6.39-400.215.6
oracle-uek-2.6.39-400.215.7
oracle-uek-2.6.39-400.215.10
oracle-uek-2.6.39-400.215.11
oracle-uek-2.6.39-400.215.12
oracle-uek-2.6.39-400.215.13
oracle-uek-2.6.39-400.215.14
oracle-uek-2.6.39-400.215.15
oracle-uek-2.6.39-400.243.1
oracle-uek-2.6.39-400.245.1
oracle-uek-2.6.39-400.246.2
oracle-uek-2.6.39-400.247.1
oracle-uek-2.6.39-400.248.3
oracle-uek-2.6.39-400.249.1
oracle-uek-2.6.39-400.249.3
oracle-uek-2.6.39-400.249.4
oracle-uek-2.6.39-400.250.2
oracle-uek-2.6.39-400.250.4
oracle-uek-2.6.39-400.250.5
oracle-uek-2.6.39-400.250.6
oracle-uek-2.6.39-400.250.7
oracle-uek-2.6.39-400.250.9
oracle-uek-2.6.39-400.250.10
oracle-uek-2.6.39-400.250.11
oracle-uek-2.6.39-400.264.1
oracle-uek-2.6.39-400.264.4
oracle-uek-2.6.39-400.264.5
oracle-uek-2.6.39-400.264.6
oracle-uek-2.6.39-400.264.13
oracle-uek-2.6.39-400.276.1
oracle-uek-2.6.39-400.277.1
oracle-uek-2.6.39-400.278.1
oracle-uek-2.6.39-400.278.2
oracle-uek-2.6.39-400.278.3
oracle-uek-2.6.39-400.280.1
oracle-uek-2.6.39-400.281.1
oracle-uek-2.6.39-400.282.1
oracle-uek-2.6.39-400.283.1
oracle-uek-2.6.39-400.283.2
oracle-uek-2.6.39-400.284.1
oracle-uek-2.6.39-400.284.2
oracle-uek-2.6.39-400.286.2
oracle-uek-2.6.39-400.286.3
oracle-uek-2.6.39-400.290.1
oracle-uek-2.6.39-400.290.2
oracle-uek-2.6.39-400.293.1
oracle-uek-2.6.39-400.293.2
oracle-uek-2.6.39-400.294.1
oracle-uek-2.6.39-400.294.2
oracle-uek-2.6.39-400.128.21
oracle-uek-3.8.13-16
oracle-uek-3.8.13-16.1.1
oracle-uek-3.8.13-16.2.1
oracle-uek-3.8.13-16.2.2
oracle-uek-3.8.13-16.2.3
oracle-uek-3.8.13-16.3.1
oracle-uek-3.8.13-26
oracle-uek-3.8.13-26.1.1
oracle-uek-3.8.13-26.2.1
oracle-uek-3.8.13-26.2.2
oracle-uek-3.8.13-26.2.3
oracle-uek-3.8.13-26.2.4
oracle-uek-3.8.13-35
oracle-uek-3.8.13-35.1.1
oracle-uek-3.8.13-35.1.2
oracle-uek-3.8.13-35.1.3
oracle-uek-3.8.13-35.3.1
oracle-uek-3.8.13-35.3.2
oracle-uek-3.8.13-35.3.3
oracle-uek-3.8.13-35.3.4
oracle-uek-3.8.13-35.3.5
oracle-uek-3.8.13-44
oracle-uek-3.8.13-44.1.1
oracle-uek-3.8.13-44.1.3
oracle-uek-3.8.13-44.1.4
oracle-uek-3.8.13-44.1.5
oracle-uek-3.8.13-55
oracle-uek-3.8.13-55.1.1
oracle-uek-3.8.13-55.1.2
oracle-uek-3.8.13-55.1.5
oracle-uek-3.8.13-55.1.6
oracle-uek-3.8.13-55.1.8
oracle-uek-3.8.13-55.2.1
oracle-uek-3.8.13-68
oracle-uek-3.8.13-68.1.2
oracle-uek-3.8.13-68.1.3
oracle-uek-3.8.13-68.2.2
oracle-uek-3.8.13-68.2.2.1
oracle-uek-3.8.13-68.2.2.2
oracle-uek-3.8.13-68.3.1
oracle-uek-3.8.13-68.3.2
oracle-uek-3.8.13-68.3.3
oracle-uek-3.8.13-68.3.4
oracle-uek-3.8.13-68.3.5
oracle-uek-3.8.13-98
oracle-uek-3.8.13-98.1.1
oracle-uek-3.8.13-98.1.2
oracle-uek-3.8.13-98.2.1
oracle-uek-3.8.13-98.2.2
oracle-uek-3.8.13-98.4.1
oracle-uek-3.8.13-98.5.2
oracle-uek-3.8.13-98.6.1
oracle-uek-3.8.13-98.7.1
oracle-uek-3.8.13-98.8.1
oracle-uek-3.8.13-118
oracle-uek-3.8.13-118.2.1
oracle-uek-3.8.13-118.2.2
oracle-uek-3.8.13-118.2.4
oracle-uek-3.8.13-118.2.5
oracle-uek-3.8.13-118.3.1
oracle-uek-3.8.13-118.3.2
oracle-uek-3.8.13-118.4.1
oracle-uek-3.8.13-118.4.2
oracle-uek-3.8.13-118.6.1
oracle-uek-3.8.13-118.6.2
oracle-uek-3.8.13-118.7.1
oracle-uek-3.8.13-118.8.1
oracle-uek-3.8.13-118.9.1
oracle-uek-3.8.13-118.9.2
oracle-uek-3.8.13-118.10.2
oracle-uek-3.8.13-118.11.2
oracle-uek-3.8.13-118.13.2
oracle-uek-3.8.13-118.13.3
oracle-uek-3.8.13-118.14.1
oracle-uek-3.8.13-118.14.2
oracle-uek-3.8.13-118.15.1
oracle-uek-3.8.13-118.15.2
oracle-uek-3.8.13-118.15.3
oracle-uek-3.8.13-118.16.2
oracle-uek-3.8.13-118.16.3
oracle-uek-4.1.12-32
oracle-uek-4.1.12-32.1.2
oracle-uek-4.1.12-32.1.3
oracle-uek-4.1.12-32.2.1
oracle-uek-4.1.12-32.2.3
oracle-uek-4.1.12-37.2.1
oracle-uek-4.1.12-37.2.2
oracle-uek-4.1.12-37.3.1
oracle-uek-4.1.12-37.4.1
oracle-uek-4.1.12-37.5.1
oracle-uek-4.1.12-37.6.1
oracle-uek-4.1.12-37.6.2
oracle-uek-4.1.12-37.6.3
oracle-uek-4.1.12-61.1.6
oracle-uek-4.1.12-61.1.9
oracle-uek-4.1.12-61.1.10
oracle-uek-4.1.12-61.1.13
oracle-uek-4.1.12-61.1.14
oracle-uek-4.1.12-61.1.16
oracle-uek-4.1.12-61.1.17
oracle-uek-4.1.12-61.1.18
oracle-uek-4.1.12-61.1.19
oracle-uek-4.1.12-61.1.21
oracle-uek-4.1.12-61.1.22
oracle-uek-4.1.12-61.1.23
oracle-uek-4.1.12-61.1.24
oracle-uek-4.1.12-61.1.25
oracle-uek-4.1.12-61.1.27
rhel-2.6.32-71.el6
rhel-2.6.32-71.7.1.el6
rhel-2.6.32-71.14.1.el6
rhel-2.6.32-71.18.1.el6
rhel-2.6.32-71.18.2.el6
rhel-2.6.32-71.24.1.el6
rhel-2.6.32-71.29.1.el6
rhel-2.6.32-131.0.15.el6
rhel-2.6.32-131.2.1.el6
rhel-2.6.32-131.4.1.el6
rhel-2.6.32-131.6.1.el6
rhel-2.6.32-131.12.1.el6
rhel-2.6.32-131.17.1.el6
rhel-2.6.32-131.21.1.el6
rhel-2.6.32-220.el6
rhel-2.6.32-220.2.1.el6
rhel-2.6.32-220.4.1.el6
rhel-2.6.32-220.4.2.el6
rhel-2.6.32-220.7.1.el6
rhel-2.6.32-220.13.1.el6
rhel-2.6.32-220.17.1.el6
rhel-2.6.32-220.23.1.el6
rhel-2.6.32-279.el6
rhel-2.6.32-279.1.1.el6
rhel-2.6.32-279.2.1.el6
rhel-2.6.32-279.5.1.el6
rhel-2.6.32-279.5.2.el6
rhel-2.6.32-279.9.1.el6
rhel-2.6.32-279.11.1.el6
rhel-2.6.32-279.14.1.el6
rhel-2.6.32-279.19.1.el6
rhel-2.6.32-279.22.1.el6
rhel-2.6.32-358.el6
rhel-2.6.32-358.0.1.el6
rhel-2.6.32-358.2.1.el6
rhel-2.6.32-358.6.1.el6
rhel-2.6.32-358.6.2.el6
rhel-2.6.32-358.6.2.el6.x86_64.crt1
rhel-2.6.32-358.11.1.el6
rhel-2.6.32-358.14.1.el6
rhel-2.6.32-358.18.1.el6
rhel-2.6.32-358.23.2.el6
rhel-2.6.32-431.el6
rhel-2.6.32-431.1.2.el6
rhel-2.6.32-431.3.1.el6
rhel-2.6.32-431.5.1.el6
rhel-2.6.32-431.11.2.el6
rhel-2.6.32-431.17.1.el6
rhel-2.6.32-431.20.3.el6
rhel-2.6.32-431.20.5.el6
rhel-2.6.32-431.23.3.el6
rhel-2.6.32-431.29.2.el6
rhel-2.6.32-504.el6
rhel-2.6.32-504.1.3.el6
rhel-2.6.32-504.3.3.el6
rhel-2.6.32-504.8.1.el6
rhel-2.6.32-504.12.2.el6
rhel-2.6.32-504.16.2.el6
rhel-2.6.32-504.23.4.el6
rhel-2.6.32-504.30.3.el6
rhel-2.6.32-573.el6
rhel-2.6.32-573.1.1.el6
rhel-2.6.32-573.3.1.el6
rhel-2.6.32-573.7.1.el6
rhel-2.6.32-573.8.1.el6
rhel-2.6.32-573.12.1.el6
rhel-2.6.32-573.18.1.el6
rhel-2.6.32-573.22.1.el6
rhel-2.6.32-573.26.1.el6
rhel-2.6.32-642.el6
rhel-2.6.32-642.1.1.el6
rhel-2.6.32-642.3.1.el6
rhel-2.6.32-642.4.2.el6
rhel-2.6.32-642.6.1.el6
rhel-2.6.32-642.6.2.el6
rhel-2.6.32-642.11.1.el6
rhel-2.6.32-642.13.1.el6
rhel-2.6.32-642.13.2.el6
rhel-3.10.0-123.el7
rhel-3.10.0-123.1.2.el7
rhel-3.10.0-123.4.2.el7
rhel-3.10.0-123.4.4.el7
rhel-3.10.0-123.6.3.el7
rhel-3.10.0-123.8.1.el7
rhel-3.10.0-123.9.2.el7
rhel-3.10.0-123.9.3.el7
rhel-3.10.0-123.13.1.el7
rhel-3.10.0-123.13.2.el7
rhel-3.10.0-123.20.1.el7
rhel-3.10.0-229.el7
rhel-3.10.0-229.1.2.el7
rhel-3.10.0-229.4.2.el7
rhel-3.10.0-229.7.2.el7
rhel-3.10.0-229.11.1.el7
rhel-3.10.0-229.14.1.el7
rhel-3.10.0-229.20.1.el6.x86_64.knl2
rhel-3.10.0-229.20.1.el7
rhel-3.10.0-327.el7
rhel-3.10.0-327.3.1.el7
rhel-3.10.0-327.4.4.el7
rhel-3.10.0-327.4.5.el7
rhel-3.10.0-327.10.1.el7
rhel-3.10.0-327.13.1.el7
rhel-3.10.0-327.18.2.el7
rhel-3.10.0-327.22.2.el7
rhel-3.10.0-327.28.2.el7
rhel-3.10.0-327.28.3.el7
rhel-3.10.0-327.36.1.el7
rhel-3.10.0-327.36.2.el7
rhel-3.10.0-327.36.3.el7
rhel-3.10.0-514.el7
rhel-3.10.0-514.2.2.el7
rhel-3.10.0-514.6.1.el7
rhel-3.10.0-514.6.2.el7
rhel-2.6.18-92.1.10.el5
rhel-2.6.18-92.1.13.el5
rhel-2.6.18-92.1.17.el5
rhel-2.6.18-92.1.18.el5
rhel-2.6.18-92.1.22.el5
rhel-2.6.18-128.el5
rhel-2.6.18-128.1.1.el5
rhel-2.6.18-128.1.6.el5
rhel-2.6.18-128.1.10.el5
rhel-2.6.18-128.1.14.el5
rhel-2.6.18-128.1.16.el5
rhel-2.6.18-128.2.1.el5
rhel-2.6.18-128.4.1.el5
rhel-2.6.18-128.7.1.el5
rhel-2.6.18-149.el5
rhel-2.6.18-164.el5
rhel-2.6.18-164.2.1.el5
rhel-2.6.18-164.6.1.el5
rhel-2.6.18-164.9.1.el5
rhel-2.6.18-164.10.1.el5
rhel-2.6.18-164.11.1.el5
rhel-2.6.18-164.15.1.el5
rhel-2.6.18-194.el5
rhel-2.6.18-194.3.1.el5
rhel-2.6.18-194.8.1.el5
rhel-2.6.18-194.11.1.el5
rhel-2.6.18-194.11.3.el5
rhel-2.6.18-194.11.4.el5
rhel-2.6.18-194.17.1.el5
rhel-2.6.18-194.17.4.el5
rhel-2.6.18-194.26.1.el5
rhel-2.6.18-194.32.1.el5
rhel-2.6.18-238.el5
rhel-2.6.18-238.1.1.el5
rhel-2.6.18-238.5.1.el5
rhel-2.6.18-238.9.1.el5
rhel-2.6.18-238.12.1.el5
rhel-2.6.18-238.19.1.el5
rhel-2.6.18-274.el5
rhel-2.6.18-274.3.1.el5
rhel-2.6.18-274.7.1.el5
rhel-2.6.18-274.12.1.el5
rhel-2.6.18-274.17.1.el5
rhel-2.6.18-274.18.1.el5
rhel-2.6.18-308.el5
rhel-2.6.18-308.1.1.el5
rhel-2.6.18-308.4.1.el5
rhel-2.6.18-308.8.1.el5
rhel-2.6.18-308.8.2.el5
rhel-2.6.18-308.11.1.el5
rhel-2.6.18-308.13.1.el5
rhel-2.6.18-308.16.1.el5
rhel-2.6.18-308.20.1.el5
rhel-2.6.18-308.24.1.el5
rhel-2.6.18-348.el5
rhel-2.6.18-348.1.1.el5
rhel-2.6.18-348.2.1.el5
rhel-2.6.18-348.3.1.el5
rhel-2.6.18-348.4.1.el5
rhel-2.6.18-348.6.1.el5
rhel-2.6.18-348.12.1.el5
rhel-2.6.18-348.16.1.el5
rhel-2.6.18-348.18.1.el5
rhel-2.6.18-371.el5
rhel-2.6.18-371.1.2.el5
rhel-2.6.18-371.3.1.el5
rhel-2.6.18-371.4.1.el5
rhel-2.6.18-371.6.1.el5
rhel-2.6.18-371.8.1.el5
rhel-2.6.18-371.9.1.el5
rhel-2.6.18-371.11.1.el5
rhel-2.6.18-371.12.1.el5
rhel-2.6.18-398.el5
rhel-2.6.18-400.el5
rhel-2.6.18-400.1.1.el5
rhel-2.6.18-402.el5
rhel-2.6.18-404.el5
rhel-2.6.18-406.el5
rhel-2.6.18-407.el5
rhel-2.6.18-408.el5
rhel-2.6.18-409.el5
rhel-2.6.18-410.el5
rhel-2.6.18-411.el5
rhel-2.6.18-412.el5
rhel-2.6.18-416.el5
rhel-2.6.18-417.el5
rhel-2.6.18-418.el5

compare that to kpatch or kgraft or so.

Yes

Fri, 2016-11-04 16:22
More Linux work :)

Yes

Fri, 2016-11-04 16:22
More Linux work :)

glibc CVE re: getaddrinfo() and userspace ksplice

Sat, 2016-02-20 17:48
I have my own server with Oracle Linux 6 (of course) where I host a ton of personal stuff and this server was also affected by the nasty DNS bug from last week (see : CVE-2015-7547 ). Everyone really should update glibc and make sure their system is patched (any distribution) by the way - this is a very serious vulnerability... The nice thing, however, was that this is a perfect example for user space ksplice patching. A quick ksplice update for glibc on this box, and it was patched, no restarting the system no restarting sshd or any other app for that matter. A split microsecond and life goes on happily. Nothing affected, no downtime, no pauses, no hiccups. That's the way to patch these things.

userspace ksplice

Most awesomely cool stuff. Solving real world problems. Imagine running a few 100 docker instances or a couple of Linux containers and you have to update the host's glibc and bring all that down... talk about impact.

kernel patches ... check

critical OS libraries like SSL and GLIBC ... check.

Oracle Linux 6 and 7 support ... check

glibc CVE re: getaddrinfo() and userspace ksplice

Sat, 2016-02-20 17:48
I have my own server with Oracle Linux 6 (of course) where I host a ton of personal stuff and this server was also affected by the nasty DNS bug from last week (see : CVE-2015-7547 ). Everyone really should update glibc and make sure their system is patched (any distribution) by the way - this is a very serious vulnerability... The nice thing, however, was that this is a perfect example for user space ksplice patching. A quick ksplice update for glibc on this box, and it was patched, no restarting the system no restarting sshd or any other app for that matter. A split microsecond and life goes on happily. Nothing affected, no downtime, no pauses, no hiccups. That's the way to patch these things.

userspace ksplice

Most awesomely cool stuff. Solving real world problems. Imagine running a few 100 docker instances or a couple of Linux containers and you have to update the host's glibc and bring all that down... talk about impact.

kernel patches ... check

critical OS libraries like SSL and GLIBC ... check.

Oracle Linux 6 and 7 support ... check

Secure Boot support with Oracle Linux 7.1

Fri, 2015-03-13 13:04
Update : as my PM team pointed out to me - it's listed as Tech Preview for OL7.1 not GA/production in the release notes - just making sure I add this disclaimer ;)

Another feature introduced with Oracle Linux 7.1 is support for Secure Boot.

If Secure Boot is enabled on a system (typically desktop, but in some cases also servers) - the system can have an embedded certificate (in firmware). This certificate can be one that's uploaded to the system by the admin or it could be one provided by the OEM/OS vendor. In many cases, in particular newer desktops, the system already contains the Microsoft key. (there can be more than one certificate uploaded...). When the firmware loads the boot loader, it verifies/checks the signature of this bootloader with the key stored in firmware before continuing. This signed bootloader (at this point trusted to continue) will then load a signed kernel, or signed second stage boot loader and verify it before starting and continuing the boot process. This creates what is called a chain of trust through the boot process.

We ship a 1st stage bootloader with Oracle Linux 7.1 which is a tiny "shim" layer that is signed by both Microsoft and Oracle. So if a system comes with Secure Boot support, and already ships the microsoft PK, then the shim layer will be started, verified, and if it passes verification, it will then load grub2 (the real bootloader). grub2 is signed by us (Oracle). The signed/verified shim layer contains the Oracle key and will validate that grub2 is ours (signed), if verification passes, grub2 will load the Oracle Linux kernel, and the same process takes place, our kernel is signed by us (Oracle) and grub2 will validate the signature prior to allowing execution of the kernel. Once the kernel is running, all kernel modules that we ship as part of Oracle Linux whether it's standard included kernel modules as part of the kernel RPM or external kernel modules used with Oracle Ksplice, are also signed by Oracle and the kernel will validate the signature prior to loading these kernel modules.

Enabling loading and verification of signed kernel modules is done by adding enforcemodulesig=1 to the grub kernel option line. In enforcing mode, any kernel module that is attempted to be loaded that's not signed by Oracle will fail to load.

If a system has Secure Boot support but a sysadmin wants to use the Oracle signature instead, we will make our certificate available to be downloaded securely from Oracle and then this can be uploaded into the firmware key database.

Secure Boot support with Oracle Linux 7.1

Fri, 2015-03-13 13:04
Update : as my PM team pointed out to me - it's listed as Tech Preview for OL7.1 not GA/production in the release notes - just making sure I add this disclaimer ;)

Another feature introduced with Oracle Linux 7.1 is support for Secure Boot.

If Secure Boot is enabled on a system (typically desktop, but in some cases also servers) - the system can have an embedded certificate (in firmware). This certificate can be one that's uploaded to the system by the admin or it could be one provided by the OEM/OS vendor. In many cases, in particular newer desktops, the system already contains the Microsoft key. (there can be more than one certificate uploaded...). When the firmware loads the boot loader, it verifies/checks the signature of this bootloader with the key stored in firmware before continuing. This signed bootloader (at this point trusted to continue) will then load a signed kernel, or signed second stage boot loader and verify it before starting and continuing the boot process. This creates what is called a chain of trust through the boot process.

We ship a 1st stage bootloader with Oracle Linux 7.1 which is a tiny "shim" layer that is signed by both Microsoft and Oracle. So if a system comes with Secure Boot support, and already ships the microsoft PK, then the shim layer will be started, verified, and if it passes verification, it will then load grub2 (the real bootloader). grub2 is signed by us (Oracle). The signed/verified shim layer contains the Oracle key and will validate that grub2 is ours (signed), if verification passes, grub2 will load the Oracle Linux kernel, and the same process takes place, our kernel is signed by us (Oracle) and grub2 will validate the signature prior to allowing execution of the kernel. Once the kernel is running, all kernel modules that we ship as part of Oracle Linux whether it's standard included kernel modules as part of the kernel RPM or external kernel modules used with Oracle Ksplice, are also signed by Oracle and the kernel will validate the signature prior to loading these kernel modules.

Enabling loading and verification of signed kernel modules is done by adding enforcemodulesig=1 to the grub kernel option line. In enforcing mode, any kernel module that is attempted to be loaded that's not signed by Oracle will fail to load.

If a system has Secure Boot support but a sysadmin wants to use the Oracle signature instead, we will make our certificate available to be downloaded securely from Oracle and then this can be uploaded into the firmware key database.

Oracle Linux 7.1 and MySQL 5.6

Thu, 2015-03-12 22:47
Yesterday we released Oracle Linux 7 update 1. The individual RPM updates are available from both public-yum (our free, open, public yum repo site) and Oracle Linux Network. The install ISOs can be downloaded from My Oracle Support right away and the public downloadable ISOs will be made available in the next few days from the usual e-delivery site. The ISOs will also, as usual, be mirrored to other mirror sites that also make Oracle Linux freely available.

One update in Oracle linux 7 update 1 that I wanted to point out is the convenience of upgrading to MySQL 5.6 at install time. Oracle Linux 7 GA includes MariaDB 5.5 (due to our compatibility commitment in terms of exact packages and the same packages) and we added MySQL 5.6 RPMs on the ISO image (and in the yum repo channels online). So while it was easy for someone to download and upgrade from MariaDB 5.5 to MySQL 5.6 there was no install option. Now with 7.1 we included an installation option for MySQL. So you can decide which database to install in the installer or through kickstart with @mariadb or @mysql as a group. Again, MariaDB 5.5 is also part of Oracle Linux 7.1 and any users that are looking for strict package compatibility will see that we are very much that. All we have done is make it easy to have a better alternative option (1) conveniently available and integrated (2) without any compatibility risks whatsoever so you can easily run the real standard that is MySQL. A bug fix if you will.

I have a little screenshot available here.

Enjoy.

Oracle Linux 7.1 and MySQL 5.6

Thu, 2015-03-12 22:47
Yesterday we released Oracle Linux 7 update 1. The individual RPM updates are available from both public-yum (our free, open, public yum repo site) and Oracle Linux Network. The install ISOs can be downloaded from My Oracle Support right away and the public downloadable ISOs will be made available in the next few days from the usual e-delivery site. The ISOs will also, as usual, be mirrored to other mirror sites that also make Oracle Linux freely available.

One update in Oracle linux 7 update 1 that I wanted to point out is the convenience of upgrading to MySQL 5.6 at install time. Oracle Linux 7 GA includes MariaDB 5.5 (due to our compatibility commitment in terms of exact packages and the same packages) and we added MySQL 5.6 RPMs on the ISO image (and in the yum repo channels online). So while it was easy for someone to download and upgrade from MariaDB 5.5 to MySQL 5.6 there was no install option. Now with 7.1 we included an installation option for MySQL. So you can decide which database to install in the installer or through kickstart with @mariadb or @mysql as a group. Again, MariaDB 5.5 is also part of Oracle Linux 7.1 and any users that are looking for strict package compatibility will see that we are very much that. All we have done is make it easy to have a better alternative option (1) conveniently available and integrated (2) without any compatibility risks whatsoever so you can easily run the real standard that is MySQL. A bug fix if you will.

I have a little screenshot available here.

Enjoy.

Oracle Linux and Database Smart Flash Cache

Tue, 2015-02-24 14:07
One, sometimes overlooked, cool feature of the Oracle Database running on Oracle Linux is called Database Smart Flash Cache.

You can find an overview of the feature in the Oracle Database Administrator's Guide. Basically, if you have flash devices attached to your server, you can use this flash memory to increase the size of the buffer cache. So instead of aging blocks out of the buffer cache and having to go back to reading them from disk, they move to the much, much faster flash storage as a secondary fast buffer cache (for reads, not writes).

Some scenarios where this is very useful : you have huge tables and huge amounts of data, a very, very large database with tons of query activity (let's say many TB) and your server is limited to a relatively small amount of main RAM - (let's say 128 or 256G). In this case, if you were to purchase and add a flash storage device of 256G or 512G (example), you can attach this device to the database with the Database Smart Flash Cache feature and increase the buffercache of your database from like 100G or 200G to 300-700G on that same server. In a good number of cases this will give you a significant performance improvement without having to purchase a new server that handles more memory or purchase flash storage that can handle your many TB of storage to live in flash instead of rotational storage.

It is also incredibly easy to configure.

-1 install Oracle Linux (I installed Oracle Linux 6 with UEK3)
-2 install Oracle Database 12c (this would also work with 11g - I installed 12.1.0.2.0 EE)
-3 add a flash device to your system (for the example I just added a 1GB device showing up as /dev/sdb)
-4 attach the storage to the database in sqlplus
Done.

$ ls /dev/sdb/dev/sdb$ sqlplus '/ as sysdba'SQL*Plus: Release 12.1.0.2.0 Production on Tue Feb 24 05:46:08 2015Copyright (c) 1982, 2014, Oracle. All rights reserved.Connected to:Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit ProductionWith the Partitioning, OLAP, Advanced Analytics and Real Application Testing optionsSQL> alter system set db_flash_cache_file='/dev/sdb' scope=spfile;System altered.SQL> alter system set db_flash_cache_size=1G scope=spfile;System altered.SQL> shutdown immediate;Database closed.Database dismounted.ORACLE instance shut down.SQL> startupORACLE instance started.Total System Global Area 4932501504 bytesFixed Size

2934456 bytesVariable Size

1023412552 bytesDatabase Buffers

3892314112 bytesRedo Buffers

13840384 bytesDatabase mounted.Database opened.SQL> show parameters flashNAME

TYPE

VALUE------------------------------------ ----------- ------------------------------db_flash_cache_file

string

/dev/sdbdb_flash_cache_size

big integer 1Gdb_flashback_retention_target

integer

1440SQL> select * from v$flashfilestat; FLASHFILE#----------NAME-------------------------------------------------------------------------------- BYTES ENABLED SINGLEBLKRDS SINGLEBLKRDTIM_MICRO CON_ID---------- ---------- ------------ -------------------- ----------

1/dev/sdb1073741824

1

0

0

0

You can get more information on configuration and guidelines/tuning here.If you want selective control of which tables can use or will use the Database Smart Flash Cache, you can use the ALTER TABLE command. See here. Specifically the STORAGE clause. By default, the tables are aged out into the flash cache but if you don't want certain tables to be cached you can use the NONE option. alter table foo storage (flash_cache none);This feature can really make a big difference in a number of database environments and I highly recommend taking a look at how Oracle Linux and Oracle Database 12c can help you enhance your setup. It's included with the database running on Oracle Linux.

Here is a link to a white paper that gives a bit of a performance overview.

Oracle Linux and Database Smart Flash Cache

Tue, 2015-02-24 14:07
One, sometimes overlooked, cool feature of the Oracle Database running on Oracle Linux is called Database Smart Flash Cache.

You can find an overview of the feature in the Oracle Database Administrator's Guide. Basically, if you have flash devices attached to your server, you can use this flash memory to increase the size of the buffer cache. So instead of aging blocks out of the buffer cache and having to go back to reading them from disk, they move to the much, much faster flash storage as a secondary fast buffer cache (for reads, not writes).

Some scenarios where this is very useful : you have huge tables and huge amounts of data, a very, very large database with tons of query activity (let's say many TB) and your server is limited to a relatively small amount of main RAM - (let's say 128 or 256G). In this case, if you were to purchase and add a flash storage device of 256G or 512G (example), you can attach this device to the database with the Database Smart Flash Cache feature and increase the buffercache of your database from like 100G or 200G to 300-700G on that same server. In a good number of cases this will give you a significant performance improvement without having to purchase a new server that handles more memory or purchase flash storage that can handle your many TB of storage to live in flash instead of rotational storage.

It is also incredibly easy to configure.

-1 install Oracle Linux (I installed Oracle Linux 6 with UEK3)
-2 install Oracle Database 12c (this would also work with 11g - I installed 12.1.0.2.0 EE)
-3 add a flash device to your system (for the example I just added a 1GB device showing up as /dev/sdb)
-4 attach the storage to the database in sqlplus
Done.

$ ls /dev/sdb
/dev/sdb

$ sqlplus '/ as sysdba'

SQL*Plus: Release 12.1.0.2.0 Production on Tue Feb 24 05:46:08 2015

Copyright (c) 1982, 2014, Oracle.  All rights reserved.


Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL>  alter system set db_flash_cache_file='/dev/sdb' scope=spfile;

System altered.

SQL> alter system set db_flash_cache_size=1G scope=spfile;

System altered.

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.

SQL> startup
ORACLE instance started.

Total System Global Area 4932501504 bytes
Fixed Size		    2934456 bytes
Variable Size		 1023412552 bytes
Database Buffers	 3892314112 bytes
Redo Buffers		   13840384 bytes
Database mounted.
Database opened.

SQL> show parameters flash

NAME				     TYPE	 VALUE
------------------------------------ ----------- ------------------------------
db_flash_cache_file		     string	 /dev/sdb
db_flash_cache_size		     big integer 1G
db_flashback_retention_target	     integer	 1440

SQL> select * from v$flashfilestat; 

FLASHFILE#
----------
NAME
--------------------------------------------------------------------------------
     BYTES    ENABLED SINGLEBLKRDS SINGLEBLKRDTIM_MICRO     CON_ID
---------- ---------- ------------ -------------------- ----------
	 1
/dev/sdb
1073741824	    1		 0		      0 	 0

You can get more information on configuration and guidelines/tuning here. If you want selective control of which tables can use or will use the Database Smart Flash Cache, you can use the ALTER TABLE command. See here. Specifically the STORAGE clause. By default, the tables are aged out into the flash cache but if you don't want certain tables to be cached you can use the NONE option.

alter table foo storage (flash_cache none);
This feature can really make a big difference in a number of database environments and I highly recommend taking a look at how Oracle Linux and Oracle Database 12c can help you enhance your setup. It's included with the database running on Oracle Linux.

Here is a link to a white paper that gives a bit of a performance overview.

New features in ksplice uptrack-upgrade tools for Oracle Linux

Mon, 2014-12-22 14:03
We have many, many happy Oracle Linux customers that use and rely on the Oracle Ksplice service to keep their kernels up to date with all the critical CVEs/bugfixes that we release as zero downtime patches.

There are 2 ways to use the Ksplice service :

  • Online edition/client
  • The uptrack tools (the Ksplice utilities you install on an Oracle Linux server to start applying ksplice updates) connect directly with the Oracle server to download updates. This model gives the most flexibility in terms of providing information of patches and detail of what is installed because we have a website on which you can find your servers and detailed patch status.

  • Offline edition/client
  • Many companies cannot or do not register all servers remotely with our system so they can rely on the offline client to apply updates. In this mode, the ksplice patches are packaged in RPMs for convenience. For each kernel that is shipped by Oracle for Oracle Linux, we provide a corresponding uptrack-update RPM for that specific kernel version. This RPM contains all the updates that have been released since that version was released.

    The RPM is updated whenever a new ksplice patch becomes available. So you always have 1 RPM installed for a given kernel, and this RPM gets updated. This was standard yum / rpm commands can be used to update your server(s) with ksplice patches as well and everything is nicely integrated.

    The standard model is that an uptrack-upgrade command will apply all updates to current/latest on your server. This is of course the preferred way of applying security fixes on your running system, it's best to be on the latest version. However, in some cases, customers want more fine-grained control than latest.

    We just did an update of the ksplice offline tools to add support for updating to a specific "kernel version". This way, if you are on kernel version x, you would like to go to kernel version y (effective patches/security fixes) but latest is kernel version z, you can tell uptrack-upgrade to go to kernel version y. Let me give a quick and simple example below. I hope this is a useful addition to the tools.

    happy holidays and happy ksplicing!

    To install the tools, make sure that your server(s) has access to the ol6_x86_64_ksplice channel (if it's OL6) :$ yum install uptrack-offline

    Now, in my example, I have Oracle Linux 6 installed with the following version of UEK3 :

    $ uname -r3.8.13-44.1.1.el6uek.x86_64

    Let's check if updates are available :

    $ yum search uptrack-updates-3.8.13-44.1.1Loaded plugins: rhnplugin, securityThis system is receiving updates from ULN.=========== N/S Matched: uptrack-updates-3.8.13-44.1.1.el6uek.x86_64 ===========uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch : Rebootless updates for the ...: Ksplice Uptrack rebootless kernel update service

    As I mentioned earlier, for each kernel there's a corresponding ksplice update RPM. Just install that. In this case, I run 3.8.13-44.1.1.

    $ yum install uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarchLoaded plugins: rhnplugin, securityThis system is receiving updates from ULN.Setting up Install ProcessResolving Dependencies--> Running transaction check---> Package uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch 0:20141216-0 will be installed--> Finished Dependency ResolutionDependencies Resolved================================================================================ Package Arch Version Repository Size================================================================================Installing: uptrack-updates-3.8.13-44.1.1.el6uek.x86_64 noarch 20141216-0 ol6_x86_64_ksplice 39 MTransaction Summary================================================================================Install 1 Package(s)Total download size: 39 MInstalled size: 40 MIs this ok [y/N]: yDownloading Packages:uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.n | 39 MB 00:29 Running rpm_check_debugRunning Transaction TestTransaction Test SucceededRunning Transaction Installing : uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.noa 1/1 The following steps will be taken:Install [b9hqohyk] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.......Installing [vtujkei9] CVE-2014-6410: Denial of service in UDF filesystem parsing.Your kernel is fully up to date.Effective kernel version is 3.8.13-55.1.1.el6uek Verifying : uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.noa 1/1 Installed: uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch 0:20141216-0 Complete!

    There have been a ton of updates released since 44.1.1, and the above update gets me to effectively running 3.8.13-55.1.1. Of course, without a reboot.

    $ uptrack-uname -r3.8.13-55.1.1.el6uek.x86_64

    Now we get to the new feature. There's a new option in uptrack-upgrade that lists all effective kernel versions from the installed kernel to the latest based on the ksplice rpm installed.

    $ uptrack-upgrade --list-effectiveAvailable effective kernel versions:3.8.13-44.1.1.el6uek.x86_64/#2 SMP Wed Sep 10 06:10:25 PDT 20143.8.13-44.1.3.el6uek.x86_64/#2 SMP Wed Oct 15 19:53:10 PDT 20143.8.13-44.1.4.el6uek.x86_64/#2 SMP Wed Oct 29 23:58:06 PDT 20143.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 20143.8.13-55.el6uek.x86_64/#2 SMP Mon Dec 1 11:32:40 PST 20143.8.13-55.1.1.el6uek.x86_64/#2 SMP Thu Dec 11 00:20:49 PST 2014

    So as an example, let's say I want to update from 44.1.1 to 44.1.5 instead of to 55.1.1 (for whatever reason I might have). All I have to do, is run uptrack-upgrade to go to that effective kernel version.

    Let's start with removing the installed updates and go back from 55.1.1 to 44.1.1 and then upgrade again to 44.1.5 :

    $ uptrack-remove --all...$ uptrack-upgrade --effective="3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014"......Effective kernel version is 3.8.13-44.1.5.el6uek

    And that's it.

    New features in ksplice uptrack-upgrade tools for Oracle Linux

    Mon, 2014-12-22 14:03
    We have many, many happy Oracle Linux customers that use and rely on the Oracle Ksplice service to keep their kernels up to date with all the critical CVEs/bugfixes that we release as zero downtime patches.

    There are 2 ways to use the Ksplice service :

  • Online edition/client
  • The uptrack tools (the Ksplice utilities you install on an Oracle Linux server to start applying ksplice updates) connect directly with the Oracle server to download updates. This model gives the most flexibility in terms of providing information of patches and detail of what is installed because we have a website on which you can find your servers and detailed patch status.

  • Offline edition/client
  • Many companies cannot or do not register all servers remotely with our system so they can rely on the offline client to apply updates. In this mode, the ksplice patches are packaged in RPMs for convenience. For each kernel that is shipped by Oracle for Oracle Linux, we provide a corresponding uptrack-update RPM for that specific kernel version. This RPM contains all the updates that have been released since that version was released.

    The RPM is updated whenever a new ksplice patch becomes available. So you always have 1 RPM installed for a given kernel, and this RPM gets updated. This was standard yum / rpm commands can be used to update your server(s) with ksplice patches as well and everything is nicely integrated.

    The standard model is that an uptrack-upgrade command will apply all updates to current/latest on your server. This is of course the preferred way of applying security fixes on your running system, it's best to be on the latest version. However, in some cases, customers want more fine-grained control than latest.

    We just did an update of the ksplice offline tools to add support for updating to a specific "kernel version". This way, if you are on kernel version x, you would like to go to kernel version y (effective patches/security fixes) but latest is kernel version z, you can tell uptrack-upgrade to go to kernel version y. Let me give a quick and simple example below. I hope this is a useful addition to the tools.

    happy holidays and happy ksplicing!

    To install the tools, make sure that your server(s) has access to the ol6_x86_64_ksplice channel (if it's OL6) :

    $ yum install uptrack-offline
    

    Now, in my example, I have Oracle Linux 6 installed with the following version of UEK3 :

    $ uname -r
    3.8.13-44.1.1.el6uek.x86_64
    

    Let's check if updates are available :

    $ yum search uptrack-updates-3.8.13-44.1.1
    Loaded plugins: rhnplugin, security
    This system is receiving updates from ULN.
    =========== N/S Matched: uptrack-updates-3.8.13-44.1.1.el6uek.x86_64 ===========
    uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch : Rebootless updates for the
         ...: Ksplice Uptrack rebootless kernel update service
    

    As I mentioned earlier, for each kernel there's a corresponding ksplice update RPM. Just install that. In this case, I run 3.8.13-44.1.1.

    $ yum install uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch
    Loaded plugins: rhnplugin, security
    This system is receiving updates from ULN.
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch 0:20141216-0 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package                             Arch   Version    Repository          Size
    ================================================================================
    Installing:
     uptrack-updates-3.8.13-44.1.1.el6uek.x86_64
                                         noarch 20141216-0 ol6_x86_64_ksplice  39 M
    
    Transaction Summary
    ================================================================================
    Install       1 Package(s)
    
    Total download size: 39 M
    Installed size: 40 M
    Is this ok [y/N]: y
    Downloading Packages:
    uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.n |  39 MB     00:29     
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.noa   1/1 
    The following steps will be taken:
    Install [b9hqohyk] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.
    ...
    ...
    Installing [vtujkei9] CVE-2014-6410: Denial of service in UDF filesystem parsing.
    Your kernel is fully up to date.
    Effective kernel version is 3.8.13-55.1.1.el6uek
      Verifying  : uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.noa   1/1 
    
    Installed:
      uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch 0:20141216-0               
    
    Complete!
    

    There have been a ton of updates released since 44.1.1, and the above update gets me to effectively running 3.8.13-55.1.1. Of course, without a reboot.

    $ uptrack-uname -r
    3.8.13-55.1.1.el6uek.x86_64
    

    Now we get to the new feature. There's a new option in uptrack-upgrade that lists all effective kernel versions from the installed kernel to the latest based on the ksplice rpm installed.

    $ uptrack-upgrade --list-effective
    Available effective kernel versions:
    
    3.8.13-44.1.1.el6uek.x86_64/#2 SMP Wed Sep 10 06:10:25 PDT 2014
    3.8.13-44.1.3.el6uek.x86_64/#2 SMP Wed Oct 15 19:53:10 PDT 2014
    3.8.13-44.1.4.el6uek.x86_64/#2 SMP Wed Oct 29 23:58:06 PDT 2014
    3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014
    3.8.13-55.el6uek.x86_64/#2 SMP Mon Dec 1 11:32:40 PST 2014
    3.8.13-55.1.1.el6uek.x86_64/#2 SMP Thu Dec 11 00:20:49 PST 2014
    

    So as an example, let's say I want to update from 44.1.1 to 44.1.5 instead of to 55.1.1 (for whatever reason I might have). All I have to do, is run uptrack-upgrade to go to that effective kernel version.

    Let's start with removing the installed updates and go back from 55.1.1 to 44.1.1 and then upgrade again to 44.1.5 :

    $ uptrack-remove --all
    ...
    $ uptrack-upgrade --effective="3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 
    PST 2014"
    ...
    ...
    Effective kernel version is 3.8.13-44.1.5.el6uek
    

    And that's it.

    EBS VMs explained

    Thu, 2014-12-04 16:59
    A great blog entry from the EBS team explaining the various Oracle VM appliances for EBS :

    https://blogs.oracle.com/stevenChan/entry/e_business_suite_virtual_machines

    EBS VMs explained

    Thu, 2014-12-04 16:59
    A great blog entry from the EBS team explaining the various Oracle VM appliances for EBS :

    https://blogs.oracle.com/stevenChan/entry/e_business_suite_virtual_machines

    SAP certification for Oracle's Virtual Compute Appliance X4-2 (VCA X4-2)

    Wed, 2014-12-03 12:17
    We have been working with SAP to certify their products, based on SAP NetWeaver 7.x (specifically on the following OS versions : Oracle Linux 5, Oracle Linux 6, Oracle Solaris 10, Oracle Solaris 11), in a Virtual Compute Appliance Environment. It is also possible to run 2-tier and 3-tier configurations/installations of Oracle Database and SAP applications on VCA.

    For more detail you can go to SAP Note 2052912.

    The Virtual Compute Appliance is a great, cost effective, easy to deploy converged infrastructure solution. Installations can be done by the customer, it takes just a few hours to bring up and start using a VCA system and deploy applications. The entire setup is pre-wired, pre-installed, pre-configured, using our best practices. All the software and hardware components in VCA are standard off the shelf, proven, products. Oracle Linux for the management node OS, Oracle VM for the compute nodes. Any application or product certified with Oracle VM will work without change or without the need for re-certification inside a VCA environment.

    It is very exciting to have the SAP certification for VCA published.

    SAP certification for Oracle's Virtual Compute Appliance X4-2 (VCA X4-2)

    Wed, 2014-12-03 12:17
    We have been working with SAP to certify their products, based on SAP NetWeaver 7.x (specifically on the following OS versions : Oracle Linux 5, Oracle Linux 6, Oracle Solaris 10, Oracle Solaris 11), in a Virtual Compute Appliance Environment. It is also possible to run 2-tier and 3-tier configurations/installations of Oracle Database and SAP applications on VCA.

    For more detail you can go to SAP Note 2052912.

    The Virtual Compute Appliance is a great, cost effective, easy to deploy converged infrastructure solution. Installations can be done by the customer, it takes just a few hours to bring up and start using a VCA system and deploy applications. The entire setup is pre-wired, pre-installed, pre-configured, using our best practices. All the software and hardware components in VCA are standard off the shelf, proven, products. Oracle Linux for the management node OS, Oracle VM for the compute nodes. Any application or product certified with Oracle VM will work without change or without the need for re-certification inside a VCA environment.

    It is very exciting to have the SAP certification for VCA published.

    Oracle Linux Containers and docker and the magic of ksplice becomes even more exciting

    Wed, 2014-10-15 16:27
    So, in my previous blogs I talked about the value of ksplice for applying updates and keeping your system current. Typical use case has been on physical servers running some application or in a VM running some application and it all keeps every system pretty isolated. Downtime on a single server is often, by a system admin, seen as no big deal, downtime of a bunch of servers because of a multi-tier application that goes down, however, by the application owner is a pretty big deal and can take some scheduling (and cost) to agree on downtime for reboots. If you have to patch a database server and reboot it, then you first have to bring down your application servers, then bring down the database, then reboot the server. So that 'single reboot' from a sysadmin point of view, is a nightmare and long downtime and potential risk for the application owner that has an application across many servers. Do keep that complexity in mind...

    Anyway, we introduced support for Linux containers a year ago, back with Oracle Linux 6 and the release of UEKr3, no need to wait for OL7 (or rhel7...) we 've been doing this for almost a year and it was possible without having to reinstall servers and go from 6 to 7 and to systemd and have major changes. Just simply updating an OL6 environment and a reboot into uek3 and you were good to go, a year ago. So... with containers (and docker is very similar here)... you run one kernel. As opposed to running VMs where each VM is a completely isolated virtual environment with their own kernel and you can live migrate the VMs to another host if you need to update/patch the host, etc... So you run an OS that supports containers, you deploy your apps and isolate them nicely in a container each... and now you need to apply kernel security updates... well... that means, the host kernel on which all these containers environments are running... oops. my reboot now brings down a ton of containers. Well, not with ksplice. You run uptrack-update in the main environment and it nicely, online, without affecting your running apps in their containers or docker environments, updates to the latest fixes and CVEs. Done. No downtime, no scheduling issues with your application users... all set.

    Supported.. since a year ago. Stable.

    Oracle Linux Containers and docker and the magic of ksplice becomes even more exciting

    Wed, 2014-10-15 16:27
    So, in my previous blogs I talked about the value of ksplice for applying updates and keeping your system current. Typical use case has been on physical servers running some application or in a VM running some application and it all keeps every system pretty isolated. Downtime on a single server is often, by a system admin, seen as no big deal, downtime of a bunch of servers because of a multi-tier application that goes down, however, by the application owner is a pretty big deal and can take some scheduling (and cost) to agree on downtime for reboots. If you have to patch a database server and reboot it, then you first have to bring down your application servers, then bring down the database, then reboot the server. So that 'single reboot' from a sysadmin point of view, is a nightmare and long downtime and potential risk for the application owner that has an application across many servers. Do keep that complexity in mind...

    Anyway, we introduced support for Linux containers a year ago, back with Oracle Linux 6 and the release of UEKr3, no need to wait for OL7 (or rhel7...) we 've been doing this for almost a year and it was possible without having to reinstall servers and go from 6 to 7 and to systemd and have major changes. Just simply updating an OL6 environment and a reboot into uek3 and you were good to go, a year ago. So... with containers (and docker is very similar here)... you run one kernel. As opposed to running VMs where each VM is a completely isolated virtual environment with their own kernel and you can live migrate the VMs to another host if you need to update/patch the host, etc... So you run an OS that supports containers, you deploy your apps and isolate them nicely in a container each... and now you need to apply kernel security updates... well... that means, the host kernel on which all these containers environments are running... oops. my reboot now brings down a ton of containers. Well, not with ksplice. You run uptrack-update in the main environment and it nicely, online, without affecting your running apps in their containers or docker environments, updates to the latest fixes and CVEs. Done. No downtime, no scheduling issues with your application users... all set.

    Supported.. since a year ago. Stable.

    The magic of ksplice continues...

    Wed, 2014-10-15 16:15
    My previous blog talked about some cool use cases of ksplice and I used Oracle Linux 5 as the example. In this blog entry I just wanted to add Oracle Linux 6 to it. For Oracle Linux 6, we go all the way back to the GA date of OL6. 2.6.32-71.el6 build date Wed Dec 15 12:36:54 EST 2010. And we support ksplice online updates from that point on, up to today. The same model, you can be on any Oracle Linux 6 kernel, an errata update, a specific kernel from an update release like 6.1,... 6.5,... and get current with CVEs and critical fixes from then on. After running uptrack-upgrade, I get to be current : 2.6.32-431.29.2.el6

    I ran out of xterm buffer space ;-) so starting with the Installing part of the output of uptrack-upgrade -y :Installing [1y0hqxq7] Invalid memory access in dynamic debug entry listing.Installing [1f9nec9b] Clear garbage data on the kernel stack when handling signals.Installing [lrh0cfph] Reduce usage of reserved percpu memory.Installing [uo1fmxxr] CVE-2010-2962: Privilege escalation in i915 pread/pwrite ioctls.Installing [11ofaaud] CVE-2010-3084: Buffer overflow in ETHTOOL_GRXCLSRLALL command.Installing [8u4favcu] CVE-2010-3301: Privilege escalation in 32-bit syscall entry via ptrace.Installing [ayk01zir] CVE-2010-3432: Remote denial of service vulnerability in SCTP.Installing [p1o8wy3o] CVE-2010-3442: Heap corruption vulnerability in ALSA core.Installing [r1mlwooa] CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.Installing [584zm6x2] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.Installing [vt03uggp] CVE-2010-2955: Information leak in wireless extensions.Installing [7rzgltfi] CVE-2010-3079: NULL pointer dereference in ftrace.Installing [oyaovezn] CVE-2010-3437: Information leak in pktcdvd driver.Installing [70cjk1y6] CVE-2010-3698: Denial of service vulnerability in KVM host.Installing [9dm5foy9] CVE-2010-3081: Privilege escalation through stack underflow in compat.Installing [mhsn7n2j] Memory corruption during KSM swapping.Installing [kn5l6sh5] KVM guest crashes due to unsupported model-specific registers.Installing [xmx98rz9] Erroneous merge of block write with block discard request.Installing [23nlxpse] CVE-2010-2803: Information leak in drm subsystem.Installing [mo9lbpsi] Memory leak in DRM buffer object LRU list handling.Installing [91hrmhbr] Memory leak in GEM drm_vma_entry handling.Installing [apryc0uo] CVE-2010-3865: Integer overflow in RDS rdma page counting.Installing [ur02tbrc] CVE-2010-4160: Privilege escalation in PPP over L2TP.Installing [5o3hvdgy] CVE-2010-4263: NULL pointer dereference in igb network driver.Installing [a3z3nda1] CVE-2010-3477: Information leak in tcf_act_police_dump.Installing [lsd1hzvx] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.Installing [z92iokkb] CVE-2010-3080: Privilege escalation in ALSA sound system OSS emulation.Installing [23yh7u1i] CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL ioctl.Installing [jxtltpyu] CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.Installing [5fuyrpx3] CVE-2010-4162: Integer overflow in block I/O subsystem.Installing [ylkgl75m] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.Installing [ppawlabm] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.Installing [q4n7w8t6] CVE-2010-3067: Information leak in sys_io_submit.Installing [0w2s15ix] CVE-2010-3298: Information leak in hso_get_count().Installing [dfi8ncbj] CVE-2010-3876: Kernel information leak in packet subsystem.Installing [ahrdouix] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.Installing [wvbjfli8] CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.Installing [pkhcqtro] CVE-2010-4075: Kernel information leak in serial subsystem.Installing [cwksn40u] CVE-2010-4077: Kernel information leak in nozomi driver.Installing [q4d3smds] CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.Installing [z4duwd7q] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.Installing [eajqjo74] CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO.Installing [6hrf2a3e] CVE-2010-4083: Information leak in System V IPC.Installing [3xm2ly3f] CVE-2010-4158: Kernel information leak in socket filters.Installing [5y2oasdw] CVE-2010-4525: Information leak in KVM VCPU events ioctl.Installing [35e4qfr6] CVE-2010-2492: Privilege escalation in eCryptfs.Installing [rr12rtq3] Data corruption due to bad flags in break_lease and may_open.Installing [20cz9gp7] Kernel oops in network neighbour update.Installing [m650djkx] Deadlock on fsync during dm device resize.Installing [c19gus65] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.Installing [3e86rex1] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.Installing [cxb3m3ae] CVE-2010-4165: Denial of service in TCP from user MSS.Installing [dii4wm64] CVE-2010-4169: Use-after-free bug in mprotect system call.Installing [e465fr49] CVE-2010-4243: Denial of service due to wrong execve memory accounting.Installing [5s3fe1cn] Mitigate denial of service attacks with large argument lists.Installing [j8jwyth1] Memory corruption in multipath deactivation queueing.Installing [5qkkyd5m] Kernel panic in network bonding on ARP receipt.Installing [f9j8s6u6] Failure to recover NFSv4 client state on server reboot.Installing [qa379ag5] CVE-2011-0714: Remote denial of service in RPC server sockets.Installing [12q8wuvd] CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.Installing [tm68xsph] CVE-2011-0695: Remote denial of service in InfiniBand setup.Installing [fk2zg5ec] CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.Installing [bcfvwcux] CVE-2011-0716: Memory corruption in IGMP bridge snooping.Installing [smkv0oja] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.Installing [3eu2kr7i] CVE-2010-3296: Kernel information leak in cxgb driver.Installing [3skmaxct] CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.Installing [xuxi8p7r] CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.Installing [7npiqvil] CVE-2010-4655: Information leak in ETHTOOL_GREGS ioctl.Installing [en0luyx8] Denial of service on empty virtio_console write.Installing [yv0cumoa] Denial of service in r8169 receive queue handling.Installing [j6vlp89e] Failure of virtio_net device on guest low-memory condition.Installing [q53j90kj] KVM guest crash due to stale memory on migration.Installing [ri498cnm] KVM guest crash due to unblocked NMIs on STI instruction.Installing [tlrgiz2i] CVE-2010-4526: Remote denial of service vulnerability in SCTP.Installing [9eta98wf] Use-after-free in CIFS session management.Installing [19wu4xr4] CVE-2011-0712: Buffer overflows in caiaq driver.Installing [3cxo6wrf] CVE-2011-1079: Denial of service in Bluetooth BNEP.Installing [kzieu2je] CVE-2011-1080: Information leak in netfilter.Installing [ekzp14u9] CVE-2010-4258: Failure to revert address limit override after oops.Installing [jd3cmfll] CVE-2011-0006: Unhandled error condition when adding security rules.Installing [jk52g3fx] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.Installing [z2ne1xi4] CVE-2011-1013: Signedness error in drm.Installing [gb4ntots] Cache allocation bug in DCCP.Installing [pe4f00pm] CVE-2011-1093: NULL pointer dereference in DCCP.Installing [yypibd1k] CVE-2011-1573: Denial of service in SCTP.Installing [02al7nxj] CVE-2011-0726: Address space leakage through /proc/pid/stat.Installing [00ahpz3z] CVE-2011-0711: Information leak in XFS filesystem.Installing [iczdh30p] CVE-2010-4250: Reference count leak in inotify failure path.Installing [ea8bohrp] Infinite loop in tty auditing.Installing [85iuyyyj] Buffer overflow in iptables CLUSTERIP target.Installing [8o0892h3] CVE-2010-4565: Information leak in Broadcast Manager CAN protocol.Installing [p3ck0dr6] CVE-2011-1019: Module loading restriction bypass with CAP_NET_ADMIN.Installing [w8sa7qie] CVE-2011-1016: Privilege escalation in radeon GPU driver.Installing [aqnhua0z] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.Installing [mla0f8wz] CVE-2011-1082: Denial of service in epoll.Installing [5dbkxjue] CVE-2011-1090: Denial of service in NFSv4 client.Installing [4qj7c7qc] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.Installing [3vf1zjzf] CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.Installing [a03rwxbz] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.Installing [7z04dctw] Incorrect interrupt handling on down e1000 interface.Installing [ep319ryq] CVE-2011-1770: Remote denial of service in DCCP options parsing.Installing [qp7al6tc] CVE-2010-3858: Denial of service vulnerability with large argument lists.Installing [85n0mc4q] CVE-2011-1598: Denial of service in CAN/BCM protocol.Installing [z8t1hsjb] CVE-2011-1748: Denial of service in CAN raw sockets.Installing [pvtdn3yd] CVE-2011-1767: Incorrect initialization order in ip_gre.Installing [xughs2jb] CVE-2011-1768: Incorrect initialization order in IP tunnel protocols.Installing [k6a6bqyr] CVE-2011-2479: Denial of service with transparent hugepages and /dev/zero.Installing [pmkvbrcc] CVE-2011-1776: Missing boundary checks in EFI partition table parsing.Installing [pb9pjnnn] CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.Installing [mnpd8mip] CVE-2011-1593: Missing bounds check in proc filesystem.Installing [d6vuea6w] CVE-2011-2213: Arbitrary code injection bug in IPv4 subsystem.Installing [zmfowuqn] CVE-2011-2491: Local denial of service in NLM subsystem.Installing [402w3brr] CVE-2011-2492: Information leak in bluetooth implementation.Installing [vi7qxs20] CVE-2011-2497: Buffer overflow in the Bluetooth subsystem.Installing [ql0oxrhk] CVE-2011-2517: Buffer overflow in nl80211 driver.Installing [0xcbigxp] CVE-2011-1576: Denial of service with VLAN packets and GRO.Installing [127f4d1u] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.Installing [w72wz6f4] CVE-2011-2495: Information leak in /proc/PID/io.Installing [c8v0sk8t] CVE-2011-1160: Information leak in tpm driver.Installing [1nt1dahj] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.Installing [bxqvqvef] CVE-2011-1746: Integer overflow in agp_allocate_memory.Installing [d4m9k310] CVE-2011-2484: Denial of service in taskstats subsystem.Installing [3vlbyy24] CVE-2011-2496: Local denial of service in mremap().Installing [e0lkqz3i] CVE-2011-2723: Remote denial of service vulnerability in gro.Installing [99r3sbjg] CVE-2011-2898: Information leak in packet subsystemInstalling [3ev4sw2b] CVE-2011-2918: Denial of service in event overflows in perf.Installing [ll9j5877] CVE-2011-1833: Information disclosure in eCryptfs.Installing [ww2gv7iv] CVE-2011-3359: Denial of service in Broadcom 43xx wireless driver.Installing [9x0ub4l1] CVE-2011-3363: Denial of service in CIFS via malicious DFS referrals.Installing [ggvpdbug] CVE-2011-3188: Weak TCP sequence number generation.Installing [z4pt0sai] CVE-2011-1577: Denial of service in GPT partition handling.Installing [omnzxxxr] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.Installing [o4xkg2el] CVE-2011-3191: Privilege escalation in CIFS directory reading.Installing [e2eyyaf9] CVE-2011-1162: Information leak in TPM driver.Installing [1fmgtd1b] CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.Installing [ldjwxwd5] CVE-2011-2699: Predictable IPv6 fragment identification numbers.Installing [tnhvync5] CVE-2011-2494: Information leak in task/process statistics.Installing [gi4te905] CVE-2011-3593: Denial of service in VLAN with priority tagged frames.Installing [h1wiua6s] CVE-2011-4110: Denial of service in kernel key management facilities.Installing [4yrxpwih] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.Installing [gz5jfzi3] CVE-2011-1020: Missing access restrictions in /proc subsystem.Installing [o31erbbr] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.Installing [yqaa1zsp] Arithmetic overflow in clock source calculations.Installing [vxfxrncu] CVE-2011-4077: Buffer overflow in xfs_readlink.Installing [rnvy1bow] CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.Installing [5bokjzmm] CVE-2011-4132: Denial of service in Journaling Block Device layer.Installing [q7t7hls4] CVE-2011-4347: Denial of service in KVM device assignment.Installing [wmeoffm9] CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.Installing [gu3picnz] CVE-2012-0038: In-memory corruption in XFS ACL processing.Installing [v2td9qse] CVE-2012-0045: Denial of service in KVM system call emulation.Installing [n2xairv0] CVE-2012-0879: Denial of service in CLONE_IO.Installing [2k2kq44h] Fix crash on discard in the software RAID driver.Installing [i244mlk5] CVE-2012-1097: NULL pointer dereference in the ptrace subsystem.Installing [2anjx00z] CVE-2012-1090: Denial of service in the CIFS filesystem reference counting.Installing [3ujb9j7q] Inode corruption in XFS inode lookup.Installing [01x2k6jv] Denial of service due to race condition in the scheduler subsystem.Installing [hfh1ug4u] CVE-2011-4086: Denial of service in journaling block device.Installing [4wb0i9tz] CVE-2012-1601: Denial of service in KVM VCPU creation.Installing [aqut3qai] CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.Installing [0zkt2e47] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.Installing [pe6u1nwx] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.Installing [jqtlake1] CVE-2012-2121: Memory leak in KVM device assignment.Installing [u6ys5804] CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.Installing [lr9cjz2p] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.Installing [nscqru85] CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.Installing [j01o1nco] ext4 filesystem corruption on fallocate.Installing [p37lmn34] CVE-2012-2745: Denial-of-service in kernel key management.Installing [alprvnsv] CVE-2012-2744: Remote denial-of-service in IPv6 connection tracking.Installing [m06ws6vc] Unreliable futexes with read-only shared mappings.Installing [b7mpy2k1] CVE-2011-1078: Information leak in Bluetooth SCO link driver.Installing [pywfzhvz] CVE-2012-2384: Integer overflow in i915 execution buffer.Installing [2ibdnvmo] Livelock due to invalid locking strategy when adding a leap-second.Installing [oixf5hkj] CVE-2012-2384: Additional fix for integer overflow in i915 execution buffer.Installing [m4x7vdnl] CVE-2012-2390: Memory leak in hugetlbfs mmap() failure.Installing [o2a3jmox] CVE-2012-2313: Privilege escalation in the dl2k NIC.Installing [u3qpyl86] CVE-2012-3430: kernel information leak in RDS sockets.Installing [wr1of5oe] CVE-2012-3552: Denial-of-service in IP options handling.Installing [y40wlmcw] CVE-2012-3412: Remote denial of service through TCP MSS option in SFC NIC.Installing [dxshabnc] Use-after-free in USB.Installing [aovf4isj] Race condition in SUNRPC.Installing [trz9wa6p] CVE-2012-3400: Buffer overflow in UDF parsing.Installing [062ge0uf] CVE-2012-3511: Use-after-free due to race condition in madvise.Installing [tu585kp5] CVE-2012-1568: A predictable base address with shared libraries and ASLR.Installing [fky5li3t] CVE-2012-2133: Use-after-free in hugetlbfs quota handling.Installing [xtpg99y6] CVE-2012-5517: NULL pointer dereference in memory hotplug.Installing [ffehzdo8] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.Installing [u0d6ztl3] CVE-2012-4565: Divide by zero in TCP congestion control Algorithm.Installing [7au7wp12] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.Installing [80vrmgyk] CVE-2012-4530: Kernel information leak in binfmt execution.Installing [uytq1dk0] CVE-2012-4398: Denial-of-service in kernel module loading.Installing [3c5erej0] CVE-2013-0310: NULL pointer dereference in CIPSO socket options.Installing [j8x8j89y] CVE-2013-0311: Privilege escalation in vhost descriptor management.Installing [mkibg12j] CVE-2012-4508: Stale data exposure in ext4.Installing [daw7s3mo] CVE-2012-4542: SCSI command filter does not restrict access to read-only devices.Installing [nqlo7yy2] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.Installing [l6zf9mec] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.Installing [r88p6prz] CVE-2013-1798: Information leak in KVM APIC driver.Installing [tquaqo7o] CVE-2013-1792: Denial-of-service in user keyring management.Installing [ao71x17l] CVE-2012-6537: Kernel information leaks in network transformation subsystem.Installing [875umolk] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.Installing [4dr93r2j] CVE-2013-1827: Denial-of-service in DCCP socket options.Installing [cdrfdlrt] CVE-2013-0349: Kernel information leak in Bluetooth HIDP support.Installing [9j8xk8dz] CVE-2012-6546: Information leak in ATM sockets.Installing [4oeurjvw] CVE-2013-1767: Use-after-free in tmpfs mempolicy remount.Installing [yhprsmoc] CVE-2013-1773: Heap buffer overflow in VFAT Unicode handling.Installing [amh400jp] CVE-2012-6547: Kernel stack leak from TUN ioctls.Installing [532069fc] CVE-2013-1774: NULL pointer dereference in USB Inside Out Edgeport serial driver.Installing [uaslykxk] CVE-2013-2017: Double free in Virtual Ethernet Tunnel driver (veth).Installing [1vegmzxj] CVE-2013-1943: Local privilege escalation in KVM memory mappings.Installing [wddz9qxt] CVE-2012-6548: Information leak in UDF export.Installing [d51dm2vs] CVE-2013-0914: Information leak in signal handlers.Installing [sxb5x0pd] CVE-2013-2852: Invalid format string usage in Broadcom B43 wireless driver.Installing [vzlh2p9r] CVE-2013-3222: Kernel stack information leak in ATM sockets.Installing [l1wlz1f1] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.Installing [m0y7j4ra] CVE-2013-3225: Kernel stack information leak in Bluetooth rfcomm.Installing [3m5ckvvm] CVE-2013-3301: NULL pointer dereference in tracing sysfs files.Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.Installing [0m3a5xq8] CVE-2013-2128: Denial of service in TCP splice.Installing [2fg4nowt] CVE-2013-2232: Memory corruption in IPv6 routing cache.Installing [m4a0xb93] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.Installing [pqfoprcp] CVE-2013-2237: Information leak on IPSec key socket.Installing [i1ha5yp7] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.Installing [aqfegdn1] CVE-2013-4299: Information leak in device mapper persistent snapshots.Installing [oojymn3l] CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.Installing [kb7zovzd] CVE-2013-0343: Denial of service in IPv6 privacy extensions.Installing [7ew8svwd] Off-by-one error causes reduced entropy in kernel PRNG.Installing [v3hs5diu] CVE-2013-2888: Memory corruption in Human Input Device processing.Installing [aew2tmdl] CVE-2013-2889: Memory corruption in Zeroplus HID driver.Installing [ox2wqeva] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.Installing [w9rhkfub] CVE-2013-1928: Kernel information leak in compat_ioctl/VIDEO_SET_SPU_PALETTE.Installing [r55nqyci] CVE-2013-2164: Kernel information leak in the CDROM driver.Installing [1vgf62zi] CVE-2013-2234: Information leak in IPsec key management.Installing [hc532irb] CVE-2013-2851: Format string vulnerability is software RAID device names.Installing [e129vh8h] CVE-2013-4592: Denial-of-service in KVM IOMMU mappings.Installing [9wzwcaep] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.Installing [ufm8ladu] CVE-2013-4470: Memory corruption in IPv4 and IPv6 networking corking with UFO.Installing [5rh9jkmi] CVE-2013-6367: Divide-by-zero in KVM LAPIC.Installing [ur8700aj] CVE-2013-6368: Memory corruption in KVM virtual APIC accesses.Installing [nyg2e0m1] Error in the tag insertion logic of the bonding network device.Installing [1ekik21n] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.Installing [m8de4fmg] CVE-2013-7263, CVE-2013-7265: Information leak in IPv4, IPv6 and PhoNet socket recvmsg.Installing [p4ufjdr0] CVE-2014-0101: NULL pointer dereference in SCTP protocol.Installing [o86dh6ww] Use-after-free in EDAC Intel E752X driver.Installing [b2h8hej4] Deadlock in XFS filesystem when removing a inode from namespace.Installing [nvhmnvp6] Memory leak in GFS2 filesystem for files with short lifespan.Installing [7brqevk0] CVE-2013-1860: Buffer overflow in Wireless Device Management driver.Installing [4nh0vuhi] Missing check in selinux for IPSec TCP SYN-ACK packets.Installing [zvvk1k2q] Logic error in selinux when checking permissions on recv socket.Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.Installing [1r5tw9sm] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.Installing [z4k7xryp] CVE-2014-2523: Remote crash via DCCP conntrack.Installing [pi89wa2j] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.Installing [b4x8o44g] CVE-2014-0196: Pseudo TTY device write buffer handling race.Installing [s8s7tfsm] CVE-2014-3153: Local privilege escalation in futex requeueing.Installing [bqk9mi1j] CVE-2013-6378: Denial-of-service in Marvell 8xxx Libertas WLAN driver.Installing [rokmr7ey] CVE-2014-1874: Denial-of-service in SELinux on empty security context.Installing [hxq9cdju] CVE-2014-0203: Memory corruption on listing procfs symbolic links.Installing [n6kpf53d] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.Installing [pbab6ibn] CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.Installing [8n932y6h] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.Installing [yfh1rar2] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.Installing [5z4hhyp3] CVE-2013-7339: NULL pointer dereference in RDS socket binding.Installing [1vpc7i76] CVE-2012-6647: NULL pointer dereference in non-pi futexes.Installing [ruu6bc4r] CVE-2014-3144, CVE-2014-3145: Multiple local denial of service vulnerabilities in netlink.Installing [hgeqfh2x] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.Installing [345v5a2z] CVE-2014-4667: Denial-of-service in SCTP stack when unpacking a COOKIE_ECHO chunk.Installing [92st5y9o] CVE-2014-0205: Use-after-free in futex refcounting.Your kernel is fully up to date.Effective kernel version is 2.6.32-431.29.2.el6real

    1m26.960suser

    0m39.562ssys

    0m34.806sAnd now, 1min 27seconds for 267 patches. both CVEs and critical fixes...

    Pages