Wim Coekaerts

Oracle Blogs

CVE-2017-1000364

Thu, 2017-06-29 02:00

I am sure many of you have heard or read about CVE-2017-1000364.

If not, you can find some information here:

https://blog.qualys.com/tag/cve-2017-1000364

https://nvd.nist.gov/vuln/detail/CVE-2017-1000364

http://www.securityfocus.com/bid/99130

The issue is the size of the stack guard page on Linux: a 4k stack guard page is not large enough and can be "jumped" over (the stack guard page is bypassed). This affects Linux kernel versions 4.11.5 and earlier (the stack guard page was introduced in 2010).

This CVE has a very high CVSS score of 9.8.

There are a number of packages released for Oracle Linux to deal with this CVE.

An updated glibc: https://linux.oracle.com/cve/CVE-2017-1000366.html

An updated kernel:  https://linux.oracle.com/cve/CVE-2017-1000364.html

A very important additional detail is that we also have an online fix available through Ksplice. So for Oracle Linux users/customers with a support subscription, you can simply run uptrack-upgrade on a running kernel. No reboot required.

# uptrack-upgrade
The following steps will be taken:
Install [8cpcuyra] CVE-2017-1000364: Increase stack guard size to 1 MiB.

Go ahead [y/N]? y
Installing [8cpcuyra] CVE-2017-1000364: Increase stack guard size to 1 MiB.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-94.3.7.el7uek

Oracle Ksplice on Oracle Linux in Bare Metal Cloud

Wed, 2017-06-21 09:58

One of the great advantages of using Oracle Cloud is the fact that it includes full Oracle Linux support. All the services that you get with Oracle Linux Premier support are included without additional cost when you use Oracle Cloud.

Oracle Ksplice is one such service (see http://www.ksplice.com/). To use Oracle Ksplice outside of Oracle Cloud, you configure it at install time when registering your Oracle Linux server with ULN (http://linux.oracle.com) and then use the generated access key to configure the uptrack tools.

With Oracle Cloud, both Oracle Public Cloud and Oracle Bare Metal Cloud Services (http://cloud.oracle.com), we have made it very easy: any instance that runs inside our infrastructure has immediate access to the Ksplice servers.

For customers or users with existing Oracle Linux instances in BMCS, a few simple steps enable Ksplice. We are in the process of adding the uptrack tools to the image by default, so soon you won't have to do any configuration at all.

Enable Ksplice today:

Log into your Oracle Linux instance as user opc (or as root)

# sudo bash

Download the uptrack client:

# wget -N https://www.ksplice.com/uptrack/install-uptrack

or if you prefer to use curl

# curl -O https://www.ksplice.com/uptrack/install-uptrack

Install the client. Make sure you use this exact key; it only works inside BMCS and is a generic identifier.

# sh install-uptrack dfc21b3ced9af52f6a8760c1b1860f928ba240970a3612bb354c84bb0ce5903e --autoinstall

This command unpacks the downloaded script and installs the uptrack utilities (the Ksplice client tools). Ignore the connection error; it is resolved by the step below.

One more step: in order for the above key to work, you have to point the uptrack tools to a specific update server.

edit /etc/uptrack/uptrack.conf:

# The location of the Uptrack updates repository.

update_repo_url=https://oraclecloud-updates-ksplice.oracle.com/update-repository

and that's it.

# uptrack-upgrade
Nothing to be done.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-94.3.6.el6uek
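To make the steps above repeatable across many instances, here is an added shell script (my own example, not Oracle's installer) that performs them with an idempotent edit of /etc/uptrack/uptrack.conf: an existing update_repo_url line, active or commented out, is rewritten in place rather than a second one being appended. The key, the repository URL and the conf path are the ones from the post; the 64-hex-character shape check on the key is only my assumption, there to catch a truncated copy-and-paste, and the network steps run only when the script is invoked with the argument enable.

```shell
#!/bin/sh
# Added example, not Oracle's tooling: enable Ksplice on a BMCS Oracle Linux
# instance. The key, URL and conf path come from the post; the rest (the
# key-shape check, the function names) is this script's own assumption.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"
BMCS_KEY="dfc21b3ced9af52f6a8760c1b1860f928ba240970a3612bb354c84bb0ce5903e"
REPO_URL="https://oraclecloud-updates-ksplice.oracle.com/update-repository"
INSTALLER_URL="https://www.ksplice.com/uptrack/install-uptrack"

# is_valid_key KEY: assumption, not a documented rule. The post's key is
# 64 hex characters, so anything else is most likely a copy-and-paste error.
is_valid_key() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# set_repo_url FILE URL: leave FILE with exactly one active
# "update_repo_url=URL" line. An existing line, active or commented out,
# is rewritten in place; otherwise the setting is appended. Running it a
# second time changes nothing.
set_repo_url() {
    _f="$1"; _url="$2"
    _pat='^[[:space:]]*#\{0,1\}[[:space:]]*update_repo_url[[:space:]]*='
    if [ -f "$_f" ] && grep -q "$_pat" "$_f"; then
        sed "s|${_pat}.*|update_repo_url=${_url}|" "$_f" > "$_f.tmp" && mv "$_f.tmp" "$_f"
    else
        printf '\n# The location of the Uptrack updates repository.\nupdate_repo_url=%s\n' "$_url" >> "$_f"
    fi
}

# get_repo_url FILE: print the last active update_repo_url value.
get_repo_url() {
    sed -n 's/^[[:space:]]*update_repo_url[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# run_enable: the whole procedure from the post. Needs root and network
# access, which is why it only runs when invoked as "sh enable-ksplice.sh enable".
run_enable() {
    [ "$(id -u)" -eq 0 ] || { echo "run this as root (sudo bash)" >&2; return 1; }
    is_valid_key "$BMCS_KEY" || { echo "key does not look like a complete key" >&2; return 1; }
    wget -N "$INSTALLER_URL" || return 1
    # The post says to ignore the connect error here: the repository URL
    # is only set in the next step.
    sh install-uptrack "$BMCS_KEY" --autoinstall || true
    set_repo_url "$UPTRACK_CONF" "$REPO_URL"
    uptrack-upgrade
}

if [ "${1:-}" = "enable" ]; then
    run_enable
fi
```

The conf edit is the part worth getting right: configuration management tools re-run scripts, and a naive `echo ... >> uptrack.conf` on every run leaves several update_repo_url lines behind, with whichever one the client honours being anyone's guess.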
For instances that are Bring Your Own we will automate the above steps as well. But at least this gets you going right away.

Introducing UEK4 and DTrace on Oracle Linux for SPARC

Fri, 2017-05-26 13:18

About 2 months ago we released the first version of Oracle Linux 6, Update 7 for SPARC. That was the same version of Oracle Linux used in Exadata SL6. OL6 installed on T4, T5 and T7 systems but it did not yet support the S7 processors/systems. It contained support for the various M7 processor features (DAX, ADI, crypto,...), gcc optimizations to support better code generation for SPARC, important optimizations in functions like memcpy() etc.

We also introduced support for Linux as the control domain (guest domain worked before). So this was the first time one could use Linux as the control domain with a vdiskserver, vswitch and virtual console driver. For this release we based the kernel on UEK2 (2.6.39).

The development team has been hard at work doing a number of things:

- continue to work with upstream Linux and gcc/glibc/binutils development to submit all the code changes for inclusion. Many SPARC features have already been committed upstream and many are pending or work in progress.

- part of the work is to forward port, so to speak, a lot of the uek2/sparc/exadata features into uek4, alongside upstream/mainline development.

- performance work, both in kernel and userspace (glibc, gcc in particular)

Today, we released an updated version of the ISO image that contains UEK4 QU4 (4.1.12-94.3.2). The main reason for updating the ISO is to introduce support for the S7 processor and S7-based servers. It contains a ton of improvements over UEK2, and we also added support for DTrace.

You can download the latest version of the ISO here: http://www.oracle.com/technetwork/server-storage/linux/downloads/oracle-linux-sparc-3665558.html

The DTrace utilities can be downloaded here: http://www.oracle.com/technetwork/server-storage/linux/downloads/linux-dtrace-2800968.html

As we add more features we will update the kernel, and we will also publish a new version of the software collections for Oracle Linux for SPARC with newer versions of gcc (6.x etc.), so more is coming!

We are working on things like gccgo, valgrind, node... and the yum repo on http://yum.oracle.com/ contains about 5000 RPMs.

Download it, play with it, have fun.

Oracle Linux 6 for SPARC

Fri, 2017-03-31 16:06
Oracle Linux 6 for SPARC is now available for download from OTN and the release notes can be found here.

This version of Oracle Linux 6 uses UEK2 (there is no RHCK here, of course, as there is no corresponding release on SPARC), and this OS release can be installed on T4, T5 and T7 (M7, M5) but not yet on the S7 platform. OL6 for SPARC contains all the packages (binary and -devel) for DAX and ADI (SSM), and an updated version of openssl with support for the on-chip crypto features.

We also provide the SPARC LDOM Manager code (both source and binary). With LDOM Manager installed you can run Oracle Linux as a control domain for both Linux and Solaris guests. You can of course also install Linux as a guest domain on top of Solaris. The kernel supports vswitch and vdiskserver etc. A native (Linux only) installation is also supported.

Our yum repo will have the OL6/sparc channels later today. The repo also contains -devel packages and the toolchains for gcc etc ... BTW of course, gcc supports M7 (cpu) optimizations. We have optimized memcpy and tons of other stuff.

Lots of SPARC Linux kernel code is already in upstream Linux, but a bunch of it is still in the process of going in. The same goes for user space code: glib and gcc patches have for the most part been submitted upstream and committed, some are pending.

A newer ISO with UEK(4) is on its way (we have builds and are testing). This update will also support the S7 systems/chip.

OL6 for SPARC doesn't yet contain -all- the RPMs that are part of Oracle Linux on x86. Right now it is a subset, but we will be expanding it over time.

I will blog about some DAX and ADI/SSM samples in a few days :) and some LDOM control domain tips etc.

have fun

Oracle Linux 6 update 9

Tue, 2017-03-28 15:56
We just released Oracle Linux 6 update 9. The channels are on ULN and on our yum repo. The ISOs are available for download through MOS and in the next few days also on the software delivery cloud page, as customary. The release notes with changes are published and so on.

One thing we discovered during testing of OL6.9 was that a recent change in "upstream" glibc can cause memory corruption resulting in a database start-up failure every now and then.

Since we caught this prior to release, we have, of course, fixed the bug.

The following code change introduced the bug (glibc-rh1012343.patch):

char newmode[modelen + 2];

- memcpy (mempcpy (newmode, mode, modelen), "c", 2);

+ memcpy (mempcpy (newmode, mode, modelen), "ce", 2);

FILE *result = fopen (file, newmode);
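Review bot: the `+` line copies only 2 bytes of the 3-byte literal "ce", so the terminating NUL that the old `"c", 2` copy carried is now dropped, and the unchanged `char newmode[modelen + 2];` one line above has no room for it anyway; the `fopen (file, newmode)` on the last context line then reads past the end of the array. The array size must grow to `modelen + 3` and the copy length to 3 in the same change as the string.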
As you can see, someone added an e to the mode string (c became ce) but forgot to grow newmode and the copy length along with it (2 to 3), so there is no null character at the end.
The correct patch that we have in glibc as part of OL6.9 is:

- char newmode[modelen + 2];

- memcpy (mempcpy (newmode, mode, modelen), "ce", 2);

+ char newmode[modelen + 3];

+ memcpy (mempcpy (newmode, mode, modelen), "ce", 3);
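Review bot: the fix is correct, but the `3` on the `+ memcpy` line and the `+ 3` on the array line are still two hand-maintained copies of the literal's size, which is exactly the duplication that let the first change go wrong. Writing `memcpy (mempcpy (newmode, mode, modelen), "ce", sizeof ("ce"));` and `char newmode[modelen + sizeof ("ce")];` keeps both in step if the suffix ever changes again.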
The Oracle bug id is 25609196. The patch for this is in the glibc src rpm. The customer symptom would be a failed start of the database because of fopen() failing.
Something like this:

Wed Mar 22 *17:19:51* 2017
*ORA-00210: cannot open the specified control file*
ORA-00202: control file: '/opt/oracle/oltest/.srchome/single-database/nas/12.1.0.2.0-8192-72G/control_001'
ORA-27054: NFS file system where the file is created or resides is not mounted with correct options
*Linux-x86_64 Error: 13: Permission denied*
Additional information: 2
ORA-205 signalled during: ALTER DATABASE MOUNT...
Shutting down instance (abort)

Oracle Linux and Software Collections make it a great 'current' developer platform

Tue, 2017-03-14 10:57
Oracle Linux major releases happen every few years. Oracle Linux 7 is the current version and this was released back in 2014, Oracle Linux 6 is from 2011, etc... When a major release goes out the door, it sort of freezes the various packages at a point in time as well. It locks down which major version of glibc, etc.

Now, that doesn't mean nothing new is added over time: security fixes and critical bugfixes get backported from newer versions into these packages, and a good number of enhancements/features also get backported over the years, very much so on the kernel side but in a number of cases also in the various userspace packages. For the most part, however, the focus is on stability and consistency. This is also the case with the different tools and compilers/languages. A concrete example: OL7 provides Python 2.7.5. This base release of Python will not change in later OL7 updates; a big change would break compatibility, so it is kept stable at 2.7.5.

A very important thing to keep reminding people of, however, is the fact that CVE fixes do get backported into these versions. I often hear someone ask whether we ship a newer version of, say, openssl, because some CVE or other is fixed in that newer version, but typically that CVE is also fixed in the version we ship with OL. There is a difference between openssl the open source project, with CVEs fixed 'upstream', and openssl shipped as part of Oracle Linux, maintained and bug-fixed over time with backports from upstream. We take care of critical bugs and security fixes in the current shipping versions.

Anyway, there are other Linux distributions out there that 'evolve' much more frequently and, by doing so, tend to come out of the box with newer versions of libraries, tools and packages. That makes them very attractive for developers who are not bound to long-term stability and compatibility. So the developer goes off, installs the latest version of everything and writes their apps using that. That's a fine model in some cases, but when you have enterprise apps that might be deployed for many years and depend on certain versions of scripting languages or libraries, you can't just replace those with something much newer, in particular much newer major versions. I am sure many people will agree that if you have an application written in Python 2.7.5 running in production, you're not going to let the sysadmin rip that out, replace it with Python 3.5 and assume it all just works and is transparently compatible.

So does that mean we are stuck? No... there is a yum repository called the Software Collections Library which we make available to everyone on our freely accessible yum server. That library gets updated on a regular basis (we are at version 2.3 right now) and it contains newer versions of many popular packages, typically newer compilers, toolkits etc. (such as GCC, Python, PHP, Ruby...): things developers want to use and are looking for more recent versions of.

The channel is not enabled by default; you have to edit /etc/yum.repos.d/public-yum-ol7.repo and set the ol7_software_collections repo to enabled=1. Once you do that, you can install the different versions that are offered. You can browse the repo using yum or just look online (similar channels exist for Oracle Linux 6). When you install these different versions, they go into /opt and do not replace the existing versions. So if you have the Python installed by default with OL7 (2.7.5) and install Python 3.5 from the software collections, the new version goes into /opt/rh/rh-python35. You can then use the scl utility to selectively enable which application uses which version.
An example:

scl enable rh-python35 -- bash
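The repo-file edit above is easy to get wrong by hand, because a .repo file holds several [sections] and each has its own enabled= line. Here is an added shell example (mine, not Oracle's code) that flips enabled=1 inside one named section only, verifies the result, and leaves every other section untouched; the file and section names are the ones from the post, the awk logic and function names are my own.

```shell
#!/bin/sh
# Added example, not Oracle's code: switch on one repo section in a yum
# .repo file without touching the other sections, then verify it. File and
# section names are from the post; the awk logic is this script's own.

REPO_FILE="${REPO_FILE:-/etc/yum.repos.d/public-yum-ol7.repo}"
SCL_SECTION="ol7_software_collections"

# repo_enabled FILE SECTION: exit 0 when [SECTION] carries enabled=1.
repo_enabled() {
    awk -v sect="$2" '
        /^\[/ { insect = ($0 == ("[" sect "]")) }
        insect && /^[[:space:]]*enabled[[:space:]]*=[[:space:]]*1[[:space:]]*$/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# enable_repo FILE SECTION: set enabled=1 inside [SECTION] only. An existing
# enabled= line there is rewritten; if the section has none, one is added at
# its end. Other sections are copied through unchanged, so running this twice
# is the same as running it once.
enable_repo() {
    _f="$1"
    awk -v sect="$2" '
        /^\[/ {
            if (insect && !seen) print "enabled=1"
            insect = ($0 == ("[" sect "]")); seen = 0
        }
        insect && /^[[:space:]]*enabled[[:space:]]*=/ { print "enabled=1"; seen = 1; next }
        { print }
        END { if (insect && !seen) print "enabled=1" }
    ' "$_f" > "$_f.tmp" && mv "$_f.tmp" "$_f"
}

# Typical use once the channel is on: install the collection and run a
# command under its Python while the system Python 2.7.5 stays untouched.
#   enable_repo "$REPO_FILE" "$SCL_SECTION"
#   yum install rh-python35
#   scl enable rh-python35 -- python --version
```

A section-scoped edit matters here because a global `sed 's/enabled=0/enabled=1/'` would also switch on every other disabled channel in the file, such as beta or preview repos, which is not what the post asks for.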

One little caveat to keep in mind: if you have an early version of OL7 or OL6 installed, we do not modify the /etc/yum.repos.d/public-yum-ol7.repo file after initial installation (because we might overwrite changes you made), so it is always a good idea to get the latest version from our yum server. (You can find them here.) The channel/repo name might have changed, or a new one could have been added.

As you can see, Oracle Linux is, or can be, a very current developer platform. The packages are there; they are just provided in a model that keeps stability and consistency. There is no need to download upstream package source code, compile it yourself and replace system toolkits/compilers, which can cause incompatibilities.

ksplice

Fri, 2017-02-24 15:36
As many of you probably know by now, a few days ago there was a report of an old, long-standing Linux bug that got fixed, going back to kernels even as old as 2.6.18 and possibly earlier. This bug was recently fixed, see here.

Now, distribution vendors, including us, have released kernel updates that customers/users can download and install, but as always a regular kernel upgrade requires a reboot. We have had Ksplice as a service for Oracle Linux support customers for quite a few years now, and we also support Ubuntu and Fedora for free for anyone (see here).

One thing that is not often talked about but, I believe is very powerful and I wanted to point out here, is the following:

Typically the distribution vendors (including us) release an updated kernel that is the 'latest' version with these CVEs fixed, but many customers run older versions of both the distribution and the kernel. We now see some other vendors trying to provide the basics for online patching, but by and large it is based on one-offs and for specific kernels. A big part of the Ksplice service is the backend infrastructure to easily build updates for literally a few thousand kernels. This gives customers great flexibility: you can be on one of many dot-releases of the OS and still use Ksplice. Here is a list of example kernel versions for Oracle Linux that you could be running today and that we provide Ksplice updates for, for instance for this DCCP bug. That's a big difference from what other folks have been trying to mimic now that online patching has become more and more important for availability.

Here is an example kernel:

2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 08:34:17 PDT 2015

So that's a kernel built back in September of 2015, a random 'dot release' I run on one of my machines, and there's a Ksplice patch available for these recent CVEs. I don't have to worry about having to install the 'latest' kernel, nor about doing a reboot.

# uptrack-upgrade
The following steps will be taken:
Install [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
Install [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

Go ahead [y/N]? y
Installing [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
Installing [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-642.15.1.el6

and done. That easy. My old 2.6.32-573.7.1 kernel looks like 2.6.32-642.15.1 in terms of critical fixes and CVEs.

# uptrack-show
Installed updates:
[cct5dnbf] Clear garbage data on the kernel stack when handling signals.
[ektd95cj] Reduce usage of reserved percpu memory.
[uuhgbl3e] Remote denial-of-service in Brocade Ethernet driver.
[kg3f16ii] CVE-2015-7872: Denial-of-service when garbage collecting uninstantiated keyring.
[36ng2h1l] CVE-2015-7613: Privilege escalation in IPC object initialization.
[33jwvtbb] CVE-2015-5307: KVM host denial-of-service in alignment check.
[38gzh9gl] CVE-2015-8104: KVM host denial-of-service in debug exception.
[6wvrdj93] CVE-2015-2925: Privilege escalation in bind mounts inside namespaces.
[1l4i9dfh] CVE-2016-0774: Information leak in the pipe system call on failed atomic read.
[xu4auj49] CVE-2015-5157: Disable modification of LDT by userspace processes.
[554ck5nl] CVE-2015-8767: Denial-of-service in SCTP heartbeat timeout.
[adgeye5p] CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.
[5ojkw9lv] CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.
[gfr93o7j] CVE-2015-8324: NULL pointer dereference in ext4 on mount error.
[ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
[87lw5yyy] CVE-2015-8215: Remote denial-of-service of network traffic when changing the MTU.
[2bby9cuy] CVE-2010-5313, CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.
[orjsp65y] CVE-2015-5156: Denial-of-service in Virtio network device.
[5j4hp0ot] Device Mapper logic error when reloading the block multi-queue.
[a1e5kxp6] CVE-2016-4565: Privilege escalation in Infiniband ioctl.
[gfpg64bh] CVE-2016-5696: Session hijacking in TCP connections.
[b4ljcwin] Message corruption in pseudo terminal output.
[prijjgt5] CVE-2016-4470: Denial-of-service in the keyring subsystem.
[4y2f30ch] CVE-2016-5829: Memory corruption in unknown USB HID devices.
[j1mivn4f] Denial-of-service when resetting a Fibre Channel over Ethernet interface.
[nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
[97fe0h7s] CVE-2016-1583: Privilege escalation in eCryptfs.
[fdztfgcv] Denial-of-service when sending a TCP reset from the netfilter.
[gm4ldjjf] CVE-2016-6828: Use after free during TCP transmission.
[s8pymcf8] CVE-2016-7117: Denial-of-service in recvmmsg() error handling.
[1ktf7029] CVE-2016-4997, CVE-2016-4998: Privilege escalation in the Netfilter driver.
[f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
[5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
Effective kernel version is 2.6.32-642.15.1.el6

Here is the list of kernels we build Ksplice modules for, covering the kernel choices available to Oracle Linux customers:

oracle-2.6.18-238.0.0.0.1.el5
oracle-2.6.18-238.1.1.0.1.el5
oracle-2.6.18-238.5.1.0.1.el5
oracle-2.6.18-238.9.1.0.1.el5
oracle-2.6.18-238.12.1.0.1.el5
oracle-2.6.18-238.19.1.0.1.el5
oracle-2.6.18-274.0.0.0.1.el5
oracle-2.6.18-274.3.1.0.1.el5
oracle-2.6.18-274.7.1.0.1.el5
oracle-2.6.18-274.12.1.0.1.el5
oracle-2.6.18-274.17.1.0.1.el5
oracle-2.6.18-274.18.1.0.1.el5
oracle-2.6.18-308.0.0.0.1.el5
oracle-2.6.18-308.1.1.0.1.el5
oracle-2.6.18-308.4.1.0.1.el5
oracle-2.6.18-308.8.1.0.1.el5
oracle-2.6.18-308.8.2.0.1.el5
oracle-2.6.18-308.11.1.0.1.el5
oracle-2.6.18-308.13.1.0.1.el5
oracle-2.6.18-308.16.1.0.1.el5
oracle-2.6.18-308.20.1.0.1.el5
oracle-2.6.18-308.24.1.0.1.el5
oracle-2.6.18-348.0.0.0.1.el5
oracle-2.6.18-348.1.1.0.1.el5
oracle-2.6.18-348.2.1.0.1.el5
oracle-2.6.18-348.3.1.0.1.el5
oracle-2.6.18-348.4.1.0.1.el5
oracle-2.6.18-348.6.1.0.1.el5
oracle-2.6.18-348.12.1.0.1.el5
oracle-2.6.18-348.16.1.0.1.el5
oracle-2.6.18-348.18.1.0.1.el5
oracle-2.6.18-371.0.0.0.1.el5
oracle-2.6.18-371.1.2.0.1.el5
oracle-2.6.18-371.3.1.0.1.el5
oracle-2.6.18-371.4.1.0.1.el5
oracle-2.6.18-371.6.1.0.1.el5
oracle-2.6.18-371.8.1.0.1.el5
oracle-2.6.18-371.9.1.0.1.el5
oracle-2.6.18-371.11.1.0.1.el5
oracle-2.6.18-371.12.1.0.1.el5
oracle-2.6.18-398.0.0.0.1.el5
oracle-2.6.18-400.0.0.0.1.el5
oracle-2.6.18-400.1.1.0.1.el5
oracle-2.6.18-402.0.0.0.1.el5
oracle-2.6.18-404.0.0.0.1.el5
oracle-2.6.18-406.0.0.0.1.el5
oracle-2.6.18-407.0.0.0.1.el5
oracle-2.6.18-408.0.0.0.1.el5
oracle-2.6.18-409.0.0.0.1.el5
oracle-2.6.18-410.0.0.0.1.el5
oracle-2.6.18-411.0.0.0.1.el5
oracle-2.6.18-412.0.0.0.1.el5
oracle-2.6.18-416.0.0.0.1.el5
oracle-2.6.18-417.0.0.0.1.el5
oracle-2.6.18-418.0.0.0.1.el5
oracle-2.6.32-642.0.0.0.1.el6
oracle-3.10.0-514.6.1.0.1.el7
oracle-3.10.0-514.6.2.0.1.el7
oracle-uek-2.6.39-100.5.1
oracle-uek-2.6.39-100.6.1
oracle-uek-2.6.39-100.7.1
oracle-uek-2.6.39-100.10.1
oracle-uek-2.6.39-200.24.1
oracle-uek-2.6.39-200.29.1
oracle-uek-2.6.39-200.29.2
oracle-uek-2.6.39-200.29.3
oracle-uek-2.6.39-200.31.1
oracle-uek-2.6.39-200.32.1
oracle-uek-2.6.39-200.33.1
oracle-uek-2.6.39-200.34.1
oracle-uek-2.6.39-300.17.1
oracle-uek-2.6.39-300.17.2
oracle-uek-2.6.39-300.17.3
oracle-uek-2.6.39-300.26.1
oracle-uek-2.6.39-300.28.1
oracle-uek-2.6.39-300.32.4
oracle-uek-2.6.39-400.17.1
oracle-uek-2.6.39-400.17.2
oracle-uek-2.6.39-400.21.1
oracle-uek-2.6.39-400.21.2
oracle-uek-2.6.39-400.23.1
oracle-uek-2.6.39-400.24.1
oracle-uek-2.6.39-400.109.1
oracle-uek-2.6.39-400.109.3
oracle-uek-2.6.39-400.109.4
oracle-uek-2.6.39-400.109.5
oracle-uek-2.6.39-400.109.6
oracle-uek-2.6.39-400.209.1
oracle-uek-2.6.39-400.209.2
oracle-uek-2.6.39-400.210.2
oracle-uek-2.6.39-400.211.1
oracle-uek-2.6.39-400.211.2
oracle-uek-2.6.39-400.211.3
oracle-uek-2.6.39-400.212.1
oracle-uek-2.6.39-400.214.1
oracle-uek-2.6.39-400.214.3
oracle-uek-2.6.39-400.214.4
oracle-uek-2.6.39-400.214.5
oracle-uek-2.6.39-400.214.6
oracle-uek-2.6.39-400.215.1
oracle-uek-2.6.39-400.215.2
oracle-uek-2.6.39-400.215.3
oracle-uek-2.6.39-400.215.4
oracle-uek-2.6.39-400.215.6
oracle-uek-2.6.39-400.215.7
oracle-uek-2.6.39-400.215.10
oracle-uek-2.6.39-400.215.11
oracle-uek-2.6.39-400.215.12
oracle-uek-2.6.39-400.215.13
oracle-uek-2.6.39-400.215.14
oracle-uek-2.6.39-400.215.15
oracle-uek-2.6.39-400.243.1
oracle-uek-2.6.39-400.245.1
oracle-uek-2.6.39-400.246.2
oracle-uek-2.6.39-400.247.1
oracle-uek-2.6.39-400.248.3
oracle-uek-2.6.39-400.249.1
oracle-uek-2.6.39-400.249.3
oracle-uek-2.6.39-400.249.4
oracle-uek-2.6.39-400.250.2
oracle-uek-2.6.39-400.250.4
oracle-uek-2.6.39-400.250.5
oracle-uek-2.6.39-400.250.6
oracle-uek-2.6.39-400.250.7
oracle-uek-2.6.39-400.250.9
oracle-uek-2.6.39-400.250.10
oracle-uek-2.6.39-400.250.11
oracle-uek-2.6.39-400.264.1
oracle-uek-2.6.39-400.264.4
oracle-uek-2.6.39-400.264.5
oracle-uek-2.6.39-400.264.6
oracle-uek-2.6.39-400.264.13
oracle-uek-2.6.39-400.276.1
oracle-uek-2.6.39-400.277.1
oracle-uek-2.6.39-400.278.1
oracle-uek-2.6.39-400.278.2
oracle-uek-2.6.39-400.278.3
oracle-uek-2.6.39-400.280.1
oracle-uek-2.6.39-400.281.1
oracle-uek-2.6.39-400.282.1
oracle-uek-2.6.39-400.283.1
oracle-uek-2.6.39-400.283.2
oracle-uek-2.6.39-400.284.1
oracle-uek-2.6.39-400.284.2
oracle-uek-2.6.39-400.286.2
oracle-uek-2.6.39-400.286.3
oracle-uek-2.6.39-400.290.1
oracle-uek-2.6.39-400.290.2
oracle-uek-2.6.39-400.293.1
oracle-uek-2.6.39-400.293.2
oracle-uek-2.6.39-400.294.1
oracle-uek-2.6.39-400.294.2
oracle-uek-2.6.39-400.128.21
oracle-uek-3.8.13-16
oracle-uek-3.8.13-16.1.1
oracle-uek-3.8.13-16.2.1
oracle-uek-3.8.13-16.2.2
oracle-uek-3.8.13-16.2.3
oracle-uek-3.8.13-16.3.1
oracle-uek-3.8.13-26
oracle-uek-3.8.13-26.1.1
oracle-uek-3.8.13-26.2.1
oracle-uek-3.8.13-26.2.2
oracle-uek-3.8.13-26.2.3
oracle-uek-3.8.13-26.2.4
oracle-uek-3.8.13-35
oracle-uek-3.8.13-35.1.1
oracle-uek-3.8.13-35.1.2
oracle-uek-3.8.13-35.1.3
oracle-uek-3.8.13-35.3.1
oracle-uek-3.8.13-35.3.2
oracle-uek-3.8.13-35.3.3
oracle-uek-3.8.13-35.3.4
oracle-uek-3.8.13-35.3.5
oracle-uek-3.8.13-44
oracle-uek-3.8.13-44.1.1
oracle-uek-3.8.13-44.1.3
oracle-uek-3.8.13-44.1.4
oracle-uek-3.8.13-44.1.5
oracle-uek-3.8.13-55
oracle-uek-3.8.13-55.1.1
oracle-uek-3.8.13-55.1.2
oracle-uek-3.8.13-55.1.5
oracle-uek-3.8.13-55.1.6
oracle-uek-3.8.13-55.1.8
oracle-uek-3.8.13-55.2.1
oracle-uek-3.8.13-68
oracle-uek-3.8.13-68.1.2
oracle-uek-3.8.13-68.1.3
oracle-uek-3.8.13-68.2.2
oracle-uek-3.8.13-68.2.2.1
oracle-uek-3.8.13-68.2.2.2
oracle-uek-3.8.13-68.3.1
oracle-uek-3.8.13-68.3.2
oracle-uek-3.8.13-68.3.3
oracle-uek-3.8.13-68.3.4
oracle-uek-3.8.13-68.3.5
oracle-uek-3.8.13-98
oracle-uek-3.8.13-98.1.1
oracle-uek-3.8.13-98.1.2
oracle-uek-3.8.13-98.2.1
oracle-uek-3.8.13-98.2.2
oracle-uek-3.8.13-98.4.1
oracle-uek-3.8.13-98.5.2
oracle-uek-3.8.13-98.6.1
oracle-uek-3.8.13-98.7.1
oracle-uek-3.8.13-98.8.1
oracle-uek-3.8.13-118
oracle-uek-3.8.13-118.2.1
oracle-uek-3.8.13-118.2.2
oracle-uek-3.8.13-118.2.4
oracle-uek-3.8.13-118.2.5
oracle-uek-3.8.13-118.3.1
oracle-uek-3.8.13-118.3.2
oracle-uek-3.8.13-118.4.1
oracle-uek-3.8.13-118.4.2
oracle-uek-3.8.13-118.6.1
oracle-uek-3.8.13-118.6.2
oracle-uek-3.8.13-118.7.1
oracle-uek-3.8.13-118.8.1
oracle-uek-3.8.13-118.9.1
oracle-uek-3.8.13-118.9.2
oracle-uek-3.8.13-118.10.2
oracle-uek-3.8.13-118.11.2
oracle-uek-3.8.13-118.13.2
oracle-uek-3.8.13-118.13.3
oracle-u
ek-3.8.13-118.14.1oracle-uek-3.8.13-118.14.2oracle-uek-3.8.13-118.15.1oracle-uek-3.8.13-118.15.2oracle-uek-3.8.13-118.15.3oracle-uek-3.8.13-118.16.2oracle-uek-3.8.13-118.16.3oracle-uek-4.1.12-32oracle-uek-4.1.12-32.1.2oracle-uek-4.1.12-32.1.3oracle-uek-4.1.12-32.2.1oracle-uek-4.1.12-32.2.3oracle-uek-4.1.12-37.2.1oracle-uek-4.1.12-37.2.2oracle-uek-4.1.12-37.3.1oracle-uek-4.1.12-37.4.1oracle-uek-4.1.12-37.5.1oracle-uek-4.1.12-37.6.1oracle-uek-4.1.12-37.6.2oracle-uek-4.1.12-37.6.3oracle-uek-4.1.12-61.1.6oracle-uek-4.1.12-61.1.9oracle-uek-4.1.12-61.1.10oracle-uek-4.1.12-61.1.13oracle-uek-4.1.12-61.1.14oracle-uek-4.1.12-61.1.16oracle-uek-4.1.12-61.1.17oracle-uek-4.1.12-61.1.18oracle-uek-4.1.12-61.1.19oracle-uek-4.1.12-61.1.21oracle-uek-4.1.12-61.1.22oracle-uek-4.1.12-61.1.23oracle-uek-4.1.12-61.1.24oracle-uek-4.1.12-61.1.25oracle-uek-4.1.12-61.1.27rhel-2.6.32-71.el6rhel-2.6.32-71.7.1.el6rhel-2.6.32-71.14.1.el6rhel-2.6.32-71.18.1.el6rhel-2.6.32-71.18.2.el6rhel-2.6.32-71.24.1.el6rhel-2.6.32-71.29.1.el6rhel-2.6.32-131.0.15.el6rhel-2.6.32-131.2.1.el6rhel-2.6.32-131.4.1.el6rhel-2.6.32-131.6.1.el6rhel-2.6.32-131.12.1.el6rhel-2.6.32-131.17.1.el6rhel-2.6.32-131.21.1.el6rhel-2.6.32-220.el6rhel-2.6.32-220.2.1.el6rhel-2.6.32-220.4.1.el6rhel-2.6.32-220.4.2.el6rhel-2.6.32-220.7.1.el6rhel-2.6.32-220.13.1.el6rhel-2.6.32-220.17.1.el6rhel-2.6.32-220.23.1.el6rhel-2.6.32-279.el6rhel-2.6.32-279.1.1.el6rhel-2.6.32-279.2.1.el6rhel-2.6.32-279.5.1.el6rhel-2.6.32-279.5.2.el6rhel-2.6.32-279.9.1.el6rhel-2.6.32-279.11.1.el6rhel-2.6.32-279.14.1.el6rhel-2.6.32-279.19.1.el6rhel-2.6.32-279.22.1.el6rhel-2.6.32-358.el6rhel-2.6.32-358.0.1.el6rhel-2.6.32-358.2.1.el6rhel-2.6.32-358.6.1.el6rhel-2.6.32-358.6.2.el6rhel-2.6.32-358.6.2.el6.x86_64.crt1rhel-2.6.32-358.11.1.el6rhel-2.6.32-358.14.1.el6rhel-2.6.32-358.18.1.el6rhel-2.6.32-358.23.2.el6rhel-2.6.32-431.el6rhel-2.6.32-431.1.2.el6rhel-2.6.32-431.3.1.el6rhel-2.6.32-431.5.1.el6rhel-2.6.32-431.11.2.el6rhel-2.6.32-431.17.1.el6rhel-2.6.32-431.20.3.el6rhel-2.6.3
2-431.20.5.el6rhel-2.6.32-431.23.3.el6rhel-2.6.32-431.29.2.el6rhel-2.6.32-504.el6rhel-2.6.32-504.1.3.el6rhel-2.6.32-504.3.3.el6rhel-2.6.32-504.8.1.el6rhel-2.6.32-504.12.2.el6rhel-2.6.32-504.16.2.el6rhel-2.6.32-504.23.4.el6rhel-2.6.32-504.30.3.el6rhel-2.6.32-573.el6rhel-2.6.32-573.1.1.el6rhel-2.6.32-573.3.1.el6rhel-2.6.32-573.7.1.el6rhel-2.6.32-573.8.1.el6rhel-2.6.32-573.12.1.el6rhel-2.6.32-573.18.1.el6rhel-2.6.32-573.22.1.el6rhel-2.6.32-573.26.1.el6rhel-2.6.32-642.el6rhel-2.6.32-642.1.1.el6rhel-2.6.32-642.3.1.el6rhel-2.6.32-642.4.2.el6rhel-2.6.32-642.6.1.el6rhel-2.6.32-642.6.2.el6rhel-2.6.32-642.11.1.el6rhel-2.6.32-642.13.1.el6rhel-2.6.32-642.13.2.el6rhel-3.10.0-123.el7rhel-3.10.0-123.1.2.el7rhel-3.10.0-123.4.2.el7rhel-3.10.0-123.4.4.el7rhel-3.10.0-123.6.3.el7rhel-3.10.0-123.8.1.el7rhel-3.10.0-123.9.2.el7rhel-3.10.0-123.9.3.el7rhel-3.10.0-123.13.1.el7rhel-3.10.0-123.13.2.el7rhel-3.10.0-123.20.1.el7rhel-3.10.0-229.el7rhel-3.10.0-229.1.2.el7rhel-3.10.0-229.4.2.el7rhel-3.10.0-229.7.2.el7rhel-3.10.0-229.11.1.el7rhel-3.10.0-229.14.1.el7rhel-3.10.0-229.20.1.el6.x86_64.knl2rhel-3.10.0-229.20.1.el7rhel-3.10.0-327.el7rhel-3.10.0-327.3.1.el7rhel-3.10.0-327.4.4.el7rhel-3.10.0-327.4.5.el7rhel-3.10.0-327.10.1.el7rhel-3.10.0-327.13.1.el7rhel-3.10.0-327.18.2.el7rhel-3.10.0-327.22.2.el7rhel-3.10.0-327.28.2.el7rhel-3.10.0-327.28.3.el7rhel-3.10.0-327.36.1.el7rhel-3.10.0-327.36.2.el7rhel-3.10.0-327.36.3.el7rhel-3.10.0-514.el7rhel-3.10.0-514.2.2.el7rhel-3.10.0-514.6.1.el7rhel-3.10.0-514.6.2.el7rhel-2.6.18-92.1.10.el5rhel-2.6.18-92.1.13.el5rhel-2.6.18-92.1.17.el5rhel-2.6.18-92.1.18.el5rhel-2.6.18-92.1.22.el5rhel-2.6.18-128.el5rhel-2.6.18-128.1.1.el5rhel-2.6.18-128.1.6.el5rhel-2.6.18-128.1.10.el5rhel-2.6.18-128.1.14.el5rhel-2.6.18-128.1.16.el5rhel-2.6.18-128.2.1.el5rhel-2.6.18-128.4.1.el5rhel-2.6.18-128.7.1.el5rhel-2.6.18-149.el5rhel-2.6.18-164.el5rhel-2.6.18-164.2.1.el5rhel-2.6.18-164.6.1.el5rhel-2.6.18-164.9.1.el5rhel-2.6.18-164.10.1.el5rhel-2.6.18-164.11.1.el5rhel-2.6.18-164.15.1.el5r
hel-2.6.18-194.el5rhel-2.6.18-194.3.1.el5rhel-2.6.18-194.8.1.el5rhel-2.6.18-194.11.1.el5rhel-2.6.18-194.11.3.el5rhel-2.6.18-194.11.4.el5rhel-2.6.18-194.17.1.el5rhel-2.6.18-194.17.4.el5rhel-2.6.18-194.26.1.el5rhel-2.6.18-194.32.1.el5rhel-2.6.18-238.el5rhel-2.6.18-238.1.1.el5rhel-2.6.18-238.5.1.el5rhel-2.6.18-238.9.1.el5rhel-2.6.18-238.12.1.el5rhel-2.6.18-238.19.1.el5rhel-2.6.18-274.el5rhel-2.6.18-274.3.1.el5rhel-2.6.18-274.7.1.el5rhel-2.6.18-274.12.1.el5rhel-2.6.18-274.17.1.el5rhel-2.6.18-274.18.1.el5rhel-2.6.18-308.el5rhel-2.6.18-308.1.1.el5rhel-2.6.18-308.4.1.el5rhel-2.6.18-308.8.1.el5rhel-2.6.18-308.8.2.el5rhel-2.6.18-308.11.1.el5rhel-2.6.18-308.13.1.el5rhel-2.6.18-308.16.1.el5rhel-2.6.18-308.20.1.el5rhel-2.6.18-308.24.1.el5rhel-2.6.18-348.el5rhel-2.6.18-348.1.1.el5rhel-2.6.18-348.2.1.el5rhel-2.6.18-348.3.1.el5rhel-2.6.18-348.4.1.el5rhel-2.6.18-348.6.1.el5rhel-2.6.18-348.12.1.el5rhel-2.6.18-348.16.1.el5rhel-2.6.18-348.18.1.el5rhel-2.6.18-371.el5rhel-2.6.18-371.1.2.el5rhel-2.6.18-371.3.1.el5rhel-2.6.18-371.4.1.el5rhel-2.6.18-371.6.1.el5rhel-2.6.18-371.8.1.el5rhel-2.6.18-371.9.1.el5rhel-2.6.18-371.11.1.el5rhel-2.6.18-371.12.1.el5rhel-2.6.18-398.el5rhel-2.6.18-400.el5rhel-2.6.18-400.1.1.el5rhel-2.6.18-402.el5rhel-2.6.18-404.el5rhel-2.6.18-406.el5rhel-2.6.18-407.el5rhel-2.6.18-408.el5rhel-2.6.18-409.el5rhel-2.6.18-410.el5rhel-2.6.18-411.el5rhel-2.6.18-412.el5rhel-2.6.18-416.el5rhel-2.6.18-417.el5rhel-2.6.18-418.el5

compare that to kpatch or kgraft or so.

ksplice

Fri, 2017-02-24 15:36
As many of you probably know by now, a few days ago there was a report of an old, long-standing Linux kernel bug (the DCCP bug, CVE-2017-6074) that has now been fixed. It goes back to kernels as old as 2.6.18 and possibly earlier; the fix is described here.

Now, distribution vendors, including us, have released kernel updates that customers/users can download and install, but as always a regular kernel upgrade requires a reboot. We have offered ksplice as a service for Oracle Linux support customers for quite a few years now, and we also support Ubuntu and Fedora for free for anyone (see here).

One thing that is not often talked about, but which I believe is very powerful and wanted to point out here, is the following:

Typically the distribution vendors (including us) release an updated kernel that is the 'latest' version with these CVEs fixed, but many customers run older versions of both the distribution and the kernel. We now see some other vendors trying to provide the basics of online patching, but by and large it is based on one-offs for specific kernels. A big part of the ksplice service is the backend infrastructure that lets us build updates for literally a few thousand kernels. This gives customers great flexibility: you can be on any one of many dot-releases of the OS and still use ksplice. Below is a list of example kernel versions for Oracle Linux that you could be running today and for which we provide ksplice updates, for instance for this DCCP bug. That's a big difference from what other folks have been trying to mimic now that online patching has become more and more important for availability.

Here is an example. This is the kernel version string on one of my machines:

2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 08:34:17 PDT 2015

So that's a kernel built back in September of 2015, a random 'dot release', and there is a ksplice patch available for it for these recent CVEs. I don't have to install the 'latest' kernel, nor reboot.

# uptrack-upgrade 
The following steps will be taken:
Install [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
Install [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

Go ahead [y/N]? y
Installing [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
Installing [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-642.15.1.el6

And done. That easy. My old 2.6.32-573.7.1 kernel now looks like 2.6.32-642.15.1 in terms of critical fixes and CVEs.

# uptrack-show
Installed updates:
[cct5dnbf] Clear garbage data on the kernel stack when handling signals.
[ektd95cj] Reduce usage of reserved percpu memory.
[uuhgbl3e] Remote denial-of-service in Brocade Ethernet driver.
[kg3f16ii] CVE-2015-7872: Denial-of-service when garbage collecting uninstantiated keyring.
[36ng2h1l] CVE-2015-7613: Privilege escalation in IPC object initialization.
[33jwvtbb] CVE-2015-5307: KVM host denial-of-service in alignment check.
[38gzh9gl] CVE-2015-8104: KVM host denial-of-service in debug exception.
[6wvrdj93] CVE-2015-2925: Privilege escalation in bind mounts inside namespaces.
[1l4i9dfh] CVE-2016-0774: Information leak in the pipe system call on failed atomic read.
[xu4auj49] CVE-2015-5157: Disable modification of LDT by userspace processes.
[554ck5nl] CVE-2015-8767: Denial-of-service in SCTP heartbeat timeout.
[adgeye5p] CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.
[5ojkw9lv] CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.
[gfr93o7j] CVE-2015-8324: NULL pointer dereference in ext4 on mount error.
[ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
[87lw5yyy] CVE-2015-8215: Remote denial-of-service of network traffic when changing the MTU.
[2bby9cuy] CVE-2010-5313, CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.
[orjsp65y] CVE-2015-5156: Denial-of-service in Virtio network device.
[5j4hp0ot] Device Mapper logic error when reloading the block multi-queue.
[a1e5kxp6] CVE-2016-4565: Privilege escalation in Infiniband ioctl.
[gfpg64bh] CVE-2016-5696: Session hijacking in TCP connections.
[b4ljcwin] Message corruption in pseudo terminal output.
[prijjgt5] CVE-2016-4470: Denial-of-service in the keyring subsystem.
[4y2f30ch] CVE-2016-5829: Memory corruption in unknown USB HID devices.
[j1mivn4f] Denial-of-service when resetting a Fibre Channel over Ethernet interface.
[nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
[97fe0h7s] CVE-2016-1583: Privilege escalation in eCryptfs.
[fdztfgcv] Denial-of-service when sending a TCP reset from the netfilter.
[gm4ldjjf] CVE-2016-6828: Use after free during TCP transmission.
[s8pymcf8] CVE-2016-7117: Denial-of-service in recvmmsg() error handling.
[1ktf7029] CVE-2016-4997, CVE-2016-4998: Privilege escalation in the Netfilter driver.
[f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
[5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

Effective kernel version is 2.6.32-642.15.1.el6
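
The practical consequence of that "effective kernel version" is something inventory and vulnerability scanners often get wrong: uname -r on this box still says 2.6.32-573.7.1, so a scanner keyed on that string flags CVEs that ksplice has already closed. The shell script below is an added example, not part of the original post, that does the audit from the text of uptrack-show: it extracts the effective version, counts installed updates and reports which of a given set of CVEs are covered. The function names are mine; the sample uptrack-show text is a constructed, abbreviated copy of three updates from the listing above, so the script runs offline. On a real host feed it "$(uptrack-show)" instead, or use uptrack-uname -r if you only need the effective version.

```shell
#!/bin/sh
# Added example, not from the original post: audit what Ksplice has applied.
# `uname -r` on a live-patched host still reports the kernel it booted with,
# so a scanner keyed on that string reports every CVE fixed since as open.
# The checks below work from the text of `uptrack-show`: pass
# "$(uptrack-show)" on a real host, or the constructed sample used here.

# Constructed, abbreviated sample of `uptrack-show` output (three of the
# updates from the listing in the post).
SAMPLE='Installed updates:
[nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
[1ktf7029] CVE-2016-4997, CVE-2016-4998: Privilege escalation in the Netfilter driver.
[f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.

Effective kernel version is 2.6.32-642.15.1.el6'

# effective_kernel TEXT -> prints the effective kernel version Ksplice reports
# (the same value `uptrack-uname -r` prints on a real host).
effective_kernel() {
    printf '%s\n' "$1" | sed -n 's/^Effective kernel version is //p'
}

# count_updates TEXT -> number of installed Ksplice updates.
count_updates() {
    printf '%s\n' "$1" | grep -c '^\[[a-z0-9]*\]'
}

# cve_patched TEXT CVE-ID -> exit 0 if an installed update names that CVE.
# Each CVE in an update line is followed by "," or ":", so CVE-2016-499
# does not match CVE-2016-4997.
cve_patched() {
    printf '%s\n' "$1" | grep -E "^\[[a-z0-9]+\] .*$2[,:]" >/dev/null
}

# audit_cves TEXT CVE... -> one line per CVE; exit 1 if any is not covered.
audit_cves() {
    text=$1
    shift
    missing=0
    for cve in "$@"; do
        if cve_patched "$text" "$cve"; then
            echo "patched: $cve"
        else
            echo "MISSING: $cve"
            missing=1
        fi
    done
    return $missing
}

# Demo run against the sample; the last CVE is absent from the sample on
# purpose, to show how a gap is reported.
echo "effective kernel version:  $(effective_kernel "$SAMPLE")"
echo "installed ksplice updates: $(count_updates "$SAMPLE")"
audit_cves "$SAMPLE" CVE-2016-5195 CVE-2017-6074 CVE-2017-1000364 \
    || echo "host still needs attention"
```

Matching on the uptrack-show text rather than on uname -r is the point: the same audit, run from a configuration-management or scanning job, gives the answer the live-patched host actually deserves.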

Here is the list of kernels we build ksplice updates for, covering the kernel choices available to Oracle Linux customers:

oracle-2.6.18-238.0.0.0.1.el5
oracle-2.6.18-238.1.1.0.1.el5
oracle-2.6.18-238.5.1.0.1.el5
oracle-2.6.18-238.9.1.0.1.el5
oracle-2.6.18-238.12.1.0.1.el5
oracle-2.6.18-238.19.1.0.1.el5
oracle-2.6.18-274.0.0.0.1.el5
oracle-2.6.18-274.3.1.0.1.el5
oracle-2.6.18-274.7.1.0.1.el5
oracle-2.6.18-274.12.1.0.1.el5
oracle-2.6.18-274.17.1.0.1.el5
oracle-2.6.18-274.18.1.0.1.el5
oracle-2.6.18-308.0.0.0.1.el5
oracle-2.6.18-308.1.1.0.1.el5
oracle-2.6.18-308.4.1.0.1.el5
oracle-2.6.18-308.8.1.0.1.el5
oracle-2.6.18-308.8.2.0.1.el5
oracle-2.6.18-308.11.1.0.1.el5
oracle-2.6.18-308.13.1.0.1.el5
oracle-2.6.18-308.16.1.0.1.el5
oracle-2.6.18-308.20.1.0.1.el5
oracle-2.6.18-308.24.1.0.1.el5
oracle-2.6.18-348.0.0.0.1.el5
oracle-2.6.18-348.1.1.0.1.el5
oracle-2.6.18-348.2.1.0.1.el5
oracle-2.6.18-348.3.1.0.1.el5
oracle-2.6.18-348.4.1.0.1.el5
oracle-2.6.18-348.6.1.0.1.el5
oracle-2.6.18-348.12.1.0.1.el5
oracle-2.6.18-348.16.1.0.1.el5
oracle-2.6.18-348.18.1.0.1.el5
oracle-2.6.18-371.0.0.0.1.el5
oracle-2.6.18-371.1.2.0.1.el5
oracle-2.6.18-371.3.1.0.1.el5
oracle-2.6.18-371.4.1.0.1.el5
oracle-2.6.18-371.6.1.0.1.el5
oracle-2.6.18-371.8.1.0.1.el5
oracle-2.6.18-371.9.1.0.1.el5
oracle-2.6.18-371.11.1.0.1.el5
oracle-2.6.18-371.12.1.0.1.el5
oracle-2.6.18-398.0.0.0.1.el5
oracle-2.6.18-400.0.0.0.1.el5
oracle-2.6.18-400.1.1.0.1.el5
oracle-2.6.18-402.0.0.0.1.el5
oracle-2.6.18-404.0.0.0.1.el5
oracle-2.6.18-406.0.0.0.1.el5
oracle-2.6.18-407.0.0.0.1.el5
oracle-2.6.18-408.0.0.0.1.el5
oracle-2.6.18-409.0.0.0.1.el5
oracle-2.6.18-410.0.0.0.1.el5
oracle-2.6.18-411.0.0.0.1.el5
oracle-2.6.18-412.0.0.0.1.el5
oracle-2.6.18-416.0.0.0.1.el5
oracle-2.6.18-417.0.0.0.1.el5
oracle-2.6.18-418.0.0.0.1.el5
oracle-2.6.32-642.0.0.0.1.el6
oracle-3.10.0-514.6.1.0.1.el7
oracle-3.10.0-514.6.2.0.1.el7
oracle-uek-2.6.39-100.5.1
oracle-uek-2.6.39-100.6.1
oracle-uek-2.6.39-100.7.1
oracle-uek-2.6.39-100.10.1
oracle-uek-2.6.39-200.24.1
oracle-uek-2.6.39-200.29.1
oracle-uek-2.6.39-200.29.2
oracle-uek-2.6.39-200.29.3
oracle-uek-2.6.39-200.31.1
oracle-uek-2.6.39-200.32.1
oracle-uek-2.6.39-200.33.1
oracle-uek-2.6.39-200.34.1
oracle-uek-2.6.39-300.17.1
oracle-uek-2.6.39-300.17.2
oracle-uek-2.6.39-300.17.3
oracle-uek-2.6.39-300.26.1
oracle-uek-2.6.39-300.28.1
oracle-uek-2.6.39-300.32.4
oracle-uek-2.6.39-400.17.1
oracle-uek-2.6.39-400.17.2
oracle-uek-2.6.39-400.21.1
oracle-uek-2.6.39-400.21.2
oracle-uek-2.6.39-400.23.1
oracle-uek-2.6.39-400.24.1
oracle-uek-2.6.39-400.109.1
oracle-uek-2.6.39-400.109.3
oracle-uek-2.6.39-400.109.4
oracle-uek-2.6.39-400.109.5
oracle-uek-2.6.39-400.109.6
oracle-uek-2.6.39-400.209.1
oracle-uek-2.6.39-400.209.2
oracle-uek-2.6.39-400.210.2
oracle-uek-2.6.39-400.211.1
oracle-uek-2.6.39-400.211.2
oracle-uek-2.6.39-400.211.3
oracle-uek-2.6.39-400.212.1
oracle-uek-2.6.39-400.214.1
oracle-uek-2.6.39-400.214.3
oracle-uek-2.6.39-400.214.4
oracle-uek-2.6.39-400.214.5
oracle-uek-2.6.39-400.214.6
oracle-uek-2.6.39-400.215.1
oracle-uek-2.6.39-400.215.2
oracle-uek-2.6.39-400.215.3
oracle-uek-2.6.39-400.215.4
oracle-uek-2.6.39-400.215.6
oracle-uek-2.6.39-400.215.7
oracle-uek-2.6.39-400.215.10
oracle-uek-2.6.39-400.215.11
oracle-uek-2.6.39-400.215.12
oracle-uek-2.6.39-400.215.13
oracle-uek-2.6.39-400.215.14
oracle-uek-2.6.39-400.215.15
oracle-uek-2.6.39-400.243.1
oracle-uek-2.6.39-400.245.1
oracle-uek-2.6.39-400.246.2
oracle-uek-2.6.39-400.247.1
oracle-uek-2.6.39-400.248.3
oracle-uek-2.6.39-400.249.1
oracle-uek-2.6.39-400.249.3
oracle-uek-2.6.39-400.249.4
oracle-uek-2.6.39-400.250.2
oracle-uek-2.6.39-400.250.4
oracle-uek-2.6.39-400.250.5
oracle-uek-2.6.39-400.250.6
oracle-uek-2.6.39-400.250.7
oracle-uek-2.6.39-400.250.9
oracle-uek-2.6.39-400.250.10
oracle-uek-2.6.39-400.250.11
oracle-uek-2.6.39-400.264.1
oracle-uek-2.6.39-400.264.4
oracle-uek-2.6.39-400.264.5
oracle-uek-2.6.39-400.264.6
oracle-uek-2.6.39-400.264.13
oracle-uek-2.6.39-400.276.1
oracle-uek-2.6.39-400.277.1
oracle-uek-2.6.39-400.278.1
oracle-uek-2.6.39-400.278.2
oracle-uek-2.6.39-400.278.3
oracle-uek-2.6.39-400.280.1
oracle-uek-2.6.39-400.281.1
oracle-uek-2.6.39-400.282.1
oracle-uek-2.6.39-400.283.1
oracle-uek-2.6.39-400.283.2
oracle-uek-2.6.39-400.284.1
oracle-uek-2.6.39-400.284.2
oracle-uek-2.6.39-400.286.2
oracle-uek-2.6.39-400.286.3
oracle-uek-2.6.39-400.290.1
oracle-uek-2.6.39-400.290.2
oracle-uek-2.6.39-400.293.1
oracle-uek-2.6.39-400.293.2
oracle-uek-2.6.39-400.294.1
oracle-uek-2.6.39-400.294.2
oracle-uek-2.6.39-400.128.21
oracle-uek-3.8.13-16
oracle-uek-3.8.13-16.1.1
oracle-uek-3.8.13-16.2.1
oracle-uek-3.8.13-16.2.2
oracle-uek-3.8.13-16.2.3
oracle-uek-3.8.13-16.3.1
oracle-uek-3.8.13-26
oracle-uek-3.8.13-26.1.1
oracle-uek-3.8.13-26.2.1
oracle-uek-3.8.13-26.2.2
oracle-uek-3.8.13-26.2.3
oracle-uek-3.8.13-26.2.4
oracle-uek-3.8.13-35
oracle-uek-3.8.13-35.1.1
oracle-uek-3.8.13-35.1.2
oracle-uek-3.8.13-35.1.3
oracle-uek-3.8.13-35.3.1
oracle-uek-3.8.13-35.3.2
oracle-uek-3.8.13-35.3.3
oracle-uek-3.8.13-35.3.4
oracle-uek-3.8.13-35.3.5
oracle-uek-3.8.13-44
oracle-uek-3.8.13-44.1.1
oracle-uek-3.8.13-44.1.3
oracle-uek-3.8.13-44.1.4
oracle-uek-3.8.13-44.1.5
oracle-uek-3.8.13-55
oracle-uek-3.8.13-55.1.1
oracle-uek-3.8.13-55.1.2
oracle-uek-3.8.13-55.1.5
oracle-uek-3.8.13-55.1.6
oracle-uek-3.8.13-55.1.8
oracle-uek-3.8.13-55.2.1
oracle-uek-3.8.13-68
oracle-uek-3.8.13-68.1.2
oracle-uek-3.8.13-68.1.3
oracle-uek-3.8.13-68.2.2
oracle-uek-3.8.13-68.2.2.1
oracle-uek-3.8.13-68.2.2.2
oracle-uek-3.8.13-68.3.1
oracle-uek-3.8.13-68.3.2
oracle-uek-3.8.13-68.3.3
oracle-uek-3.8.13-68.3.4
oracle-uek-3.8.13-68.3.5
oracle-uek-3.8.13-98
oracle-uek-3.8.13-98.1.1
oracle-uek-3.8.13-98.1.2
oracle-uek-3.8.13-98.2.1
oracle-uek-3.8.13-98.2.2
oracle-uek-3.8.13-98.4.1
oracle-uek-3.8.13-98.5.2
oracle-uek-3.8.13-98.6.1
oracle-uek-3.8.13-98.7.1
oracle-uek-3.8.13-98.8.1
oracle-uek-3.8.13-118
oracle-uek-3.8.13-118.2.1
oracle-uek-3.8.13-118.2.2
oracle-uek-3.8.13-118.2.4
oracle-uek-3.8.13-118.2.5
oracle-uek-3.8.13-118.3.1
oracle-uek-3.8.13-118.3.2
oracle-uek-3.8.13-118.4.1
oracle-uek-3.8.13-118.4.2
oracle-uek-3.8.13-118.6.1
oracle-uek-3.8.13-118.6.2
oracle-uek-3.8.13-118.7.1
oracle-uek-3.8.13-118.8.1
oracle-uek-3.8.13-118.9.1
oracle-uek-3.8.13-118.9.2
oracle-uek-3.8.13-118.10.2
oracle-uek-3.8.13-118.11.2
oracle-uek-3.8.13-118.13.2
oracle-uek-3.8.13-118.13.3
oracle-uek-3.8.13-118.14.1
oracle-uek-3.8.13-118.14.2
oracle-uek-3.8.13-118.15.1
oracle-uek-3.8.13-118.15.2
oracle-uek-3.8.13-118.15.3
oracle-uek-3.8.13-118.16.2
oracle-uek-3.8.13-118.16.3
oracle-uek-4.1.12-32
oracle-uek-4.1.12-32.1.2
oracle-uek-4.1.12-32.1.3
oracle-uek-4.1.12-32.2.1
oracle-uek-4.1.12-32.2.3
oracle-uek-4.1.12-37.2.1
oracle-uek-4.1.12-37.2.2
oracle-uek-4.1.12-37.3.1
oracle-uek-4.1.12-37.4.1
oracle-uek-4.1.12-37.5.1
oracle-uek-4.1.12-37.6.1
oracle-uek-4.1.12-37.6.2
oracle-uek-4.1.12-37.6.3
oracle-uek-4.1.12-61.1.6
oracle-uek-4.1.12-61.1.9
oracle-uek-4.1.12-61.1.10
oracle-uek-4.1.12-61.1.13
oracle-uek-4.1.12-61.1.14
oracle-uek-4.1.12-61.1.16
oracle-uek-4.1.12-61.1.17
oracle-uek-4.1.12-61.1.18
oracle-uek-4.1.12-61.1.19
oracle-uek-4.1.12-61.1.21
oracle-uek-4.1.12-61.1.22
oracle-uek-4.1.12-61.1.23
oracle-uek-4.1.12-61.1.24
oracle-uek-4.1.12-61.1.25
oracle-uek-4.1.12-61.1.27
rhel-2.6.32-71.el6
rhel-2.6.32-71.7.1.el6
rhel-2.6.32-71.14.1.el6
rhel-2.6.32-71.18.1.el6
rhel-2.6.32-71.18.2.el6
rhel-2.6.32-71.24.1.el6
rhel-2.6.32-71.29.1.el6
rhel-2.6.32-131.0.15.el6
rhel-2.6.32-131.2.1.el6
rhel-2.6.32-131.4.1.el6
rhel-2.6.32-131.6.1.el6
rhel-2.6.32-131.12.1.el6
rhel-2.6.32-131.17.1.el6
rhel-2.6.32-131.21.1.el6
rhel-2.6.32-220.el6
rhel-2.6.32-220.2.1.el6
rhel-2.6.32-220.4.1.el6
rhel-2.6.32-220.4.2.el6
rhel-2.6.32-220.7.1.el6
rhel-2.6.32-220.13.1.el6
rhel-2.6.32-220.17.1.el6
rhel-2.6.32-220.23.1.el6
rhel-2.6.32-279.el6
rhel-2.6.32-279.1.1.el6
rhel-2.6.32-279.2.1.el6
rhel-2.6.32-279.5.1.el6
rhel-2.6.32-279.5.2.el6
rhel-2.6.32-279.9.1.el6
rhel-2.6.32-279.11.1.el6
rhel-2.6.32-279.14.1.el6
rhel-2.6.32-279.19.1.el6
rhel-2.6.32-279.22.1.el6
rhel-2.6.32-358.el6
rhel-2.6.32-358.0.1.el6
rhel-2.6.32-358.2.1.el6
rhel-2.6.32-358.6.1.el6
rhel-2.6.32-358.6.2.el6
rhel-2.6.32-358.6.2.el6.x86_64.crt1
rhel-2.6.32-358.11.1.el6
rhel-2.6.32-358.14.1.el6
rhel-2.6.32-358.18.1.el6
rhel-2.6.32-358.23.2.el6
rhel-2.6.32-431.el6
rhel-2.6.32-431.1.2.el6
rhel-2.6.32-431.3.1.el6
rhel-2.6.32-431.5.1.el6
rhel-2.6.32-431.11.2.el6
rhel-2.6.32-431.17.1.el6
rhel-2.6.32-431.20.3.el6
rhel-2.6.32-431.20.5.el6
rhel-2.6.32-431.23.3.el6
rhel-2.6.32-431.29.2.el6
rhel-2.6.32-504.el6
rhel-2.6.32-504.1.3.el6
rhel-2.6.32-504.3.3.el6
rhel-2.6.32-504.8.1.el6
rhel-2.6.32-504.12.2.el6
rhel-2.6.32-504.16.2.el6
rhel-2.6.32-504.23.4.el6
rhel-2.6.32-504.30.3.el6
rhel-2.6.32-573.el6
rhel-2.6.32-573.1.1.el6
rhel-2.6.32-573.3.1.el6
rhel-2.6.32-573.7.1.el6
rhel-2.6.32-573.8.1.el6
rhel-2.6.32-573.12.1.el6
rhel-2.6.32-573.18.1.el6
rhel-2.6.32-573.22.1.el6
rhel-2.6.32-573.26.1.el6
rhel-2.6.32-642.el6
rhel-2.6.32-642.1.1.el6
rhel-2.6.32-642.3.1.el6
rhel-2.6.32-642.4.2.el6
rhel-2.6.32-642.6.1.el6
rhel-2.6.32-642.6.2.el6
rhel-2.6.32-642.11.1.el6
rhel-2.6.32-642.13.1.el6
rhel-2.6.32-642.13.2.el6
rhel-3.10.0-123.el7
rhel-3.10.0-123.1.2.el7
rhel-3.10.0-123.4.2.el7
rhel-3.10.0-123.4.4.el7
rhel-3.10.0-123.6.3.el7
rhel-3.10.0-123.8.1.el7
rhel-3.10.0-123.9.2.el7
rhel-3.10.0-123.9.3.el7
rhel-3.10.0-123.13.1.el7
rhel-3.10.0-123.13.2.el7
rhel-3.10.0-123.20.1.el7
rhel-3.10.0-229.el7
rhel-3.10.0-229.1.2.el7
rhel-3.10.0-229.4.2.el7
rhel-3.10.0-229.7.2.el7
rhel-3.10.0-229.11.1.el7
rhel-3.10.0-229.14.1.el7
rhel-3.10.0-229.20.1.el6.x86_64.knl2
rhel-3.10.0-229.20.1.el7
rhel-3.10.0-327.el7
rhel-3.10.0-327.3.1.el7
rhel-3.10.0-327.4.4.el7
rhel-3.10.0-327.4.5.el7
rhel-3.10.0-327.10.1.el7
rhel-3.10.0-327.13.1.el7
rhel-3.10.0-327.18.2.el7
rhel-3.10.0-327.22.2.el7
rhel-3.10.0-327.28.2.el7
rhel-3.10.0-327.28.3.el7
rhel-3.10.0-327.36.1.el7
rhel-3.10.0-327.36.2.el7
rhel-3.10.0-327.36.3.el7
rhel-3.10.0-514.el7
rhel-3.10.0-514.2.2.el7
rhel-3.10.0-514.6.1.el7
rhel-3.10.0-514.6.2.el7
rhel-2.6.18-92.1.10.el5
rhel-2.6.18-92.1.13.el5
rhel-2.6.18-92.1.17.el5
rhel-2.6.18-92.1.18.el5
rhel-2.6.18-92.1.22.el5
rhel-2.6.18-128.el5
rhel-2.6.18-128.1.1.el5
rhel-2.6.18-128.1.6.el5
rhel-2.6.18-128.1.10.el5
rhel-2.6.18-128.1.14.el5
rhel-2.6.18-128.1.16.el5
rhel-2.6.18-128.2.1.el5
rhel-2.6.18-128.4.1.el5
rhel-2.6.18-128.7.1.el5
rhel-2.6.18-149.el5
rhel-2.6.18-164.el5
rhel-2.6.18-164.2.1.el5
rhel-2.6.18-164.6.1.el5
rhel-2.6.18-164.9.1.el5
rhel-2.6.18-164.10.1.el5
rhel-2.6.18-164.11.1.el5
rhel-2.6.18-164.15.1.el5
rhel-2.6.18-194.el5
rhel-2.6.18-194.3.1.el5
rhel-2.6.18-194.8.1.el5
rhel-2.6.18-194.11.1.el5
rhel-2.6.18-194.11.3.el5
rhel-2.6.18-194.11.4.el5
rhel-2.6.18-194.17.1.el5
rhel-2.6.18-194.17.4.el5
rhel-2.6.18-194.26.1.el5
rhel-2.6.18-194.32.1.el5
rhel-2.6.18-238.el5
rhel-2.6.18-238.1.1.el5
rhel-2.6.18-238.5.1.el5
rhel-2.6.18-238.9.1.el5
rhel-2.6.18-238.12.1.el5
rhel-2.6.18-238.19.1.el5
rhel-2.6.18-274.el5
rhel-2.6.18-274.3.1.el5
rhel-2.6.18-274.7.1.el5
rhel-2.6.18-274.12.1.el5
rhel-2.6.18-274.17.1.el5
rhel-2.6.18-274.18.1.el5
rhel-2.6.18-308.el5
rhel-2.6.18-308.1.1.el5
rhel-2.6.18-308.4.1.el5
rhel-2.6.18-308.8.1.el5
rhel-2.6.18-308.8.2.el5
rhel-2.6.18-308.11.1.el5
rhel-2.6.18-308.13.1.el5
rhel-2.6.18-308.16.1.el5
rhel-2.6.18-308.20.1.el5
rhel-2.6.18-308.24.1.el5
rhel-2.6.18-348.el5
rhel-2.6.18-348.1.1.el5
rhel-2.6.18-348.2.1.el5
rhel-2.6.18-348.3.1.el5
rhel-2.6.18-348.4.1.el5
rhel-2.6.18-348.6.1.el5
rhel-2.6.18-348.12.1.el5
rhel-2.6.18-348.16.1.el5
rhel-2.6.18-348.18.1.el5
rhel-2.6.18-371.el5
rhel-2.6.18-371.1.2.el5
rhel-2.6.18-371.3.1.el5
rhel-2.6.18-371.4.1.el5
rhel-2.6.18-371.6.1.el5
rhel-2.6.18-371.8.1.el5
rhel-2.6.18-371.9.1.el5
rhel-2.6.18-371.11.1.el5
rhel-2.6.18-371.12.1.el5
rhel-2.6.18-398.el5
rhel-2.6.18-400.el5
rhel-2.6.18-400.1.1.el5
rhel-2.6.18-402.el5
rhel-2.6.18-404.el5
rhel-2.6.18-406.el5
rhel-2.6.18-407.el5
rhel-2.6.18-408.el5
rhel-2.6.18-409.el5
rhel-2.6.18-410.el5
rhel-2.6.18-411.el5
rhel-2.6.18-412.el5
rhel-2.6.18-416.el5
rhel-2.6.18-417.el5
rhel-2.6.18-418.el5

Compare that to kpatch or kgraft.

Yes

Fri, 2016-11-04 16:22
More Linux work :)

glibc CVE re: getaddrinfo() and userspace ksplice

Sat, 2016-02-20 17:48
I have my own server running Oracle Linux 6 (of course) where I host a ton of personal stuff, and this server was also affected by the nasty DNS bug from last week (see CVE-2015-7547). Everyone really should update glibc and make sure their system is patched, on any distribution, by the way: this is a very serious vulnerability. The nice thing, however, was that this is a perfect example of user space ksplice patching. A quick ksplice update for glibc on this box and it was patched: no restarting the system, no restarting sshd or any other app for that matter. A split microsecond and life goes on happily. Nothing affected, no downtime, no pauses, no hiccups. That's the way to patch these things.

userspace ksplice

Most awesomely cool stuff. Solving real world problems. Imagine running a few hundred Docker instances or a couple of Linux containers and having to update the host's glibc and bring all that down... talk about impact.

kernel patches ... check

critical OS libraries like SSL and GLIBC ... check.

Oracle Linux 6 and 7 support ... check
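
The reason a conventional glibc update needs those restarts is worth seeing concretely: after the RPM replaces /lib64/libc-*.so, every process that was already running keeps the old, vulnerable copy mapped until it is restarted, and the kernel marks such mappings "(deleted)" in /proc/PID/maps. The script below is an added example, not from the original post, that lists the processes still holding a deleted libc mapping, which is exactly the follow-up check that user space ksplice makes unnecessary. The function name is mine, and the /proc tree it runs against here is constructed in a temporary directory so the example works offline; on a real host call stale_lib_pids /proc 'libc[-.]'.

```shell
#!/bin/sh
# Added example, not from the original post: after `yum update glibc`, find
# the processes that still map the *old* libc. Until each one is restarted,
# the fix is not in effect for it (sshd, database daemons, container inits).

# stale_lib_pids PROCDIR LIBPATTERN
# Prints the PID of every process under PROCDIR whose maps file references a
# deleted file matching LIBPATTERN (an extended regular expression).
# Real usage: stale_lib_pids /proc 'libc[-.]'
stale_lib_pids() {
    procdir=$1
    pattern=$2
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -E "$pattern.*\(deleted\)" "$maps" >/dev/null 2>&1; then
            pid=${maps#"$procdir"/}
            printf '%s\n' "${pid%/maps}"
        fi
    done
}

# Constructed fake /proc tree for an offline run (not real process data):
# PID 1234 still maps the replaced glibc, PID 5678 was started afterwards.
make_fake_proc() {
    dir=$(mktemp -d)
    mkdir -p "$dir/1234" "$dir/5678"
    cat >"$dir/1234/maps" <<'EOF'
7f1c2a000000-7f1c2a1b7000 r-xp 00000000 fd:00 131094   /lib64/libc-2.12.so (deleted)
7f1c2a3c0000-7f1c2a3c5000 r--p 001b6000 fd:00 131094   /lib64/libc-2.12.so (deleted)
7f1c2a600000-7f1c2a620000 r-xp 00000000 fd:00 131072   /lib64/ld-2.12.so
EOF
    cat >"$dir/5678/maps" <<'EOF'
7f9e10000000-7f9e101b7000 r-xp 00000000 fd:00 131200   /lib64/libc-2.12.so
7f9e10400000-7f9e10420000 r-xp 00000000 fd:00 131072   /lib64/ld-2.12.so
EOF
    printf '%s\n' "$dir"
}

# Demo run: only 1234 needs a restart.
FAKE=$(make_fake_proc)
echo "processes still mapping the old libc:"
stale_lib_pids "$FAKE" 'libc[-.]'
rm -rf "$FAKE"
```

Reading /proc/PID/maps for other users' processes requires root, and the "(deleted)" marker also appears for libraries other than glibc, which is why the pattern is a parameter: the same check after an OpenSSL update is stale_lib_pids /proc 'libssl|libcrypto'.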

Secure Boot support with Oracle Linux 7.1

Fri, 2015-03-13 13:04
Update : as my PM team pointed out to me - it's listed as Tech Preview for OL7.1 not GA/production in the release notes - just making sure I add this disclaimer ;)

Another feature introduced with Oracle Linux 7.1 is support for Secure Boot.

If Secure Boot is enabled on a system (typically a desktop, but in some cases also a server), the system carries certificates in its firmware. A certificate can be one enrolled by the admin or one provided by the OEM or OS vendor, and there can be more than one; in many cases, in particular on newer desktops, the firmware already contains the Microsoft key. When the firmware loads the boot loader, it checks the signature on that bootloader against the keys stored in firmware before continuing. The signed bootloader, now trusted to continue, in turn loads a signed kernel or a signed second-stage boot loader and verifies it before starting it. This creates what is called a chain of trust through the boot process.

We ship a first-stage bootloader with Oracle Linux 7.1, a tiny "shim" layer that is signed by both Microsoft and Oracle. So if a system comes with Secure Boot support and already has the Microsoft certificate in its firmware signature database (db), the shim layer is started and verified, and if it passes verification it loads grub2 (the real bootloader). grub2 is signed by us (Oracle): the verified shim layer contains the Oracle key and validates that grub2 carries our signature. If that passes, grub2 loads the Oracle Linux kernel and the same process takes place: our kernel is signed by Oracle and grub2 validates the signature before allowing the kernel to execute. Once the kernel is running, all kernel modules we ship as part of Oracle Linux, whether the standard modules in the kernel RPM or the external kernel modules used with Oracle Ksplice, are also signed by Oracle, and the kernel validates each signature before loading the module.

Verification of kernel module signatures is turned on by adding enforcemodulesig=1 to the kernel command line in the grub configuration. In enforcing mode, any kernel module that is not signed by Oracle fails to load; that includes third-party and locally built modules, so check for those before enabling it.

If a system has Secure Boot support but a sysadmin wants to rely on the Oracle signature instead, we will make our certificate available for secure download from Oracle, and it can then be enrolled into the firmware key database.
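
Two local checks for the module-signing part of that chain, as an added example in shell that is not from the original post: whether the running kernel's command line turns enforcement on, and whether a given .ko actually carries an appended signature. The second check relies on the fixed marker "~Module signature appended~" (plus a newline, 28 bytes) that the kernel's module loader looks for at the end of a signed module before it verifies the signature against its built-in keyring. The function names are mine, the mainline kernel's equivalent parameter module.sig_enforce=1 is listed alongside UEK's enforcemodulesig=1, and the sample .ko files are constructed stand-ins, not real modules.

```shell
#!/bin/sh
# Added example, not from the original post: local checks for the module
# signing leg of the Secure Boot chain of trust.
#  1. sig_enforced CMDLINE  - is signature enforcement on for this kernel?
#     UEK uses enforcemodulesig=1 (as in the post); mainline kernels use
#     module.sig_enforce=1 for the same effect.
#  2. module_is_signed FILE - does a .ko end with the signature marker the
#     kernel looks for? Signed modules end with the 28-byte string
#     "~Module signature appended~\n".
# Neither check verifies the signature itself; that is the kernel's job, and
# `modinfo -F signer FILE` shows whose key was used.

# sig_enforced CMDLINE_TEXT -> exit 0 if enforcement is on.
# On a real host pass "$(cat /proc/cmdline)".
sig_enforced() {
    for tok in $1; do
        case $tok in
            enforcemodulesig=1|module.sig_enforce=1) return 0 ;;
        esac
    done
    return 1
}

# module_is_signed FILE -> exit 0 if FILE ends with the module signature marker.
module_is_signed() {
    [ -r "$1" ] || return 1
    tail -c 28 "$1" | grep -q '^~Module signature appended~$'
}

# Constructed sample files for an offline run (not real kernel modules):
# a few bytes of stand-in payload, one copy with the marker appended.
make_samples() {
    dir=$(mktemp -d)
    printf 'ELF-payload' >"$dir/unsigned.ko"
    printf 'ELF-payload~Module signature appended~\n' >"$dir/signed.ko"
    printf '%s\n' "$dir"
}

# Demo: both checks against the samples and a sample command line.
SAMPLES=$(make_samples)
for f in "$SAMPLES"/*.ko; do
    if module_is_signed "$f"; then echo "signed:   $f"; else echo "unsigned: $f"; fi
done
if sig_enforced 'ro crashkernel=auto quiet enforcemodulesig=1'; then
    echo "module signature enforcement: on"
else
    echo "module signature enforcement: off"
fi
rm -rf "$SAMPLES"
```

A module that passes module_is_signed can still be rejected by the kernel if its signer is not in the trusted keyring, so on a real system run both checks together: enforcement on, and every module you intend to load signed by a key the kernel trusts.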

Secure Boot support with Oracle Linux 7.1

Fri, 2015-03-13 13:04
Update : as my PM team pointed out to me - it's listed as Tech Preview for OL7.1 not GA/production in the release notes - just making sure I add this disclaimer ;)

Another feature introduced with Oracle Linux 7.1 is support for Secure Boot.

If Secure Boot is enabled on a system (typically desktop, but in some cases also servers) - the system can have an embedded certificate (in firmware). This certificate can be one that's uploaded to the system by the admin or it could be one provided by the OEM/OS vendor. In many cases, in particular newer desktops, the system already contains the Microsoft key. (there can be more than one certificate uploaded...). When the firmware loads the boot loader, it verifies/checks the signature of this bootloader with the key stored in firmware before continuing. This signed bootloader (at this point trusted to continue) will then load a signed kernel, or signed second stage boot loader and verify it before starting and continuing the boot process. This creates what is called a chain of trust through the boot process.

We ship a 1st stage bootloader with Oracle Linux 7.1 which is a tiny "shim" layer that is signed by both Microsoft and Oracle. So if a system comes with Secure Boot support, and already ships the microsoft PK, then the shim layer will be started, verified, and if it passes verification, it will then load grub2 (the real bootloader). grub2 is signed by us (Oracle). The signed/verified shim layer contains the Oracle key and will validate that grub2 is ours (signed), if verification passes, grub2 will load the Oracle Linux kernel, and the same process takes place, our kernel is signed by us (Oracle) and grub2 will validate the signature prior to allowing execution of the kernel. Once the kernel is running, all kernel modules that we ship as part of Oracle Linux whether it's standard included kernel modules as part of the kernel RPM or external kernel modules used with Oracle Ksplice, are also signed by Oracle and the kernel will validate the signature prior to loading these kernel modules.

Enabling loading and verification of signed kernel modules is done by adding enforcemodulesig=1 to the grub kernel option line. In enforcing mode, any kernel module that is attempted to be loaded that's not signed by Oracle will fail to load.

If a system has Secure Boot support but a sysadmin wants to use the Oracle signature instead, we will make our certificate available for secure download from Oracle, and it can then be uploaded into the firmware key database.
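As an added example (not Oracle's own tooling), a small audit script that walks the chain described above on a running host: firmware Secure Boot state, the signer on shim, grub2 and the kernel, and whether the kernel command line actually carries enforcemodulesig=1. It assumes the ESP is mounted at /boot/efi with the boot files under EFI/redhat/, and that pesign, mokutil and modinfo are installed; adjust the paths to your layout.

```shell
#!/bin/sh
# Added audit script (not Oracle's own tooling): reports each link of the
# Secure Boot chain described above on a running Oracle Linux 7 host.
# Assumptions: the ESP is mounted at /boot/efi with the boot files under
# EFI/redhat/ (adjust to your layout) and pesign, mokutil and modinfo exist.

# Pure check: is enforcemodulesig=1 present, as a whole word, on a kernel
# command line? Returns 0 (true) when it is.
cmdline_enforces_modsig() {
  case " $1 " in
    *" enforcemodulesig=1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pure helper: extract the "signer:" field from modinfo output, printing
# "unsigned" when the module carries no signature at all.
module_signer() {
  signer=$(printf '%s\n' "$1" |
    awk '$1 == "signer:" { $1 = ""; sub(/^ +/, ""); print; exit }')
  printf '%s\n' "${signer:-unsigned}"
}

# Walk the chain: firmware state, signer on shim/grub2/kernel, module policy.
audit_boot_chain() {
  esp=/boot/efi/EFI/redhat
  echo "== Firmware Secure Boot state =="
  mokutil --sb-state 2>/dev/null || echo "(mokutil unavailable or not a UEFI boot)"
  echo "== Signer on each boot stage (pesign) =="
  for f in "$esp/shim.efi" "$esp/grubx64.efi" "/boot/vmlinuz-$(uname -r)"; do
    echo "-- $f"
    if [ -r "$f" ]; then
      pesign -S -i "$f" 2>/dev/null | grep "common name" || echo "   (no signature found)"
    else
      echo "   (file not found)"
    fi
  done
  echo "== Kernel module signature policy =="
  cmdline=$(cat /proc/cmdline 2>/dev/null || true)
  if cmdline_enforces_modsig "$cmdline"; then
    echo "enforcemodulesig=1 set: modules not signed by Oracle will be refused"
  else
    echo "enforcemodulesig=1 NOT set: unsigned modules may still load"
  fi
  echo "ext4 module signer: $(module_signer "$(modinfo ext4 2>/dev/null || true)")"
}

audit_boot_chain
```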

Oracle Linux 7.1 and MySQL 5.6

Thu, 2015-03-12 22:47
Yesterday we released Oracle Linux 7 update 1. The individual RPM updates are available from both public-yum (our free, open, public yum repo site) and Oracle Linux Network. The install ISOs can be downloaded from My Oracle Support right away and the public downloadable ISOs will be made available in the next few days from the usual e-delivery site. The ISOs will also, as usual, be mirrored to other mirror sites that also make Oracle Linux freely available.

One update in Oracle Linux 7 update 1 that I wanted to point out is the convenience of upgrading to MySQL 5.6 at install time. Oracle Linux 7 GA includes MariaDB 5.5 (due to our compatibility commitment to ship the exact same packages), and we added MySQL 5.6 RPMs on the ISO image (and in the yum repo channels online). So while it was easy for someone to download and upgrade from MariaDB 5.5 to MySQL 5.6, there was no install option. With 7.1 we have now included an installation option for MySQL, so you can decide which database to install in the installer, or through kickstart with @mariadb or @mysql as a group. Again, MariaDB 5.5 is also part of Oracle Linux 7.1, and any users looking for strict package compatibility will find that we remain very much compatible. All we have done is make a better alternative option (1) conveniently available and integrated, and (2) without any compatibility risk whatsoever, so you can easily run the real standard that is MySQL. A bug fix, if you will.

I have a little screenshot available here.

Enjoy.

Oracle Linux and Database Smart Flash Cache

Tue, 2015-02-24 14:07
One, sometimes overlooked, cool feature of the Oracle Database running on Oracle Linux is called Database Smart Flash Cache.

You can find an overview of the feature in the Oracle Database Administrator's Guide. Basically, if you have flash devices attached to your server, you can use this flash memory to increase the size of the buffer cache. So instead of aging blocks out of the buffer cache and having to go back to reading them from disk, they move to the much, much faster flash storage as a secondary fast buffer cache (for reads, not writes).

Some scenarios where this is very useful: you have huge tables and huge amounts of data, a very, very large database with tons of query activity (let's say many TB), and your server is limited to a relatively small amount of main RAM (let's say 128 or 256G). In this case, if you were to purchase and add a flash storage device of, for example, 256G or 512G, you can attach this device to the database with the Database Smart Flash Cache feature and increase the buffer cache of your database from 100G or 200G to 300-700G on that same server. In a good number of cases this will give you a significant performance improvement without having to purchase a new server that handles more memory, or purchase enough flash storage for your many TB of data to live in flash instead of on rotational storage.

It is also incredibly easy to configure.

1. Install Oracle Linux (I installed Oracle Linux 6 with UEK3).
2. Install Oracle Database 12c (this would also work with 11g; I installed 12.1.0.2.0 EE).
3. Add a flash device to your system (for the example I just added a 1GB device, showing up as /dev/sdb).
4. Attach the storage to the database in sqlplus.
Done.

$ ls /dev/sdb
/dev/sdb
$ sqlplus '/ as sysdba'

SQL*Plus: Release 12.1.0.2.0 Production on Tue Feb 24 05:46:08 2015

Copyright (c) 1982, 2014, Oracle. All rights reserved.

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options

SQL> alter system set db_flash_cache_file='/dev/sdb' scope=spfile;

System altered.

SQL> alter system set db_flash_cache_size=1G scope=spfile;

System altered.

SQL> shutdown immediate;
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.

Total System Global Area 4932501504 bytes
Fixed Size                  2934456 bytes
Variable Size            1023412552 bytes
Database Buffers         3892314112 bytes
Redo Buffers               13840384 bytes
Database mounted.
Database opened.
SQL> show parameters flash

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_flash_cache_file                  string      /dev/sdb
db_flash_cache_size                  big integer 1G
db_flashback_retention_target        integer     1440
SQL> select * from v$flashfilestat;

FLASHFILE#
----------
NAME
--------------------------------------------------------------------------------
     BYTES    ENABLED SINGLEBLKRDS SINGLEBLKRDTIM_MICRO     CON_ID
---------- ---------- ------------ -------------------- ----------
         1
/dev/sdb
1073741824          1            0                    0          0

You can get more information on configuration and guidelines/tuning here.

If you want selective control of which tables can use or will use the Database Smart Flash Cache, you can use the ALTER TABLE command (see here, specifically the STORAGE clause). By default, tables are aged out into the flash cache, but if you don't want certain tables to be cached you can use the NONE option:

alter table foo storage (flash_cache none);

This feature can really make a big difference in a number of database environments, and I highly recommend taking a look at how Oracle Linux and Oracle Database 12c can help you enhance your setup. It's included with the database running on Oracle Linux.

Here is a link to a white paper that gives a bit of a performance overview.
