Feed aggregator

My Oracle Support Upgrade Complete

Joshua Solomin - Thu, 2014-10-23 10:34
We upgraded My Oracle Support on October 10, 2014. This upgrade brings changes to help you work more effectively with Oracle Support.

Among the areas you will notice enhancements are:

  • The My Oracle Support customer experience
  • My Oracle Support Chat
  • Knowledge Management
  • Cloud Portal
For details about the latest features visit the My Oracle Support User Resource Center.

 

 

OCP 12C – SQL Enhancements

DBA Scripts and Articles - Thu, 2014-10-23 09:20

Extended Character Data Type Columns: In this release Oracle changed the maximum size of three data types. In Oracle 12c, if you set a VARCHAR2 to 4000 bytes or less it is stored inline; if you set it to more than 4000 bytes then it is transformed into an extended character data type and stored out … Continue reading OCP 12C – SQL Enhancements

The post OCP 12C – SQL Enhancements appeared first on Oracle DBA Scripts and Articles (Montreal).

Categories: DBA Blogs

Configure Oracle Exadata Write Back Flash Cache

VitalSoftTech - Thu, 2014-10-23 00:37
In addition to improving read I/Os, Oracle Exadata Write back flash cache also provides the ability to cache write I/Os directly to PCI flash. Exadata storage software version 11.2.3.2.1 is the minimum version required to use write back flash cache. Grid infrastructure and database homes must run 11.2.0.3.9 or later to use with Write-back Smart […]
Categories: DBA Blogs

ORA-16534 When Converting to/from Snapshot Standby with DataGuard Broker

Don Seiler - Wed, 2014-10-22 23:00
We here at Seilerwerks Industries (not really) have been using snapshot standby databases to refresh an array of unit test databases from a common primary. During the business day, these would be converted to snapshot standby databases for testing, then overnight they are converted back to physical standby and recovered up to the master again.

However we ran into one problem the other week. I noticed that the test3 database was still in physical standby mode well into the business day. Trying to manually convert returned this error:

DGMGRL> convert database test3 to snapshot standby
Converting database "test3" to a Snapshot Standby database, please wait...
Error:
ORA-16534: switchover, failover or convert operation in progress
ORA-06512: at "SYS.DBMS_DRS", line 157
ORA-06512: at line 1

A quick search of MOS yielded bug 13716797 (ORA-16534 from the broker when setting apply-off), which simply suggested restarting the problem database when encountering that error. However, doing so did not get me any further. That's when I checked the Data Guard Broker configuration:

DGMGRL> show configuration;

Configuration - testdb

  Protection Mode: MaxPerformance
  Databases:
    test1 - Primary database
    test5 - Physical standby database
    test6 - Snapshot standby database
    test3 - Physical standby database
    test4 - Snapshot standby database

Fast-Start Failover: DISABLED

Configuration Status:
ORA-16610: command "CONVERT DATABASE test6" in progress
DGM-17017: unable to determine configuration status

Looks like I have two databases stuck in physical standby mode, test3 and also test6. And the configuration is specifically complaining about test6. So I restarted that database and, sure enough, I was then able to convert both back to snapshots:

DGMGRL> show configuration;

Configuration - testdb

  Protection Mode: MaxPerformance
  Databases:
    test1 - Primary database
    test5 - Snapshot standby database
    test6 - Snapshot standby database
    test3 - Snapshot standby database
    test4 - Snapshot standby database

Fast-Start Failover: DISABLED

Configuration Status:
SUCCESS

It was very interesting to me to see one member of the Data Guard configuration prevent me from performing an operation on a different member. Hopefully this helps one of you in the future.

Categories: DBA Blogs

OCP 12C – DataPump, SQL*Loader, External Tables Enhancements

DBA Scripts and Articles - Wed, 2014-10-22 14:57

Oracle DataPump Enhancements Full Transportable Export and Import of Data In Oracle 12c you now have the possibility to create full transportable exports and imports. A full transportable export contains all objects and data needed to create a copy of the database. To create a fully transportable export of your database you need to specify … Continue reading OCP 12C – DataPump, SQL*Loader, External Tables Enhancements

The post OCP 12C – DataPump, SQL*Loader, External Tables Enhancements appeared first on Oracle DBA Scripts and Articles (Montreal).

Categories: DBA Blogs

Old Castles

Pete Scott - Mon, 2014-10-20 07:12
Living here on the Kent Coast we are quite blessed with the number of castles within half an hour’s drive of our cottage. English Heritage manages several nearby castles or forts. The nearest, Richborough, is out and out Roman. We had a lot of Romans roaming around here, they even strolled past my cottage along […]

Learning Spark Lightning-Fast Big Data Analytics by Holden Karau, Andy Konwinski, Patrick Wendell, Matei Zaharia; O'Reilly Media

Surachart Opun - Sat, 2014-10-18 13:45
Apache Spark started as a research project at UC Berkeley in the AMPLab, which focuses on big data analytics. Spark is an open source cluster computing platform designed to be fast and general-purpose for data analytics. It's both fast to run and fast to write. Spark provides primitives for in-memory cluster computing: your job can load data into memory and query it repeatedly much quicker than with disk-based systems like Hadoop MapReduce. Users can write applications quickly in Java, Scala or Python. In addition, it's easy to run standalone or on EC2 or Mesos. It can read data from HDFS, HBase, Cassandra, and any Hadoop data source.
If you would like a book about Spark, there is Learning Spark Lightning-Fast Big Data Analytics by Holden Karau, Andy Konwinski, Patrick Wendell, Matei Zaharia. It's a great book for anyone who is interested in Spark development and starting with it. Readers will learn how to express MapReduce jobs with just a few simple lines of Spark code and more...
  • Quickly dive into Spark capabilities such as collect, count, reduce, and save
  • Use one programming paradigm instead of mixing and matching tools such as Hive, Hadoop, Mahout, and S4/Storm
  • Learn how to run interactive, iterative, and incremental analyses
  • Integrate with Scala to manipulate distributed datasets like local collections
  • Tackle partitioning issues, data locality, default hash partitioning, user-defined partitioners, and custom serialization
  • Use other languages by means of pipe() to achieve the equivalent of Hadoop streaming
The Early Release has 7 chapters. It explains the Apache Spark overview, downloading and the commands you should know, programming with RDDs (plus more advanced topics), as well as working with key-value pairs, etc. It is easy to read and has good examples. It is for people who want to learn Apache Spark or use Spark for data analytics. It's a book that you should keep on your shelf.

Book: Learning Spark Lightning-Fast Big Data Analytics
Authors: Holden Karau, Andy Konwinski, Patrick Wendell, Matei Zaharia
Categories: DBA Blogs

My global view on Oracle OpenWorld 2014

Javier Delgado - Thu, 2014-10-16 07:41
For those who can read Spanish, I just posted in our company blog an entry describing a general overview of Oracle OpenWorld announcements. A couple of weeks ago I made a post on this blog describing the most important outcomes from a PeopleSoft point of view. This new post gives a broader view. 

Are you ready for Windows 10? Dodeca Is Ready!

Tim Tow - Wed, 2014-10-15 23:38
Microsoft recently released its first preview version of their next desktop operating system, Windows 10. In our business, we have seen many large companies just migrate to Windows 7 and the general consensus seems to be that Windows 8 is a 'consumer' operating system. In other words, it will be a while before you have to think about Windows 10, but it is our business to be thinking about this now. We have the Windows 10 preview downloaded and installed in our labs. We made a very smart decision years ago when we decided to write the Dodeca client layer in .NET technology because it works in Windows 10 unchanged!

We are ready. Will you be ready?
Categories: BI & Warehousing

Oracle Linux Containers and docker and the magic of ksplice becomes even more exciting

Wim Coekaerts - Wed, 2014-10-15 16:27
So, in my previous blogs I talked about the value of ksplice for applying updates and keeping your system current. Typical use case has been on physical servers running some application or in a VM running some application and it all keeps every system pretty isolated. Downtime on a single server is often, by a system admin, seen as no big deal, downtime of a bunch of servers because of a multi-tier application that goes down, however, by the application owner is a pretty big deal and can take some scheduling (and cost) to agree on downtime for reboots. If you have to patch a database server and reboot it, then you first have to bring down your application servers, then bring down the database, then reboot the server. So that 'single reboot' from a sysadmin point of view, is a nightmare and long downtime and potential risk for the application owner that has an application across many servers. Do keep that complexity in mind...

Anyway, we introduced support for Linux containers a year ago, back with Oracle Linux 6 and the release of UEKr3, no need to wait for OL7 (or rhel7...) we've been doing this for almost a year and it was possible without having to reinstall servers and go from 6 to 7 and to systemd and have major changes. Just simply updating an OL6 environment and a reboot into uek3 and you were good to go, a year ago. So... with containers (and docker is very similar here)... you run one kernel. As opposed to running VMs where each VM is a completely isolated virtual environment with their own kernel and you can live migrate the VMs to another host if you need to update/patch the host, etc... So you run an OS that supports containers, you deploy your apps and isolate them nicely in a container each... and now you need to apply kernel security updates... well... that means, the host kernel on which all these containers environments are running... oops. my reboot now brings down a ton of containers. Well, not with ksplice. You run uptrack-update in the main environment and it nicely, online, without affecting your running apps in their containers or docker environments, updates to the latest fixes and CVEs. Done. No downtime, no scheduling issues with your application users... all set.

Supported.. since a year ago. Stable.

The magic of ksplice continues...

Wim Coekaerts - Wed, 2014-10-15 16:15
My previous blog talked about some cool use cases of ksplice and I used Oracle Linux 5 as the example. In this blog entry I just wanted to add Oracle Linux 6 to it. For Oracle Linux 6, we go all the way back to the GA date of OL6. 2.6.32-71.el6 build date Wed Dec 15 12:36:54 EST 2010. And we support ksplice online updates from that point on, up to today. The same model, you can be on any Oracle Linux 6 kernel, an errata update, a specific kernel from an update release like 6.1,... 6.5,... and get current with CVEs and critical fixes from then on. After running uptrack-upgrade, I get to be current : 2.6.32-431.29.2.el6

I ran out of xterm buffer space ;-) so starting with the Installing part of the output of uptrack-upgrade -y :

Your kernel is fully up to date.
Effective kernel version is 2.6.32-431.29.2.el6
real

1m26.960suser

0m39.562ssys

0m34.806sAnd now, 1min 27seconds for 267 patches. both CVEs and critical fixes...

The magic of ksplice continues...

Wim Coekaerts - Wed, 2014-10-15 16:15
My previous blog talked about some cool use cases of ksplice and I used Oracle Linux 5 as the example. In this blog entry I just wanted to add Oracle Linux 6 to it. For Oracle Linux 6, we go all the way back to the GA date of OL6: kernel 2.6.32-71.el6, build date Wed Dec 15 12:36:54 EST 2010. And we support ksplice online updates from that point on, up to today. It is the same model: you can be on any Oracle Linux 6 kernel, whether an errata update or a specific kernel from an update release like 6.1, ... 6.5, ..., and get current with CVEs and critical fixes from then on. After running uptrack-upgrade, I get to be current: 2.6.32-431.29.2.el6

I ran out of xterm buffer space ;-) so I am starting with the Installing part of the output of uptrack-upgrade -y:

Installing [1y0hqxq7] Invalid memory access in dynamic debug entry listing.
Installing [1f9nec9b] Clear garbage data on the kernel stack when handling signals.
Installing [lrh0cfph] Reduce usage of reserved percpu memory.
Installing [uo1fmxxr] CVE-2010-2962: Privilege escalation in i915 pread/pwrite ioctls.
Installing [11ofaaud] CVE-2010-3084: Buffer overflow in ETHTOOL_GRXCLSRLALL command.
Installing [8u4favcu] CVE-2010-3301: Privilege escalation in 32-bit syscall entry via ptrace.
Installing [ayk01zir] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Installing [p1o8wy3o] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Installing [r1mlwooa] CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.
Installing [584zm6x2] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Installing [vt03uggp] CVE-2010-2955: Information leak in wireless extensions.
Installing [7rzgltfi] CVE-2010-3079: NULL pointer dereference in ftrace.
Installing [oyaovezn] CVE-2010-3437: Information leak in pktcdvd driver.
Installing [70cjk1y6] CVE-2010-3698: Denial of service vulnerability in KVM host.
Installing [9dm5foy9] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Installing [mhsn7n2j] Memory corruption during KSM swapping.
Installing [kn5l6sh5] KVM guest crashes due to unsupported model-specific registers.
Installing [xmx98rz9] Erroneous merge of block write with block discard request.
Installing [23nlxpse] CVE-2010-2803: Information leak in drm subsystem.
Installing [mo9lbpsi] Memory leak in DRM buffer object LRU list handling.
Installing [91hrmhbr] Memory leak in GEM drm_vma_entry handling.
Installing [apryc0uo] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Installing [ur02tbrc] CVE-2010-4160: Privilege escalation in PPP over L2TP.
Installing [5o3hvdgy] CVE-2010-4263: NULL pointer dereference in igb network driver.
Installing [a3z3nda1] CVE-2010-3477: Information leak in tcf_act_police_dump.
Installing [lsd1hzvx] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Installing [z92iokkb] CVE-2010-3080: Privilege escalation in ALSA sound system OSS emulation.
Installing [23yh7u1i] CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL ioctl.
Installing [jxtltpyu] CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.
Installing [5fuyrpx3] CVE-2010-4162: Integer overflow in block I/O subsystem.
Installing [ylkgl75m] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Installing [ppawlabm] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Installing [q4n7w8t6] CVE-2010-3067: Information leak in sys_io_submit.
Installing [0w2s15ix] CVE-2010-3298: Information leak in hso_get_count().
Installing [dfi8ncbj] CVE-2010-3876: Kernel information leak in packet subsystem.
Installing [ahrdouix] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Installing [wvbjfli8] CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.
Installing [pkhcqtro] CVE-2010-4075: Kernel information leak in serial subsystem.
Installing [cwksn40u] CVE-2010-4077: Kernel information leak in nozomi driver.
Installing [q4d3smds] CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.
Installing [z4duwd7q] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [eajqjo74] CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO.
Installing [6hrf2a3e] CVE-2010-4083: Information leak in System V IPC.
Installing [3xm2ly3f] CVE-2010-4158: Kernel information leak in socket filters.
Installing [5y2oasdw] CVE-2010-4525: Information leak in KVM VCPU events ioctl.
Installing [35e4qfr6] CVE-2010-2492: Privilege escalation in eCryptfs.
Installing [rr12rtq3] Data corruption due to bad flags in break_lease and may_open.
Installing [20cz9gp7] Kernel oops in network neighbour update.
Installing [m650djkx] Deadlock on fsync during dm device resize.
Installing [c19gus65] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Installing [3e86rex1] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Installing [cxb3m3ae] CVE-2010-4165: Denial of service in TCP from user MSS.
Installing [dii4wm64] CVE-2010-4169: Use-after-free bug in mprotect system call.
Installing [e465fr49] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Installing [5s3fe1cn] Mitigate denial of service attacks with large argument lists.
Installing [j8jwyth1] Memory corruption in multipath deactivation queueing.
Installing [5qkkyd5m] Kernel panic in network bonding on ARP receipt.
Installing [f9j8s6u6] Failure to recover NFSv4 client state on server reboot.
Installing [qa379ag5] CVE-2011-0714: Remote denial of service in RPC server sockets.
Installing [12q8wuvd] CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.
Installing [tm68xsph] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Installing [fk2zg5ec] CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.
Installing [bcfvwcux] CVE-2011-0716: Memory corruption in IGMP bridge snooping.
Installing [smkv0oja] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Installing [3eu2kr7i] CVE-2010-3296: Kernel information leak in cxgb driver.
Installing [3skmaxct] CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.
Installing [xuxi8p7r] CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.
Installing [7npiqvil] CVE-2010-4655: Information leak in ETHTOOL_GREGS ioctl.
Installing [en0luyx8] Denial of service on empty virtio_console write.
Installing [yv0cumoa] Denial of service in r8169 receive queue handling.
Installing [j6vlp89e] Failure of virtio_net device on guest low-memory condition.
Installing [q53j90kj] KVM guest crash due to stale memory on migration.
Installing [ri498cnm] KVM guest crash due to unblocked NMIs on STI instruction.
Installing [tlrgiz2i] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Installing [9eta98wf] Use-after-free in CIFS session management.
Installing [19wu4xr4] CVE-2011-0712: Buffer overflows in caiaq driver.
Installing [3cxo6wrf] CVE-2011-1079: Denial of service in Bluetooth BNEP.
Installing [kzieu2je] CVE-2011-1080: Information leak in netfilter.
Installing [ekzp14u9] CVE-2010-4258: Failure to revert address limit override after oops.
Installing [jd3cmfll] CVE-2011-0006: Unhandled error condition when adding security rules.
Installing [jk52g3fx] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Installing [z2ne1xi4] CVE-2011-1013: Signedness error in drm.
Installing [gb4ntots] Cache allocation bug in DCCP.
Installing [pe4f00pm] CVE-2011-1093: NULL pointer dereference in DCCP.
Installing [yypibd1k] CVE-2011-1573: Denial of service in SCTP.
Installing [02al7nxj] CVE-2011-0726: Address space leakage through /proc/pid/stat.
Installing [00ahpz3z] CVE-2011-0711: Information leak in XFS filesystem.
Installing [iczdh30p] CVE-2010-4250: Reference count leak in inotify failure path.
Installing [ea8bohrp] Infinite loop in tty auditing.
Installing [85iuyyyj] Buffer overflow in iptables CLUSTERIP target.
Installing [8o0892h3] CVE-2010-4565: Information leak in Broadcast Manager CAN protocol.
Installing [p3ck0dr6] CVE-2011-1019: Module loading restriction bypass with CAP_NET_ADMIN.
Installing [w8sa7qie] CVE-2011-1016: Privilege escalation in radeon GPU driver.
Installing [aqnhua0z] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Installing [mla0f8wz] CVE-2011-1082: Denial of service in epoll.
Installing [5dbkxjue] CVE-2011-1090: Denial of service in NFSv4 client.
Installing [4qj7c7qc] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Installing [3vf1zjzf] CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [a03rwxbz] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Installing [7z04dctw] Incorrect interrupt handling on down e1000 interface.
Installing [ep319ryq] CVE-2011-1770: Remote denial of service in DCCP options parsing.
Installing [qp7al6tc] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Installing [85n0mc4q] CVE-2011-1598: Denial of service in CAN/BCM protocol.
Installing [z8t1hsjb] CVE-2011-1748: Denial of service in CAN raw sockets.
Installing [pvtdn3yd] CVE-2011-1767: Incorrect initialization order in ip_gre.
Installing [xughs2jb] CVE-2011-1768: Incorrect initialization order in IP tunnel protocols.
Installing [k6a6bqyr] CVE-2011-2479: Denial of service with transparent hugepages and /dev/zero.
Installing [pmkvbrcc] CVE-2011-1776: Missing boundary checks in EFI partition table parsing.
Installing [pb9pjnnn] CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.
Installing [mnpd8mip] CVE-2011-1593: Missing bounds check in proc filesystem.
Installing [d6vuea6w] CVE-2011-2213: Arbitrary code injection bug in IPv4 subsystem.
Installing [zmfowuqn] CVE-2011-2491: Local denial of service in NLM subsystem.
Installing [402w3brr] CVE-2011-2492: Information leak in bluetooth implementation.
Installing [vi7qxs20] CVE-2011-2497: Buffer overflow in the Bluetooth subsystem.
Installing [ql0oxrhk] CVE-2011-2517: Buffer overflow in nl80211 driver.
Installing [0xcbigxp] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Installing [127f4d1u] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Installing [w72wz6f4] CVE-2011-2495: Information leak in /proc/PID/io.
Installing [c8v0sk8t] CVE-2011-1160: Information leak in tpm driver.
Installing [1nt1dahj] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Installing [bxqvqvef] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Installing [d4m9k310] CVE-2011-2484: Denial of service in taskstats subsystem.
Installing [3vlbyy24] CVE-2011-2496: Local denial of service in mremap().
Installing [e0lkqz3i] CVE-2011-2723: Remote denial of service vulnerability in gro.
Installing [99r3sbjg] CVE-2011-2898: Information leak in packet subsystem
Installing [3ev4sw2b] CVE-2011-2918: Denial of service in event overflows in perf.
Installing [ll9j5877] CVE-2011-1833: Information disclosure in eCryptfs.
Installing [ww2gv7iv] CVE-2011-3359: Denial of service in Broadcom 43xx wireless driver.
Installing [9x0ub4l1] CVE-2011-3363: Denial of service in CIFS via malicious DFS referrals.
Installing [ggvpdbug] CVE-2011-3188: Weak TCP sequence number generation.
Installing [z4pt0sai] CVE-2011-1577: Denial of service in GPT partition handling.
Installing [omnzxxxr] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
Installing [o4xkg2el] CVE-2011-3191: Privilege escalation in CIFS directory reading.
Installing [e2eyyaf9] CVE-2011-1162: Information leak in TPM driver.
Installing [1fmgtd1b] CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.
Installing [ldjwxwd5] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Installing [tnhvync5] CVE-2011-2494: Information leak in task/process statistics.
Installing [gi4te905] CVE-2011-3593: Denial of service in VLAN with priority tagged frames.
Installing [h1wiua6s] CVE-2011-4110: Denial of service in kernel key management facilities.
Installing [4yrxpwih] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Installing [gz5jfzi3] CVE-2011-1020: Missing access restrictions in /proc subsystem.
Installing [o31erbbr] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [yqaa1zsp] Arithmetic overflow in clock source calculations.
Installing [vxfxrncu] CVE-2011-4077: Buffer overflow in xfs_readlink.
Installing [rnvy1bow] CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.
Installing [5bokjzmm] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Installing [q7t7hls4] CVE-2011-4347: Denial of service in KVM device assignment.
Installing [wmeoffm9] CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.
Installing [gu3picnz] CVE-2012-0038: In-memory corruption in XFS ACL processing.
Installing [v2td9qse] CVE-2012-0045: Denial of service in KVM system call emulation.
Installing [n2xairv0] CVE-2012-0879: Denial of service in CLONE_IO.
Installing [2k2kq44h] Fix crash on discard in the software RAID driver.
Installing [i244mlk5] CVE-2012-1097: NULL pointer dereference in the ptrace subsystem.
Installing [2anjx00z] CVE-2012-1090: Denial of service in the CIFS filesystem reference counting.
Installing [3ujb9j7q] Inode corruption in XFS inode lookup.
Installing [01x2k6jv] Denial of service due to race condition in the scheduler subsystem.
Installing [hfh1ug4u] CVE-2011-4086: Denial of service in journaling block device.
Installing [4wb0i9tz] CVE-2012-1601: Denial of service in KVM VCPU creation.
Installing [aqut3qai] CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.
Installing [0zkt2e47] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
Installing [pe6u1nwx] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Installing [jqtlake1] CVE-2012-2121: Memory leak in KVM device assignment.
Installing [u6ys5804] CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.
Installing [lr9cjz2p] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Installing [nscqru85] CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.
Installing [j01o1nco] ext4 filesystem corruption on fallocate.
Installing [p37lmn34] CVE-2012-2745: Denial-of-service in kernel key management.
Installing [alprvnsv] CVE-2012-2744: Remote denial-of-service in IPv6 connection tracking.
Installing [m06ws6vc] Unreliable futexes with read-only shared mappings.
Installing [b7mpy2k1] CVE-2011-1078: Information leak in Bluetooth SCO link driver.
Installing [pywfzhvz] CVE-2012-2384: Integer overflow in i915 execution buffer.
Installing [2ibdnvmo] Livelock due to invalid locking strategy when adding a leap-second.
Installing [oixf5hkj] CVE-2012-2384: Additional fix for integer overflow in i915 execution buffer.
Installing [m4x7vdnl] CVE-2012-2390: Memory leak in hugetlbfs mmap() failure.
Installing [o2a3jmox] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [u3qpyl86] CVE-2012-3430: kernel information leak in RDS sockets.
Installing [wr1of5oe] CVE-2012-3552: Denial-of-service in IP options handling.
Installing [y40wlmcw] CVE-2012-3412: Remote denial of service through TCP MSS option in SFC NIC.
Installing [dxshabnc] Use-after-free in USB.
Installing [aovf4isj] Race condition in SUNRPC.
Installing [trz9wa6p] CVE-2012-3400: Buffer overflow in UDF parsing.
Installing [062ge0uf] CVE-2012-3511: Use-after-free due to race condition in madvise.
Installing [tu585kp5] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Installing [fky5li3t] CVE-2012-2133: Use-after-free in hugetlbfs quota handling.
Installing [xtpg99y6] CVE-2012-5517: NULL pointer dereference in memory hotplug.
Installing [ffehzdo8] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Installing [u0d6ztl3] CVE-2012-4565: Divide by zero in TCP congestion control Algorithm.
Installing [7au7wp12] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Installing [80vrmgyk] CVE-2012-4530: Kernel information leak in binfmt execution.
Installing [uytq1dk0] CVE-2012-4398: Denial-of-service in kernel module loading.
Installing [3c5erej0] CVE-2013-0310: NULL pointer dereference in CIPSO socket options.
Installing [j8x8j89y] CVE-2013-0311: Privilege escalation in vhost descriptor management.
Installing [mkibg12j] CVE-2012-4508: Stale data exposure in ext4.
Installing [daw7s3mo] CVE-2012-4542: SCSI command filter does not restrict access to read-only devices.
Installing [nqlo7yy2] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Installing [l6zf9mec] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Installing [r88p6prz] CVE-2013-1798: Information leak in KVM APIC driver.
Installing [tquaqo7o] CVE-2013-1792: Denial-of-service in user keyring management.
Installing [ao71x17l] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Installing [875umolk] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Installing [4dr93r2j] CVE-2013-1827: Denial-of-service in DCCP socket options.
Installing [cdrfdlrt] CVE-2013-0349: Kernel information leak in Bluetooth HIDP support.
Installing [9j8xk8dz] CVE-2012-6546: Information leak in ATM sockets.
Installing [4oeurjvw] CVE-2013-1767: Use-after-free in tmpfs mempolicy remount.
Installing [yhprsmoc] CVE-2013-1773: Heap buffer overflow in VFAT Unicode handling.
Installing [amh400jp] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Installing [532069fc] CVE-2013-1774: NULL pointer dereference in USB Inside Out Edgeport serial driver.
Installing [uaslykxk] CVE-2013-2017: Double free in Virtual Ethernet Tunnel driver (veth).
Installing [1vegmzxj] CVE-2013-1943: Local privilege escalation in KVM memory mappings.
Installing [wddz9qxt] CVE-2012-6548: Information leak in UDF export.
Installing [d51dm2vs] CVE-2013-0914: Information leak in signal handlers.
Installing [sxb5x0pd] CVE-2013-2852: Invalid format string usage in Broadcom B43 wireless driver.
Installing [vzlh2p9r] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Installing [l1wlz1f1] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Installing [m0y7j4ra] CVE-2013-3225: Kernel stack information leak in Bluetooth rfcomm.
Installing [3m5ckvvm] CVE-2013-3301: NULL pointer dereference in tracing sysfs files.
Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
Installing [0m3a5xq8] CVE-2013-2128: Denial of service in TCP splice.
Installing [2fg4nowt] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Installing [m4a0xb93] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Installing [pqfoprcp] CVE-2013-2237: Information leak on IPSec key socket.
Installing [i1ha5yp7] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Installing [aqfegdn1] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Installing [oojymn3l] CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.
Installing [kb7zovzd] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Installing [7ew8svwd] Off-by-one error causes reduced entropy in kernel PRNG.
Installing [v3hs5diu] CVE-2013-2888: Memory corruption in Human Input Device processing.
Installing [aew2tmdl] CVE-2013-2889: Memory corruption in Zeroplus HID driver.
Installing [ox2wqeva] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Installing [w9rhkfub] CVE-2013-1928: Kernel information leak in compat_ioctl/VIDEO_SET_SPU_PALETTE.
Installing [r55nqyci] CVE-2013-2164: Kernel information leak in the CDROM driver.
Installing [1vgf62zi] CVE-2013-2234: Information leak in IPsec key management.
Installing [hc532irb] CVE-2013-2851: Format string vulnerability is software RAID device names.
Installing [e129vh8h] CVE-2013-4592: Denial-of-service in KVM IOMMU mappings.
Installing [9wzwcaep] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Installing [ufm8ladu] CVE-2013-4470: Memory corruption in IPv4 and IPv6 networking corking with UFO.
Installing [5rh9jkmi] CVE-2013-6367: Divide-by-zero in KVM LAPIC.
Installing [ur8700aj] CVE-2013-6368: Memory corruption in KVM virtual APIC accesses.
Installing [nyg2e0m1] Error in the tag insertion logic of the bonding network device.
Installing [1ekik21n] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Installing [m8de4fmg] CVE-2013-7263, CVE-2013-7265: Information leak in IPv4, IPv6 and PhoNet socket recvmsg.
Installing [p4ufjdr0] CVE-2014-0101: NULL pointer dereference in SCTP protocol.
Installing [o86dh6ww] Use-after-free in EDAC Intel E752X driver.
Installing [b2h8hej4] Deadlock in XFS filesystem when removing a inode from namespace.
Installing [nvhmnvp6] Memory leak in GFS2 filesystem for files with short lifespan.
Installing [7brqevk0] CVE-2013-1860: Buffer overflow in Wireless Device Management driver.
Installing [4nh0vuhi] Missing check in selinux for IPSec TCP SYN-ACK packets.
Installing [zvvk1k2q] Logic error in selinux when checking permissions on recv socket.
Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.
Installing [1r5tw9sm] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Installing [z4k7xryp] CVE-2014-2523: Remote crash via DCCP conntrack.
Installing [pi89wa2j] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Installing [b4x8o44g] CVE-2014-0196: Pseudo TTY device write buffer handling race.
Installing [s8s7tfsm] CVE-2014-3153: Local privilege escalation in futex requeueing.
Installing [bqk9mi1j] CVE-2013-6378: Denial-of-service in Marvell 8xxx Libertas WLAN driver.
Installing [rokmr7ey] CVE-2014-1874: Denial-of-service in SELinux on empty security context.
Installing [hxq9cdju] CVE-2014-0203: Memory corruption on listing procfs symbolic links.
Installing [n6kpf53d] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Installing [pbab6ibn] CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.
Installing [8n932y6h] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.
Installing [yfh1rar2] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Installing [5z4hhyp3] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Installing [1vpc7i76] CVE-2012-6647: NULL pointer dereference in non-pi futexes.
Installing [ruu6bc4r] CVE-2014-3144, CVE-2014-3145: Multiple local denial of service vulnerabilities in netlink.
Installing [hgeqfh2x] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Installing [345v5a2z] CVE-2014-4667: Denial-of-service in SCTP stack when unpacking a COOKIE_ECHO chunk.
Installing [92st5y9o] CVE-2014-0205: Use-after-free in futex refcounting.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-431.29.2.el6

real	1m26.960s
user	0m39.562s
sys	0m34.806s
And now, 1 min 27 seconds for 267 patches, both CVEs and critical fixes...
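The uptrack-upgrade listings in these posts can be tallied mechanically, for example to confirm which CVEs a host's live patches cover. The following is an added example, not part of the original posts or of the Ksplice tools: a Python parser that de-duplicates patches by ID, expands the grouped CVE headers seen in the listings, and counts distinct CVEs per year. The function names are assumptions, and the sample is an abridged, constructed arrangement of lines copied from the listings.

```python
import re
from collections import Counter

# Abridged sample, constructed from lines copied from the listings in these
# posts. One pair of entries is deliberately run together without a newline,
# as in the flattened copy of the output.
SAMPLE = """\
The following steps will be taken:
Install [1y0hqxq7] Invalid memory access in dynamic debug entry listing.
Install [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
Installing [1y0hqxq7] Invalid memory access in dynamic debug entry listing.
Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
Installing [jxtltpyu] CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.
Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.
Installing [pywfzhvz] CVE-2012-2384: Integer overflow in i915 execution buffer.Installing [oixf5hkj] CVE-2012-2384: Additional fix for integer overflow in i915 execution buffer.
Installing [nvhmnvp6] Memory leak in GFS2 filesystem for files with short lifespan.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-431.29.2.el6
"""

# One entry: verb, bracketed patch ID, then the description up to the next
# entry or the closing status lines. Works on line-based and flattened text.
ENTRY = re.compile(
    r"(Install(?:ing)?) \[([0-9a-z]+)\] (.*?)"
    r"(?=\s*(?:Install(?:ing)? \[|Your kernel is|Effective kernel|$))",
    re.S,
)
# Either a "CVE-YYYY-" prefix, or a number with an optional [digits] class.
CVE_TOKEN = re.compile(r"CVE-(\d{4})-|(\d+)(?:\[(\d+)\])?")


def expand_cves(header):
    """Expand 'CVE-2013-2634, 2635' or 'CVE-2013-(726[6789], 3231)' to full IDs."""
    ids, year = [], None
    for m in CVE_TOKEN.finditer(header):
        if m.group(1):
            year = m.group(1)          # later bare numbers inherit this year
        elif year:
            stem, alternatives = m.group(2), m.group(3)
            for last in (alternatives or [""]):
                ids.append(f"CVE-{year}-{stem}{last}")
    return ids


def cves_of(description):
    """Return the CVE IDs a patch description refers to (empty for other fixes)."""
    if description.startswith("CVE-"):
        return expand_cves(description.partition(":")[0])
    # Follow-up fixes name the CVE inside the sentence instead of a header.
    return re.findall(r"CVE-\d{4}-\d+", description)


def summarize(text):
    patches = {}                       # patch ID -> (verb, description)
    for verb, pid, desc in ENTRY.findall(text):
        desc = " ".join(desc.split())  # undo line wrapping inside an entry
        # A patch is listed as "Install" in the plan and again as
        # "Installing" when applied; keep one record, applied wins.
        if verb == "Installing" or pid not in patches:
            patches[pid] = (verb, desc)
    by_cve = {}
    for pid, (_, desc) in patches.items():
        for cve in cves_of(desc):
            by_cve.setdefault(cve, []).append(pid)
    kernel = re.search(r"Effective kernel version is (\S+)", text)
    years = Counter(cve.split("-")[1] for cve in by_cve)
    return {
        "patches": len(patches),
        "applied": sum(1 for verb, _ in patches.values() if verb == "Installing"),
        "non_cve": sorted(p for p, (_, d) in patches.items() if not cves_of(d)),
        "cves_by_year": dict(sorted(years.items())),
        "multi_patch_cves": {c: p for c, p in by_cve.items() if len(p) > 1},
        "kernel": kernel.group(1) if kernel else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Feeding it the complete captured output of a run gives the per-year CVE spread and the list of non-CVE critical fixes.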

The magic of ksplice

Wim Coekaerts - Wed, 2014-10-15 16:09
I love talking about Oracle Ksplice and how cool a technology and feature it is. Whenever I explain to customers how much they can do with it, they often just can't believe the capabilities until I show them, in a matter of literally 5 seconds, that it actually really -just works-.

During Oracle OpenWorld, we talked about it a lot, of course, and I wanted to show you how far back these ksplice updates can go. How much flexibility it gives a system administrator in terms of which kernel to use, how easy and fast it is, etc...

One of the main advantages of the ksplice technology is the ability for us to build these updates for many, many, yes many,... kernels and have a highly automated and scalable build infrastructure. When we publish a ksplice update, we build the update for -every kernel errata- released since the first kernel for that given major distribution release we started to support. What does this mean? Well, in the case of Oracle Linux 5, we currently support ksplice updates starting with Oracle Linux 5 update 4's kernel. The base kernel is the Red Hat Compatible Kernel 2.6.18-164.el5, built Thu Sep 3 04:15:13 EDT 2009. Yes, you read that right, September 2009. So during the lifetime of Oracle Linux 5, starting with that kernel, we publish ksplice updates for every kernel since then to today (and forward, of course). So no matter what errata kernel you are on, since -164, or major Oracle Linux 5 release, ksplice updates released after that date will be available for all those kernels. A simple uptrack-upgrade will take that running version up to the latest updates. While the main focus of the ksplice online updates is around CVEs, we also add critical fixes to it as well, so it's a combination of both.

So back to OL5.4: running uname shows 2.6.18-164.el5. After uptrack-upgrade -y it will say 2.6.18-398.el5 (which, by the way, is the latest kernel for OL5 for 2.6.18). You can see the output below; you can also see how many 'minutes' it took, without reboot, all current and active right away, and you can follow the timeframe by looking at the year right behind CVE. You will see CVEs from 2009, 2010, 2011, 2012, 2013 and 2014. Completely current.

Now, this can be done on a running system. To install ksplice and start using it, you don't need to reboot; just install the uptrack tools and you're good to go. You can be current with CVEs and critical bugs without rebooting for years. You can be current even though you run an older update release of Oracle Linux, and you are not required to take new kernels that potentially (in the RHCK case) backport new features, introduce new code beyond just bugfixes, or introduce new device drivers, which on a system that's stable you don't necessarily want or need. So it's always good to update to newer kernels when you get new hardware and you need new device drivers, but for existing stable production systems you don't really want or need that, nor do you necessarily need to get stuff from new kernels backported into older versions (again, in particular in the RHCK case), which will introduce a lot of change. I will show you a lines-of-code change in another blog entry. ksplice lets you stick with an older version, yet anything critical and CVE related will be there for you, and this for any errata kernel you start with since, in the OL5 case, update 4... Not just one update earlier, but any kernel at any point in time.

If you do have periodic scheduled reboots, fine, install the kernel rpms so that the next time you reboot, it boots into the latest kernel, if you want, but you don't have to. You have complete flexibility if and when you need it.

I hope that the output of this, and of a follow-up blog I will do on OL6 as a similar example, shows how scalable this is, how much use this has had, how many updates we have done and can do, and how complex these updates are (not just a one-liner change in some file): not just a one-off for one customer case, but scalable. Also, there are tons of checks in place so that it works for kernel modules and so that it won't lock up your box; we validate that it's the right kernel, that these updates are safe to apply, etc. It is proven, 7+ years old technology, and completely supported by us. You can run your database or middleware software and run uptrack-upgrade while it's up and running and humming along... perfectly OK.

time uptrack-upgrade -y
The following steps will be taken:
Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Install [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Install [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Install [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Install [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Install [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Install [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Install [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Install [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Install [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Install [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Install [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Install [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Install [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Install [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Install [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Install [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Install [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Install [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Install [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Install [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Install [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Install [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Install [qdlkztzx] Kernel crash forwarding network traffic.
Install [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Install [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Install [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Install [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Install [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Install [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Install [xem0m4sg] Floating point state corruption after signal.
Install [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Install [3ulklysv] CVE-2010-0307: Denial of service on amd64
Install [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Install [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Install [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Install [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Install [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Install [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Install [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Install [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Install [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Install [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Install [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Install [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Install [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Install [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Install [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Install [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Install [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Install [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Install [5mgd1si0] Improved fix to CVE-2010-1173.
Install [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Install [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Install [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Install [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Install [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Install [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Install [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Install [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Install [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Install [ff1wrijq] Buffer overflow in icmpmsg_put.
Install [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Install [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Install [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Install [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Install [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Install [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Install [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Install [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Install [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Install [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Install [usukkznh] Mitigate denial of service attacks with large argument lists.
Install [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Install [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Install [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Install [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Install [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Install [hnbz3ppf] Integer overflow in 
sys_remap_file_pages.Install [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.Install [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.Install [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.Install [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.Install [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.Install [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.Install [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.Install [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.Install [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.Install [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.Install [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.Install [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.Install [ifgdet83] Use-after-free in MPT driver.Install [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.Install [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.Install [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.Install [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.Install [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.Install [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.Install [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.Install [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.Install [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.Install [jz43fdgc] Denial of service in NFS server via reference count leak.Install [h860edrq] Fix a packet flood when initializing a bridge device 
without STP.Install [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.Install [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.Install [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.Install [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.Install [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.Install [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.Install [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.Install [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.Install [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.Install [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.Install [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.Install [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.Install [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.Install [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.Install [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.Install [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler APIInstall [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.Install [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.Install [ofrder8l] Hangs using direct I/O with XFS filesystem.Install [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.Install [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.Install [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.Install [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.Install [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().Install [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.Install [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.Install [fy2peril] 
CVE-2011-2699: Predictable IPv6 fragment identification numbers.Install [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.Install [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.Install [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.Install [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.Install [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.Install [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.Install [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.Install [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.Install [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.Install [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.Install [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.Install [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.Install [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.Install [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.Install [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.Install [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.Install [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.Install [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.Install [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.Install [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.Install [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.Install [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.Install [uknrp2eo] Denial of service in filesystem unmounting.Install [97u6urvt] Soft lockup in USB ACM driver.Install [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.Install [loizuvxu] Kernel crash in Ethernet bridging netfilter module.Install 
[yc146ytc] Unresponsive I/O using QLA2XXX driver.Install [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.Install [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.Install [bvoz27gv] Arithmetic overflow in clock source calculations.Install [lzwurn1u] ext4 filesystem corruption on fallocate.Install [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.Install [9do532u6] Kernel panic when overcommiting memory with NFSd.Install [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.Install [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.Install [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.Install [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.Install [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.Install [l093jvcl] Kernel panic in SMB extended attributes.Install [qlzoyvty] Kernel panic in ext3 indirect blocks.Install [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.Install [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.Install [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.Install [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.Install [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.Install [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.Install [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.Install [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.Install [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.Install [2zzz6cqb] Data corruption on NFSv3/v2 short reads.Install [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.Install [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.Install [43shl6vr] CVE-2013-3224: Kernel stack 
information leak in Bluetooth sockets.Install [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.Install [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.Install [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.Install [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.Install [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.Install [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.Install [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.Install [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.Install [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.Install [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.Install [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.Install [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.Install [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.Install [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.Install [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.Install [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.Install [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.Install [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.Install [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.Install [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.Install [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.Install [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.Install [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.Install [pz65qqpk] Panic in GFS2 filesystem locking 
code.Install [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.Install [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.Install [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.Install [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.Install [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.Install [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.Installing [v5267zuo] Clear garbage data on the kernel stack when handling signals.Installing [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.Installing [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.Installing [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.Installing [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.Installing [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.Installing [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.Installing [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.Installing [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.Installing [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.Installing [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.Installing [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.Installing [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6Installing [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.Installing [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.Installing [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.Installing [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().Installing [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.Installing [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.Installing 
[234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.Installing [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.Installing [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.Installing [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.Installing [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.Installing [qdlkztzx] Kernel crash forwarding network traffic.Installing [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.Installing [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.Installing [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pagesInstalling [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.Installing [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.Installing [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.Installing [xem0m4sg] Floating point state corruption after signal.Installing [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.Installing [3ulklysv] CVE-2010-0307: Denial of service on amd64Installing [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 serverInstalling [trws48lp] CVE-2010-1087: Oops when truncating a file in NFSInstalling [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinksInstalling [gmqqylxv] CVE-2010-1187: Denial of service in TIPCInstalling [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremapInstalling [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTPInstalling [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruptionInstalling [l5qljcxc] CVE-2010-1437: Privilege escalation in key managementInstalling [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2Installing [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.Installing [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.Installing [avqwduk3] 
CVE-2010-2524: False CIFS mount via DNS cache poisoning.Installing [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.Installing [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.Installing [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.Installing [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.Installing [59car2zc] CVE-2010-2798: Denial of service in GFS2.Installing [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.Installing [5mgd1si0] Improved fix to CVE-2010-1173.Installing [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.Installing [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.Installing [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.Installing [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.Installing [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.Installing [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.Installing [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.Installing [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.Installing [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.Installing [ff1wrijq] Buffer overflow in icmpmsg_put.Installing [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.Installing [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.Installing [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.Installing [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.Installing [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.Installing [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.Installing [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.Installing [cggc9uy2] CVE-2010-4157: Memory 
corruption in Intel/ICP RAID driver.Installing [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.Installing [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.Installing [usukkznh] Mitigate denial of service attacks with large argument lists.Installing [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.Installing [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.Installing [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.Installing [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.Installing [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.Installing [hnbz3ppf] Integer overflow in sys_remap_file_pages.Installing [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.Installing [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.Installing [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.Installing [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.Installing [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.Installing [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.Installing [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.Installing [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.Installing [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.Installing [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.Installing [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.Installing [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.Installing [ifgdet83] Use-after-free in MPT driver.Installing [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition 
tables.Installing [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.Installing [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.Installing [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.Installing [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.Installing [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.Installing [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.Installing [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.Installing [jz43fdgc] Denial of service in NFS server via reference count leak.Installing [h860edrq] Fix a packet flood when initializing a bridge device without STP.Installing [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.Installing [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.Installing [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.Installing [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.Installing [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.Installing [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.Installing [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.Installing [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.Installing [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.Installing [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.Installing [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.Installing [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.Installing [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.Installing [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.Installing [fznr6cbr] CVE-2011-2492: 
Information leak in bluetooth implementation.Installing [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler APIInstalling [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.Installing [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.Installing [ofrder8l] Hangs using direct I/O with XFS filesystem.Installing [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.Installing [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.Installing [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.Installing [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.Installing [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().Installing [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.Installing [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.Installing [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.Installing [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.Installing [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.Installing [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.Installing [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.Installing [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.Installing [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.Installing [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.Installing [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.Installing [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.Installing [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.Installing [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.Installing [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.Installing [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.Installing [q6rd6uku] CVE-2011-4324: 
Denial of service vulnerability in NFSv4.Installing [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.Installing [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.Installing [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.Installing [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.Installing [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.Installing [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.Installing [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.Installing [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.Installing [uknrp2eo] Denial of service in filesystem unmounting.Installing [97u6urvt] Soft lockup in USB ACM driver.Installing [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.Installing [loizuvxu] Kernel crash in Ethernet bridging netfilter module.Installing [yc146ytc] Unresponsive I/O using QLA2XXX driver.Installing [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.Installing [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.Installing [bvoz27gv] Arithmetic overflow in clock source calculations.Installing [lzwurn1u] ext4 filesystem corruption on fallocate.Installing [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.Installing [9do532u6] Kernel panic when overcommiting memory with NFSd.Installing [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.Installing [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.Installing [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.Installing [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.Installing [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.Installing [l093jvcl] Kernel panic in SMB extended attributes.Installing [qlzoyvty] Kernel panic in ext3 indirect 
blocks.Installing [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.Installing [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.Installing [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.Installing [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.Installing [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.Installing [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.Installing [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.Installing [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.Installing [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.Installing [2zzz6cqb] Data corruption on NFSv3/v2 short reads.Installing [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.Installing [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.Installing [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.Installing [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.Installing [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.Installing [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.Installing [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.Installing [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.Installing [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.Installing [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.Installing [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.Installing [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.Installing [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.Installing [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.Installing 
[s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.Installing [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.Installing [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.Installing [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.Installing [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.Installing [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.Installing [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.Installing [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.Installing [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.Installing [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.Installing [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.Installing [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.Installing [pz65qqpk] Panic in GFS2 filesystem locking code.Installing [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.Installing [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.Installing [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.Installing [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.Installing [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.Installing [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.Your kernel is fully up to date.Effective kernel version is 2.6.18-398.el5real

0m59.447suser

0m22.640ssys

0m22.611s1 minute for 215 updates. And this isn't one minute of hang, it applies each patch and just takes a few microseconds to apply. So your applications or users won't experience hangs or hickups at all.

The magic of ksplice

Wim Coekaerts - Wed, 2014-10-15 16:09
I love talking about Oracle Ksplice and how cool a technology and feature it is. Whenever I explain to customers how much they can do with it, they often just can't believe the capabilities until I show them, in a matter of literally 5 seconds, that it actually really -just works-.

During Oracle OpenWorld, we talked about it a lot, of course, and I wanted to show you how far back these ksplice updates can go, how much flexibility it gives a system administrator in terms of which kernel to use, how easy and fast it is, etc.

One of the main advantages of the ksplice technology is that we can build these updates for many, many, yes many, kernels, with a highly automated and scalable build infrastructure. When we publish a ksplice update, we build the update for -every kernel errata- released since the first kernel we started to support for that major distribution release. What does this mean? Well, in the case of Oracle Linux 5, we currently support ksplice updates starting with Oracle Linux 5 update 4's kernel. The base kernel is the Red Hat Compatible Kernel 2.6.18-164.el5, built Thu Sep 3 04:15:13 EDT 2009. Yes, you read that right, September 2009. So during the lifetime of Oracle Linux 5, starting with that kernel, we publish ksplice updates for every kernel since then to today (and forward, of course). So no matter what errata kernel you are on since -164, or which major Oracle Linux 5 release, ksplice updates released after that date will be available for all those kernels. A simple uptrack-upgrade will take that running version up to the latest updates. While the main focus of the ksplice online updates is CVEs, we also add critical fixes, so it's a combination of both.

So back to OL5.4: running uname shows 2.6.18-164.el5. After uptrack-upgrade -y it will say 2.6.18-398.el5 (which, by the way, is the latest kernel for OL5 for 2.6.18). You can see the output below; you can also see how many 'minutes' it took, without reboot, all current and active right away, and you can follow the timeframe by looking at the year right behind CVE. You will see CVEs from 2009, 2010, 2011, 2012, 2013 and 2014. Completely current.
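As an added example (not part of the original post and not Oracle's own tooling), the shell functions below do mechanically what the paragraph above suggests doing by eye: they tally which CVE years an uptrack-upgrade run covered and pull out the effective kernel version. The function names are hypothetical; the sample lines are entries copied from the output shown in this post.

```shell
#!/bin/sh
# Added example: summarise `uptrack-upgrade -y` output read from stdin.

# Count distinct CVE IDs per CVE year across the applied updates.
# Only "Installing [id] ..." lines are read: the "Install [id] ..." lines
# printed first are the plan for the same updates and would double-count.
ksplice_cve_years() {
    awk '
        /^Installing \[/ {
            updates++
            rest = $0
            hit = 0
            # One update may name several CVEs ("CVE-A, CVE-B: ...").
            while (match(rest, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                cve = substr(rest, RSTART, RLENGTH)
                if (!(cve in seen)) {
                    seen[cve] = 1
                    years[substr(cve, 5, 4)]++
                }
                rest = substr(rest, RSTART + RLENGTH)
                hit = 1
            }
            if (!hit) other++    # critical fix with no CVE assigned
        }
        END {
            for (y in years) printf "%s %d\n", y, years[y]
            printf "non-cve %d\n", other
            printf "updates %d\n", updates
        }
    ' | LC_ALL=C sort
}

# Print the version from the final "Effective kernel version is ..." line.
# On a live system `uptrack-uname -r` reports the same effective version,
# while plain `uname -r` keeps reporting the kernel that was booted.
ksplice_effective_kernel() {
    sed -n 's/^Effective kernel version is //p' | tail -n 1
}

# Sample input: a handful of entries taken from the output in this post.
sample_output() {
    cat <<'EOF'
Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Install [ff1wrijq] Buffer overflow in icmpmsg_put.
Installing [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [ff1wrijq] Buffer overflow in icmpmsg_put.
Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Installing [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Installing [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Your kernel is fully up to date.
Effective kernel version is 2.6.18-398.el5
EOF
}

# Live use: uptrack-upgrade -y | tee upgrade.log | ksplice_cve_years
sample_output | ksplice_cve_years
sample_output | ksplice_effective_kernel
```

A year with no line in the summary means no applied update referenced a CVE from that year, which is a quick way to spot a host whose updates stopped partway.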

Now, this can be done on a running system. To install ksplice and start using it, you don't need to reboot: just install the uptrack tools and you're good to go. You can be current with CVEs and critical bugs without rebooting for years. You can be current even though you run an older update release of Oracle Linux, and you are not required to take new kernels with potentially (in the RHCK case) new features backported, introducing new code beyond just bugfixes, or new device drivers, which on a system that's stable you don't necessarily want or need. So it's always good to update to newer kernels when you get new hardware and you need new device drivers, but for existing stable production systems, you don't really want or need that, nor do you necessarily need to get stuff from new kernels backported into older versions (again, in particular in the RHCK case), which will introduce a lot of change. I will show you a lines-of-code change in another blog entry. ksplice lets you stick with an older version, yet anything critical and CVE related will be there for you, and this for any errata kernel you start with since, in the OL5 case, update 4... Not just one update earlier, but any kernel at any point in time.

If you do have periodic scheduled reboots, fine, install the kernel rpms so that the next time you reboot, it boots into the latest kernel, if you want, but you don't have to. You have complete flexibility if and when you need it.

I hope that the output of this, and a follow-up blog I will do on OL6 as a similar example, shows how scalable this is, how much use this has had, how many updates we have done and can do, and how complex these updates are (not just a one-liner change in some file): not just a one-off for one customer case, but scalable. Also, there are tons of checks in place so that it works for kernel modules and so that it won't lock up your box; we validate that it's the right kernel, that these updates are safe to apply, etc. Proven, 7+ year old technology. And completely supported by us. You can run your database or middleware software and run uptrack-upgrade while it's up and running and humming along... perfectly OK.
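An added example, not from the original post or from Oracle: a Python script that reads `uptrack-upgrade -y` output in the format of the listing that follows, tallies the leading CVE ids per year, separates the non-CVE fixes, and checks that every planned "Install" entry also has an "Installing" line. The function names are hypothetical; the sample reuses lines from the listing, with the "Installing" line for [p4focqhi] left out on purpose to exercise the check.

```python
import re
from collections import Counter

# "Install [id] text" lines are the plan; "Installing [id] text" lines are
# the execution log. Update ids in the listing are lowercase alphanumerics.
LINE_RE = re.compile(r"^(Install|Installing) \[([0-9a-z]+)\] (.+)$")
# One or more CVE ids that lead the description and end with a colon, e.g.
# "CVE-2011-1080, CVE-2011-1170: ..." or "CVE-2010-4080 and CVE-2010-4081: ...".
LEADING_CVES_RE = re.compile(r"^(?:CVE-\d{4}-\d{4,}(?:, | and )?)+:")
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Sample assembled from lines in the listing. The missing "Installing" line
# for [p4focqhi] is a constructed gap, not something the listing shows.
SAMPLE = """\
time uptrack-upgrade -y
The following steps will be taken:
Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Install [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Install [5mgd1si0] Improved fix to CVE-2010-1173.
Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Install [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Install [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Installing [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Installing [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Installing [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Installing [5mgd1si0] Improved fix to CVE-2010-1173.
Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
"""


def parse_uptrack_output(text):
    """Return (planned, applied): two dicts mapping update id -> description."""
    planned, applied = {}, {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # command line, banner, timing lines, blank lines
        verb, update_id, description = match.groups()
        (planned if verb == "Install" else applied)[update_id] = description
    return planned, applied


def leading_cves(description):
    """CVE ids the update is filed under; [] for a fix with no CVE of its own.

    A CVE id mentioned later in the text ("Improved fix to CVE-...") is a
    reference to an earlier update and is not counted.
    """
    match = LEADING_CVES_RE.match(description)
    return CVE_ID_RE.findall(match.group(0)) if match else []


def summarize(text):
    """Tally distinct CVEs per year and flag planned updates never applied."""
    planned, applied = parse_uptrack_output(text)
    cve_ids, non_cve = set(), []
    for update_id, description in planned.items():
        ids = leading_cves(description)
        if ids:
            cve_ids.update(ids)
        else:
            non_cve.append(update_id)
    by_year = Counter(cve.split("-")[1] for cve in cve_ids)
    return {
        "cves_by_year": dict(sorted(by_year.items())),
        "non_cve_fixes": non_cve,
        "planned_not_applied": sorted(set(planned) - set(applied)),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for year, count in report["cves_by_year"].items():
        print(f"{year}: {count} CVE(s)")
    print("non-CVE fixes:", ", ".join(report["non_cve_fixes"]))
    print("planned but not applied:", ", ".join(report["planned_not_applied"]) or "none")
```

Feeding it the saved output of a real run gives a per-year patch record for the host and points at any update that was planned but has no matching "Installing" line.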

time uptrack-upgrade -y
The following steps will be taken:
Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Install [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Install [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Install [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Install [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Install [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Install [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Install [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Install [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Install [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Install [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Install [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Install [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Install [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Install [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Install [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Install [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Install [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Install [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Install [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Install [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Install [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Install [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Install [qdlkztzx] Kernel crash forwarding network traffic.
Install [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Install [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Install [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Install [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Install [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Install [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Install [xem0m4sg] Floating point state corruption after signal.
Install [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Install [3ulklysv] CVE-2010-0307: Denial of service on amd64
Install [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Install [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Install [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Install [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Install [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Install [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Install [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Install [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Install [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Install [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Install [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Install [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Install [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Install [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Install [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Install [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Install [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Install [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Install [5mgd1si0] Improved fix to CVE-2010-1173.
Install [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Install [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Install [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Install [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Install [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Install [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Install [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Install [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Install [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Install [ff1wrijq] Buffer overflow in icmpmsg_put.
Install [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Install [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Install [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Install [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Install [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Install [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Install [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Install [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Install [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Install [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Install [usukkznh] Mitigate denial of service attacks with large argument lists.
Install [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Install [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Install [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Install [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Install [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Install [hnbz3ppf] Integer overflow in sys_remap_file_pages.
Install [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
Install [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Install [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Install [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
Install [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Install [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
Install [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Install [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
Install [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
Install [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
Install [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Install [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
Install [ifgdet83] Use-after-free in MPT driver.
Install [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Install [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
Install [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
Install [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
Install [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
Install [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Install [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Install [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Install [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Install [jz43fdgc] Denial of service in NFS server via reference count leak.
Install [h860edrq] Fix a packet flood when initializing a bridge device without STP.
Install [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Install [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
Install [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Install [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Install [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
Install [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
Install [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
Install [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Install [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Install [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Install [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Install [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
Install [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
Install [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
Install [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
Install [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Install [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
Install [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
Install [ofrder8l] Hangs using direct I/O with XFS filesystem.
Install [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
Install [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
Install [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
Install [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
Install [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
Install [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
Install [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Install [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Install [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
Install [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
Install [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
Install [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
Install [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
Install [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
Install [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
Install [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
Install [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
Install [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Install [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
Install [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Install [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Install [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
Install [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
Install [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
Install [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Install [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
Install [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Install [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Install [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Install [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
Install [uknrp2eo] Denial of service in filesystem unmounting.
Install [97u6urvt] Soft lockup in USB ACM driver.
Install [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
Install [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
Install [yc146ytc] Unresponsive I/O using QLA2XXX driver.
Install [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Install [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
Install [bvoz27gv] Arithmetic overflow in clock source calculations.
Install [lzwurn1u] ext4 filesystem corruption on fallocate.
Install [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Install [9do532u6] Kernel panic when overcommiting memory with NFSd.
Install [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Install [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
Install [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Install [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Install [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
Install [l093jvcl] Kernel panic in SMB extended attributes.
Install [qlzoyvty] Kernel panic in ext3 indirect blocks.
Install [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Install [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Install [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
Install [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Install [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Install [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Install [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Install [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Install [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
Install [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
Install [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Install [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Install [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Install [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Install [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Install [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
Install [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
Install [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
Install [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
Install [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
Install [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Install [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
Install [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Install [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Install [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
Install [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
Install [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Install [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
Install [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Install [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
Install [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Install [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Install [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
Install [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
Install [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
Install [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
Install [pz65qqpk] Panic in GFS2 filesystem locking code.
Install [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Install [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Install [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Install [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Install [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Install [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Installing [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Installing [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Installing [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Installing [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Installing [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Installing [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Installing [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Installing [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Installing [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Installing [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Installing [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Installing [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Installing [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Installing [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Installing [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Installing [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Installing [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Installing [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Installing [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Installing [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Installing [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Installing [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Installing [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Installing [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Installing [qdlkztzx] Kernel crash forwarding network traffic.
Installing [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Installing [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Installing [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Installing [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Installing [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Installing [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Installing [xem0m4sg] Floating point state corruption after signal.
Installing [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Installing [3ulklysv] CVE-2010-0307: Denial of service on amd64
Installing [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Installing [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Installing [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Installing [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Installing [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Installing [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Installing [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Installing [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Installing [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Installing [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Installing [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Installing [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Installing [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Installing [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Installing [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Installing [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Installing [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Installing [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Installing [5mgd1si0] Improved fix to CVE-2010-1173.
Installing [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Installing [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Installing [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Installing [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Installing [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Installing [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Installing [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Installing [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Installing [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Installing [ff1wrijq] Buffer overflow in icmpmsg_put.
Installing [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Installing [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Installing [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Installing [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Installing [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Installing [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Installing [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Installing [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Installing [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Installing [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Installing [usukkznh] Mitigate denial of service attacks with large argument lists.
Installing [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Installing [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Installing [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Installing [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Installing [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Installing [hnbz3ppf] Integer overflow in sys_remap_file_pages.
Installing [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
Installing [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Installing [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
Installing [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Installing [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
Installing [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Installing [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
Installing [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
Installing [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
Installing [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Installing [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
Installing [ifgdet83] Use-after-free in MPT driver.
Installing [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Installing [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
Installing [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
Installing [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
Installing [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Installing [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Installing [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Installing [jz43fdgc] Denial of service in NFS server via reference count leak.
Installing [h860edrq] Fix a packet flood when initializing a bridge device without STP.
Installing [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Installing [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
Installing [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Installing [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Installing [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
Installing [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
Installing [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
Installing [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Installing [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Installing [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Installing [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Installing [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
Installing [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
Installing [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
Installing [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
Installing [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Installing [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
Installing [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
Installing [ofrder8l] Hangs using direct I/O with XFS filesystem.
Installing [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
Installing [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
Installing [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
Installing [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
Installing [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
Installing [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
Installing [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Installing [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Installing [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
Installing [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
Installing [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
Installing [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
Installing [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
Installing [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
Installing [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
Installing [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
Installing [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
Installing [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Installing [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
Installing [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Installing [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Installing [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
Installing [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
Installing [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
Installing [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Installing [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
Installing [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Installing [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Installing [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
Installing [uknrp2eo] Denial of service in filesystem unmounting.
Installing [97u6urvt] Soft lockup in USB ACM driver.
Installing [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
Installing [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
Installing [yc146ytc] Unresponsive I/O using QLA2XXX driver.
Installing [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Installing [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
Installing [bvoz27gv] Arithmetic overflow in clock source calculations.
Installing [lzwurn1u] ext4 filesystem corruption on fallocate.
Installing [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [9do532u6] Kernel panic when overcommiting memory with NFSd.
Installing [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Installing [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
Installing [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Installing [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Installing [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
Installing [l093jvcl] Kernel panic in SMB extended attributes.
Installing [qlzoyvty] Kernel panic in ext3 indirect blocks.
Installing [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Installing [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Installing [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
Installing [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Installing [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Installing [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Installing [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Installing [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Installing [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
Installing [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
Installing [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Installing [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Installing [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Installing [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Installing [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Installing [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
Installing [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
Installing [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
Installing [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
Installing [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
Installing [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Installing [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
Installing [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Installing [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Installing [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
Installing [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
Installing [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Installing [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
Installing [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Installing [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
Installing [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Installing [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Installing [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
Installing [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
Installing [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
Installing [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
Installing [pz65qqpk] Panic in GFS2 filesystem locking code.
Installing [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Installing [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Installing [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Installing [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Installing [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Installing [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Your kernel is fully up to date.
Effective kernel version is 2.6.18-398.el5

real	0m59.447s
user	0m22.640s
sys	0m22.611s
1 minute for 215 updates. And this isn't one minute of hang; it applies each patch and just takes a few microseconds to apply. So your applications or users won't experience hangs or hiccups at all.

Information about SSL “Poodle” vulnerability CVE-2014-3566

Oracle Security Team - Wed, 2014-10-15 13:09

Hello, this is Eric Maurice.

A security vulnerability affecting Secure Socket Layer (SSL) v3.0 was recently publicly disclosed (Padding Oracle On Downgraded Legacy Encryption, or “Poodle”). This vulnerability is the result of a design flaw in SSL v3.0. Note that this vulnerability does not affect TLS and is limited to SSL 3.0, which is generally considered an obsolete protocol. A number of organizations, including OWASP, previously advised against using this protocol, as weaknesses affecting it have been known for some time.

This “Poodle” vulnerability has received the identifier CVE-2014-3566.

A number of Oracle products do not support SSL v3.0 out of the box, while some Oracle products do provide for enabling SSL v3.0. Based on this vulnerability as well as the existence of other issues with this protocol, in instances when SSL v3.0 is supported but not needed, Oracle recommends permanently disabling SSL v3.0.

Furthermore, Oracle is assessing the use of SSL v3.0 across its corporate systems and those managed on behalf of Oracle customers (e.g., Oracle Cloud). Oracle is actively deprecating the use of this protocol. In instances where Oracle identifies a possible impact to cloud customers, Oracle will work with the affected customers to determine the best course of action. Oracle recommends that cloud customers investigate their use of SSL v3.0 and discontinue to the extent possible the use of this protocol.

For more information, see the "Poodle Vulnerability CVE-2014-3566" page located on OTN at http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
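
One way to investigate SSL v3.0 use, as the post above recommends, is to read the version a server selected from captured ServerHello records. This is an added example, not Oracle's code; the endpoint names and the records built by `build_server_hello` are constructed sample data.

```python
import struct

SSL3 = 0x0300
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def server_hello_version(record: bytes) -> int:
    """Return the protocol version the server selected in a ServerHello record.

    Reads the version field of the ServerHello body only. TLS 1.3 signals its
    real version in an extension, which this parser does not inspect.
    """
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, _record_version, length = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:                      # 0x16 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated handshake record")
    if body[0] != 0x02:                    # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len < 2 or 4 + hs_len > len(body):
        raise ValueError("bad handshake length")
    return struct.unpack("!H", body[4:6])[0]


def build_server_hello(version: int) -> bytes:
    """Constructed sample: a minimal ServerHello record for the given version."""
    hello = (struct.pack("!H", version) + bytes(32)   # version + server random
             + b"\x00"                                # empty session id
             + b"\x00\x2f" + b"\x00")                 # cipher suite, compression
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


# Constructed capture: hypothetical endpoints and the ServerHello each returned.
SAMPLES = [
    ("portal.example:443", build_server_hello(0x0303)),
    ("legacy-app.example:443", build_server_hello(SSL3)),
    ("mail.example:993", build_server_hello(0x0301)),
]


def endpoints_on_ssl3(samples):
    """List the endpoints whose ServerHello selected SSL 3.0."""
    return [name for name, record in samples
            if server_hello_version(record) == SSL3]


if __name__ == "__main__":
    for name, record in SAMPLES:
        version = server_hello_version(record)
        label = VERSIONS.get(version, hex(version))
        print(name, label, "<- disable SSL v3.0" if version == SSL3 else "")
```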

Patching Time

Jeremy Schneider - Wed, 2014-10-15 10:17

Just a quick note to point out that the October PSU was just released. The database has a few more vulnerabilities than usual (31), but they are mostly related to Java and the high CVSS score of 9 only applies to people running Oracle on Windows. (On other operating systems, the highest score is 6.5.)

I did happen to glance at the announcement on the security blog, and I thought this short blurb was worth repeating:

In today’s Critical Patch Update Advisory, you will see a stronger than previously-used statement about the importance of applying security patches. Even though Oracle has consistently tried to encourage customers to apply Critical Patch Updates on a timely basis and recommended customers remain on actively-supported versions, Oracle continues to receive credible reports of attempts to exploit vulnerabilities for which fixes have been already published by Oracle. In many instances, these fixes were published by Oracle years ago, but their non-application by customers, particularly against Internet-facing systems, results in dangerous exposure for these customers. Keeping up with security releases is a good security practice and good IT governance.

The Oracle Database was first released in a different age than we live in today. Ordering physical parts involved navigating paper catalogs and faxing order sheets to the supplier. Physical inventory management relied heavily on notebooks and clipboards. Mainframes were processing data but manufacturing and supply chain had not yet been revolutionized by technology. Likewise, software base installs and upgrades were shipped on CDs through the mail and installed via physical consoles. The feedback cycle incorporating customer requests into software features took years.

Today, manufacturing is lean and the supply chain is digitized. Inventory is managed with the help of scanners and real-time analytics. Customer communication is more streamlined than ever before and developers respond quickly to the market. Bugs are exploited maliciously as soon as they’re discovered and the software development and delivery process has been optimized for fast response and rapid digital delivery of fixes.

Here’s the puzzle: Cell phones, web browsers and laptop operating systems all get security updates installed frequently. Even the Linux OS running on your servers is easy to update with security patches. Oracle is no exception – they have streamlined delivery of database patches through the quarterly PSU program. Why do so many people simply ignore the whole area of Oracle database patches? Are we stuck in the old age of infrequent patching activity even though Oracle themselves have moved on?

Repetition

For many, it just seems overwhelming to think about patching. And honestly – it is. At first. The key is actually a little counter-intuitive: it’s painful, so you should in fact do it a lot! Believe it or not, it will actually become very easy once you get over the initial hump.

In my experience working at one small org (two DBAs), the key is doing it regularly. Lots of practice. You keep decent notes and set up scripts/tools where it makes sense and then you start to get a lot faster after several times around. By the way, my thinking has been influenced quite a bit here by the devops movement (like Jez Humble’s ’12 Berlin talk and John Allspaw’s ’09 Velocity talk). I think they have a nice articulation of this basic repetition principle. And it is very relevant to people who have Oracle databases.

So with all that said, happy patching! I know that I’ll be working with these PSUs over the next week or two. I hope that you’ll be working with them too!

October 2014 Critical Patch Update Released

Oracle Security Team - Tue, 2014-10-14 14:49

Hello, this is Eric Maurice again.

Oracle today released the October 2014 Critical Patch Update. This Critical Patch Update provides fixes for 154 vulnerabilities across a number of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Product Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards EnterpriseOne, Oracle Communications Industry Suite, Oracle Retail Industry Suite, Oracle Health Sciences Industry Suite, Oracle Primavera, Oracle Java SE, Oracle and Sun Systems Product Suite, Oracle Linux and Virtualization, and Oracle MySQL.

In today’s Critical Patch Update Advisory, you will see a stronger than previously-used statement about the importance of applying security patches. Even though Oracle has consistently tried to encourage customers to apply Critical Patch Updates on a timely basis and recommended customers remain on actively-supported versions, Oracle continues to receive credible reports of attempts to exploit vulnerabilities for which fixes have been already published by Oracle. In many instances, these fixes were published by Oracle years ago, but their non-application by customers, particularly against Internet-facing systems, results in dangerous exposure for these customers. Keeping up with security releases is a good security practice and good IT governance.

Out of the 154 vulnerabilities fixed with today’s Critical Patch Update release, 31 are for the Oracle Database. All but 3 of these database vulnerabilities are related to features implemented using Java in the Database, and a number of these vulnerabilities have received a CVSS Base Score of 9.0.

This CVSS 9.0 Base Score reflects instances where the user running the database has administrative privileges (as is typical with pre-12 Database versions on Windows). When the database user has limited (or non-root) privilege, then the CVSS Base Score is 6.5 to denote that a successful compromise would be limited to the database and not extend to the underlying Operating System. Regardless of this decrease in the CVSS Base Score for these vulnerabilities for most recent versions of the database on Windows and all versions on Unix and Linux, Oracle recommends that these patches be applied as soon as possible because a wide compromise of the database is possible.

The Java Virtual Machine (Java VM) was added to the database with the release of Oracle 8i in early 1999. The inclusion of Java VM in the database kernel allows Java stored procedures to be executed by the database. In other words, by running Java in the database server, Java applications can benefit from direct access to relational data. Not all customers implement Java stored procedures; however support for Java stored procedures is required for the proper operation of the Oracle Database as certain features are implemented using Java. Due to the nature of the fixes required, Oracle development was not able to produce a normal RAC-rolling fix for these issues. To help protect customers until they can apply the Oracle JavaVM component Database PSU, which requires downtime, Oracle produced a script that introduces new controls to prevent new Java classes from being deployed or new calls from being made to existing Java classes, while preserving the ability of the database to execute the existing Java stored procedures that customers may rely on.

As a mitigation measure, Oracle did consider revoking all Public Grant to Java Classes, but such an approach is not feasible with a static script. Due to the dynamic nature of Java, it is not possible to identify all the classes that may be needed by an individual customer. Oracle’s script is designed to provide effective mitigation against malicious exploitation of Java in the database to customers who are not deploying new Java code or creating Java code dynamically.

Customers who regularly develop in Java in the Oracle Database can take advantage of a new feature introduced in Oracle 12.1. By running their workloads with Privilege Analysis enabled, these customers can determine which Java classes are actually needed and remove unnecessary Grants.

18 of the 154 fixes released today are for Oracle Fusion Middleware. Half of these fixes are pass-through fixes to address vulnerabilities in third-party components included in Oracle Fusion Middleware distributions. The most severe CVSS Base Score reported for these Oracle Fusion Middleware vulnerabilities is 7.5.

This Critical Patch Update also provides fixes for 25 new Java SE vulnerabilities. The highest reported CVSS Base Score for these Java SE vulnerabilities is 10.0. This score affects one Java SE vulnerability. Out of these 25 Java vulnerabilities, 20 affect client-only deployments of Java SE (and 2 of these vulnerabilities are browser-specific). 4 vulnerabilities affect client and server deployments of Java SE. One vulnerability affects client and server deployments of JSSE.

Rounding up this Critical Patch Update release are 15 fixes for Oracle and Sun Systems Product Suite, and 24 fixes for Oracle MySQL.

Note that on September 26th 2014, Oracle released Security Alert CVE-2014-7169 to deal with a number of publicly-disclosed vulnerabilities affecting GNU Bash, a popular open source command line shell incorporated into Linux and other widely used operating systems. Customers should check out this Security Alert and apply relevant security fixes for the affected systems, as its publication so close to the publication of the October 2014 Critical Patch Update did not allow for inclusion of these Security Alert fixes in the Critical Patch Update release.

For More Information:

The October 2014 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Security Alert CVE-2014-7169 is located at http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html. Furthermore, a list of Oracle products using GNU Bash is located at http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html.

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/

Uber won't want drivers in the future

Steve Jones - Tue, 2014-10-14 10:30
I'm an Uber user, it's a great service outside of cities with decent public transport. But I have been thinking about where they will justify the $17bn valuation and give people a return on that $1.2bn investment. At the same time I've been following the autonomous car pieces with interest and I think there is a pretty clear way this can end, especially as Uber have already said they are going
Categories: Fusion Middleware
