RHSA-2018:3540 Important: kernel security, bug fix and enhancement update
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Security Fixes are described in RHSA-2018:3540.
This update fixes the following bugs:
- Previously, the t4_get_flash_params() function failed if the flash part was not recognized. As a consequence, the Network Interface Card (NIC) driver requested an update of various flash parts. With this update, if the flash part is not recognized, it is assumed to be 4MB in size. As a result, the NIC no longer requests an update of various flash parts in the described scenario. (BZ#1620553)
- On systems running Red Hat Enterprise Linux 7.4 with Red Hat OpenShift Container Platform 3.5, a node sometimes got into "NodeNotReady" state after a CPU softlockup. Consequently, the node was not available. This update fixes some scheduling latency sources in memory compaction and in the inodes memory reclaim. As a result, nodes no longer get into "NodeNotReady" state under the described circumstances. (BZ#1625867)
- Previously, a kernel panic occurred when the kernel tried to make an out-of-bounds access to the array that describes the L1 Terminal Fault (L1TF) mitigation state on systems without Extended Page Tables (EPT) support. This update extends the array of mitigation states to cover all the states, which effectively prevents out-of-bounds array access. Also, this update enables rejection of invalid, irrelevant values that might be erroneously provided by userspace. As a result, the kernel no longer panics in the described scenario. (BZ#1629567)
- Previously, a packet was missing the User Datagram Protocol (UDP) payload checksum during a full checksum computation, if the hardware checksum was not applied. As a consequence, a packet with an incorrect checksum was dropped by a peer. With this update, the kernel includes the UDP payload checksum during the full checksum computation. As a result, the checksum is computed correctly and the packet can be received by the peer. (BZ#1635795)
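
The L1TF item above combines two fixes: a description array that covers every state used to index it, and rejection of values userspace should not supply. The following C code is an added example of that pattern, not the kernel's code or the Red Hat patch; every identifier, the state list and the split between settable and internal states are hypothetical.

```c
#include <string.h>

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical state list; names are illustrative, not the kernel's. */
enum mitigation_state {
    MIT_AUTO, MIT_NEVER, MIT_COND, MIT_ALWAYS,
    MIT_EPT_DISABLED,  /* assumed internal: chosen when EPT is unavailable */
    MIT_NOT_REQUIRED,  /* assumed internal */
    MIT_STATE_COUNT    /* keep last: number of states */
};

static const char *const state_desc[] = {
    [MIT_AUTO]         = "auto",
    [MIT_NEVER]        = "never",
    [MIT_COND]         = "cond",
    [MIT_ALWAYS]       = "always",
    [MIT_EPT_DISABLED] = "EPT disabled",
    [MIT_NOT_REQUIRED] = "flush not necessary",
};
/* Build fails if a state is appended to the enum without a table entry. */
_Static_assert(ARRAY_LEN(state_desc) == MIT_STATE_COUNT, "state_desc must cover every state");

/* Bounds-checked lookup: returns NULL instead of reading past the table. */
const char *state_describe(int state)
{
    return (state < 0 || state >= MIT_STATE_COUNT) ? NULL : state_desc[state];
}

/* Accept only settable values; internal states and unknown strings return -1. */
int state_from_user(const char *s, enum mitigation_state *out)
{
    static const enum mitigation_state settable[] = { MIT_AUTO, MIT_NEVER, MIT_COND, MIT_ALWAYS };
    if (!s || !out)
        return -1;
    for (size_t i = 0; i < ARRAY_LEN(settable); i++) {
        if (strcmp(s, state_desc[settable[i]]) == 0) {
            *out = settable[i];
            return 0;
        }
    }
    return -1;
}

int main(void)
{
    enum mitigation_state st = MIT_AUTO;
    return (state_from_user("always", &st) == 0 && state_from_user("EPT disabled", &st) == -1) ? 0 : 1;
}
```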