The following commits (included in 4.9.57) fix the CVE:
commit 28955b03fac36829831e185e3ec2793f8eb18689 (KVM: nVMX: update
last_nonleaf_level when initializing nested EPT).
commit 3610c4a7838df867d1b9d83a38c87042859ff896 (KVM: MMU: always
terminate page walks at level 1).
So update to the latest stable kernel (4.9.60) to get these fixes.
Change-Id: I962ed0f479f80a213978ce580d9fa89d94280878
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4221
Reviewed-by: Sharath George
Tested-by: Sharath George
... | ... |
@@ -1,6 +1,6 @@ |
1 | 1 |
Summary: Linux API header files |
2 | 2 |
Name: linux-api-headers |
3 |
-Version: 4.9.53 |
|
3 |
+Version: 4.9.60 |
|
4 | 4 |
Release: 1%{?dist} |
5 | 5 |
License: GPLv2 |
6 | 6 |
URL: http://www.kernel.org/ |
... | ... |
@@ -8,7 +8,7 @@ Group: System Environment/Kernel |
8 | 8 |
Vendor: VMware, Inc. |
9 | 9 |
Distribution: Photon |
10 | 10 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
11 |
-%define sha1 linux=b3e6e5608b6684d103fea702cd08b498162a4c96 |
|
11 |
+%define sha1 linux=1f30f2da710d5dcb63f15f69fdb2c90e96064179 |
|
12 | 12 |
BuildArch: noarch |
13 | 13 |
%description |
14 | 14 |
The Linux API Headers expose the kernel's API for use by Glibc. |
... | ... |
@@ -25,6 +25,8 @@ find /%{buildroot}%{_includedir} \( -name .install -o -name ..install.cmd \) -de |
25 | 25 |
%defattr(-,root,root) |
26 | 26 |
%{_includedir}/* |
27 | 27 |
%changelog |
28 |
+* Mon Nov 06 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.60-1 |
|
29 |
+- Version update |
|
28 | 30 |
* Thu Oct 05 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.53-1 |
29 | 31 |
- Version update |
30 | 32 |
* Mon Oct 02 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.52-1 |
... | ... |
@@ -1,15 +1,15 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-esx |
4 |
-Version: 4.9.53 |
|
5 |
-Release: 5%{?dist} |
|
4 |
+Version: 4.9.60 |
|
5 |
+Release: 1%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=b3e6e5608b6684d103fea702cd08b498162a4c96 |
|
12 |
+%define sha1 linux=1f30f2da710d5dcb63f15f69fdb2c90e96064179 |
|
13 | 13 |
Source1: config-esx |
14 | 14 |
Source2: initramfs.trigger |
15 | 15 |
# common |
... | ... |
@@ -198,6 +198,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
198 | 198 |
/usr/src/linux-headers-%{uname_r} |
199 | 199 |
|
200 | 200 |
%changelog |
201 |
+* Mon Nov 06 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.60-1 |
|
202 |
+- Version update |
|
201 | 203 |
* Wed Oct 25 2017 Anish Swaminathan <anishs@vmware.com> 4.9.53-5 |
202 | 204 |
- Enable x86 vsyscall emulation |
203 | 205 |
* Tue Oct 17 2017 Alexey Makhalov <amakhalov@vmware.com> 4.9.53-4 |
... | ... |
@@ -1,15 +1,15 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux-secure |
4 |
-Version: 4.9.53 |
|
5 |
-Release: 3%{?dist} |
|
4 |
+Version: 4.9.60 |
|
5 |
+Release: 1%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=b3e6e5608b6684d103fea702cd08b498162a4c96 |
|
12 |
+%define sha1 linux=1f30f2da710d5dcb63f15f69fdb2c90e96064179 |
|
13 | 13 |
Source1: config-secure |
14 | 14 |
Source2: aufs4.9.tar.gz |
15 | 15 |
%define sha1 aufs=ebe716ce4b638a3772c7cd3161abbfe11d584906 |
... | ... |
@@ -264,6 +264,8 @@ ln -sf linux-%{uname_r}.cfg /boot/photon.cfg |
264 | 264 |
/usr/src/linux-headers-%{uname_r} |
265 | 265 |
|
266 | 266 |
%changelog |
267 |
+* Mon Nov 06 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.60-1 |
|
268 |
+- Version update |
|
267 | 269 |
* Wed Oct 11 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.53-3 |
268 | 270 |
- Add patch "KVM: Don't accept obviously wrong gsi values via |
269 | 271 |
KVM_IRQFD" to fix CVE-2017-1000252. |
... | ... |
@@ -1,15 +1,15 @@ |
1 | 1 |
%global security_hardening none |
2 | 2 |
Summary: Kernel |
3 | 3 |
Name: linux |
4 |
-Version: 4.9.53 |
|
5 |
-Release: 3%{?dist} |
|
4 |
+Version: 4.9.60 |
|
5 |
+Release: 1%{?dist} |
|
6 | 6 |
License: GPLv2 |
7 | 7 |
URL: http://www.kernel.org/ |
8 | 8 |
Group: System Environment/Kernel |
9 | 9 |
Vendor: VMware, Inc. |
10 | 10 |
Distribution: Photon |
11 | 11 |
Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz |
12 |
-%define sha1 linux=b3e6e5608b6684d103fea702cd08b498162a4c96 |
|
12 |
+%define sha1 linux=1f30f2da710d5dcb63f15f69fdb2c90e96064179 |
|
13 | 13 |
Source1: config |
14 | 14 |
Source2: initramfs.trigger |
15 | 15 |
%define ena_version 1.1.3 |
... | ... |
@@ -304,6 +304,8 @@ ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg |
304 | 304 |
/usr/share/doc/* |
305 | 305 |
|
306 | 306 |
%changelog |
307 |
+* Mon Nov 06 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.60-1 |
|
308 |
+- Version update |
|
307 | 309 |
* Wed Oct 11 2017 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.9.53-3 |
308 | 310 |
- Add patch "KVM: Don't accept obviously wrong gsi values via |
309 | 311 |
KVM_IRQFD" to fix CVE-2017-1000252. |