
Learn Detailed Description of Oracle Ksplice Update

Honglin Su (Oracle), Aug 20 2018, edited Aug 21 2018

Oracle Linux is the only Linux distribution that supports live, non-disruptive patching, both in the kernel space and in the user space. That means you can immediately apply security patches without impacting your production environment—and without rebooting. To date, more than one million patches have been delivered in this fashion through Ksplice. It's simple and easy to get started with Ksplice.

When applying Ksplice updates on an Oracle Linux instance, you see a short description for each update. Where can you find the detailed description for an applied Ksplice update? This article explains a couple of options for finding those details.

Here is an example from an Oracle Linux 7 instance that I had just brought up to date with the uptrack-upgrade command.

# uptrack-upgrade

The following steps will be taken:

Install [fflm6oo5] Repeated IBRS/IBPB noise in kernel log on Xen Dom0 or old microcode.
Install [765skcrd] DMA memory exhaustion in Xen software IO TLB.
Install [sxvxl2wn] CVE-2018-10087: Denial-of-service when using wait() syscall with a too big pid.
Install [cgmi1ogm] CVE-2017-18017: Use-after-free when processing TCP packets in netfliter TCPMSS target.
Install [staghbkr] CVE-2018-5803: Denial-of-service when receiving forged packet over SCTP socket.
Install [lsa5ch76] Improved fix to CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.
Install [ayfdo3jh] Incorrect sequence numbers in RDS/TCP.
Install [5999eso8] CVE-2018-10124: Denial-of-service when using kill() syscall with a too big pid.
Install [5tpmsu5u] Denial-of-service when removing USB3 device.
Install [h5ieu9wx] CVE-2017-7616: Information leak when setting memory policy.
Install [pi3zh851] CVE-2017-11600: Denial-of-service in IP transformation configuration.
Install [qbyljb3p] CVE-2018-1130: Denial-of-service in DCCP message send.
Install [f6qk1vyk] Incorrect failover group parsing in RDS/IP.
Install [40hrgus3] Kernel crash in OCFS2 Distributed Lock Manager lock resource initialization.
Install [q3c70jgn] Device mapper path setup failure on queue limit change.
Install [pyse04hx] Performance loss with incorrect IBRS usage when retpoline enabled.
Install [qh1f7k32] Improved fix to Performance loss with incorrect IBRS usage when retpoline enabled.
Install [k1vqy4r2] Denial-of-service in OCFS2 reflink locking.
Install [pk444ubj] Denial-of-service in RDS user copying error.
Install [p3zgqk0r] Denial of service in RDS TCP socket shutdown.
Install [2xpjzdy0] Connection disruption when Infiniband ports are brought up and down quickly.
Install [7owmop3g] Race between RDS/IB setup and teardown causes NULL-pointer dereference.
Install [adyx3zqq] Connection disruption when migrating RDS/IB connection to downed port.
Install [nbn2v455] Revert fix for 'DMA memory exhaustion in Xen software IO TLB'.
Install [b4v7vjg4] CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.
Install [6bhl4l4n] CVE-2018-5391: Remote denial-of-service in IP fragment handling.
Install [9asukllr] CVE-2017-18344: Information disclosure in POSIX timers.

Installing [fflm6oo5] Repeated IBRS/IBPB noise in kernel log on Xen Dom0 or old microcode.
Installing [765skcrd] DMA memory exhaustion in Xen software IO TLB.
Installing [sxvxl2wn] CVE-2018-10087: Denial-of-service when using wait() syscall with a too big pid.
Installing [cgmi1ogm] CVE-2017-18017: Use-after-free when processing TCP packets in netfliter TCPMSS target.
Installing [staghbkr] CVE-2018-5803: Denial-of-service when receiving forged packet over SCTP socket.
Installing [lsa5ch76] Improved fix to CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.
Installing [ayfdo3jh] Incorrect sequence numbers in RDS/TCP.
Installing [5999eso8] CVE-2018-10124: Denial-of-service when using kill() syscall with a too big pid.
Installing [5tpmsu5u] Denial-of-service when removing USB3 device.
Installing [h5ieu9wx] CVE-2017-7616: Information leak when setting memory policy.
Installing [pi3zh851] CVE-2017-11600: Denial-of-service in IP transformation configuration.
Installing [qbyljb3p] CVE-2018-1130: Denial-of-service in DCCP message send.
Installing [f6qk1vyk] Incorrect failover group parsing in RDS/IP.
Installing [40hrgus3] Kernel crash in OCFS2 Distributed Lock Manager lock resource initialization.
Installing [q3c70jgn] Device mapper path setup failure on queue limit change.
Installing [pyse04hx] Performance loss with incorrect IBRS usage when retpoline enabled.
Installing [qh1f7k32] Improved fix to Performance loss with incorrect IBRS usage when retpoline enabled.
Installing [k1vqy4r2] Denial-of-service in OCFS2 reflink locking.
Installing [pk444ubj] Denial-of-service in RDS user copying error.
Installing [p3zgqk0r] Denial of service in RDS TCP socket shutdown.
Installing [2xpjzdy0] Connection disruption when Infiniband ports are brought up and down quickly.
Installing [7owmop3g] Race between RDS/IB setup and teardown causes NULL-pointer dereference.
Installing [adyx3zqq] Connection disruption when migrating RDS/IB connection to downed port.
Installing [nbn2v455] Revert fix for 'DMA memory exhaustion in Xen software IO TLB'.
Installing [b4v7vjg4] CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.
Installing [6bhl4l4n] CVE-2018-5391: Remote denial-of-service in IP fragment handling.
Installing [9asukllr] CVE-2017-18344: Information disclosure in POSIX timers.

Your kernel is fully up to date.
Effective kernel version is 4.1.12-124.18.5.el7uek
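The listing above mixes security fixes (lines that name a CVE) with plain bug and performance fixes, and each update appears twice (once as "Install", once as "Installing"). The shell script below is an added example, not part of the original post or of the Ksplice tooling: it reads such listing lines and extracts the update IDs and CVE numbers so they can be matched against the el-errata announcement or a vulnerability tracker. The helper names are this script's own (assumptions), and the sample input is a constructed excerpt of the listing shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: pull the update IDs and CVE
# numbers out of uptrack-upgrade style listing lines so they can be matched
# against the el-errata announcement or a vulnerability tracker.  The helpers
# and their names are this script's own (assumptions); the sample below is a
# constructed excerpt of the listing shown in the article.

# A constructed excerpt: the same update appears once as "Install" and once as
# "Installing", just as in the real output, so results must be de-duplicated.
KSPLICE_SAMPLE='The following steps will be taken:
Install [fflm6oo5] Repeated IBRS/IBPB noise in kernel log on Xen Dom0 or old microcode.
Install [sxvxl2wn] CVE-2018-10087: Denial-of-service when using wait() syscall with a too big pid.
Install [b4v7vjg4] CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.
Installing [fflm6oo5] Repeated IBRS/IBPB noise in kernel log on Xen Dom0 or old microcode.
Installing [sxvxl2wn] CVE-2018-10087: Denial-of-service when using wait() syscall with a too big pid.
Installing [b4v7vjg4] CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.
Your kernel is fully up to date.'

# ksplice_cves: read listing lines on stdin, print "update-id CVE-id" once per
# pair.  A line naming two CVEs (b4v7vjg4 above) yields two pairs.
ksplice_cves() {
    awk '
        /^Install(ing)? \[/ {
            id = substr($2, 2, length($2) - 2)      # strip the [ ] around the ID
            n = split($0, w, /[ ,:]+/)               # commas/colons follow CVE IDs
            for (i = 1; i <= n; i++)
                if (w[i] ~ /^CVE-[0-9][0-9][0-9][0-9]-[0-9]+$/)
                    print id, w[i]
        }
    ' | sort -u
}

# ksplice_ids: every distinct update ID in the listing, one per line.
ksplice_ids() {
    awk '/^Install(ing)? \[/ { print substr($2, 2, length($2) - 2) }' | sort -u
}

# ksplice_no_cve: update IDs whose description names no CVE (bug and
# performance fixes); useful when triaging which updates need a security review.
ksplice_no_cve() {
    awk '
        /^Install(ing)? \[/ {
            id = substr($2, 2, length($2) - 2)
            seen[id] = 1
            if ($0 ~ /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/) has_cve[id] = 1
        }
        END { for (id in seen) if (!(id in has_cve)) print id }
    ' | sort
}

# ksplice_describe ID: fetch the full description for one update with the
# command the article shows.  Only meaningful on a host with Ksplice installed.
ksplice_describe() {
    uptrack-show "$1"
}

# Run over the constructed sample: prints three "id CVE" pairs.
printf '%s\n' "$KSPLICE_SAMPLE" | ksplice_cves
```

On a real host, save the uptrack-upgrade output to a file and pipe that file into ksplice_cves instead of the constructed sample; each ID it prints can then be handed to ksplice_describe (that is, to uptrack-show) for the full text.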

Subscribe to Oracle Linux Errata Mailing List

One of the simplest options is to subscribe to the Errata Announcements for Oracle Linux mailing list to retrieve the detailed description. Every update to every package in Oracle Linux is announced, along with any applicable CVEs and an overview of the security or bug fix addressed in the update. We also maintain an archive of previous announcements which can be reviewed at any time.

For example, here is the email notification for the Ksplice update from August 2018; it contains the detailed description of each update.

https://oss.oracle.com/pipermail/el-errata/2018-August/007934.html

An equivalent mailing list is also available for Oracle VM updates.

Use uptrack-show Command

When you have Ksplice patches installed, you can get the same details with the uptrack-show command. For example, let's look at the details of the Ksplice update b4v7vjg4.

# uptrack-show b4v7vjg4

Update b4v7vjg4 is installed on your system.  Detailed description:

CVE-2018-3620, CVE-2018-3646: Information leak in Intel CPUs under terminal fault.

A flaw in terminal fault handling on Intel CPUs could result in
information leaks across privilege boundaries including between
processes on a system or between virtual machines.

Mitigations for these CVEs include disabling SMT (HyperThreading) on
affected Intel CPUs, extra L1 data cache flushing when running virtual
machines when EPT is supported.  Both of these mitigations have workload
dependent performance implications can can be tuned by the
administrator.  This update will immediately enable L1 data cache
flushes on Intel CPUs if KVM is in use.  Where untrusted guests are in
use it is recommended to disable SMT.

SMT disable:
/sys/devices/system/cpu/smt/control: write "on" to enable SMT, "off" to
disable SMT.  Default: on.

L1D flushing:
/sys/module/kvm_intel/parameters/vmentry_l1d_flush, write:
  - "never": disable L1D flushing, leaving CVE-2018-3620 unmitigated but
  no noticeable performance impact
  - "cond": flush only in high risk transfers, mitigates CVE-2018-3620
  with the minimum number of flushes
  - "always": flush on every VM entry, fully mitigates CVE-2018-3620
  with the most overhead.
Default: "always"
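The description above names two sysfs knobs and leaves the SMT decision to the administrator, so a quick way to confirm where a host actually stands is worth having. The script below is an added example, not part of the original post or of Ksplice: it reads both knobs and reduces them to one verdict. The sysfs paths come from the description; the extra SMT values "forceoff" and "notsupported" are documented in the kernel's L1TF admin guide; the verdict labels, the function names and the fake-tree helper used for offline testing are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: report the two L1TF knobs that
# the uptrack-show description names, and turn them into a single verdict.
# The sysfs paths are the ones given in the description; SMT values other than
# "on"/"off" ("forceoff", "notsupported") are documented in the kernel's l1tf
# admin guide.  The verdict labels and the fake-tree helper are this script's
# own conventions (assumptions), not Ksplice or kernel output.

SMT_CONTROL=sys/devices/system/cpu/smt/control
L1D_FLUSH=sys/module/kvm_intel/parameters/vmentry_l1d_flush

# read_knob ROOT RELPATH: print the knob's value, or "absent" when the file is
# not there (for the flush knob that means kvm_intel is not loaded, or the
# kernel does not expose the parameter).
read_knob() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo absent
    fi
}

# l1tf_status [ROOT]: ROOT defaults to the real / (empty string); pass a
# directory to evaluate a constructed tree instead.  Prints one line:
#   smt=<value> l1d_flush=<value> verdict=<label>
# Labels:
#   mitigated   flush is "cond" or "always" and SMT is off (or not available)
#   partial     flush is active but SMT is still on, which the description
#               advises against where untrusted guests run
#   unmitigated flush is "never", so CVE-2018-3620 is left unmitigated
#   no-kvm      the flush knob does not exist; only the SMT value is reported
l1tf_status() {
    l1tf_root=${1:-}
    smt=$(read_knob "$l1tf_root" "$SMT_CONTROL")
    flush=$(read_knob "$l1tf_root" "$L1D_FLUSH")
    case "$flush" in
        absent) verdict=no-kvm ;;
        never)  verdict=unmitigated ;;
        cond|always)
            case "$smt" in
                off|forceoff|notsupported) verdict=mitigated ;;
                *) verdict=partial ;;
            esac ;;
        *) verdict=unknown ;;
    esac
    echo "smt=$smt l1d_flush=$flush verdict=$verdict"
}

# make_fake_sysfs DIR SMT FLUSH: build a constructed sysfs tree under DIR so the
# check can be exercised without root or real hardware.
make_fake_sysfs() {
    mkdir -p "$1/$(dirname "$SMT_CONTROL")" "$1/$(dirname "$L1D_FLUSH")"
    echo "$2" > "$1/$SMT_CONTROL"
    echo "$3" > "$1/$L1D_FLUSH"
}

# Demo on a constructed tree: SMT on with the "always" default gives "partial".
demo_dir=$(mktemp -d)
make_fake_sysfs "$demo_dir" on always
l1tf_status "$demo_dir"
rm -rf "$demo_dir"
```

Run l1tf_status with no argument on the real host to read the live knobs; a "partial" verdict on a machine that hosts untrusted guests is the case the description singles out, since the L1D flush alone does not close the SMT sibling channel.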

That should help you find out what is installed and read the detailed description without having to visit a website.

Additional Resources

Visit the resources below to take advantage of Oracle Linux to help you build your cloud infrastructure:
