RHSA-2020:3016: Important: kernel-rt security and bug fix update
The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements.Security Fix(es): kernel: use-after-free in sound/core/timer.c (CVE-2019-19807) kernel: kernel: DAX hugepages not considered during mremap (CVE-2020-10757) kernel: Rogue cross-process SSBD shutdown. Linux scheduler logical bug allows an attacker to turn off the SSBD protection. (CVE-2020-10766) kernel: Indirect Branch Prediction Barrier is force-disabled when STIBP is unavailable or enhanced IBRS is available. (CVE-2020-10767) kernel: Indirect branch speculation can be enabled after it was force-disabled by the PRSPECFORCEDISABLE prctl command. (CVE-2020-10768) kernel: buffer overflow in mwifiexcmdappendvsietlv function in drivers/net/wireless/marvell/mwifiex/scan.c (CVE-2020-12653) kernel: heap-based buffer overflow in mwifiexretwmmgetstatus function in drivers/net/wireless/marvell/mwifiex/wmm.c (CVE-2020-12654) Kernel: vfio: access to disabled MMIO space of some devices may lead to DoS scenario (CVE-2020-12888) kernel: kvm: Information leak within a KVM guest (CVE-2019-3016) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Bug Fix(es): kernel-rt: update RT source tree to the RHEL-8.2.z2 source tree (BZ#1829582)
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2020:3016?
RHSA-2020:3016 addresses vulnerabilities with a significant security impact due to a use-after-free flaw in the Real Time Linux kernel.
How do I fix RHSA-2020:3016?
To fix RHSA-2020:3016, update your kernel-rt packages to version 4.18.0-193.13.2.rt13.65.el8_2 or later.
Which packages are affected by RHSA-2020:3016?
RHSA-2020:3016 affects several kernel-rt packages including kernel-rt, kernel-rt-core, and other related debug and development packages.
What does the use-after-free vulnerability in RHSA-2020:3016 allow for?
The use-after-free vulnerability in RHSA-2020:3016 can potentially allow an attacker to execute arbitrary code with elevated privileges.
Is it safe to continue using systems without addressing RHSA-2020:3016?
Continuing to use systems without addressing RHSA-2020:3016 poses a risk of exploitation, and it is advisable to apply the necessary updates promptly.