(RHSA-2015:0989) Important: kernel-rt security, bug fix, and enhancement update

ID RHSA-2015:0989
Type redhat
Reporter RedHat
Modified 2018-06-07T08:58:25


The kernel-rt packages contain the Linux kernel, the core of any Linux operating system.

  • A buffer overflow flaw was found in the way the Linux kernel's Intel AES-NI instructions optimized version of the RFC4106 GCM mode decryption functionality handled fragmented packets. A remote attacker could use this flaw to crash, or potentially escalate their privileges on, a system over a connection with an active AEC-GCM mode IPSec security association. (CVE-2015-3331, Important)

This update provides a build of the kernel-rt package for Red Hat Enterprise MRG 2.5, which is layered on Red Hat Enterprise Linux 6. The kernel-rt sources have been updated to include fixes for the following issues:

  • Audit subsystem not resolving path name on directory watches
  • audit watches do not track correctly after a rename
  • auditctl output is changed in RHEL 7
  • megaraid_sas: non-booting system with intel_iommu=on kernel parameter
  • GFS2: kernel NULL pointer dereference in gfs2_inplace_reserve
  • Crypto adapter cannot be brought online - affect all HW
  • crypto/seqiv.c: wrong check of return code from crypto_rng_get_bytes
  • Backport crypto: sha256_ssse3 - also test for BMI2
  • Null pointer at team_handle_frame+0x62/0x100 [team]
  • AES CTR x86_64 "by8" AVX optimization
  • Intel RDSEED - Fix for entropy counting
  • Intel SHA1 multi-buffer crypto implementation
  • Intel SHA1 AVX2 optimization support
  • mlx4_en: HW timestamp ends up in error queue of socket which does not have SO_TIMESTAMPING enabled


All kernel-rt users are advised to upgrade to these updated packages, which correct these issues and add these enhancements. The system must be rebooted for this update to take effect.