Channel: Oracle Blogs | Oracle Wim Coekaerts Blog

A good use-case for Oracle Ksplice

One of the advantages of Oracle Ksplice is that you can stick to a given version of a kernel for a very long time. We provide you with the security updates through our Ksplice technology for all the various kernels released so that there's no need for a reboot and also no need to install a newer kernel version that typically also contains new drivers or even new features. Zero downtime yet you are current. Ksplice updates are always based on critical bugfixes or security fixes, things you really want to apply. We do not use Ksplice to provide new driver updates or new features, it's purely focused on those patches that you really want to apply on your environment without downtime and risk of change.

The typical model for providing kernel errata (security/critical fixes) is through providing a newer version of the latest kernel in a "dot dot" release. For instance, for Oracle Linux 6 if the current latest "Red Hat Compatible kernel" is 2.6.32-431.1.2 and a security issue gets fixed, there will be a 2.6.32-431.3.1 (or so). The sysadmin then has to install the new kernel and reboot the server(s) in order to get that fix to be active. Now these "dot dot" release versions typically only contain security fixes or critical bugfixes so while a reboot is annoying and can have a significant time impact, the actual updates are very specific.

When updated versions of the OS are released (such as OL6 update 1, OL6 update 2,...) however, the change in the kernel can be more significant. For instance, look at the lifecycle of Oracle Linux 6 with the "RHCK" versions: OL6 GA shipped with kernel 2.6.32-71, update 1 with 2.6.32-131, update 2 with 2.6.32-220, update 3 with 2.6.32-279, update 4 with 2.6.32-358 and update 5 with 2.6.32-431. Each of these kernels will have pretty significant changes. Aside from carrying forward the security fixes and critical bugfixes, they typically also contain new device drivers and new features backported into older kernels. In fact, if you look at the changelog of the RHCKs you will see features from kernels as current as 3.x backported into 2.6.32.

In this case, going from one version to another is a bigger deal for some customers that have a very conservative upgrade policy. However, to be current with security updates one typically has to go to a newer version in order to get the errata. Security fixes are not backported to all older versions by default; while some vendors have a support option where they will support one or 2 other kernel versions, it's relatively selective.

With Ksplice however, we make the security/critical fix errata available for all the various kernels. Not just one or 2 selective versions. So you can be on any of these kernels, and without the need for a reboot, have the fixes available. That's choice and flexibility. It reduces risk of upgrading to newer kernels to get a fix, it reduces down time to zero and increases the security of your servers.

By the way, 2.6.32-71 was released 03-Jan-2011. Since then there were 45 kernels released (RHCK), with vulnerability fixes and critical fixes, so if you wanted to remain current, that would have resulted in 44 reboots for each server since 2011 (so 3.5 years). With Oracle Ksplice, you could still be running that 2.6.32-71 kernel from January 2011, without any reboot and be current with your CVEs. Imagine having 100's, if not 1000's of servers... time saved, cost saved...

To give you a concrete example, here is a list of all the different kernel versions (RHCK) for Oracle Linux 6 :

kernel-2.6.32-71
kernel-2.6.32-71.14.1
kernel-2.6.32-71.18.1
kernel-2.6.32-71.18.2
kernel-2.6.32-71.24.1
kernel-2.6.32-71.29.1
kernel-2.6.32-131.0.15
kernel-2.6.32-131.2.1
kernel-2.6.32-131.4.1
kernel-2.6.32-131.6.1
kernel-2.6.32-131.12.1
kernel-2.6.32-131.17.1
kernel-2.6.32-131.21.1
kernel-2.6.32-220.2.1
kernel-2.6.32-220.4.1
kernel-2.6.32-220.4.2
kernel-2.6.32-220.7.1
kernel-2.6.32-220.13.1
kernel-2.6.32-220.17.1
kernel-2.6.32-220.23.1
kernel-2.6.32-220
kernel-2.6.32-279.1.1
kernel-2.6.32-279.2.1
kernel-2.6.32-279.5.1
kernel-2.6.32-279.5.2
kernel-2.6.32-279.9.1
kernel-2.6.32-279.11.1
kernel-2.6.32-279.14.1
kernel-2.6.32-279.19.1
kernel-2.6.32-279.22.1
kernel-2.6.32-279
kernel-2.6.32-358.0.1
kernel-2.6.32-358.2.1
kernel-2.6.32-358.6.1
kernel-2.6.32-358.6.2
kernel-2.6.32-358.11.1
kernel-2.6.32-358.14.1
kernel-2.6.32-358.18.1
kernel-2.6.32-358.23.2
kernel-2.6.32-358
kernel-2.6.32-431.1.2
kernel-2.6.32-431.3.1
kernel-2.6.32-431.5.1
kernel-2.6.32-431.11.2
kernel-2.6.32-431.17.1
kernel-2.6.32-431

With Oracle Linux and Ksplice you could be running -any- of the above kernel versions in your production environments; when a security vulnerability gets fixed, we will make a fix available for all of the above.

Here is a list of the latest Ksplice update packages for Oracle Linux 6 with RHCK, as you can see, all the kernels are there :

uptrack-updates-2.6.32-131.0.15.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.12.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.17.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.21.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.2.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.4.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-131.6.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.13.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.17.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.2.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.23.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.4.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.4.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.7.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-220.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.11.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.1.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.14.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.19.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.2.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.22.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.5.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.5.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.9.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-279.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.0.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.11.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.14.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.18.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.2.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.23.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.6.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.6.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-358.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.11.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.1.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.3.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.5.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-431.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.14.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.18.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.18.2.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.24.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.29.1.el6.x86_64.20140331-0
uptrack-updates-2.6.32-71.el6.x86_64.20140331-0

OpenStack with Oracle Linux and Oracle VM

The OpenStack Summit has been an exciting event. We announced the Oracle OpenStack Distribution with support for Oracle Linux and Oracle VM, and support included with Oracle Linux and Oracle VM Premier Support at no additional cost. The announcement was well received by our customers and partners. We’re pleased to continue the Oracle tradition of translating our enterprise experience into community contributions as we’ve done with Linux and Xen. Oracle is committed to ensuring choice for both our partners and customers.

A preview of OpenStack distribution (Havana) is now available on oracle.com for Oracle Linux (controller + compute) and Oracle VM (compute). We will follow this up with the production (GA) release in the next several months, including an update to IceHouse and later Juno. (whitepaper)

An OpenStack distribution contains several components that can be grouped into 2 major buckets: (a) controller components, such as keystone, horizon, glance, cinder, ... and (b) compute components such as nova and neutron. We provide support for the controller components on top of Oracle Linux and as part of Oracle Linux Premier Support. We provide support for the compute components on top of either Oracle Linux or Oracle VM (as part of Premier Support for both products).

By adding the Oracle OpenStack Distribution to Oracle Linux and Oracle VM, we can provide integrated support for all components in the stack including applications, database, middleware, guest OS, host OS, virtualization, and OpenStack – plus servers and storage. Our experience attacking the world’s toughest enterprise workloads means we focus on OpenStack stability, availability, performance, debugging and diagnostics. Oracle OpenStack customers and partners can immediately benefit from advanced features like Ksplice and DTrace from Oracle Linux and the hardening, testing, performance and stability of Oracle VM.

If you have chosen an OpenStack distribution other than Oracle’s, rest assured. Oracle will not attempt to force you to choose our OpenStack distribution by withholding support; we will provide the same high quality Oracle Linux and Oracle VM support no matter which OpenStack distribution you choose.

Furthermore, Oracle will continue to collaborate with Oracle’s OpenStack partners validating with Oracle Linux and Oracle VM. Our goal remains the same: jointly deliver great solutions and support experience for our mutual customers. We also look forward to working with other vendors to certify networking, storage, hypervisor and other plugins into the Oracle OpenStack Distribution.

Finally, we plan to follow a development model similar to the approach we use with Linux and the Unbreakable Enterprise Kernel. Our development work is focused on contributing upstream to the OpenStack community and we will pick up new releases of OpenStack after testing and validation.

It is an exciting time for OpenStack developers and users. We are thrilled that Oracle and our customers are part of it!

MySQL 5.6.20-4 and Oracle Linux DTrace

The MySQL team just released MySQL 5.6.20. One of the cool new things for Oracle Linux users is the addition of MySQL DTrace probes. When you use Oracle Linux 6, or 7 with UEKr3 (3.8.x) and the latest DTrace utils/tools, then you can make use of this. MySQL 5.6 is available for install through ULN or from public-yum. You can just install it using yum.

# yum install mysql-community-server

Then install dtrace utils from ULN.

# yum install dtrace-utils

As root, enable DTrace and allow normal users to record trace information:

# modprobe fasttrap
# chmod 666 /dev/dtrace/helper

Start MySQL server.

# /etc/init.d/mysqld start

Now you can try out various dtrace scripts. You can find the reference manual for MySQL DTrace support here.

Example 1

Save the script below as query.d.

#!/usr/sbin/dtrace -qws
#pragma D option strsize=1024


mysql*:::query-start /* using the mysql provider */
{

  self->query = copyinstr(arg0); /* Get the query */
  self->connid = arg1; /*  Get the connection ID */
  self->db = copyinstr(arg2); /* Get the DB name */
  self->who   = strjoin(copyinstr(arg3),strjoin("@",
     copyinstr(arg4))); /* Get the username */

  printf("%Y\t %20s\t  Connection ID: %d \t Database: %s \t Query: %s\n", 
     walltimestamp, self->who ,self->connid, self->db, self->query);

}

Run it, in another terminal, connect to MySQL server and run a few queries.

# dtrace -s query.d 
dtrace: script 'query.d' matched 22 probes
CPU     ID                    FUNCTION:NAME
  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 
    Jul 29 12:32:21 root@localhost	  Connection ID: 5 	 Database:  	 
    Query: select @@version_comment limit 1

  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 
    Jul 29 12:32:28 root@localhost	  Connection ID: 5 	 Database:  	 
    Query: SELECT DATABASE()

  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 
    Jul 29 12:32:28 root@localhost	  Connection ID: 5 	 Database: database 	 
    Query: show databases

  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 
    Jul 29 12:32:28 root@localhost	  Connection ID: 5 	 Database: database 	 
    Query: show tables

  0   4133 _Z16dispatch_command19enum_server_commandP3THDPcj:query-start 2014 
    Jul 29 12:32:31 root@localhost	  Connection ID: 5 	 Database: database 	 
    Query: select * from foo
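
The query-start probe hands query.d the statement text, so anything typed inline in a statement, including the password in GRANT ... IDENTIFIED BY or SET PASSWORD, is printed to the trace. The Python below is an added example, not part of the original post: it parses the one-line-per-query layout that the script's printf produces when DTrace runs with -q and redacts credential literals before the trace is stored. The sample lines, account names and passwords are constructed.

```python
import re

# Layout of the printf() in query.d when DTrace runs quietly (-q):
#   "%Y\t %20s\t  Connection ID: %d \t Database: %s \t Query: %s\n"
TRACE_FMT = "%s\t %20s\t  Connection ID: %d \t Database: %s \t Query: %s"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\t\s*(?P<who>\S+)\t\s*"
    r"Connection ID: (?P<connid>\d+) \t Database: (?P<db>.*?) \t Query: (?P<query>.*)$"
)

# A quoted SQL string literal, allowing backslash escapes and doubled quotes.
STR = r"""(?:'(?:[^'\\]|\\.|'')*'|"(?:[^"\\]|\\.|"")*")"""

# Statement forms that carry a credential as a literal.
SECRET_PATTERNS = [
    re.compile(r"(IDENTIFIED\s+BY\s+(?:PASSWORD\s+)?)" + STR, re.I),
    re.compile(r"(PASSWORD\s*\(\s*)" + STR, re.I),
    re.compile(r"(SET\s+PASSWORD\b[^=]*=\s*)" + STR, re.I),
]


def parse_line(line):
    """Return the fields of one trace line, or None for headers and noise."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["connid"] = int(rec["connid"])
    return rec


def redact(query):
    """Replace credential literals; return (clean_query, was_redacted)."""
    out = query
    for pat in SECRET_PATTERNS:
        out = pat.sub(lambda m: m.group(1) + "'<redacted>'", out)
    return out, out != query


def sanitize_trace(lines):
    """Parse trace lines and redact secrets so the result is safe to keep."""
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rec["query"], rec["had_secret"] = redact(rec["query"])
        records.append(rec)
    return records


# Constructed sample trace, built with the same layout as the D printf().
SAMPLE_TRACE = [
    "dtrace: script 'query.d' matched 22 probes",
    TRACE_FMT % ("2014 Jul 29 12:32:31", "root@localhost", 5, "database",
                 "select * from foo"),
    TRACE_FMT % ("2014 Jul 29 12:33:02", "root@localhost", 5, "",
                 "GRANT SELECT ON app.* TO 'report'@'%' IDENTIFIED BY 'Example-Pw-1'"),
    TRACE_FMT % ("2014 Jul 29 12:33:10", "root@localhost", 6, "mysql",
                 "SET PASSWORD FOR 'report'@'%' = PASSWORD('it''s-constructed')"),
]

if __name__ == "__main__":
    for rec in sanitize_trace(SAMPLE_TRACE):
        flag = "REDACTED" if rec["had_secret"] else "ok"
        print(rec["ts"], rec["who"], rec["connid"], flag, rec["query"])
```

Running the script as dtrace -s query.d, as shown above, bypasses the -q in its first line, which is why that output carries the CPU/ID columns; pass -q on the command line to get the one-line layout this parser expects.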

Example 2

Save the script below as statement.d.

#!/usr/sbin/dtrace -s

#pragma D option quiet

dtrace:::BEGIN
{
   printf("%-60s %-8s %-8s %-8s\n", "Query", "RowsU", "RowsM", "Dur (ms)");
}

/* Statement start probes only: arg0 is the statement text. */
mysql*:::update-start, mysql*:::insert-start,
mysql*:::delete-start, mysql*:::multi-delete-start,
mysql*:::select-start,
mysql*:::insert-select-start, mysql*:::multi-update-start
{
    self->query = copyinstr(arg0);
    self->querystart = timestamp;
}

mysql*:::insert-done, mysql*:::select-done,
mysql*:::delete-done, mysql*:::multi-delete-done, mysql*:::insert-select-done
/ self->querystart /
{
    this->elapsed = ((timestamp - self->querystart)/1000000);
    printf("%-60s %-8d %-8d %d\n",
           self->query,
           0,
           arg1,
           this->elapsed);
    self->querystart = 0;
}

mysql*:::update-done, mysql*:::multi-update-done
/ self->querystart /
{
    this->elapsed = ((timestamp - self->querystart)/1000000);
    printf("%-60s %-8d %-8d %d\n",
           self->query,
           arg1,
           arg2,
           this->elapsed);
    self->querystart = 0;
}

Run it and do a few queries.

# dtrace -s statement.d 
Query                                                        RowsU    RowsM    Dur (ms)
select @@version_comment limit 1                             0        1        0
SELECT DATABASE()                                            0        1        0
show databases                                               0        6        0
show tables                                                  0        2        0
select * from foo                                            0        1        0

The magic of ksplice

I love talking about Oracle Ksplice and how cool a technology and feature it is. Whenever I explain to customers how much they can do with it, they often just can't believe the capabilities until I show them, in a matter of literally 5 seconds that it actually really -just works-.

During Oracle OpenWorld, we talked about it a lot, of course, and I wanted to show you how far back these ksplice updates can go. How much flexibility it gives a system administrator in terms of which kernel to use, how easy and fast it is, etc...

One of the main advantages of the ksplice technology is the ability for us to build these updates for many, many, yes many,... kernels and have a highly automated and scalable build infrastructure. When we publish a ksplice update, we build the update for -every kernel errata- released since the first kernel for that given major distribution release we started to support. What does this mean? Well, in the case of Oracle Linux 5, we currently support ksplice updates starting with Oracle Linux 5 update 4's kernel. The base-kernel being the Red Hat Compatible kernel : 2.6.18-164.el5 built, Thu Sep 3 04:15:13 EDT 2009. Yes, you read that right, September 2009. So during the lifetime of Oracle Linux 5, starting with that kernel, we publish ksplice updates for every kernel since then to today (and forward, of course). So no matter what errata kernel you are on, since -164, or major Oracle Linux 5 release, ksplice updates released after that date will be available for all those kernels. A simple uptrack-upgrade will take that running version up to the latest updates. While the main focus of the ksplice online updates is around CVEs, we also add critical fixes to it as well, so it's a combination of both.

So back to OL5.4: running uname shows 2.6.18-164.el5. After uptrack-upgrade -y it will say 2.6.18-398.el5 (which, by the way, is the latest kernel for OL5 for 2.6.18). You can see the output below; you can also see how many 'minutes' it took, without reboot, all current and active right away, and you can follow the timeframe by looking at the year right behind CVE. You will see CVEs from 2009, 2010, 2011, 2012, 2013 and 2014. Completely current.

Now, this can be done on a running system. To install ksplice and start using it, you don't need to reboot; just install the uptrack tools and you're good to go. You can be current with CVEs and critical bugs without rebooting for years. You can be current even though you run an older update release of Oracle Linux, and you are not required to take new kernels that (in the RHCK case) potentially backport new features, introduce new code beyond just bugfixes, and introduce new device drivers, which on a stable system you don't necessarily want or need. So it's always good to update to newer kernels when you get new hardware and need new device drivers, but for existing stable production systems you don't really want or need that, nor do you necessarily need to get stuff from new kernels backported into older versions (again, in particular in the RHCK case), which will introduce a lot of change. I will show you the lines-of-code change in another blog entry. ksplice lets you stick with an older version, yet anything critical and CVE related will be there for you, and this for any errata kernel you start with since, in the OL5 case, update 4... Not just one update earlier, but any kernel at any point in time.

If you do have periodic scheduled reboots, fine, install the kernel rpms so that the next time you reboot, it boots into the latest kernel, if you want, but you don't have to. You have complete flexibility if and when you need it.

I hope that the output of this, and a follow-up blog I will do on OL6 as a similar example, shows how scalable this is, how much use this has had, how many updates we have done and can do, and how complex these updates are (not just a one-line change in some file); not just a one-off for one customer case, but scalable. Also, there are tons of checks in place so that it works for kernel modules and so that it won't lock up your box: we validate that it's the right kernel, that these updates are safe to apply, etc. Proven, 7+ years old technology, and completely supported by us. You can run your database or middleware software and run uptrack-upgrade while it's up and running and humming along... perfectly OK.
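
The Install lines that uptrack-upgrade prints, in the format shown in the output in this post, can be turned into a CVE inventory for audit purposes. The Python below is an added example, not part of the original post or of the Ksplice tools: it extracts the update ID and every CVE named on each line, groups the CVEs by year, and checks a list of CVEs of interest against what was installed. The sample lines are copied from that output; CVE-2099-0001 is a constructed placeholder for an ID that is not covered.

```python
import re
from collections import defaultdict

# "Install [id] description" as printed by uptrack-upgrade in this post.
STEP_RE = re.compile(r"^Install \[(?P<id>[0-9a-z]+)\] (?P<summary>.+)$")
CVE_RE = re.compile(r"CVE-(\d{4})-\d{4,}")

# Lines copied from the uptrack-upgrade output in this post.
SAMPLE_OUTPUT = """\
The following steps will be taken:
Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Install [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Install [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Install [5mgd1si0] Improved fix to CVE-2010-1173.
Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Install [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Install [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
"""


def parse_updates(text):
    """Return one record per Install line; non-CVE fixes get an empty list."""
    updates = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if not m:
            continue  # banner lines, timing output, blanks
        summary = m.group("summary")
        cves = sorted({c.group(0) for c in CVE_RE.finditer(summary)})
        updates.append({"id": m.group("id"), "cves": cves, "summary": summary})
    return updates


def cves_by_year(updates):
    """Group the CVE IDs by the year embedded in the identifier."""
    years = defaultdict(set)
    for update in updates:
        for cve in update["cves"]:
            years[int(cve.split("-")[1])].add(cve)
    return {year: sorted(ids) for year, ids in sorted(years.items())}


def reconcile(wanted, updates):
    """Split the CVEs of interest into those named by an update and the rest.

    A CVE can map to several update IDs (an original fix plus a later
    improved fix), so every matching ID is reported.
    """
    index = defaultdict(list)
    for update in updates:
        for cve in update["cves"]:
            index[cve].append(update["id"])
    covered = {cve: index[cve] for cve in wanted if cve in index}
    missing = [cve for cve in wanted if cve not in index]
    return covered, missing


if __name__ == "__main__":
    installed = parse_updates(SAMPLE_OUTPUT)
    for year, ids in cves_by_year(installed).items():
        print(year, ", ".join(ids))
    # CVE-2099-0001 is a constructed placeholder, not a real identifier.
    covered, missing = reconcile(
        ["CVE-2010-1173", "CVE-2013-0871", "CVE-2099-0001"], installed)
    print("covered:", covered)
    print("not found:", missing)
```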

time uptrack-upgrade -y
The following steps will be taken:
Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Install [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Install [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Install [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Install [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Install [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Install [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Install [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Install [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Install [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Install [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Install [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Install [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Install [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Install [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Install [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Install [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Install [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Install [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Install [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Install [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Install [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Install [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Install [qdlkztzx] Kernel crash forwarding network traffic.
Install [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Install [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Install [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Install [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Install [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Install [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Install [xem0m4sg] Floating point state corruption after signal.
Install [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Install [3ulklysv] CVE-2010-0307: Denial of service on amd64
Install [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Install [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Install [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Install [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Install [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Install [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Install [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Install [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Install [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Install [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Install [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Install [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Install [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Install [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Install [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Install [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Install [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Install [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Install [5mgd1si0] Improved fix to CVE-2010-1173.
Install [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Install [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Install [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Install [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Install [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Install [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Install [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Install [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Install [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Install [ff1wrijq] Buffer overflow in icmpmsg_put.
Install [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Install [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Install [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Install [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Install [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Install [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Install [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Install [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Install [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Install [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Install [usukkznh] Mitigate denial of service attacks with large argument lists.
Install [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Install [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Install [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Install [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Install [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Install [hnbz3ppf] Integer overflow in sys_remap_file_pages.
Install [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
Install [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Install [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Install [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
Install [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Install [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
Install [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Install [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
Install [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
Install [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
Install [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Install [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
Install [ifgdet83] Use-after-free in MPT driver.
Install [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Install [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
Install [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
Install [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
Install [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
Install [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Install [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Install [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Install [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Install [jz43fdgc] Denial of service in NFS server via reference count leak.
Install [h860edrq] Fix a packet flood when initializing a bridge device without STP.
Install [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Install [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
Install [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Install [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Install [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
Install [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
Install [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
Install [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Install [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Install [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Install [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Install [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
Install [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
Install [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
Install [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
Install [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Install [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
Install [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
Install [ofrder8l] Hangs using direct I/O with XFS filesystem.
Install [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
Install [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
Install [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
Install [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
Install [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
Install [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
Install [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Install [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Install [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
Install [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
Install [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
Install [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
Install [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
Install [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
Install [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
Install [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
Install [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
Install [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Install [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
Install [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Install [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Install [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
Install [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
Install [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
Install [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Install [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
Install [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Install [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Install [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Install [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
Install [uknrp2eo] Denial of service in filesystem unmounting.
Install [97u6urvt] Soft lockup in USB ACM driver.
Install [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
Install [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
Install [yc146ytc] Unresponsive I/O using QLA2XXX driver.
Install [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Install [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
Install [bvoz27gv] Arithmetic overflow in clock source calculations.
Install [lzwurn1u] ext4 filesystem corruption on fallocate.
Install [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Install [9do532u6] Kernel panic when overcommiting memory with NFSd.
Install [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Install [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
Install [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Install [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Install [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
Install [l093jvcl] Kernel panic in SMB extended attributes.
Install [qlzoyvty] Kernel panic in ext3 indirect blocks.
Install [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Install [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Install [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
Install [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Install [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Install [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Install [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Install [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Install [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
Install [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
Install [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Install [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Install [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Install [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Install [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Install [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
Install [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
Install [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
Install [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
Install [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
Install [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Install [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
Install [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Install [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Install [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
Install [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
Install [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Install [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
Install [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Install [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
Install [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Install [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Install [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
Install [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
Install [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
Install [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
Install [pz65qqpk] Panic in GFS2 filesystem locking code.
Install [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Install [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Install [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Install [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Install [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Install [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Installing [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Installing [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Installing [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Installing [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Installing [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Installing [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Installing [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Installing [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Installing [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Installing [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Installing [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Installing [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Installing [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Installing [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Installing [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Installing [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Installing [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Installing [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Installing [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Installing [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Installing [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Installing [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Installing [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Installing [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Installing [qdlkztzx] Kernel crash forwarding network traffic.
Installing [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Installing [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Installing [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Installing [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Installing [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Installing [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Installing [xem0m4sg] Floating point state corruption after signal.
Installing [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Installing [3ulklysv] CVE-2010-0307: Denial of service on amd64
Installing [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Installing [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Installing [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Installing [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Installing [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Installing [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Installing [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Installing [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Installing [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Installing [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Installing [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Installing [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Installing [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Installing [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Installing [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Installing [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Installing [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Installing [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Installing [5mgd1si0] Improved fix to CVE-2010-1173.
Installing [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Installing [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Installing [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Installing [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Installing [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Installing [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Installing [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Installing [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Installing [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Installing [ff1wrijq] Buffer overflow in icmpmsg_put.
Installing [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Installing [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Installing [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Installing [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Installing [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Installing [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Installing [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Installing [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Installing [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Installing [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Installing [usukkznh] Mitigate denial of service attacks with large argument lists.
Installing [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Installing [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Installing [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Installing [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Installing [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Installing [hnbz3ppf] Integer overflow in sys_remap_file_pages.
Installing [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
Installing [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Installing [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
Installing [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Installing [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
Installing [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Installing [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
Installing [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
Installing [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
Installing [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Installing [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
Installing [ifgdet83] Use-after-free in MPT driver.
Installing [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Installing [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
Installing [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
Installing [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
Installing [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Installing [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Installing [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Installing [jz43fdgc] Denial of service in NFS server via reference count leak.
Installing [h860edrq] Fix a packet flood when initializing a bridge device without STP.
Installing [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Installing [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
Installing [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Installing [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Installing [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
Installing [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
Installing [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
Installing [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Installing [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Installing [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Installing [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Installing [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
Installing [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
Installing [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
Installing [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
Installing [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Installing [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
Installing [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
Installing [ofrder8l] Hangs using direct I/O with XFS filesystem.
Installing [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
Installing [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
Installing [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
Installing [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
Installing [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
Installing [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
Installing [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Installing [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Installing [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
Installing [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
Installing [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
Installing [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
Installing [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
Installing [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
Installing [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
Installing [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
Installing [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
Installing [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Installing [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
Installing [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Installing [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Installing [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
Installing [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
Installing [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
Installing [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Installing [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
Installing [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Installing [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Installing [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
Installing [uknrp2eo] Denial of service in filesystem unmounting.
Installing [97u6urvt] Soft lockup in USB ACM driver.
Installing [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
Installing [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
Installing [yc146ytc] Unresponsive I/O using QLA2XXX driver.
Installing [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Installing [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
Installing [bvoz27gv] Arithmetic overflow in clock source calculations.
Installing [lzwurn1u] ext4 filesystem corruption on fallocate.
Installing [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [9do532u6] Kernel panic when overcommiting memory with NFSd.
Installing [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Installing [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
Installing [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Installing [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Installing [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
Installing [l093jvcl] Kernel panic in SMB extended attributes.
Installing [qlzoyvty] Kernel panic in ext3 indirect blocks.
Installing [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Installing [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Installing [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
Installing [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Installing [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Installing [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Installing [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Installing [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Installing [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
Installing [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
Installing [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Installing [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Installing [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Installing [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Installing [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Installing [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
Installing [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
Installing [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
Installing [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
Installing [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
Installing [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Installing [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
Installing [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Installing [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Installing [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
Installing [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
Installing [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Installing [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
Installing [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Installing [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
Installing [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Installing [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Installing [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
Installing [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
Installing [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
Installing [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
Installing [pz65qqpk] Panic in GFS2 filesystem locking code.
Installing [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Installing [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Installing [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Installing [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Installing [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Installing [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Your kernel is fully up to date.
Effective kernel version is 2.6.18-398.el5

real	0m59.447s
user	0m22.640s
sys	0m22.611s
One minute for 215 updates. And this isn't one minute of hang: each patch is applied in turn, and applying one takes just a few microseconds. So your applications and users won't experience hangs or hiccups at all.
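A captured uptrack-upgrade run like the one above also works as an audit record. The following Python is an added example, not part of the original post or of Ksplice: it parses the `Install` / `Installing` / `Effective kernel version` lines in the format shown above, checks that every planned update was actually applied, and reports which required CVEs the log does not mention. The function names and the `CVE-0000-0000` placeholder are assumptions; the sample lines are copied from the output above, and the truncated variant is constructed.

```python
import re

# Line shapes taken from the uptrack-upgrade output shown on this page.
ENTRY_RE = re.compile(r"^(Install|Installing) \[([0-9a-z]{8})\] (.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
KERNEL_RE = re.compile(r"^Effective kernel version is (\S+)$")

# Excerpt copied from the run above (plan lines, then the applied lines).
SAMPLE_LOG = """\
Install [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Install [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Install [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Install [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Installing [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Installing [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Installing [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Installing [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Your kernel is fully up to date.
Effective kernel version is 2.6.18-398.el5
"""

# Constructed failure case: the same log cut off after the second applied update.
TRUNCATED_LOG = "\n".join(SAMPLE_LOG.splitlines()[:6]) + "\n"


def parse_uptrack_log(text):
    """Split captured output into planned updates, applied updates and kernel."""
    planned, installed = {}, {}
    effective = None
    for raw in text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if entry:
            verb, update_id, desc = entry.groups()
            # "Install" is the plan; "Installing" is printed as each one is applied.
            (planned if verb == "Install" else installed)[update_id] = desc
            continue
        kernel = KERNEL_RE.match(line)
        if kernel:
            effective = kernel.group(1)
    return {"planned": planned, "installed": installed,
            "effective_kernel": effective}


def cve_index(installed):
    """Map each CVE id to the update ids whose description names it.

    One update can name several CVEs ("CVE-A, CVE-B: ..." or "CVE-A and
    CVE-B: ..."), and updates without a CVE are simply not indexed.
    """
    index = {}
    for update_id, desc in installed.items():
        for cve in CVE_RE.findall(desc):
            index.setdefault(cve, []).append(update_id)
    return index


def audit(text, required_cves):
    """Report whether the run completed and which required CVEs are absent."""
    parsed = parse_uptrack_log(text)
    index = cve_index(parsed["installed"])
    not_applied = sorted(set(parsed["planned"]) - set(parsed["installed"]))
    return {
        "effective_kernel": parsed["effective_kernel"],
        "installed_count": len(parsed["installed"]),
        "planned_not_installed": not_applied,
        "missing_cves": sorted(c for c in required_cves if c not in index),
        # Complete only if nothing planned was skipped and the final
        # "Effective kernel version" line was reached.
        "complete": not not_applied and parsed["effective_kernel"] is not None,
    }


if __name__ == "__main__":
    # CVE-0000-0000 is a placeholder standing in for a CVE the log lacks.
    wanted = ["CVE-2014-4699", "CVE-2014-1738", "CVE-0000-0000"]
    for name, log in (("full", SAMPLE_LOG), ("truncated", TRUNCATED_LOG)):
        print(name, audit(log, wanted))
```

A log that starts mid-run, with no `Install` plan lines, yields an empty `planned_not_installed`, so in that case rely on `effective_kernel` and `missing_cves` rather than on the plan comparison.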

The magic of ksplice continues...

My previous blog entry talked about some cool use cases of ksplice, and I used Oracle Linux 5 as the example. In this entry I just want to add Oracle Linux 6. For Oracle Linux 6, we go all the way back to the GA date of OL6: 2.6.32-71.el6, build date Wed Dec 15 12:36:54 EST 2010. We support ksplice online updates from that point on, up to today. It is the same model: you can be on any Oracle Linux 6 kernel (an errata update, or a specific kernel from an update release like 6.1, ..., 6.5) and get current with CVEs and critical fixes from then on. After running uptrack-upgrade, I am current: 2.6.32-431.29.2.el6

I ran out of xterm buffer space ;-) so this starts with the Installing part of the output of uptrack-upgrade -y:

Installing [1y0hqxq7] Invalid memory access in dynamic debug entry listing.
Installing [1f9nec9b] Clear garbage data on the kernel stack when handling signals.
Installing [lrh0cfph] Reduce usage of reserved percpu memory.
Installing [uo1fmxxr] CVE-2010-2962: Privilege escalation in i915 pread/pwrite ioctls.
Installing [11ofaaud] CVE-2010-3084: Buffer overflow in ETHTOOL_GRXCLSRLALL command.
Installing [8u4favcu] CVE-2010-3301: Privilege escalation in 32-bit syscall entry via ptrace.
Installing [ayk01zir] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Installing [p1o8wy3o] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Installing [r1mlwooa] CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.
Installing [584zm6x2] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Installing [vt03uggp] CVE-2010-2955: Information leak in wireless extensions.
Installing [7rzgltfi] CVE-2010-3079: NULL pointer dereference in ftrace.
Installing [oyaovezn] CVE-2010-3437: Information leak in pktcdvd driver.
Installing [70cjk1y6] CVE-2010-3698: Denial of service vulnerability in KVM host.
Installing [9dm5foy9] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Installing [mhsn7n2j] Memory corruption during KSM swapping.
Installing [kn5l6sh5] KVM guest crashes due to unsupported model-specific registers.
Installing [xmx98rz9] Erroneous merge of block write with block discard request.
Installing [23nlxpse] CVE-2010-2803: Information leak in drm subsystem.
Installing [mo9lbpsi] Memory leak in DRM buffer object LRU list handling.
Installing [91hrmhbr] Memory leak in GEM drm_vma_entry handling.
Installing [apryc0uo] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Installing [ur02tbrc] CVE-2010-4160: Privilege escalation in PPP over L2TP.
Installing [5o3hvdgy] CVE-2010-4263: NULL pointer dereference in igb network driver.
Installing [a3z3nda1] CVE-2010-3477: Information leak in tcf_act_police_dump.
Installing [lsd1hzvx] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Installing [z92iokkb] CVE-2010-3080: Privilege escalation in ALSA sound system OSS emulation.
Installing [23yh7u1i] CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL ioctl.
Installing [jxtltpyu] CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.
Installing [5fuyrpx3] CVE-2010-4162: Integer overflow in block I/O subsystem.
Installing [ylkgl75m] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Installing [ppawlabm] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Installing [q4n7w8t6] CVE-2010-3067: Information leak in sys_io_submit.
Installing [0w2s15ix] CVE-2010-3298: Information leak in hso_get_count().
Installing [dfi8ncbj] CVE-2010-3876: Kernel information leak in packet subsystem.
Installing [ahrdouix] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Installing [wvbjfli8] CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.
Installing [pkhcqtro] CVE-2010-4075: Kernel information leak in serial subsystem.
Installing [cwksn40u] CVE-2010-4077: Kernel information leak in nozomi driver.
Installing [q4d3smds] CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.
Installing [z4duwd7q] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [eajqjo74] CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO.
Installing [6hrf2a3e] CVE-2010-4083: Information leak in System V IPC.
Installing [3xm2ly3f] CVE-2010-4158: Kernel information leak in socket filters.
Installing [5y2oasdw] CVE-2010-4525: Information leak in KVM VCPU events ioctl.
Installing [35e4qfr6] CVE-2010-2492: Privilege escalation in eCryptfs.
Installing [rr12rtq3] Data corruption due to bad flags in break_lease and may_open.
Installing [20cz9gp7] Kernel oops in network neighbour update.
Installing [m650djkx] Deadlock on fsync during dm device resize.
Installing [c19gus65] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Installing [3e86rex1] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Installing [cxb3m3ae] CVE-2010-4165: Denial of service in TCP from user MSS.
Installing [dii4wm64] CVE-2010-4169: Use-after-free bug in mprotect system call.
Installing [e465fr49] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Installing [5s3fe1cn] Mitigate denial of service attacks with large argument lists.
Installing [j8jwyth1] Memory corruption in multipath deactivation queueing.
Installing [5qkkyd5m] Kernel panic in network bonding on ARP receipt.
Installing [f9j8s6u6] Failure to recover NFSv4 client state on server reboot.
Installing [qa379ag5] CVE-2011-0714: Remote denial of service in RPC server sockets.
Installing [12q8wuvd] CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.
Installing [tm68xsph] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Installing [fk2zg5ec] CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.
Installing [bcfvwcux] CVE-2011-0716: Memory corruption in IGMP bridge snooping.
Installing [smkv0oja] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Installing [3eu2kr7i] CVE-2010-3296: Kernel information leak in cxgb driver.
Installing [3skmaxct] CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.
Installing [xuxi8p7r] CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.
Installing [7npiqvil] CVE-2010-4655: Information leak in ETHTOOL_GREGS ioctl.
Installing [en0luyx8] Denial of service on empty virtio_console write.
Installing [yv0cumoa] Denial of service in r8169 receive queue handling.
Installing [j6vlp89e] Failure of virtio_net device on guest low-memory condition.
Installing [q53j90kj] KVM guest crash due to stale memory on migration.
Installing [ri498cnm] KVM guest crash due to unblocked NMIs on STI instruction.
Installing [tlrgiz2i] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Installing [9eta98wf] Use-after-free in CIFS session management.
Installing [19wu4xr4] CVE-2011-0712: Buffer overflows in caiaq driver.
Installing [3cxo6wrf] CVE-2011-1079: Denial of service in Bluetooth BNEP.
Installing [kzieu2je] CVE-2011-1080: Information leak in netfilter.
Installing [ekzp14u9] CVE-2010-4258: Failure to revert address limit override after oops.
Installing [jd3cmfll] CVE-2011-0006: Unhandled error condition when adding security rules.
Installing [jk52g3fx] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Installing [z2ne1xi4] CVE-2011-1013: Signedness error in drm.
Installing [gb4ntots] Cache allocation bug in DCCP.
Installing [pe4f00pm] CVE-2011-1093: NULL pointer dereference in DCCP.
Installing [yypibd1k] CVE-2011-1573: Denial of service in SCTP.
Installing [02al7nxj] CVE-2011-0726: Address space leakage through /proc/pid/stat.
Installing [00ahpz3z] CVE-2011-0711: Information leak in XFS filesystem.
Installing [iczdh30p] CVE-2010-4250: Reference count leak in inotify failure path.
Installing [ea8bohrp] Infinite loop in tty auditing.
Installing [85iuyyyj] Buffer overflow in iptables CLUSTERIP target.
Installing [8o0892h3] CVE-2010-4565: Information leak in Broadcast Manager CAN protocol.
Installing [p3ck0dr6] CVE-2011-1019: Module loading restriction bypass with CAP_NET_ADMIN.
Installing [w8sa7qie] CVE-2011-1016: Privilege escalation in radeon GPU driver.
Installing [aqnhua0z] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Installing [mla0f8wz] CVE-2011-1082: Denial of service in epoll.
Installing [5dbkxjue] CVE-2011-1090: Denial of service in NFSv4 client.
Installing [4qj7c7qc] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Installing [3vf1zjzf] CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [a03rwxbz] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Installing [7z04dctw] Incorrect interrupt handling on down e1000 interface.
Installing [ep319ryq] CVE-2011-1770: Remote denial of service in DCCP options parsing.
Installing [qp7al6tc] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Installing [85n0mc4q] CVE-2011-1598: Denial of service in CAN/BCM protocol.
Installing [z8t1hsjb] CVE-2011-1748: Denial of service in CAN raw sockets.
Installing [pvtdn3yd] CVE-2011-1767: Incorrect initialization order in ip_gre.
Installing [xughs2jb] CVE-2011-1768: Incorrect initialization order in IP tunnel protocols.
Installing [k6a6bqyr] CVE-2011-2479: Denial of service with transparent hugepages and /dev/zero.
Installing [pmkvbrcc] CVE-2011-1776: Missing boundary checks in EFI partition table parsing.
Installing [pb9pjnnn] CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.
Installing [mnpd8mip] CVE-2011-1593: Missing bounds check in proc filesystem.
Installing [d6vuea6w] CVE-2011-2213: Arbitrary code injection bug in IPv4 subsystem.
Installing [zmfowuqn] CVE-2011-2491: Local denial of service in NLM subsystem.
Installing [402w3brr] CVE-2011-2492: Information leak in bluetooth implementation.
Installing [vi7qxs20] CVE-2011-2497: Buffer overflow in the Bluetooth subsystem.
Installing [ql0oxrhk] CVE-2011-2517: Buffer overflow in nl80211 driver.
Installing [0xcbigxp] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Installing [127f4d1u] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Installing [w72wz6f4] CVE-2011-2495: Information leak in /proc/PID/io.
Installing [c8v0sk8t] CVE-2011-1160: Information leak in tpm driver.
Installing [1nt1dahj] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Installing [bxqvqvef] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Installing [d4m9k310] CVE-2011-2484: Denial of service in taskstats subsystem.
Installing [3vlbyy24] CVE-2011-2496: Local denial of service in mremap().
Installing [e0lkqz3i] CVE-2011-2723: Remote denial of service vulnerability in gro.
Installing [99r3sbjg] CVE-2011-2898: Information leak in packet subsystem
Installing [3ev4sw2b] CVE-2011-2918: Denial of service in event overflows in perf.
Installing [ll9j5877] CVE-2011-1833: Information disclosure in eCryptfs.
Installing [ww2gv7iv] CVE-2011-3359: Denial of service in Broadcom 43xx wireless driver.
Installing [9x0ub4l1] CVE-2011-3363: Denial of service in CIFS via malicious DFS referrals.
Installing [ggvpdbug] CVE-2011-3188: Weak TCP sequence number generation.
Installing [z4pt0sai] CVE-2011-1577: Denial of service in GPT partition handling.
Installing [omnzxxxr] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
Installing [o4xkg2el] CVE-2011-3191: Privilege escalation in CIFS directory reading.
Installing [e2eyyaf9] CVE-2011-1162: Information leak in TPM driver.
Installing [1fmgtd1b] CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.
Installing [ldjwxwd5] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Installing [tnhvync5] CVE-2011-2494: Information leak in task/process statistics.
Installing [gi4te905] CVE-2011-3593: Denial of service in VLAN with priority tagged frames.
Installing [h1wiua6s] CVE-2011-4110: Denial of service in kernel key management facilities.
Installing [4yrxpwih] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Installing [gz5jfzi3] CVE-2011-1020: Missing access restrictions in /proc subsystem.
Installing [o31erbbr] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [yqaa1zsp] Arithmetic overflow in clock source calculations.
Installing [vxfxrncu] CVE-2011-4077: Buffer overflow in xfs_readlink.
Installing [rnvy1bow] CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.
Installing [5bokjzmm] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Installing [q7t7hls4] CVE-2011-4347: Denial of service in KVM device assignment.
Installing [wmeoffm9] CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.
Installing [gu3picnz] CVE-2012-0038: In-memory corruption in XFS ACL processing.
Installing [v2td9qse] CVE-2012-0045: Denial of service in KVM system call emulation.
Installing [n2xairv0] CVE-2012-0879: Denial of service in CLONE_IO.
Installing [2k2kq44h] Fix crash on discard in the software RAID driver.
Installing [i244mlk5] CVE-2012-1097: NULL pointer dereference in the ptrace subsystem.
Installing [2anjx00z] CVE-2012-1090: Denial of service in the CIFS filesystem reference counting.
Installing [3ujb9j7q] Inode corruption in XFS inode lookup.
Installing [01x2k6jv] Denial of service due to race condition in the scheduler subsystem.
Installing [hfh1ug4u] CVE-2011-4086: Denial of service in journaling block device.
Installing [4wb0i9tz] CVE-2012-1601: Denial of service in KVM VCPU creation.
Installing [aqut3qai] CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.
Installing [0zkt2e47] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
Installing [pe6u1nwx] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Installing [jqtlake1] CVE-2012-2121: Memory leak in KVM device assignment.
Installing [u6ys5804] CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.
Installing [lr9cjz2p] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Installing [nscqru85] CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.
Installing [j01o1nco] ext4 filesystem corruption on fallocate.
Installing [p37lmn34] CVE-2012-2745: Denial-of-service in kernel key management.
Installing [alprvnsv] CVE-2012-2744: Remote denial-of-service in IPv6 connection tracking.
Installing [m06ws6vc] Unreliable futexes with read-only shared mappings.
Installing [b7mpy2k1] CVE-2011-1078: Information leak in Bluetooth SCO link driver.
Installing [pywfzhvz] CVE-2012-2384: Integer overflow in i915 execution buffer.
Installing [2ibdnvmo] Livelock due to invalid locking strategy when adding a leap-second.
Installing [oixf5hkj] CVE-2012-2384: Additional fix for integer overflow in i915 execution buffer.
Installing [m4x7vdnl] CVE-2012-2390: Memory leak in hugetlbfs mmap() failure.
Installing [o2a3jmox] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [u3qpyl86] CVE-2012-3430: kernel information leak in RDS sockets.
Installing [wr1of5oe] CVE-2012-3552: Denial-of-service in IP options handling.
Installing [y40wlmcw] CVE-2012-3412: Remote denial of service through TCP MSS option in SFC NIC.
Installing [dxshabnc] Use-after-free in USB.
Installing [aovf4isj] Race condition in SUNRPC.
Installing [trz9wa6p] CVE-2012-3400: Buffer overflow in UDF parsing.
Installing [062ge0uf] CVE-2012-3511: Use-after-free due to race condition in madvise.
Installing [tu585kp5] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Installing [fky5li3t] CVE-2012-2133: Use-after-free in hugetlbfs quota handling.
Installing [xtpg99y6] CVE-2012-5517: NULL pointer dereference in memory hotplug.
Installing [ffehzdo8] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Installing [u0d6ztl3] CVE-2012-4565: Divide by zero in TCP congestion control Algorithm.
Installing [7au7wp12] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Installing [80vrmgyk] CVE-2012-4530: Kernel information leak in binfmt execution.
Installing [uytq1dk0] CVE-2012-4398: Denial-of-service in kernel module loading.
Installing [3c5erej0] CVE-2013-0310: NULL pointer dereference in CIPSO socket options.
Installing [j8x8j89y] CVE-2013-0311: Privilege escalation in vhost descriptor management.
Installing [mkibg12j] CVE-2012-4508: Stale data exposure in ext4.
Installing [daw7s3mo] CVE-2012-4542: SCSI command filter does not restrict access to read-only devices.
Installing [nqlo7yy2] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Installing [l6zf9mec] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Installing [r88p6prz] CVE-2013-1798: Information leak in KVM APIC driver.
Installing [tquaqo7o] CVE-2013-1792: Denial-of-service in user keyring management.
Installing [ao71x17l] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Installing [875umolk] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Installing [4dr93r2j] CVE-2013-1827: Denial-of-service in DCCP socket options.
Installing [cdrfdlrt] CVE-2013-0349: Kernel information leak in Bluetooth HIDP support.
Installing [9j8xk8dz] CVE-2012-6546: Information leak in ATM sockets.
Installing [4oeurjvw] CVE-2013-1767: Use-after-free in tmpfs mempolicy remount.
Installing [yhprsmoc] CVE-2013-1773: Heap buffer overflow in VFAT Unicode handling.
Installing [amh400jp] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Installing [532069fc] CVE-2013-1774: NULL pointer dereference in USB Inside Out Edgeport serial driver.
Installing [uaslykxk] CVE-2013-2017: Double free in Virtual Ethernet Tunnel driver (veth).
Installing [1vegmzxj] CVE-2013-1943: Local privilege escalation in KVM memory mappings.
Installing [wddz9qxt] CVE-2012-6548: Information leak in UDF export.
Installing [d51dm2vs] CVE-2013-0914: Information leak in signal handlers.
Installing [sxb5x0pd] CVE-2013-2852: Invalid format string usage in Broadcom B43 wireless driver.
Installing [vzlh2p9r] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Installing [l1wlz1f1] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Installing [m0y7j4ra] CVE-2013-3225: Kernel stack information leak in Bluetooth rfcomm.
Installing [3m5ckvvm] CVE-2013-3301: NULL pointer dereference in tracing sysfs files.
Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
Installing [0m3a5xq8] CVE-2013-2128: Denial of service in TCP splice.
Installing [2fg4nowt] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Installing [m4a0xb93] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Installing [pqfoprcp] CVE-2013-2237: Information leak on IPSec key socket.
Installing [i1ha5yp7] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Installing [aqfegdn1] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Installing [oojymn3l] CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.
Installing [kb7zovzd] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Installing [7ew8svwd] Off-by-one error causes reduced entropy in kernel PRNG.
Installing [v3hs5diu] CVE-2013-2888: Memory corruption in Human Input Device processing.
Installing [aew2tmdl] CVE-2013-2889: Memory corruption in Zeroplus HID driver.
Installing [ox2wqeva] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Installing [w9rhkfub] CVE-2013-1928: Kernel information leak in compat_ioctl/VIDEO_SET_SPU_PALETTE.
Installing [r55nqyci] CVE-2013-2164: Kernel information leak in the CDROM driver.
Installing [1vgf62zi] CVE-2013-2234: Information leak in IPsec key management.
Installing [hc532irb] CVE-2013-2851: Format string vulnerability is software RAID device names.
Installing [e129vh8h] CVE-2013-4592: Denial-of-service in KVM IOMMU mappings.
Installing [9wzwcaep] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Installing [ufm8ladu] CVE-2013-4470: Memory corruption in IPv4 and IPv6 networking corking with UFO.
Installing [5rh9jkmi] CVE-2013-6367: Divide-by-zero in KVM LAPIC.
Installing [ur8700aj] CVE-2013-6368: Memory corruption in KVM virtual APIC accesses.
Installing [nyg2e0m1] Error in the tag insertion logic of the bonding network device.
Installing [1ekik21n] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Installing [m8de4fmg] CVE-2013-7263, CVE-2013-7265: Information leak in IPv4, IPv6 and PhoNet socket recvmsg.
Installing [p4ufjdr0] CVE-2014-0101: NULL pointer dereference in SCTP protocol.
Installing [o86dh6ww] Use-after-free in EDAC Intel E752X driver.
Installing [b2h8hej4] Deadlock in XFS filesystem when removing a inode from namespace.
Installing [nvhmnvp6] Memory leak in GFS2 filesystem for files with short lifespan.
Installing [7brqevk0] CVE-2013-1860: Buffer overflow in Wireless Device Management driver.
Installing [4nh0vuhi] Missing check in selinux for IPSec TCP SYN-ACK packets.
Installing [zvvk1k2q] Logic error in selinux when checking permissions on recv socket.
Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.
Installing [1r5tw9sm] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Installing [z4k7xryp] CVE-2014-2523: Remote crash via DCCP conntrack.
Installing [pi89wa2j] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Installing [b4x8o44g] CVE-2014-0196: Pseudo TTY device write buffer handling race.
Installing [s8s7tfsm] CVE-2014-3153: Local privilege escalation in futex requeueing.
Installing [bqk9mi1j] CVE-2013-6378: Denial-of-service in Marvell 8xxx Libertas WLAN driver.
Installing [rokmr7ey] CVE-2014-1874: Denial-of-service in SELinux on empty security context.
Installing [hxq9cdju] CVE-2014-0203: Memory corruption on listing procfs symbolic links.
Installing [n6kpf53d] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Installing [pbab6ibn] CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.
Installing [8n932y6h] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.
Installing [yfh1rar2] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Installing [5z4hhyp3] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Installing [1vpc7i76] CVE-2012-6647: NULL pointer dereference in non-pi futexes.
Installing [ruu6bc4r] CVE-2014-3144, CVE-2014-3145: Multiple local denial of service vulnerabilities in netlink.
Installing [hgeqfh2x] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Installing [345v5a2z] CVE-2014-4667: Denial-of-service in SCTP stack when unpacking a COOKIE_ECHO chunk.
Installing [92st5y9o] CVE-2014-0205: Use-after-free in futex refcounting.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-431.29.2.el6

real	1m26.960s
user	0m39.562s
sys	0m34.806s

And now, 1 min 27 seconds for 267 patches, both CVEs and critical fixes...
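For vulnerability management, output like the above is the evidence that a CVE is fixed on a host whose installed kernel package still looks old to a scanner. The following is an added example, not part of the original post or of the Ksplice tools: it turns the `Installing [...]` lines into a CVE-to-update map, expanding the shorthand titles seen in the log (`CVE-2013-2634, 2635` and the bracketed `CVE-2013-(726[6789], ...)` form). The function names are hypothetical and the sample lines are copied from the output above.

```python
import re
from itertools import product

# Matches both the plan ("Install [...]") and the progress ("Installing [...]") lines.
LINE_RE = re.compile(r"^\s*Install(?:ing)?\s+\[(?P<uid>[0-9a-z]{8})\]\s+(?P<title>.+?)\s*$")

# Lines copied from the uptrack output shown above.
SAMPLE_LOG = """\
Installing [7z04dctw] Incorrect interrupt handling on down e1000 interface.
Installing [1nt1dahj] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Installing [nscqru85] CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.
Installing [pywfzhvz] CVE-2012-2384: Integer overflow in i915 execution buffer.
Installing [oixf5hkj] CVE-2012-2384: Additional fix for integer overflow in i915 execution buffer.
Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-431.29.2.el6
"""


def expand_class(pattern):
    """Expand a suffix such as '726[6789]' into ['7266', '7267', '7268', '7269']."""
    parts = re.findall(r"\[([^\]]+)\]|([^\[\]]+)", pattern)
    choices = [list(cls) if cls else [lit] for cls, lit in parts]
    return ["".join(combo) for combo in product(*choices)]


def expand_cves(header):
    """Expand the part of an update title before ': ' into full CVE ids."""
    group = re.fullmatch(r"CVE-(\d{4})-\((.+)\)", header)
    if group:
        year, body = group.groups()
        return [f"CVE-{year}-{num}"
                for item in body.split(",")
                for num in expand_class(item.strip())]
    cves, year = [], None
    for token in re.split(r"\s*,\s*|\s+and\s+", header):
        full = re.fullmatch(r"CVE-(\d{4})-(\d{4,})", token)
        if full:
            year = full.group(1)
            cves.append(token)
        elif year and re.fullmatch(r"\d{4,}", token):
            # A bare number inherits the year of the CVE id before it.
            cves.append(f"CVE-{year}-{token}")
        else:
            raise ValueError(f"unrecognised CVE token {token!r} in {header!r}")
    return cves


def parse_uptrack_log(text):
    """Return (CVE id -> list of update ids, list of (update id, title) without a CVE)."""
    by_cve, other = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # summary lines such as "Your kernel is fully up to date."
        uid, title = m["uid"], m["title"]
        if title.startswith("CVE-") and ": " in title:
            for cve in expand_cves(title.split(": ", 1)[0]):
                by_cve.setdefault(cve, []).append(uid)
        else:
            other.append((uid, title))
    return by_cve, other


def not_covered(scanner_cves, by_cve):
    """CVE ids a scanner reported that no update in the log addresses."""
    return sorted(c for c in set(scanner_cves) if c not in by_cve)


if __name__ == "__main__":
    covered, fixes = parse_uptrack_log(SAMPLE_LOG)
    print(len(covered), "CVE ids covered;", len(fixes), "non-CVE fixes")
    print("still open:", not_covered(["CVE-2013-7271", "CVE-2014-3153"], covered))
```
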

Oracle Linux Containers and docker and the magic of ksplice becomes even more exciting

So, in my previous blogs I talked about the value of ksplice for applying updates and keeping your system current. The typical use case has been physical servers or VMs, each running some application, which keeps every system pretty isolated. A system admin often sees downtime on a single server as no big deal. For the application owner, however, downtime of a bunch of servers because a multi-tier application goes down is a pretty big deal, and it can take some scheduling (and cost) to agree on downtime for reboots. If you have to patch a database server and reboot it, then you first have to bring down your application servers, then bring down the database, then reboot the server. So that 'single reboot' from a sysadmin point of view is a nightmare for the application owner who has an application across many servers: long downtime and potential risk. Do keep that complexity in mind...

Anyway, we introduced support for Linux containers a year ago, back with Oracle Linux 6 and the release of UEKr3. No need to wait for OL7 (or rhel7...): we've been doing this for almost a year, and it was possible without having to reinstall servers, go from 6 to 7 and to systemd, and have major changes. Just simply updating an OL6 environment and a reboot into uek3 and you were good to go, a year ago. So... with containers (and docker is very similar here)... you run one kernel. That is as opposed to running VMs, where each VM is a completely isolated virtual environment with its own kernel and you can live migrate the VMs to another host if you need to update/patch the host, etc... So you run an OS that supports containers, you deploy your apps and isolate them nicely in a container each... and now you need to apply kernel security updates... well... that means the host kernel on which all these container environments are running... oops. My reboot now brings down a ton of containers. Well, not with ksplice. You run uptrack-update in the main environment and it nicely, online, without affecting your running apps in their containers or docker environments, updates to the latest fixes and CVEs. Done. No downtime, no scheduling issues with your application users... all set.

Supported.. since a year ago. Stable.

SAP certification for Oracle's Virtual Compute Appliance X4-2 (VCA X4-2)

We have been working with SAP to certify their products, based on SAP NetWeaver 7.x (specifically on the following OS versions : Oracle Linux 5, Oracle Linux 6, Oracle Solaris 10, Oracle Solaris 11), in a Virtual Compute Appliance Environment. It is also possible to run 2-tier and 3-tier configurations/installations of Oracle Database and SAP applications on VCA.

For more detail you can go to SAP Note 2052912.

The Virtual Compute Appliance is a great, cost effective, easy to deploy converged infrastructure solution. Installations can be done by the customer, it takes just a few hours to bring up and start using a VCA system and deploy applications. The entire setup is pre-wired, pre-installed, pre-configured, using our best practices. All the software and hardware components in VCA are standard off the shelf, proven, products. Oracle Linux for the management node OS, Oracle VM for the compute nodes. Any application or product certified with Oracle VM will work without change or without the need for re-certification inside a VCA environment.

It is very exciting to have the SAP certification for VCA published.

EBS VMs explained


New features in ksplice uptrack-upgrade tools for Oracle Linux

We have many, many happy Oracle Linux customers that use and rely on the Oracle Ksplice service to keep their kernels up to date with all the critical CVEs/bugfixes that we release as zero downtime patches.

There are 2 ways to use the Ksplice service:

  • Online edition/client
    The uptrack tools (the Ksplice utilities you install on an Oracle Linux server to start applying ksplice updates) connect directly with the Oracle server to download updates. This model gives the most flexibility in terms of providing information of patches and detail of what is installed because we have a website on which you can find your servers and detailed patch status.

  • Offline edition/client
    Many companies cannot or do not register all servers remotely with our system so they can rely on the offline client to apply updates. In this mode, the ksplice patches are packaged in RPMs for convenience. For each kernel that is shipped by Oracle for Oracle Linux, we provide a corresponding uptrack-update RPM for that specific kernel version. This RPM contains all the updates that have been released since that version was released.

    The RPM is updated whenever a new ksplice patch becomes available. So you always have 1 RPM installed for a given kernel, and this RPM gets updated. This way standard yum / rpm commands can be used to update your server(s) with ksplice patches as well and everything is nicely integrated.

    The standard model is that an uptrack-upgrade command will apply all updates to current/latest on your server. This is of course the preferred way of applying security fixes on your running system, it's best to be on the latest version. However, in some cases, customers want more fine-grained control than latest.

    We just did an update of the ksplice offline tools to add support for updating to a specific "kernel version". This way, if you are on kernel version x, you would like to go to kernel version y (effective patches/security fixes) but latest is kernel version z, you can tell uptrack-upgrade to go to kernel version y. Let me give a quick and simple example below. I hope this is a useful addition to the tools.

    happy holidays and happy ksplicing!

    To install the tools, make sure that your server(s) has access to the ol6_x86_64_ksplice channel (if it's OL6) :

    $ yum install uptrack-offline

    Now, in my example, I have Oracle Linux 6 installed with the following version of UEK3 :

    $ uname -r
    3.8.13-44.1.1.el6uek.x86_64

    Let's check if updates are available :

    $ yum search uptrack-updates-3.8.13-44.1.1
    Loaded plugins: rhnplugin, security
    This system is receiving updates from ULN.
    =========== N/S Matched: uptrack-updates-3.8.13-44.1.1.el6uek.x86_64 ===========
    uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch : Rebootless updates for the
         ...: Ksplice Uptrack rebootless kernel update service

    As I mentioned earlier, for each kernel there's a corresponding ksplice update RPM. Just install that. In this case, I run 3.8.13-44.1.1.

    $ yum install uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch
    Loaded plugins: rhnplugin, security
    This system is receiving updates from ULN.
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch 0:20141216-0 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package                             Arch   Version    Repository          Size
    ================================================================================
    Installing:
     uptrack-updates-3.8.13-44.1.1.el6uek.x86_64
                                         noarch 20141216-0 ol6_x86_64_ksplice  39 M
    
    Transaction Summary
    ================================================================================
    Install       1 Package(s)
    
    Total download size: 39 M
    Installed size: 40 M
    Is this ok [y/N]: y
    Downloading Packages:
    uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.n |  39 MB     00:29     
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.noa   1/1 
    The following steps will be taken:
    Install [b9hqohyk] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.
    ...
    ...
    Installing [vtujkei9] CVE-2014-6410: Denial of service in UDF filesystem parsing.
    Your kernel is fully up to date.
    Effective kernel version is 3.8.13-55.1.1.el6uek
      Verifying  : uptrack-updates-3.8.13-44.1.1.el6uek.x86_64-20141216-0.noa   1/1 
    
    Installed:
      uptrack-updates-3.8.13-44.1.1.el6uek.x86_64.noarch 0:20141216-0               
    
    Complete!
    

    There have been a ton of updates released since 44.1.1, and the above update gets me to effectively running 3.8.13-55.1.1. Of course, without a reboot.

    $ uptrack-uname -r
    3.8.13-55.1.1.el6uek.x86_64

    Now we get to the new feature. There's a new option in uptrack-upgrade that lists all effective kernel versions from the installed kernel to the latest based on the ksplice rpm installed.

    $ uptrack-upgrade --list-effective
    Available effective kernel versions:
    
    3.8.13-44.1.1.el6uek.x86_64/#2 SMP Wed Sep 10 06:10:25 PDT 2014
    3.8.13-44.1.3.el6uek.x86_64/#2 SMP Wed Oct 15 19:53:10 PDT 2014
    3.8.13-44.1.4.el6uek.x86_64/#2 SMP Wed Oct 29 23:58:06 PDT 2014
    3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014
    3.8.13-55.el6uek.x86_64/#2 SMP Mon Dec 1 11:32:40 PST 2014
    3.8.13-55.1.1.el6uek.x86_64/#2 SMP Thu Dec 11 00:20:49 PST 2014
    

    So as an example, let's say I want to update from 44.1.1 to 44.1.5 instead of to 55.1.1 (for whatever reason I might have). All I have to do, is run uptrack-upgrade to go to that effective kernel version.

    Let's start with removing the installed updates and go back from 55.1.1 to 44.1.1 and then upgrade again to 44.1.5 :

    $ uptrack-remove --all
    ...
    $ uptrack-upgrade --effective="3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014"
    ...
    ...
    Effective kernel version is 3.8.13-44.1.5.el6uek

    And that's it.
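The pinning step above lends itself to scripting when a change-control policy caps the effective version a fleet may run. The following is an added example, not part of the original post or of the Ksplice tools: it parses `--list-effective` output (the sample is the listing shown above) and returns the exact string to hand to `--effective`. The function names and the idea of a version ceiling are assumptions made for illustration.

```python
import re

# Output of `uptrack-upgrade --list-effective`, copied from the listing in the post.
SAMPLE_LIST = """\
Available effective kernel versions:

3.8.13-44.1.1.el6uek.x86_64/#2 SMP Wed Sep 10 06:10:25 PDT 2014
3.8.13-44.1.3.el6uek.x86_64/#2 SMP Wed Oct 15 19:53:10 PDT 2014
3.8.13-44.1.4.el6uek.x86_64/#2 SMP Wed Oct 29 23:58:06 PDT 2014
3.8.13-44.1.5.el6uek.x86_64/#2 SMP Wed Nov 12 14:23:31 PST 2014
3.8.13-55.el6uek.x86_64/#2 SMP Mon Dec 1 11:32:40 PST 2014
3.8.13-55.1.1.el6uek.x86_64/#2 SMP Thu Dec 11 00:20:49 PST 2014
"""

# <upstream version>-<package release>, optionally followed by .el6uek.x86_64 and the like.
RELEASE_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)(?:\.el\w+.*)?$")


def release_key(release):
    """Turn '3.8.13-44.1.5.el6uek.x86_64' into ((3, 8, 13), (44, 1, 5)).

    Comparing integer tuples orders 55 before 55.1.1 and 44.1.5 before 55,
    which a plain string comparison does not guarantee.
    """
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"not a kernel release string: {release!r}")
    return tuple(tuple(int(n) for n in part.split(".")) for part in m.groups())


def parse_list(output):
    """Return [(sort key, exact line)] for version lines; headers and blanks are skipped."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        release, sep, _build = line.partition("/")
        if not sep:
            continue
        try:
            entries.append((release_key(release), line))
        except ValueError:
            continue  # a line with '/' that is not a version entry
    return entries


def pick_effective(output, ceiling):
    """Exact --effective value for the newest version at or below ceiling, else None."""
    limit = release_key(ceiling)
    allowed = [entry for entry in parse_list(output) if entry[0] <= limit]
    return max(allowed)[1] if allowed else None


def upgrade_argv(target):
    """Build the command as an argv list.

    The value contains spaces and '#', so it is passed as one argument
    instead of being pasted into a shell command line.
    """
    return ["uptrack-upgrade", f"--effective={target}"]


if __name__ == "__main__":
    target = pick_effective(SAMPLE_LIST, "3.8.13-44.1.5")
    if target is None:
        print("no effective version at or below the ceiling")
    else:
        print(upgrade_argv(target))
```
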

    Oracle Linux and Database Smart Flash Cache

    One, sometimes overlooked, cool feature of the Oracle Database running on Oracle Linux is called Database Smart Flash Cache.

    You can find an overview of the feature in the Oracle Database Administrator's Guide. Basically, if you have flash devices attached to your server, you can use this flash memory to increase the size of the buffer cache. So instead of aging blocks out of the buffer cache and having to go back to reading them from disk, they move to the much, much faster flash storage as a secondary fast buffer cache (for reads, not writes).

    Some scenarios where this is very useful : you have huge tables and huge amounts of data, a very, very large database with tons of query activity (let's say many TB) and your server is limited to a relatively small amount of main RAM - (let's say 128 or 256G). In this case, if you were to purchase and add a flash storage device of 256G or 512G (example), you can attach this device to the database with the Database Smart Flash Cache feature and increase the buffercache of your database from like 100G or 200G to 300-700G on that same server. In a good number of cases this will give you a significant performance improvement without having to purchase a new server that handles more memory or purchase flash storage that can handle your many TB of storage to live in flash instead of rotational storage.

    It is also incredibly easy to configure.

    -1 install Oracle Linux (I installed Oracle Linux 6 with UEK3)
    -2 install Oracle Database 12c (this would also work with 11g - I installed 12.1.0.2.0 EE)
    -3 add a flash device to your system (for the example I just added a 1GB device showing up as /dev/sdb)
    -4 attach the storage to the database in sqlplus
    Done.

    $ ls /dev/sdb
    /dev/sdb
    
    $ sqlplus '/ as sysdba'
    
    SQL*Plus: Release 12.1.0.2.0 Production on Tue Feb 24 05:46:08 2015
    
    Copyright (c) 1982, 2014, Oracle.  All rights reserved.
    
    
    Connected to:
    Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
    With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
    
    SQL>alter system set db_flash_cache_file='/dev/sdb' scope=spfile;
    
    System altered.
    
    SQL>alter system set db_flash_cache_size=1G scope=spfile;
    
    System altered.
    
    SQL>shutdown immediate;
    Database closed.
    Database dismounted.
    ORACLE instance shut down.
    
    SQL>startup
    ORACLE instance started.
    
    Total System Global Area 4932501504 bytes
    Fixed Size		    2934456 bytes
    Variable Size		 1023412552 bytes
    Database Buffers	 3892314112 bytes
    Redo Buffers		   13840384 bytes
    Database mounted.
    Database opened.
    
    SQL>show parameters flash
    
    NAME				     TYPE	 VALUE
    ------------------------------------ ----------- ------------------------------
    db_flash_cache_file		     string	 /dev/sdb
    db_flash_cache_size		     big integer 1G
    db_flashback_retention_target	     integer	 1440
    
    SQL>select * from v$flashfilestat; 
    
    FLASHFILE#
    ----------
    NAME
    --------------------------------------------------------------------------------
         BYTES    ENABLED SINGLEBLKRDS SINGLEBLKRDTIM_MICRO     CON_ID
    ---------- ---------- ------------ -------------------- ----------
    	 1
    /dev/sdb
    1073741824	    1		 0		      0 	 0
    
    

    You can get more information on configuration and guidelines/tuning here. If you want selective control of which tables can use or will use the Database Smart Flash Cache, you can use the ALTER TABLE command. See here. Specifically the STORAGE clause. By default, the tables are aged out into the flash cache but if you don't want certain tables to be cached you can use the NONE option.

    alter table foo storage (flash_cache none);

    This feature can really make a big difference in a number of database environments and I highly recommend taking a look at how Oracle Linux and Oracle Database 12c can help you enhance your setup. It's included with the database running on Oracle Linux.

    Here is a link to a white paper that gives a bit of a performance overview.

    Oracle Linux 7.1 and MySQL 5.6

    Yesterday we released Oracle Linux 7 update 1. The individual RPM updates are available from both public-yum (our free, open, public yum repo site) and Oracle Linux Network. The install ISOs can be downloaded from My Oracle Support right away and the public downloadable ISOs will be made available in the next few days from the usual e-delivery site. The ISOs will also, as usual, be mirrored to other mirror sites that also make Oracle Linux freely available.

    One update in Oracle Linux 7 update 1 that I wanted to point out is the convenience of upgrading to MySQL 5.6 at install time. Oracle Linux 7 GA includes MariaDB 5.5 (due to our compatibility commitment in terms of exact packages and the same packages) and we added MySQL 5.6 RPMs on the ISO image (and in the yum repo channels online). So while it was easy for someone to download and upgrade from MariaDB 5.5 to MySQL 5.6, there was no install option. Now with 7.1 we included an installation option for MySQL. So you can decide which database to install in the installer or through kickstart with @mariadb or @mysql as a group. Again, MariaDB 5.5 is also part of Oracle Linux 7.1 and any users that are looking for strict package compatibility will see that we are very much that. All we have done is make it easy to have a better alternative option (1) conveniently available and integrated (2) without any compatibility risks whatsoever so you can easily run the real standard that is MySQL. A bug fix if you will.

    I have a little screenshot available here.

    Enjoy.

    Secure Boot support with Oracle Linux 7.1

    Update : as my PM team pointed out to me - it's listed as Tech Preview for OL7.1 not GA/production in the release notes - just making sure I add this disclaimer ;)

    Another feature introduced with Oracle Linux 7.1 is support for Secure Boot.

    If Secure Boot is enabled on a system (typically desktop, but in some cases also servers) - the system can have an embedded certificate (in firmware). This certificate can be one that's uploaded to the system by the admin or it could be one provided by the OEM/OS vendor. In many cases, in particular newer desktops, the system already contains the Microsoft key. (there can be more than one certificate uploaded...). When the firmware loads the boot loader, it verifies/checks the signature of this bootloader with the key stored in firmware before continuing. This signed bootloader (at this point trusted to continue) will then load a signed kernel, or signed second stage boot loader and verify it before starting and continuing the boot process. This creates what is called a chain of trust through the boot process.

    We ship a 1st stage bootloader with Oracle Linux 7.1 which is a tiny "shim" layer that is signed by both Microsoft and Oracle. So if a system comes with Secure Boot support, and already ships the Microsoft PK, then the shim layer will be started, verified, and if it passes verification, it will then load grub2 (the real bootloader). grub2 is signed by us (Oracle). The signed/verified shim layer contains the Oracle key and will validate that grub2 is ours (signed). If verification passes, grub2 will load the Oracle Linux kernel, and the same process takes place: our kernel is signed by us (Oracle) and grub2 will validate the signature prior to allowing execution of the kernel. Once the kernel is running, all kernel modules that we ship as part of Oracle Linux, whether standard kernel modules included in the kernel RPM or external kernel modules used with Oracle Ksplice, are also signed by Oracle and the kernel will validate the signature prior to loading these kernel modules.

    Enabling loading and verification of signed kernel modules is done by adding enforcemodulesig=1 to the grub kernel option line. In enforcing mode, any kernel module that is attempted to be loaded that's not signed by Oracle will fail to load.

    If a system has Secure Boot support but a sysadmin wants to use the Oracle signature instead, we will make our certificate available to be downloaded securely from Oracle and then this can be uploaded into the firmware key database.
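Before switching a host to enforcing mode it helps to inventory which modules on disk carry a signature and who they claim to be signed by. The following is an added example, not Oracle's code: it reads the appended-signature trailer used by kernels of this generation and checks a command line for the `enforcemodulesig=1` option named above. The sample modules, signer names and command line are constructed, and the function names are hypothetical.

```python
import struct

MAGIC = b"~Module signature appended~\n"   # marker the kernel looks for at end of file
TRAILER = struct.Struct(">BBBBB3xI")       # struct module_signature, 12 bytes:
                                           # algo, hash, id_type, signer_len,
                                           # key_id_len, 3 pad bytes, sig_len (big endian)


def module_signer(blob):
    """Return the signer name a module image claims, or None if it is unsigned.

    Layout read here: [ELF][signer name][key id][signature][trailer][MAGIC].
    Newer kernels append a PKCS#7 blob and leave signer_len at 0, in which
    case this returns an empty string. Nothing is verified cryptographically;
    that remains the kernel's job at load time.
    """
    if not blob.endswith(MAGIC):
        return None
    trailer_at = len(blob) - len(MAGIC) - TRAILER.size
    if trailer_at < 0:
        raise ValueError("signature marker present but trailer is truncated")
    _algo, _hash, _id_type, signer_len, key_id_len, sig_len = TRAILER.unpack_from(blob, trailer_at)
    signer_at = trailer_at - sig_len - key_id_len - signer_len
    if signer_at < 0:
        raise ValueError("signature lengths exceed the file size")
    return blob[signer_at:signer_at + signer_len].decode("utf-8", "replace")


def enforcement_enabled(cmdline):
    """True if the kernel command line carries enforcemodulesig=1."""
    return "enforcemodulesig=1" in cmdline.split()


def modules_needing_attention(modules, trusted_signer):
    """Map module name -> reason, for modules not claiming the trusted signer."""
    findings = {}
    for name, blob in modules.items():
        try:
            signer = module_signer(blob)
        except ValueError as exc:
            findings[name] = f"malformed signature: {exc}"
            continue
        if signer is None:
            findings[name] = "unsigned"
        elif signer != trusted_signer:
            findings[name] = f"signed by {signer!r}"
    return findings


def build_signed(payload, signer, key_id=b"\x00" * 20, sig=b"\x00" * 256):
    """Assemble a constructed image in the same layout (signature bytes are dummies)."""
    name = signer.encode()
    # algo/hash/id_type values are placeholders; only the lengths matter to the parser.
    trailer = TRAILER.pack(1, 4, 1, len(name), len(key_id), len(sig))
    return payload + name + key_id + sig + trailer + MAGIC


# Constructed inputs. On a real host the command line comes from /proc/cmdline
# and the images from the .ko files under /lib/modules.
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-example ro root=/dev/mapper/example enforcemodulesig=1"
TRUSTED = "Example Distro Signing Key"     # placeholder for the vendor's signer name
SAMPLE_MODULES = {
    "vendor_signed.ko": build_signed(b"\x7fELF-constructed-1", TRUSTED),
    "third_party.ko": build_signed(b"\x7fELF-constructed-2", "Some Other Key"),
    "locally_built.ko": b"\x7fELF-constructed-3",
}

if __name__ == "__main__":
    print("enforcing:", enforcement_enabled(SAMPLE_CMDLINE))
    for name, reason in sorted(modules_needing_attention(SAMPLE_MODULES, TRUSTED).items()):
        print(f"{name}: {reason}")
```
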

    glibc CVE re: getaddrinfo() and userspace ksplice

    I have my own server with Oracle Linux 6 (of course) where I host a ton of personal stuff and this server was also affected by the nasty DNS bug from last week (see : CVE-2015-7547 ). Everyone really should update glibc and make sure their system is patched (any distribution) by the way - this is a very serious vulnerability... The nice thing, however, was that this is a perfect example for user space ksplice patching. A quick ksplice update for glibc on this box, and it was patched, no restarting the system no restarting sshd or any other app for that matter. A split microsecond and life goes on happily. Nothing affected, no downtime, no pauses, no hiccups. That's the way to patch these things.

    userspace ksplice

    Most awesomely cool stuff. Solving real world problems. Imagine running a few 100 docker instances or a couple of Linux containers and you have to update the host's glibc and bring all that down... talk about impact.

    kernel patches ... check

    critical OS libraries like SSL and GLIBC ... check.

    Oracle Linux 6 and 7 support ... check

    Yes

    ksplice

    As many of you probably know by now, a few days ago there was a report of an old, long-standing Linux bug, going back to kernels even down to 2.6.18 and possibly earlier. This bug was recently fixed, see here.

    Now, distribution vendors, including us, have released kernel updates that customers/users can download and install but as always a regular kernel upgrade requires a reboot. We have had ksplice as a service for Oracle Linux support customers for quite a few years now and we also support Ubuntu and Fedora for free for anyone (see here).

    One thing that is not often talked about but, I believe is very powerful and I wanted to point out here, is the following:

    Typically the distribution vendors (including us) will release an updated kernel that's the 'latest' version with these CVEs fixed, but many customers run older versions of both the distribution and kernels. We now see some other vendors trying to provide the basics for some online patching, but by and large it's based on one-offs and for specific kernels. A big part of the ksplice service is the backend infrastructure to easily build updates for literally a few 1000 kernels. This gives customers great flexibility. You can be on one of many dot-releases of the OS and you can use ksplice. Here is a list of example kernel versions for Oracle Linux that you could be running today and that we provide ksplice updates for, for instance for this DCCP bug. That's a big difference with what other folks have been trying to mimic now that online patching has become more and more important for availability.

    Here is an example kernel:

    2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 08:34:17 PDT 2015

    So that's a kernel built back in September of 2015, a random 'dot release' I run on one of my machines, and there's a ksplice patch available for these recent CVEs. I don't have to worry about having to install the 'latest' kernel, nor doing a reboot.

    # uptrack-upgrade 
    The following steps will be taken:
    Install [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
    Install [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
    
    Go ahead [y/N]? y
    Installing [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
    Installing [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
    Your kernel is fully up to date.
    Effective kernel version is 2.6.32-642.15.1.el6
    

    and done. That easy. My old 2.6.32-573.7.1 kernel looks like 2.6.32-642.15.1 in terms of critical fixes and CVEs.

    # uptrack-show
    Installed updates:
    [cct5dnbf] Clear garbage data on the kernel stack when handling signals.
    [ektd95cj] Reduce usage of reserved percpu memory.
    [uuhgbl3e] Remote denial-of-service in Brocade Ethernet driver.
    [kg3f16ii] CVE-2015-7872: Denial-of-service when garbage collecting uninstantiated keyring.
    [36ng2h1l] CVE-2015-7613: Privilege escalation in IPC object initialization.
    [33jwvtbb] CVE-2015-5307: KVM host denial-of-service in alignment check.
    [38gzh9gl] CVE-2015-8104: KVM host denial-of-service in debug exception.
    [6wvrdj93] CVE-2015-2925: Privilege escalation in bind mounts inside namespaces.
    [1l4i9dfh] CVE-2016-0774: Information leak in the pipe system call on failed atomic read.
    [xu4auj49] CVE-2015-5157: Disable modification of LDT by userspace processes.
    [554ck5nl] CVE-2015-8767: Denial-of-service in SCTP heartbeat timeout.
    [adgeye5p] CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.
    [5ojkw9lv] CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.
    [gfr93o7j] CVE-2015-8324: NULL pointer dereference in ext4 on mount error.
    [ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
    [87lw5yyy] CVE-2015-8215: Remote denial-of-service of network traffic when changing the MTU.
    [2bby9cuy] CVE-2010-5313, CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.
    [orjsp65y] CVE-2015-5156: Denial-of-service in Virtio network device.
    [5j4hp0ot] Device Mapper logic error when reloading the block multi-queue.
    [a1e5kxp6] CVE-2016-4565: Privilege escalation in Infiniband ioctl.
    [gfpg64bh] CVE-2016-5696: Session hijacking in TCP connections.
    [b4ljcwin] Message corruption in pseudo terminal output.
    [prijjgt5] CVE-2016-4470: Denial-of-service in the keyring subsystem.
    [4y2f30ch] CVE-2016-5829: Memory corruption in unknown USB HID devices.
    [j1mivn4f] Denial-of-service when resetting a Fibre Channel over Ethernet interface.
    [nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
    [97fe0h7s] CVE-2016-1583: Privilege escalation in eCryptfs.
    [fdztfgcv] Denial-of-service when sending a TCP reset from the netfilter.
    [gm4ldjjf] CVE-2016-6828: Use after free during TCP transmission.
    [s8pymcf8] CVE-2016-7117: Denial-of-service in recvmmsg() error handling.
    [1ktf7029] CVE-2016-4997, CVE-2016-4998: Privilege escalation in the Netfilter driver.
    [f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.
    [5ncctcgz] CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.
    
    Effective kernel version is 2.6.32-642.15.1.el6
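
    Added example (not part of the original post or of the uptrack tools): a small shell helper that reads text in the uptrack-show format above and answers whether specific CVE ids are covered by an installed Ksplice update, which a check that only looks at the booted kernel version (2.6.32-573.7.1 here) cannot tell you. The sample input is constructed from a few of the lines above, CVE-2099-0001 is a made-up placeholder id, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: reconcile a list of CVE ids with the Ksplice updates that
# uptrack-show reports as installed. All function names are hypothetical.

# Constructed sample: a few lines copied from the uptrack-show output above.
SAMPLE_UPTRACK_SHOW='Installed updates:
[cct5dnbf] Clear garbage data on the kernel stack when handling signals.
[ft01zrkg] CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting an non-journaled ext4 filesystem.
[nawv8jdu] CVE-2016-5195: Privilege escalation when handling private mapping copy-on-write.
[f4muxalm] CVE-2017-6074: Denial-of-service when using IPV6_RECVPKTINFO socket option.

Effective kernel version is 2.6.32-642.15.1.el6'

# patched_cves: read uptrack-show text on stdin and print "CVE-ID update-id"
# pairs, one per line, sorted. An update that names several CVE ids yields
# one pair per id; updates without a CVE id (plain bug fixes) are skipped.
patched_cves() {
    awk '
        /^[ \t]*\[[a-z0-9]+\][ \t]/ {
            id = substr($1, 2, length($1) - 2)      # strip the [ ] around the id
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
                print substr(line, RSTART, RLENGTH), id
                line = substr(line, RSTART + RLENGTH)
            }
        }' | sort -u
}

# effective_kernel: read uptrack-show text on stdin and print the version the
# running kernel is equivalent to in terms of applied fixes.
effective_kernel() {
    sed -n 's/^[[:space:]]*Effective kernel version is \(.*\)$/\1/p' | tail -n 1
}

# triage_cves: $1 is uptrack-show text, the remaining arguments are CVE ids to
# check. Prints "<CVE> patched <update-id>" or "<CVE> MISSING" per id and
# returns 1 if any id is missing, so it can gate a compliance job.
triage_cves() {
    tc_text=$1
    shift
    tc_table=$(printf '%s\n' "$tc_text" | patched_cves)
    tc_rc=0
    for tc_cve in "$@"; do
        # Exact field comparison, so CVE-2016-519 never matches CVE-2016-5195.
        tc_upd=$(printf '%s\n' "$tc_table" |
                 awk -v c="$tc_cve" '$1 == c { print $2; exit }')
        if [ -n "$tc_upd" ]; then
            printf '%s patched %s\n' "$tc_cve" "$tc_upd"
        else
            printf '%s MISSING\n' "$tc_cve"
            tc_rc=1
        fi
    done
    return $tc_rc
}

# Demo on the constructed sample; CVE-2099-0001 is a placeholder id.
printf 'effective kernel: %s\n' \
    "$(printf '%s\n' "$SAMPLE_UPTRACK_SHOW" | effective_kernel)"
triage_cves "$SAMPLE_UPTRACK_SHOW" CVE-2016-5195 CVE-2015-7509 CVE-2099-0001 \
    || echo "at least one CVE is not covered by an installed update"
```

    On a live host the first argument would be "$(uptrack-show)" instead of the sample text.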
    

    Here is the list of kernels we build modules for as part of Oracle Linux customers' kernel choices:

    oracle-2.6.18-238.0.0.0.1.el5
    oracle-2.6.18-238.1.1.0.1.el5
    oracle-2.6.18-238.5.1.0.1.el5
    oracle-2.6.18-238.9.1.0.1.el5
    oracle-2.6.18-238.12.1.0.1.el5
    oracle-2.6.18-238.19.1.0.1.el5
    oracle-2.6.18-274.0.0.0.1.el5
    oracle-2.6.18-274.3.1.0.1.el5
    oracle-2.6.18-274.7.1.0.1.el5
    oracle-2.6.18-274.12.1.0.1.el5
    oracle-2.6.18-274.17.1.0.1.el5
    oracle-2.6.18-274.18.1.0.1.el5
    oracle-2.6.18-308.0.0.0.1.el5
    oracle-2.6.18-308.1.1.0.1.el5
    oracle-2.6.18-308.4.1.0.1.el5
    oracle-2.6.18-308.8.1.0.1.el5
    oracle-2.6.18-308.8.2.0.1.el5
    oracle-2.6.18-308.11.1.0.1.el5
    oracle-2.6.18-308.13.1.0.1.el5
    oracle-2.6.18-308.16.1.0.1.el5
    oracle-2.6.18-308.20.1.0.1.el5
    oracle-2.6.18-308.24.1.0.1.el5
    oracle-2.6.18-348.0.0.0.1.el5
    oracle-2.6.18-348.1.1.0.1.el5
    oracle-2.6.18-348.2.1.0.1.el5
    oracle-2.6.18-348.3.1.0.1.el5
    oracle-2.6.18-348.4.1.0.1.el5
    oracle-2.6.18-348.6.1.0.1.el5
    oracle-2.6.18-348.12.1.0.1.el5
    oracle-2.6.18-348.16.1.0.1.el5
    oracle-2.6.18-348.18.1.0.1.el5
    oracle-2.6.18-371.0.0.0.1.el5
    oracle-2.6.18-371.1.2.0.1.el5
    oracle-2.6.18-371.3.1.0.1.el5
    oracle-2.6.18-371.4.1.0.1.el5
    oracle-2.6.18-371.6.1.0.1.el5
    oracle-2.6.18-371.8.1.0.1.el5
    oracle-2.6.18-371.9.1.0.1.el5
    oracle-2.6.18-371.11.1.0.1.el5
    oracle-2.6.18-371.12.1.0.1.el5
    oracle-2.6.18-398.0.0.0.1.el5
    oracle-2.6.18-400.0.0.0.1.el5
    oracle-2.6.18-400.1.1.0.1.el5
    oracle-2.6.18-402.0.0.0.1.el5
    oracle-2.6.18-404.0.0.0.1.el5
    oracle-2.6.18-406.0.0.0.1.el5
    oracle-2.6.18-407.0.0.0.1.el5
    oracle-2.6.18-408.0.0.0.1.el5
    oracle-2.6.18-409.0.0.0.1.el5
    oracle-2.6.18-410.0.0.0.1.el5
    oracle-2.6.18-411.0.0.0.1.el5
    oracle-2.6.18-412.0.0.0.1.el5
    oracle-2.6.18-416.0.0.0.1.el5
    oracle-2.6.18-417.0.0.0.1.el5
    oracle-2.6.18-418.0.0.0.1.el5
    oracle-2.6.32-642.0.0.0.1.el6
    oracle-3.10.0-514.6.1.0.1.el7
    oracle-3.10.0-514.6.2.0.1.el7
    oracle-uek-2.6.39-100.5.1
    oracle-uek-2.6.39-100.6.1
    oracle-uek-2.6.39-100.7.1
    oracle-uek-2.6.39-100.10.1
    oracle-uek-2.6.39-200.24.1
    oracle-uek-2.6.39-200.29.1
    oracle-uek-2.6.39-200.29.2
    oracle-uek-2.6.39-200.29.3
    oracle-uek-2.6.39-200.31.1
    oracle-uek-2.6.39-200.32.1
    oracle-uek-2.6.39-200.33.1
    oracle-uek-2.6.39-200.34.1
    oracle-uek-2.6.39-300.17.1
    oracle-uek-2.6.39-300.17.2
    oracle-uek-2.6.39-300.17.3
    oracle-uek-2.6.39-300.26.1
    oracle-uek-2.6.39-300.28.1
    oracle-uek-2.6.39-300.32.4
    oracle-uek-2.6.39-400.17.1
    oracle-uek-2.6.39-400.17.2
    oracle-uek-2.6.39-400.21.1
    oracle-uek-2.6.39-400.21.2
    oracle-uek-2.6.39-400.23.1
    oracle-uek-2.6.39-400.24.1
    oracle-uek-2.6.39-400.109.1
    oracle-uek-2.6.39-400.109.3
    oracle-uek-2.6.39-400.109.4
    oracle-uek-2.6.39-400.109.5
    oracle-uek-2.6.39-400.109.6
    oracle-uek-2.6.39-400.209.1
    oracle-uek-2.6.39-400.209.2
    oracle-uek-2.6.39-400.210.2
    oracle-uek-2.6.39-400.211.1
    oracle-uek-2.6.39-400.211.2
    oracle-uek-2.6.39-400.211.3
    oracle-uek-2.6.39-400.212.1
    oracle-uek-2.6.39-400.214.1
    oracle-uek-2.6.39-400.214.3
    oracle-uek-2.6.39-400.214.4
    oracle-uek-2.6.39-400.214.5
    oracle-uek-2.6.39-400.214.6
    oracle-uek-2.6.39-400.215.1
    oracle-uek-2.6.39-400.215.2
    oracle-uek-2.6.39-400.215.3
    oracle-uek-2.6.39-400.215.4
    oracle-uek-2.6.39-400.215.6
    oracle-uek-2.6.39-400.215.7
    oracle-uek-2.6.39-400.215.10
    oracle-uek-2.6.39-400.215.11
    oracle-uek-2.6.39-400.215.12
    oracle-uek-2.6.39-400.215.13
    oracle-uek-2.6.39-400.215.14
    oracle-uek-2.6.39-400.215.15
    oracle-uek-2.6.39-400.243.1
    oracle-uek-2.6.39-400.245.1
    oracle-uek-2.6.39-400.246.2
    oracle-uek-2.6.39-400.247.1
    oracle-uek-2.6.39-400.248.3
    oracle-uek-2.6.39-400.249.1
    oracle-uek-2.6.39-400.249.3
    oracle-uek-2.6.39-400.249.4
    oracle-uek-2.6.39-400.250.2
    oracle-uek-2.6.39-400.250.4
    oracle-uek-2.6.39-400.250.5
    oracle-uek-2.6.39-400.250.6
    oracle-uek-2.6.39-400.250.7
    oracle-uek-2.6.39-400.250.9
    oracle-uek-2.6.39-400.250.10
    oracle-uek-2.6.39-400.250.11
    oracle-uek-2.6.39-400.264.1
    oracle-uek-2.6.39-400.264.4
    oracle-uek-2.6.39-400.264.5
    oracle-uek-2.6.39-400.264.6
    oracle-uek-2.6.39-400.264.13
    oracle-uek-2.6.39-400.276.1
    oracle-uek-2.6.39-400.277.1
    oracle-uek-2.6.39-400.278.1
    oracle-uek-2.6.39-400.278.2
    oracle-uek-2.6.39-400.278.3
    oracle-uek-2.6.39-400.280.1
    oracle-uek-2.6.39-400.281.1
    oracle-uek-2.6.39-400.282.1
    oracle-uek-2.6.39-400.283.1
    oracle-uek-2.6.39-400.283.2
    oracle-uek-2.6.39-400.284.1
    oracle-uek-2.6.39-400.284.2
    oracle-uek-2.6.39-400.286.2
    oracle-uek-2.6.39-400.286.3
    oracle-uek-2.6.39-400.290.1
    oracle-uek-2.6.39-400.290.2
    oracle-uek-2.6.39-400.293.1
    oracle-uek-2.6.39-400.293.2
    oracle-uek-2.6.39-400.294.1
    oracle-uek-2.6.39-400.294.2
    oracle-uek-2.6.39-400.128.21
    oracle-uek-3.8.13-16
    oracle-uek-3.8.13-16.1.1
    oracle-uek-3.8.13-16.2.1
    oracle-uek-3.8.13-16.2.2
    oracle-uek-3.8.13-16.2.3
    oracle-uek-3.8.13-16.3.1
    oracle-uek-3.8.13-26
    oracle-uek-3.8.13-26.1.1
    oracle-uek-3.8.13-26.2.1
    oracle-uek-3.8.13-26.2.2
    oracle-uek-3.8.13-26.2.3
    oracle-uek-3.8.13-26.2.4
    oracle-uek-3.8.13-35
    oracle-uek-3.8.13-35.1.1
    oracle-uek-3.8.13-35.1.2
    oracle-uek-3.8.13-35.1.3
    oracle-uek-3.8.13-35.3.1
    oracle-uek-3.8.13-35.3.2
    oracle-uek-3.8.13-35.3.3
    oracle-uek-3.8.13-35.3.4
    oracle-uek-3.8.13-35.3.5
    oracle-uek-3.8.13-44
    oracle-uek-3.8.13-44.1.1
    oracle-uek-3.8.13-44.1.3
    oracle-uek-3.8.13-44.1.4
    oracle-uek-3.8.13-44.1.5
    oracle-uek-3.8.13-55
    oracle-uek-3.8.13-55.1.1
    oracle-uek-3.8.13-55.1.2
    oracle-uek-3.8.13-55.1.5
    oracle-uek-3.8.13-55.1.6
    oracle-uek-3.8.13-55.1.8
    oracle-uek-3.8.13-55.2.1
    oracle-uek-3.8.13-68
    oracle-uek-3.8.13-68.1.2
    oracle-uek-3.8.13-68.1.3
    oracle-uek-3.8.13-68.2.2
    oracle-uek-3.8.13-68.2.2.1
    oracle-uek-3.8.13-68.2.2.2
    oracle-uek-3.8.13-68.3.1
    oracle-uek-3.8.13-68.3.2
    oracle-uek-3.8.13-68.3.3
    oracle-uek-3.8.13-68.3.4
    oracle-uek-3.8.13-68.3.5
    oracle-uek-3.8.13-98
    oracle-uek-3.8.13-98.1.1
    oracle-uek-3.8.13-98.1.2
    oracle-uek-3.8.13-98.2.1
    oracle-uek-3.8.13-98.2.2
    oracle-uek-3.8.13-98.4.1
    oracle-uek-3.8.13-98.5.2
    oracle-uek-3.8.13-98.6.1
    oracle-uek-3.8.13-98.7.1
    oracle-uek-3.8.13-98.8.1
    oracle-uek-3.8.13-118
    oracle-uek-3.8.13-118.2.1
    oracle-uek-3.8.13-118.2.2
    oracle-uek-3.8.13-118.2.4
    oracle-uek-3.8.13-118.2.5
    oracle-uek-3.8.13-118.3.1
    oracle-uek-3.8.13-118.3.2
    oracle-uek-3.8.13-118.4.1
    oracle-uek-3.8.13-118.4.2
    oracle-uek-3.8.13-118.6.1
    oracle-uek-3.8.13-118.6.2
    oracle-uek-3.8.13-118.7.1
    oracle-uek-3.8.13-118.8.1
    oracle-uek-3.8.13-118.9.1
    oracle-uek-3.8.13-118.9.2
    oracle-uek-3.8.13-118.10.2
    oracle-uek-3.8.13-118.11.2
    oracle-uek-3.8.13-118.13.2
    oracle-uek-3.8.13-118.13.3
    oracle-uek-3.8.13-118.14.1
    oracle-uek-3.8.13-118.14.2
    oracle-uek-3.8.13-118.15.1
    oracle-uek-3.8.13-118.15.2
    oracle-uek-3.8.13-118.15.3
    oracle-uek-3.8.13-118.16.2
    oracle-uek-3.8.13-118.16.3
    oracle-uek-4.1.12-32
    oracle-uek-4.1.12-32.1.2
    oracle-uek-4.1.12-32.1.3
    oracle-uek-4.1.12-32.2.1
    oracle-uek-4.1.12-32.2.3
    oracle-uek-4.1.12-37.2.1
    oracle-uek-4.1.12-37.2.2
    oracle-uek-4.1.12-37.3.1
    oracle-uek-4.1.12-37.4.1
    oracle-uek-4.1.12-37.5.1
    oracle-uek-4.1.12-37.6.1
    oracle-uek-4.1.12-37.6.2
    oracle-uek-4.1.12-37.6.3
    oracle-uek-4.1.12-61.1.6
    oracle-uek-4.1.12-61.1.9
    oracle-uek-4.1.12-61.1.10
    oracle-uek-4.1.12-61.1.13
    oracle-uek-4.1.12-61.1.14
    oracle-uek-4.1.12-61.1.16
    oracle-uek-4.1.12-61.1.17
    oracle-uek-4.1.12-61.1.18
    oracle-uek-4.1.12-61.1.19
    oracle-uek-4.1.12-61.1.21
    oracle-uek-4.1.12-61.1.22
    oracle-uek-4.1.12-61.1.23
    oracle-uek-4.1.12-61.1.24
    oracle-uek-4.1.12-61.1.25
    oracle-uek-4.1.12-61.1.27
    rhel-2.6.32-71.el6
    rhel-2.6.32-71.7.1.el6
    rhel-2.6.32-71.14.1.el6
    rhel-2.6.32-71.18.1.el6
    rhel-2.6.32-71.18.2.el6
    rhel-2.6.32-71.24.1.el6
    rhel-2.6.32-71.29.1.el6
    rhel-2.6.32-131.0.15.el6
    rhel-2.6.32-131.2.1.el6
    rhel-2.6.32-131.4.1.el6
    rhel-2.6.32-131.6.1.el6
    rhel-2.6.32-131.12.1.el6
    rhel-2.6.32-131.17.1.el6
    rhel-2.6.32-131.21.1.el6
    rhel-2.6.32-220.el6
    rhel-2.6.32-220.2.1.el6
    rhel-2.6.32-220.4.1.el6
    rhel-2.6.32-220.4.2.el6
    rhel-2.6.32-220.7.1.el6
    rhel-2.6.32-220.13.1.el6
    rhel-2.6.32-220.17.1.el6
    rhel-2.6.32-220.23.1.el6
    rhel-2.6.32-279.el6
    rhel-2.6.32-279.1.1.el6
    rhel-2.6.32-279.2.1.el6
    rhel-2.6.32-279.5.1.el6
    rhel-2.6.32-279.5.2.el6
    rhel-2.6.32-279.9.1.el6
    rhel-2.6.32-279.11.1.el6
    rhel-2.6.32-279.14.1.el6
    rhel-2.6.32-279.19.1.el6
    rhel-2.6.32-279.22.1.el6
    rhel-2.6.32-358.el6
    rhel-2.6.32-358.0.1.el6
    rhel-2.6.32-358.2.1.el6
    rhel-2.6.32-358.6.1.el6
    rhel-2.6.32-358.6.2.el6
    rhel-2.6.32-358.6.2.el6.x86_64.crt1
    rhel-2.6.32-358.11.1.el6
    rhel-2.6.32-358.14.1.el6
    rhel-2.6.32-358.18.1.el6
    rhel-2.6.32-358.23.2.el6
    rhel-2.6.32-431.el6
    rhel-2.6.32-431.1.2.el6
    rhel-2.6.32-431.3.1.el6
    rhel-2.6.32-431.5.1.el6
    rhel-2.6.32-431.11.2.el6
    rhel-2.6.32-431.17.1.el6
    rhel-2.6.32-431.20.3.el6
    rhel-2.6.32-431.20.5.el6
    rhel-2.6.32-431.23.3.el6
    rhel-2.6.32-431.29.2.el6
    rhel-2.6.32-504.el6
    rhel-2.6.32-504.1.3.el6
    rhel-2.6.32-504.3.3.el6
    rhel-2.6.32-504.8.1.el6
    rhel-2.6.32-504.12.2.el6
    rhel-2.6.32-504.16.2.el6
    rhel-2.6.32-504.23.4.el6
    rhel-2.6.32-504.30.3.el6
    rhel-2.6.32-573.el6
    rhel-2.6.32-573.1.1.el6
    rhel-2.6.32-573.3.1.el6
    rhel-2.6.32-573.7.1.el6
    rhel-2.6.32-573.8.1.el6
    rhel-2.6.32-573.12.1.el6
    rhel-2.6.32-573.18.1.el6
    rhel-2.6.32-573.22.1.el6
    rhel-2.6.32-573.26.1.el6
    rhel-2.6.32-642.el6
    rhel-2.6.32-642.1.1.el6
    rhel-2.6.32-642.3.1.el6
    rhel-2.6.32-642.4.2.el6
    rhel-2.6.32-642.6.1.el6
    rhel-2.6.32-642.6.2.el6
    rhel-2.6.32-642.11.1.el6
    rhel-2.6.32-642.13.1.el6
    rhel-2.6.32-642.13.2.el6
    rhel-3.10.0-123.el7
    rhel-3.10.0-123.1.2.el7
    rhel-3.10.0-123.4.2.el7
    rhel-3.10.0-123.4.4.el7
    rhel-3.10.0-123.6.3.el7
    rhel-3.10.0-123.8.1.el7
    rhel-3.10.0-123.9.2.el7
    rhel-3.10.0-123.9.3.el7
    rhel-3.10.0-123.13.1.el7
    rhel-3.10.0-123.13.2.el7
    rhel-3.10.0-123.20.1.el7
    rhel-3.10.0-229.el7
    rhel-3.10.0-229.1.2.el7
    rhel-3.10.0-229.4.2.el7
    rhel-3.10.0-229.7.2.el7
    rhel-3.10.0-229.11.1.el7
    rhel-3.10.0-229.14.1.el7
    rhel-3.10.0-229.20.1.el6.x86_64.knl2
    rhel-3.10.0-229.20.1.el7
    rhel-3.10.0-327.el7
    rhel-3.10.0-327.3.1.el7
    rhel-3.10.0-327.4.4.el7
    rhel-3.10.0-327.4.5.el7
    rhel-3.10.0-327.10.1.el7
    rhel-3.10.0-327.13.1.el7
    rhel-3.10.0-327.18.2.el7
    rhel-3.10.0-327.22.2.el7
    rhel-3.10.0-327.28.2.el7
    rhel-3.10.0-327.28.3.el7
    rhel-3.10.0-327.36.1.el7
    rhel-3.10.0-327.36.2.el7
    rhel-3.10.0-327.36.3.el7
    rhel-3.10.0-514.el7
    rhel-3.10.0-514.2.2.el7
    rhel-3.10.0-514.6.1.el7
    rhel-3.10.0-514.6.2.el7
    rhel-2.6.18-92.1.10.el5
    rhel-2.6.18-92.1.13.el5
    rhel-2.6.18-92.1.17.el5
    rhel-2.6.18-92.1.18.el5
    rhel-2.6.18-92.1.22.el5
    rhel-2.6.18-128.el5
    rhel-2.6.18-128.1.1.el5
    rhel-2.6.18-128.1.6.el5
    rhel-2.6.18-128.1.10.el5
    rhel-2.6.18-128.1.14.el5
    rhel-2.6.18-128.1.16.el5
    rhel-2.6.18-128.2.1.el5
    rhel-2.6.18-128.4.1.el5
    rhel-2.6.18-128.7.1.el5
    rhel-2.6.18-149.el5
    rhel-2.6.18-164.el5
    rhel-2.6.18-164.2.1.el5
    rhel-2.6.18-164.6.1.el5
    rhel-2.6.18-164.9.1.el5
    rhel-2.6.18-164.10.1.el5
    rhel-2.6.18-164.11.1.el5
    rhel-2.6.18-164.15.1.el5
    rhel-2.6.18-194.el5
    rhel-2.6.18-194.3.1.el5
    rhel-2.6.18-194.8.1.el5
    rhel-2.6.18-194.11.1.el5
    rhel-2.6.18-194.11.3.el5
    rhel-2.6.18-194.11.4.el5
    rhel-2.6.18-194.17.1.el5
    rhel-2.6.18-194.17.4.el5
    rhel-2.6.18-194.26.1.el5
    rhel-2.6.18-194.32.1.el5
    rhel-2.6.18-238.el5
    rhel-2.6.18-238.1.1.el5
    rhel-2.6.18-238.5.1.el5
    rhel-2.6.18-238.9.1.el5
    rhel-2.6.18-238.12.1.el5
    rhel-2.6.18-238.19.1.el5
    rhel-2.6.18-274.el5
    rhel-2.6.18-274.3.1.el5
    rhel-2.6.18-274.7.1.el5
    rhel-2.6.18-274.12.1.el5
    rhel-2.6.18-274.17.1.el5
    rhel-2.6.18-274.18.1.el5
    rhel-2.6.18-308.el5
    rhel-2.6.18-308.1.1.el5
    rhel-2.6.18-308.4.1.el5
    rhel-2.6.18-308.8.1.el5
    rhel-2.6.18-308.8.2.el5
    rhel-2.6.18-308.11.1.el5
    rhel-2.6.18-308.13.1.el5
    rhel-2.6.18-308.16.1.el5
    rhel-2.6.18-308.20.1.el5
    rhel-2.6.18-308.24.1.el5
    rhel-2.6.18-348.el5
    rhel-2.6.18-348.1.1.el5
    rhel-2.6.18-348.2.1.el5
    rhel-2.6.18-348.3.1.el5
    rhel-2.6.18-348.4.1.el5
    rhel-2.6.18-348.6.1.el5
    rhel-2.6.18-348.12.1.el5
    rhel-2.6.18-348.16.1.el5
    rhel-2.6.18-348.18.1.el5
    rhel-2.6.18-371.el5
    rhel-2.6.18-371.1.2.el5
    rhel-2.6.18-371.3.1.el5
    rhel-2.6.18-371.4.1.el5
    rhel-2.6.18-371.6.1.el5
    rhel-2.6.18-371.8.1.el5
    rhel-2.6.18-371.9.1.el5
    rhel-2.6.18-371.11.1.el5
    rhel-2.6.18-371.12.1.el5
    rhel-2.6.18-398.el5
    rhel-2.6.18-400.el5
    rhel-2.6.18-400.1.1.el5
    rhel-2.6.18-402.el5
    rhel-2.6.18-404.el5
    rhel-2.6.18-406.el5
    rhel-2.6.18-407.el5
    rhel-2.6.18-408.el5
    rhel-2.6.18-409.el5
    rhel-2.6.18-410.el5
    rhel-2.6.18-411.el5
    rhel-2.6.18-412.el5
    rhel-2.6.18-416.el5
    rhel-2.6.18-417.el5
    rhel-2.6.18-418.el5

    Compare that to kpatch or kgraft or so.


    Oracle Linux and Software Collections make it a great 'current' developer platform

    Oracle Linux major releases happen every few years. Oracle Linux 7 is the current version and this was released back in 2014, Oracle Linux 6 is from 2011, etc... When a major release goes out the door, it sort of freezes the various packages at a point in time as well. It locks down which major version of glibc, etc.

    Now, that doesn't mean that there won't be anything new added over time. Of course security fixes and critical bugfixes get backported from new versions into these various packages, and a good number of enhancements/features also get backported over the years. Very much so on the kernel side, but in a number of cases also in the various userspace packages. However, for the most part the focus is on stability and consistency. This is also the case with the different tools and compilers/languages. A concrete example: OL7 provides Python 2.7.5. This base release of Python will not change in newer OL7 updates; doing a big change would break compatibility etc., so it's kept stable at 2.7.5.

    A very important thing to keep reminding people of, however, again, is the fact that CVE fixes do get backported into these versions. I often hear someone ask if we ship a newer version of, say, openssl, because some CVE or other is fixed in that newer version - but typically that CVE would also be fixed in the versions we ship with OL. There is a difference between openssl the open source project, with CVEs fixed 'upstream', and openssl shipped as part of Oracle Linux versions and maintained and bug fixed over time with backports from upstream. We take care of critical bugs and security fixes in the current shipping versions.

    Anyway - there are other Linux distributions out there that 'evolve' much more frequently and by doing so, out of the box tend to come with newer versions of libraries and tools and packages and that makes it very attractive for developers that are not bound to longer term stability and compatibility. So the developer goes off and installs the latest version of everything and writes their apps using that. That's a fine model in some cases but when you have enterprise apps that might be deployed for many years and have a dependency on certain versions of scripting languages or libraries or what have you, you can't just replace those with something that's much newer, in particular much newer major versions. I am sure many people will agree that if you have an application written in python using 2.7.5 and run that in production, you're not going to let the sysadmin or so just go rip that out and replace it with python 3.5 and assume it all just works and is transparently compatible....

    So does that mean we are stuck? No... there is a yum repository called Software Collections Library which we make available to everyone on our freely accessible yum server. That Library gets updated on a regular basis, we are at version 2.3 right now, and it contains newer versions of many popular packages, typically newer compilers, toolkits etc. (such as GCC, Python, PHP, Ruby...). Things that developers want to use and are looking for more recent versions of.

    The channel is not enabled by default; you have to go in and edit /etc/yum.repos.d/public-yum-ol7.repo and set the ol7_software_collections repo to enabled=1. When you do that, you can then go and install the different versions that are offered. You can just browse the repo using yum or just look online. (Similar channels exist for Oracle Linux 6.) When you go and install these different versions, they get installed in /opt and they won't replace the existing versions. So if you have python installed by default with OL7 (2.7.5) and install Python 3.5 from the software collections, this new version goes into /opt/rh/rh-python35. You can then use the scl utility to selectively enable which application uses which version.
    An example:

    scl enable rh-python35 -- bash 

    One little caveat to keep in mind: if you have an early version of OL7 or OL6 installed, we do not modify the /etc/yum.repos.d/public-yum-ol7.repo file after initial installation (because we might overwrite changes you made), so it is always a good idea to get the latest version from our yum server. (You can find them here.) The channel/repo name might have changed or a new one could have been added or so...

    As you can see, Oracle Linux is/can be a very current developer platform. The packages are there, they are just provided in a model that keeps stability and consistency. There is no need to go download upstream package source code, compile it yourself and replace system toolkits/compilers, which can cause incompatibilities.

    Oracle Linux 6 update 9

    We just released Oracle Linux 6 update 9. The channels are on ULN and on our yum repo. The ISOs are available for download through MOS and in the next few days also on the software delivery cloud page, as customary. The release notes with changes are published and so on.

    One thing we discovered during testing of OL6.9 was that a recent change in "upstream" glibc can cause memory corruption resulting in a database start-up failure every now and then.

    Since we caught this prior to release, we have, of course, fixed the bug.

    The following code change introduced the bug (glibc-rh1012343.patch)

    	     char newmode[modelen + 2];
    	  -  memcpy (mempcpy (newmode, mode, modelen), "c", 2);
    	  +  memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
    	     FILE *result = fopen (file, newmode);
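
    Review bot: the "+" line still copies only 2 bytes, so "ce" lands in newmode without its terminating NUL, and char newmode[modelen + 2] has no room for one; fopen (file, newmode) then reads the mode string past the end of the array. Grow the array to modelen + 3 and copy 3 bytes, or derive both values from sizeof "ce" so the literal and the lengths cannot drift apart.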

    As you can see, someone added e to newmode (c to ce) but forgot to increase the size of newmode (2 to 3), so the terminating null character is never copied and there is no null character at the end of the mode string passed to fopen().
    The correct patch that we have in glibc as part of OL6.9 is:
    	-  char newmode[modelen + 2];
    	-  memcpy (mempcpy (newmode, mode, modelen), "ce", 2);
    	+  char newmode[modelen + 3];
    	+  memcpy (mempcpy (newmode, mode, modelen), "ce", 3);
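
    Review bot: the 3 in newmode[modelen + 3] and the 3 in the memcpy length are two hand-maintained constants tied to the length of "ce", the same pairing that went out of step in the earlier change; using sizeof "ce" for both would make a future flag added to the literal resize the buffer and the copy together. newmode is also a variable-length array sized from modelen, and these lines show no bound on it, so it is worth confirming at the call site that the mode string cannot be arbitrarily long.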

    The Oracle bug id is 25609196. The patch for this is in the glibc src rpm. The customer symptom would be a failed start of the database because of fopen() failing.
    Something like this:
      Wed Mar 22 *17:19:51* 2017
      *ORA-00210: cannot open the specified control file*
      ORA-00202: control file:'/opt/oracle/oltest/.srchome/single-database/nas/12.1.0.2.0-8192-72G/control_001'
      ORA-27054: NFS file system where the file is created or resides is
      not mounted with correct options
      *Linux-x86_64 Error: 13: Permission denied*
      Additional information: 2
      ORA-205 signalled during: ALTER DATABASE   MOUNT...
      Shutting down instance (abort) 

    Oracle Linux 6 for SPARC

    Oracle Linux 6 for SPARC is now available for download from OTN and the release notes can be found here.

    This version of Oracle Linux 6 uses UEK2 (there is no RHCK here of course as there is no corresponding release on SPARC) and this OS release can be installed on T4, T5 and T7 (M7,M5) but not yet on the S7 platform. OL6 for SPARC contains all the packages (binary and -devel) for DAX, ADI (SSM), an updated version of openssl with support of on-chip crypto features.

    We also provide the SPARC LDOM Manager code (both source and binary). With LDOM manager installed you can run Oracle Linux as a control domain for both Linux and Solaris guests. You can of course also install Linux as a guest domain on top of Solaris. The kernel supports vswitch and vdiskserver etc. A native (Linux only) installation is also supported.

    Our yum repo will have the OL6/sparc channels later today. The repo also contains -devel packages and the toolchains for gcc etc ... BTW of course, gcc supports M7 (cpu) optimizations. We have optimized memcpy and tons of other stuff.

    Lots of SPARC Linux kernel code is already in upstream Linux but a bunch of stuff is in progress of going in. The same goes for user space code. glib and gcc patches have for the most part been submitted upstream and committed, some are pending.

    A newer ISO with UEK(4) is on its way (we have builds and are testing). This update will also support the S7 systems/chip.

    OL6 for SPARC doesn't yet contain -all- the RPMs that are part of Oracle Linux on x86. Right now, it is just a subset however we will be expanding it over time.

    I will blog about some Dax and ADI/SSM samples in a few days :) some ldom control domain tips etc...

    have fun

    The magic of ksplice

    I love talking about Oracle Ksplice and how cool a technology and feature it is. Whenever I explain to customers how much they can do with it, they often just can't believe the capabilities until I show them, in a matter of literally 5 seconds that it actually really -just works-.

    During Oracle OpenWorld, we talked about it a lot, of course, and I wanted to show you how far back these ksplice updates can go. How much flexibility it gives a system administrator in terms of which kernel to use, how easy and fast it is, etc...

    One of the main advantages of the ksplice technology is the ability for us to build these updates for many, many, yes many,... kernels and have a highly automated and scalable build infrastructure. When we publish a ksplice update, we build the update for -every kernel errata- released since the first kernel for that given major distribution release we started to support. What does this mean? Well, in the case of Oracle Linux 5, we currently support ksplice updates starting with Oracle Linux 5 update 4's kernel. The base-kernel being the Red Hat Compatible kernel : 2.6.18-164.el5 built, Thu Sep 3 04:15:13 EDT 2009. Yes, you read that right, September 2009. So during the lifetime of Oracle Linux 5, starting with that kernel, we publish ksplice updates for every kernel since then to today (and forward, of course). So no matter what errata kernel you are on, since -164, or major Oracle Linux 5 release, ksplice updates released after that date will be available for all those kernels. A simple uptrack-upgrade will take that running version up to the latest updates. While the main focus of the ksplice online updates is around CVEs, we also add critical fixes to it as well, so it's a combination of both.

    So back to OL5.4. Running uname shows 2.6.18-164.el5. After uptrack-upgrade -y it will say 2.6.18-398.el5 (which by the way is the latest kernel for OL5 for 2.6.18). You can see the output below, you can also see how many 'minutes' it took, without reboot, all current and active right away, and you can follow the timeframe by looking at the year right behind CVE. You will see CVEs from 2009, 2010, 2011, 2012, 2013 and 2014. Completely current.

    Now, this can be done on a running system. To install ksplice and start using it, you don't need to reboot; just install the uptrack tools and you're good to go. You can be current with CVEs and critical bugs without rebooting for years. You can be current even though you run an older update release of Oracle Linux, and you are not required to take new kernels that potentially (in the RHCK case) have new features backported, introducing new code beyond just bugfixes, and new device drivers, which on a stable system you don't necessarily want or need. So it's always good to update to newer kernels when you get new hardware and you need new device drivers, but for existing stable production systems you don't really want or need that, nor do you necessarily need to get stuff from new kernels backported into older versions (again, in particular in the RHCK case), which will introduce a lot of change. I will show you the lines-of-code change in another blog entry. ksplice lets you stick with an older version, yet anything critical and CVE related will be there for you, and this for any errata kernel you start with since, in the OL5 case, update 4... Not just one update earlier, but any kernel at any point in time.

    If you do have periodic scheduled reboots, fine, install the kernel rpms so that the next time you reboot, it boots into the latest kernel, if you want, but you don't have to. You have complete flexibility if and when you need it.

    I hope that the output of this and a follow up blog I will do on OL6 as a similar example, shows how scalable this is, how much use this has had, how many updates we have done and can do, how complex these updates are (not just a one liner change in some file) not just a one off for one customer case but scalable. Also, with tons of checks in place so that it works for kernel modules, so that it won't lock up your box, we validate that it's the right kernel, that these updates are safe to apply, etc, etc.. proven, 7+ years old technology. And completely supported by us. You can run your database or middleware software and run uptrack-upgrade while it's up and running and humming along... perfectly OK.

    time uptrack-upgrade -y
    The following steps will be taken:
    Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
    Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
    Install [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
    Install [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
    Install [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
    Install [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
    Install [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
    Install [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
    Install [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
    Install [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
    Install [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
    Install [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
    Install [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
    Install [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
    Install [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
    Install [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
    Install [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
    Install [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
    Install [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
    Install [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
    Install [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
    Install [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
    Install [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
    Install [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
    Install [qdlkztzx] Kernel crash forwarding network traffic.
    Install [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
    Install [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
    Install [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
    Install [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
    Install [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
    Install [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
    Install [xem0m4sg] Floating point state corruption after signal.
    Install [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
    Install [3ulklysv] CVE-2010-0307: Denial of service on amd64
    Install [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
    Install [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
    Install [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
    Install [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
    Install [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
    Install [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
    Install [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
    Install [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
    Install [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
    Install [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
    Install [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
    Install [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
    Install [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
    Install [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
    Install [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
    Install [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
    Install [59car2zc] CVE-2010-2798: Denial of service in GFS2.
    Install [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
    Install [5mgd1si0] Improved fix to CVE-2010-1173.
    Install [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
    Install [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
    Install [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
    Install [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
    Install [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
    Install [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
    Install [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
    Install [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
    Install [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
    Install [ff1wrijq] Buffer overflow in icmpmsg_put.
    Install [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
    Install [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
    Install [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
    Install [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
    Install [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
    Install [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
    Install [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
    Install [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
    Install [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
    Install [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
    Install [usukkznh] Mitigate denial of service attacks with large argument lists.
    Install [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
    Install [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
    Install [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
    Install [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
    Install [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
    Install [hnbz3ppf] Integer overflow in sys_remap_file_pages.
    Install [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
    Install [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
    Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
    Install [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
    Install [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
    Install [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
    Install [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
    Install [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
    Install [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
    Install [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
    Install [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
    Install [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
    Install [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
    Install [ifgdet83] Use-after-free in MPT driver.
    Install [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
    Install [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
    Install [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
    Install [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
    Install [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
    Install [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
    Install [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
    Install [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
    Install [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
    Install [jz43fdgc] Denial of service in NFS server via reference count leak.
    Install [h860edrq] Fix a packet flood when initializing a bridge device without STP.
    Install [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
    Install [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
    Install [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
    Install [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
    Install [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
    Install [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
    Install [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
    Install [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
    Install [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
    Install [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
    Install [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
    Install [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
    Install [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
    Install [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
    Install [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
    Install [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
    Install [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
    Install [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
    Install [ofrder8l] Hangs using direct I/O with XFS filesystem.
    Install [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
    Install [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
    Install [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
    Install [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
    Install [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
    Install [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
    Install [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
    Install [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
    Install [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
    Install [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
    Install [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
    Install [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
    Install [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
    Install [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
    Install [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
    Install [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
    Install [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
    Install [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
    Install [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
    Install [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
    Install [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
    Install [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
    Install [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
    Install [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
    Install [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
    Install [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
    Install [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
    Install [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
    Install [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
    Install [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
    Install [uknrp2eo] Denial of service in filesystem unmounting.
    Install [97u6urvt] Soft lockup in USB ACM driver.
    Install [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
    Install [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
    Install [yc146ytc] Unresponsive I/O using QLA2XXX driver.
    Install [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
    Install [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
    Install [bvoz27gv] Arithmetic overflow in clock source calculations.
    Install [lzwurn1u] ext4 filesystem corruption on fallocate.
    Install [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
    Install [9do532u6] Kernel panic when overcommiting memory with NFSd.
    Install [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
    Install [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
    Install [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
    Install [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
    Install [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
    Install [l093jvcl] Kernel panic in SMB extended attributes.
    Install [qlzoyvty] Kernel panic in ext3 indirect blocks.
    Install [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
    Install [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
    Install [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
    Install [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
    Install [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
    Install [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
    Install [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
    Install [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
    Install [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
    Install [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
    Install [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
    Install [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
    Install [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
    Install [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
    Install [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
    Install [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
    Install [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
    Install [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
    Install [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
    Install [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
    Install [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
    Install [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
    Install [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
    Install [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
    Install [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
    Install [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
    Install [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
    Install [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
    Install [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
    Install [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
    Install [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
    Install [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
    Install [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
    Install [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
    Install [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
    Install [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
    Install [pz65qqpk] Panic in GFS2 filesystem locking code.
    Install [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
    Install [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
    Install [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
    Install [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
    Install [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
    Install [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
    Installing [v5267zuo] Clear garbage data on the kernel stack when handling signals.
    Installing [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
    Installing [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
    Installing [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
    Installing [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
    Installing [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
    Installing [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
    Installing [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
    Installing [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
    Installing [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
    Installing [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
    Installing [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
    Installing [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
    Installing [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
    Installing [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
    Installing [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
    Installing [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
    Installing [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
    Installing [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
    Installing [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
    Installing [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
    Installing [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
    Installing [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
    Installing [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
    Installing [qdlkztzx] Kernel crash forwarding network traffic.
    Installing [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
    Installing [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
    Installing [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
    Installing [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
    Installing [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
    Installing [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
    Installing [xem0m4sg] Floating point state corruption after signal.
    Installing [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
    Installing [3ulklysv] CVE-2010-0307: Denial of service on amd64
    Installing [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
    Installing [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
    Installing [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
    Installing [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
    Installing [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
    Installing [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
    Installing [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
    Installing [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
    Installing [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
    Installing [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
    Installing [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
    Installing [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
    Installing [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
    Installing [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
    Installing [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
    Installing [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
    Installing [59car2zc] CVE-2010-2798: Denial of service in GFS2.
    Installing [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
    Installing [5mgd1si0] Improved fix to CVE-2010-1173.
    Installing [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
    Installing [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
    Installing [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
    Installing [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
    Installing [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
    Installing [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
    Installing [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
    Installing [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
    Installing [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
    Installing [ff1wrijq] Buffer overflow in icmpmsg_put.
    Installing [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
    Installing [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
    Installing [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
    Installing [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
    Installing [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
    Installing [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
    Installing [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
    Installing [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
    Installing [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
    Installing [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
    Installing [usukkznh] Mitigate denial of service attacks with large argument lists.
    Installing [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
    Installing [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
    Installing [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
    Installing [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
    Installing [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
    Installing [hnbz3ppf] Integer overflow in sys_remap_file_pages.
    Installing [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
    Installing [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
    Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
    Installing [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
    Installing [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
    Installing [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
    Installing [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
    Installing [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
    Installing [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
    Installing [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
    Installing [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
    Installing [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
    Installing [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
    Installing [ifgdet83] Use-after-free in MPT driver.
    Installing [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
    Installing [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
    Installing [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
    Installing [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
    Installing [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
    Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
    Installing [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
    Installing [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
    Installing [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
    Installing [jz43fdgc] Denial of service in NFS server via reference count leak.
    Installing [h860edrq] Fix a packet flood when initializing a bridge device without STP.
    Installing [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
    Installing [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
    Installing [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
    Installing [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
    Installing [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
    Installing [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
    Installing [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
    Installing [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
    Installing [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
    Installing [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
    Installing [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
    Installing [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
    Installing [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
    Installing [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
    Installing [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
    Installing [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
    Installing [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
    Installing [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
    Installing [ofrder8l] Hangs using direct I/O with XFS filesystem.
    Installing [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
    Installing [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
    Installing [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
    Installing [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
    Installing [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
    Installing [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
    Installing [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
    Installing [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
    Installing [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
    Installing [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
    Installing [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
    Installing [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
    Installing [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
    Installing [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
    Installing [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
    Installing [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
    Installing [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
    Installing [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
    Installing [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
    Installing [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
    Installing [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
    Installing [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
    Installing [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
    Installing [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
    Installing [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
    Installing [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
    Installing [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
    Installing [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
    Installing [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
    Installing [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
    Installing [uknrp2eo] Denial of service in filesystem unmounting.
    Installing [97u6urvt] Soft lockup in USB ACM driver.
    Installing [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
    Installing [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
    Installing [yc146ytc] Unresponsive I/O using QLA2XXX driver.
    Installing [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
    Installing [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
    Installing [bvoz27gv] Arithmetic overflow in clock source calculations.
    Installing [lzwurn1u] ext4 filesystem corruption on fallocate.
    Installing [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
    Installing [9do532u6] Kernel panic when overcommiting memory with NFSd.
    Installing [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
    Installing [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
    Installing [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
    Installing [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
    Installing [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
    Installing [l093jvcl] Kernel panic in SMB extended attributes.
    Installing [qlzoyvty] Kernel panic in ext3 indirect blocks.
    Installing [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
    Installing [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
    Installing [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
    Installing [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
    Installing [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
    Installing [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
    Installing [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
    Installing [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
    Installing [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
    Installing [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
    Installing [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
    Installing [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
    Installing [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
    Installing [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
    Installing [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
    Installing [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
    Installing [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
    Installing [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
    Installing [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
    Installing [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
    Installing [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
    Installing [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
    Installing [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
    Installing [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
    Installing [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
    Installing [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
    Installing [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
    Installing [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
    Installing [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
    Installing [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
    Installing [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
    Installing [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
    Installing [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
    Installing [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
    Installing [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
    Installing [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
    Installing [pz65qqpk] Panic in GFS2 filesystem locking code.
    Installing [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
    Installing [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
    Installing [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
    Installing [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
    Installing [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
    Installing [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
    Your kernel is fully up to date.
    Effective kernel version is 2.6.18-398.el5

    real    0m59.447s
    user    0m22.640s
    sys     0m22.611s

    1 minute for 215 updates. And this isn't one minute of hang, it applies each patch and just takes a few microseconds to apply. So your applications or users won't experience hangs or hiccups at all.

    The magic of ksplice continues...

    My previous blog entry talked about some cool use cases of ksplice, and I used Oracle Linux 5 as the example. In this blog entry I just wanted to add Oracle Linux 6 to it. For Oracle Linux 6, we go all the way back to the GA date of OL6: 2.6.32-71.el6, build date Wed Dec 15 12:36:54 EST 2010. We support ksplice online updates from that point on, up to today. It is the same model: you can be on any Oracle Linux 6 kernel (an errata update, or a specific kernel from an update release like 6.1, ... 6.5, ...) and get current with CVEs and critical fixes from then on. After running uptrack-upgrade, I get to be current: 2.6.32-431.29.2.el6

    I ran out of xterm buffer space ;-) so I'm starting with the Installing part of the output of uptrack-upgrade -y:

    Installing [1y0hqxq7] Invalid memory access in dynamic debug entry listing.
    Installing [1f9nec9b] Clear garbage data on the kernel stack when handling signals.
    Installing [lrh0cfph] Reduce usage of reserved percpu memory.
    Installing [uo1fmxxr] CVE-2010-2962: Privilege escalation in i915 pread/pwrite ioctls.
    Installing [11ofaaud] CVE-2010-3084: Buffer overflow in ETHTOOL_GRXCLSRLALL command.
    Installing [8u4favcu] CVE-2010-3301: Privilege escalation in 32-bit syscall entry via ptrace.
    Installing [ayk01zir] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
    Installing [p1o8wy3o] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
    Installing [r1mlwooa] CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.
    Installing [584zm6x2] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
    Installing [vt03uggp] CVE-2010-2955: Information leak in wireless extensions.
    Installing [7rzgltfi] CVE-2010-3079: NULL pointer dereference in ftrace.
    Installing [oyaovezn] CVE-2010-3437: Information leak in pktcdvd driver.
    Installing [70cjk1y6] CVE-2010-3698: Denial of service vulnerability in KVM host.
    Installing [9dm5foy9] CVE-2010-3081: Privilege escalation through stack underflow in compat.
    Installing [mhsn7n2j] Memory corruption during KSM swapping.
    Installing [kn5l6sh5] KVM guest crashes due to unsupported model-specific registers.
    Installing [xmx98rz9] Erroneous merge of block write with block discard request.
    Installing [23nlxpse] CVE-2010-2803: Information leak in drm subsystem.
    Installing [mo9lbpsi] Memory leak in DRM buffer object LRU list handling.
    Installing [91hrmhbr] Memory leak in GEM drm_vma_entry handling.
    Installing [apryc0uo] CVE-2010-3865: Integer overflow in RDS rdma page counting.
    Installing [ur02tbrc] CVE-2010-4160: Privilege escalation in PPP over L2TP.
    Installing [5o3hvdgy] CVE-2010-4263: NULL pointer dereference in igb network driver.
    Installing [a3z3nda1] CVE-2010-3477: Information leak in tcf_act_police_dump.
    Installing [lsd1hzvx] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
    Installing [z92iokkb] CVE-2010-3080: Privilege escalation in ALSA sound system OSS emulation.
    Installing [23yh7u1i] CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL ioctl.
    Installing [jxtltpyu] CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.
    Installing [5fuyrpx3] CVE-2010-4162: Integer overflow in block I/O subsystem.
    Installing [ylkgl75m] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
    Installing [ppawlabm] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
    Installing [q4n7w8t6] CVE-2010-3067: Information leak in sys_io_submit.
    Installing [0w2s15ix] CVE-2010-3298: Information leak in hso_get_count().
    Installing [dfi8ncbj] CVE-2010-3876: Kernel information leak in packet subsystem.
    Installing [ahrdouix] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
    Installing [wvbjfli8] CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.
    Installing [pkhcqtro] CVE-2010-4075: Kernel information leak in serial subsystem.
    Installing [cwksn40u] CVE-2010-4077: Kernel information leak in nozomi driver.
    Installing [q4d3smds] CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.
    Installing [z4duwd7q] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
    Installing [eajqjo74] CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO.
    Installing [6hrf2a3e] CVE-2010-4083: Information leak in System V IPC.
    Installing [3xm2ly3f] CVE-2010-4158: Kernel information leak in socket filters.
    Installing [5y2oasdw] CVE-2010-4525: Information leak in KVM VCPU events ioctl.
    Installing [35e4qfr6] CVE-2010-2492: Privilege escalation in eCryptfs.
    Installing [rr12rtq3] Data corruption due to bad flags in break_lease and may_open.
    Installing [20cz9gp7] Kernel oops in network neighbour update.
    Installing [m650djkx] Deadlock on fsync during dm device resize.
    Installing [c19gus65] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
    Installing [3e86rex1] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
    Installing [cxb3m3ae] CVE-2010-4165: Denial of service in TCP from user MSS.
    Installing [dii4wm64] CVE-2010-4169: Use-after-free bug in mprotect system call.
    Installing [e465fr49] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
    Installing [5s3fe1cn] Mitigate denial of service attacks with large argument lists.
    Installing [j8jwyth1] Memory corruption in multipath deactivation queueing.
    Installing [5qkkyd5m] Kernel panic in network bonding on ARP receipt.
    Installing [f9j8s6u6] Failure to recover NFSv4 client state on server reboot.
    Installing [qa379ag5] CVE-2011-0714: Remote denial of service in RPC server sockets.
    Installing [12q8wuvd] CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.
    Installing [tm68xsph] CVE-2011-0695: Remote denial of service in InfiniBand setup.
    Installing [fk2zg5ec] CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.
    Installing [bcfvwcux] CVE-2011-0716: Memory corruption in IGMP bridge snooping.
    Installing [smkv0oja] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
    Installing [3eu2kr7i] CVE-2010-3296: Kernel information leak in cxgb driver.
    Installing [3skmaxct] CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.
    Installing [xuxi8p7r] CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.
    Installing [7npiqvil] CVE-2010-4655: Information leak in ETHTOOL_GREGS ioctl.
    Installing [en0luyx8] Denial of service on empty virtio_console write.
    Installing [yv0cumoa] Denial of service in r8169 receive queue handling.
    Installing [j6vlp89e] Failure of virtio_net device on guest low-memory condition.
    Installing [q53j90kj] KVM guest crash due to stale memory on migration.
    Installing [ri498cnm] KVM guest crash due to unblocked NMIs on STI instruction.
    Installing [tlrgiz2i] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
    Installing [9eta98wf] Use-after-free in CIFS session management.
    Installing [19wu4xr4] CVE-2011-0712: Buffer overflows in caiaq driver.
    Installing [3cxo6wrf] CVE-2011-1079: Denial of service in Bluetooth BNEP.
    Installing [kzieu2je] CVE-2011-1080: Information leak in netfilter.
    Installing [ekzp14u9] CVE-2010-4258: Failure to revert address limit override after oops.
    Installing [jd3cmfll] CVE-2011-0006: Unhandled error condition when adding security rules.
    Installing [jk52g3fx] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
    Installing [z2ne1xi4] CVE-2011-1013: Signedness error in drm.
    Installing [gb4ntots] Cache allocation bug in DCCP.
    Installing [pe4f00pm] CVE-2011-1093: NULL pointer dereference in DCCP.
    Installing [yypibd1k] CVE-2011-1573: Denial of service in SCTP.
    Installing [02al7nxj] CVE-2011-0726: Address space leakage through /proc/pid/stat.
    Installing [00ahpz3z] CVE-2011-0711: Information leak in XFS filesystem.
    Installing [iczdh30p] CVE-2010-4250: Reference count leak in inotify failure path.
    Installing [ea8bohrp] Infinite loop in tty auditing.
    Installing [85iuyyyj] Buffer overflow in iptables CLUSTERIP target.
    Installing [8o0892h3] CVE-2010-4565: Information leak in Broadcast Manager CAN protocol.
    Installing [p3ck0dr6] CVE-2011-1019: Module loading restriction bypass with CAP_NET_ADMIN.
    Installing [w8sa7qie] CVE-2011-1016: Privilege escalation in radeon GPU driver.
    Installing [aqnhua0z] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
    Installing [mla0f8wz] CVE-2011-1082: Denial of service in epoll.
    Installing [5dbkxjue] CVE-2011-1090: Denial of service in NFSv4 client.
    Installing [4qj7c7qc] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
    Installing [3vf1zjzf] CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
    Installing [a03rwxbz] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
    Installing [7z04dctw] Incorrect interrupt handling on down e1000 interface.
    Installing [ep319ryq] CVE-2011-1770: Remote denial of service in DCCP options parsing.
    Installing [qp7al6tc] CVE-2010-3858: Denial of service vulnerability with large argument lists.
    Installing [85n0mc4q] CVE-2011-1598: Denial of service in CAN/BCM protocol.
    Installing [z8t1hsjb] CVE-2011-1748: Denial of service in CAN raw sockets.
    Installing [pvtdn3yd] CVE-2011-1767: Incorrect initialization order in ip_gre.
    Installing [xughs2jb] CVE-2011-1768: Incorrect initialization order in IP tunnel protocols.
    Installing [k6a6bqyr] CVE-2011-2479: Denial of service with transparent hugepages and /dev/zero.
    Installing [pmkvbrcc] CVE-2011-1776: Missing boundary checks in EFI partition table parsing.
    Installing [pb9pjnnn] CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.
    Installing [mnpd8mip] CVE-2011-1593: Missing bounds check in proc filesystem.
    Installing [d6vuea6w] CVE-2011-2213: Arbitrary code injection bug in IPv4 subsystem.
    Installing [zmfowuqn] CVE-2011-2491: Local denial of service in NLM subsystem.
    Installing [402w3brr] CVE-2011-2492: Information leak in bluetooth implementation.
    Installing [vi7qxs20] CVE-2011-2497: Buffer overflow in the Bluetooth subsystem.
    Installing [ql0oxrhk] CVE-2011-2517: Buffer overflow in nl80211 driver.
    Installing [0xcbigxp] CVE-2011-1576: Denial of service with VLAN packets and GRO.
    Installing [127f4d1u] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
    Installing [w72wz6f4] CVE-2011-2495: Information leak in /proc/PID/io.
    Installing [c8v0sk8t] CVE-2011-1160: Information leak in tpm driver.
    Installing [1nt1dahj] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
    Installing [bxqvqvef] CVE-2011-1746: Integer overflow in agp_allocate_memory.
    Installing [d4m9k310] CVE-2011-2484: Denial of service in taskstats subsystem.
    Installing [3vlbyy24] CVE-2011-2496: Local denial of service in mremap().
    Installing [e0lkqz3i] CVE-2011-2723: Remote denial of service vulnerability in gro.
    Installing [99r3sbjg] CVE-2011-2898: Information leak in packet subsystem
    Installing [3ev4sw2b] CVE-2011-2918: Denial of service in event overflows in perf.
    Installing [ll9j5877] CVE-2011-1833: Information disclosure in eCryptfs.
    Installing [ww2gv7iv] CVE-2011-3359: Denial of service in Broadcom 43xx wireless driver.
    Installing [9x0ub4l1] CVE-2011-3363: Denial of service in CIFS via malicious DFS referrals.
    Installing [ggvpdbug] CVE-2011-3188: Weak TCP sequence number generation.
    Installing [z4pt0sai] CVE-2011-1577: Denial of service in GPT partition handling.
    Installing [omnzxxxr] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
    Installing [o4xkg2el] CVE-2011-3191: Privilege escalation in CIFS directory reading.
    Installing [e2eyyaf9] CVE-2011-1162: Information leak in TPM driver.
    Installing [1fmgtd1b] CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.
    Installing [ldjwxwd5] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
    Installing [tnhvync5] CVE-2011-2494: Information leak in task/process statistics.
    Installing [gi4te905] CVE-2011-3593: Denial of service in VLAN with priority tagged frames.
    Installing [h1wiua6s] CVE-2011-4110: Denial of service in kernel key management facilities.
    Installing [4yrxpwih] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
    Installing [gz5jfzi3] CVE-2011-1020: Missing access restrictions in /proc subsystem.
    Installing [o31erbbr] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
    Installing [yqaa1zsp] Arithmetic overflow in clock source calculations.
    Installing [vxfxrncu] CVE-2011-4077: Buffer overflow in xfs_readlink.
    Installing [rnvy1bow] CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.
    Installing [5bokjzmm] CVE-2011-4132: Denial of service in Journaling Block Device layer.
    Installing [q7t7hls4] CVE-2011-4347: Denial of service in KVM device assignment.
    Installing [wmeoffm9] CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.
    Installing [gu3picnz] CVE-2012-0038: In-memory corruption in XFS ACL processing.
    Installing [v2td9qse] CVE-2012-0045: Denial of service in KVM system call emulation.
    Installing [n2xairv0] CVE-2012-0879: Denial of service in CLONE_IO.
    Installing [2k2kq44h] Fix crash on discard in the software RAID driver.
    Installing [i244mlk5] CVE-2012-1097: NULL pointer dereference in the ptrace subsystem.
    Installing [2anjx00z] CVE-2012-1090: Denial of service in the CIFS filesystem reference counting.
    Installing [3ujb9j7q] Inode corruption in XFS inode lookup.
    Installing [01x2k6jv] Denial of service due to race condition in the scheduler subsystem.
    Installing [hfh1ug4u] CVE-2011-4086: Denial of service in journaling block device.
    Installing [4wb0i9tz] CVE-2012-1601: Denial of service in KVM VCPU creation.
    Installing [aqut3qai] CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.
    Installing [0zkt2e47] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
    Installing [pe6u1nwx] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
    Installing [jqtlake1] CVE-2012-2121: Memory leak in KVM device assignment.
    Installing [u6ys5804] CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.
    Installing [lr9cjz2p] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
    Installing [nscqru85] CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.
    Installing [j01o1nco] ext4 filesystem corruption on fallocate.
    Installing [p37lmn34] CVE-2012-2745: Denial-of-service in kernel key management.
    Installing [alprvnsv] CVE-2012-2744: Remote denial-of-service in IPv6 connection tracking.
    Installing [m06ws6vc] Unreliable futexes with read-only shared mappings.
    Installing [b7mpy2k1] CVE-2011-1078: Information leak in Bluetooth SCO link driver.
    Installing [pywfzhvz] CVE-2012-2384: Integer overflow in i915 execution buffer.
    Installing [2ibdnvmo] Livelock due to invalid locking strategy when adding a leap-second.
    Installing [oixf5hkj] CVE-2012-2384: Additional fix for integer overflow in i915 execution buffer.
    Installing [m4x7vdnl] CVE-2012-2390: Memory leak in hugetlbfs mmap() failure.
    Installing [o2a3jmox] CVE-2012-2313: Privilege escalation in the dl2k NIC.
    Installing [u3qpyl86] CVE-2012-3430: kernel information leak in RDS sockets.
    Installing [wr1of5oe] CVE-2012-3552: Denial-of-service in IP options handling.
    Installing [y40wlmcw] CVE-2012-3412: Remote denial of service through TCP MSS option in SFC NIC.
    Installing [dxshabnc] Use-after-free in USB.
    Installing [aovf4isj] Race condition in SUNRPC.
    Installing [trz9wa6p] CVE-2012-3400: Buffer overflow in UDF parsing.
    Installing [062ge0uf] CVE-2012-3511: Use-after-free due to race condition in madvise.
    Installing [tu585kp5] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
    Installing [fky5li3t] CVE-2012-2133: Use-after-free in hugetlbfs quota handling.
    Installing [xtpg99y6] CVE-2012-5517: NULL pointer dereference in memory hotplug.
    Installing [ffehzdo8] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
    Installing [u0d6ztl3] CVE-2012-4565: Divide by zero in TCP congestion control Algorithm.
    Installing [7au7wp12] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
    Installing [80vrmgyk] CVE-2012-4530: Kernel information leak in binfmt execution.
    Installing [uytq1dk0] CVE-2012-4398: Denial-of-service in kernel module loading.
    Installing [3c5erej0] CVE-2013-0310: NULL pointer dereference in CIPSO socket options.
    Installing [j8x8j89y] CVE-2013-0311: Privilege escalation in vhost descriptor management.
    Installing [mkibg12j] CVE-2012-4508: Stale data exposure in ext4.
    Installing [daw7s3mo] CVE-2012-4542: SCSI command filter does not restrict access to read-only devices.
    Installing [nqlo7yy2] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
    Installing [l6zf9mec] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
    Installing [r88p6prz] CVE-2013-1798: Information leak in KVM APIC driver.
    Installing [tquaqo7o] CVE-2013-1792: Denial-of-service in user keyring management.
    Installing [ao71x17l] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
    Installing [875umolk] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
    Installing [4dr93r2j] CVE-2013-1827: Denial-of-service in DCCP socket options.
    Installing [cdrfdlrt] CVE-2013-0349: Kernel information leak in Bluetooth HIDP support.
    Installing [9j8xk8dz] CVE-2012-6546: Information leak in ATM sockets.
    Installing [4oeurjvw] CVE-2013-1767: Use-after-free in tmpfs mempolicy remount.
    Installing [yhprsmoc] CVE-2013-1773: Heap buffer overflow in VFAT Unicode handling.
    Installing [amh400jp] CVE-2012-6547: Kernel stack leak from TUN ioctls.
    Installing [532069fc] CVE-2013-1774: NULL pointer dereference in USB Inside Out Edgeport serial driver.
    Installing [uaslykxk] CVE-2013-2017: Double free in Virtual Ethernet Tunnel driver (veth).
    Installing [1vegmzxj] CVE-2013-1943: Local privilege escalation in KVM memory mappings.
    Installing [wddz9qxt] CVE-2012-6548: Information leak in UDF export.
    Installing [d51dm2vs] CVE-2013-0914: Information leak in signal handlers.
    Installing [sxb5x0pd] CVE-2013-2852: Invalid format string usage in Broadcom B43 wireless driver.
    Installing [vzlh2p9r] CVE-2013-3222: Kernel stack information leak in ATM sockets.
    Installing [l1wlz1f1] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
    Installing [m0y7j4ra] CVE-2013-3225: Kernel stack information leak in Bluetooth rfcomm.
    Installing [3m5ckvvm] CVE-2013-3301: NULL pointer dereference in tracing sysfs files.
    Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
    Installing [0m3a5xq8] CVE-2013-2128: Denial of service in TCP splice.
    Installing [2fg4nowt] CVE-2013-2232: Memory corruption in IPv6 routing cache.
    Installing [m4a0xb93] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
    Installing [pqfoprcp] CVE-2013-2237: Information leak on IPSec key socket.
    Installing [i1ha5yp7] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
    Installing [aqfegdn1] CVE-2013-4299: Information leak in device mapper persistent snapshots.
    Installing [oojymn3l] CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.
    Installing [kb7zovzd] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
    Installing [7ew8svwd] Off-by-one error causes reduced entropy in kernel PRNG.
    Installing [v3hs5diu] CVE-2013-2888: Memory corruption in Human Input Device processing.
    Installing [aew2tmdl] CVE-2013-2889: Memory corruption in Zeroplus HID driver.
    Installing [ox2wqeva] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
    Installing [w9rhkfub] CVE-2013-1928: Kernel information leak in compat_ioctl/VIDEO_SET_SPU_PALETTE.
    Installing [r55nqyci] CVE-2013-2164: Kernel information leak in the CDROM driver.
    Installing [1vgf62zi] CVE-2013-2234: Information leak in IPsec key management.
    Installing [hc532irb] CVE-2013-2851: Format string vulnerability is software RAID device names.
    Installing [e129vh8h] CVE-2013-4592: Denial-of-service in KVM IOMMU mappings.
    Installing [9wzwcaep] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
    Installing [ufm8ladu] CVE-2013-4470: Memory corruption in IPv4 and IPv6 networking corking with UFO.
    Installing [5rh9jkmi] CVE-2013-6367: Divide-by-zero in KVM LAPIC.
    Installing [ur8700aj] CVE-2013-6368: Memory corruption in KVM virtual APIC accesses.
    Installing [nyg2e0m1] Error in the tag insertion logic of the bonding network device.
    Installing [1ekik21n] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
    Installing [m8de4fmg] CVE-2013-7263, CVE-2013-7265: Information leak in IPv4, IPv6 and PhoNet socket recvmsg.
    Installing [p4ufjdr0] CVE-2014-0101: NULL pointer dereference in SCTP protocol.
    Installing [o86dh6ww] Use-after-free in EDAC Intel E752X driver.
    Installing [b2h8hej4] Deadlock in XFS filesystem when removing a inode from namespace.
    Installing [nvhmnvp6] Memory leak in GFS2 filesystem for files with short lifespan.
    Installing [7brqevk0] CVE-2013-1860: Buffer overflow in Wireless Device Management driver.
    Installing [4nh0vuhi] Missing check in selinux for IPSec TCP SYN-ACK packets.
    Installing [zvvk1k2q] Logic error in selinux when checking permissions on recv socket.
    Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.
    Installing [1r5tw9sm] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
    Installing [z4k7xryp] CVE-2014-2523: Remote crash via DCCP conntrack.
    Installing [pi89wa2j] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
    Installing [b4x8o44g] CVE-2014-0196: Pseudo TTY device write buffer handling race.
    Installing [s8s7tfsm] CVE-2014-3153: Local privilege escalation in futex requeueing.
    Installing [bqk9mi1j] CVE-2013-6378: Denial-of-service in Marvell 8xxx Libertas WLAN driver.
    Installing [rokmr7ey] CVE-2014-1874: Denial-of-service in SELinux on empty security context.
    Installing [hxq9cdju] CVE-2014-0203: Memory corruption on listing procfs symbolic links.
    Installing [n6kpf53d] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
    Installing [pbab6ibn] CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.
    Installing [8n932y6h] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.
    Installing [yfh1rar2] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
    Installing [5z4hhyp3] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
    Installing [1vpc7i76] CVE-2012-6647: NULL pointer dereference in non-pi futexes.
    Installing [ruu6bc4r] CVE-2014-3144, CVE-2014-3145: Multiple local denial of service vulnerabilities in netlink.
    Installing [hgeqfh2x] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
    Installing [345v5a2z] CVE-2014-4667: Denial-of-service in SCTP stack when unpacking a COOKIE_ECHO chunk.
    Installing [92st5y9o] CVE-2014-0205: Use-after-free in futex refcounting.
    Your kernel is fully up to date.
    Effective kernel version is 2.6.32-431.29.2.el6

    real    1m26.960s
    user    0m39.562s
    sys     0m34.806s

    And now, 1 min 27 seconds for 267 patches, both CVEs and critical fixes...
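To check which CVE IDs a run like the one above actually applied, the Installing lines can be parsed, including the shorthand forms such as "CVE-2013-2634, 2635" and "CVE-2013-(726[6789], ...)". This is an added example, not part of the original post or of the uptrack tooling; the function names and the CVE-2099-0001 placeholder are assumptions, and the sample lines are copied from the output above.

```python
import itertools
import re

# Excerpt of the uptrack-upgrade output shown above (IDs and titles as printed there).
SAMPLE = """\
Installing [2ibdnvmo] Livelock due to invalid locking strategy when adding a leap-second.
Installing [jxtltpyu] CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.
Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.
Installing [s8s7tfsm] CVE-2014-3153: Local privilege escalation in futex requeueing.
Installing [99r3sbjg] CVE-2011-2898: Information leak in packet subsystem
Your kernel is fully up to date.
Effective kernel version is 2.6.32-431.29.2.el6
"""

ENTRY = re.compile(r"^Installing \[([0-9a-z]+)\] (.+)$")
KERNEL = re.compile(r"^Effective kernel version is (\S+)$")
# One item of a CVE list: optional "CVE-YYYY-" prefix, then digits and/or [classes].
TOKEN = re.compile(r"^(?:CVE-(\d{4})-)?\(?((?:\d|\[\d+\])+)\)?$")


def expand_cves(spec):
    """Expand a title prefix such as 'CVE-2013-2634, 2635' into full CVE IDs."""
    ids, year = [], None
    for tok in re.split(r",\s*|\s+and\s+", spec):
        m = TOKEN.match(tok.strip())
        if not m:
            continue  # unknown shorthand: skip rather than guess
        year = m.group(1) or year  # bare numbers inherit the last year seen
        if year is None:
            continue
        # Each position is either one digit or a [class] of alternative digits.
        choices = [cls or digit
                   for cls, digit in re.findall(r"\[(\d+)\]|(\d)", m.group(2))]
        ids += [f"CVE-{year}-{''.join(p)}" for p in itertools.product(*choices)]
    return ids


def parse_uptrack_log(text):
    """Return the applied updates (with expanded CVE IDs) and the effective kernel."""
    updates, kernel = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            title = m.group(2)
            spec, sep, _ = title.partition(": ")
            cves = expand_cves(spec) if sep and spec.startswith("CVE-") else []
            updates.append({"id": m.group(1), "title": title, "cves": cves})
            continue
        m = KERNEL.match(line)
        if m:
            kernel = m.group(1)
    return {"updates": updates, "effective_kernel": kernel}


def coverage(report, wanted):
    """Split a list of CVE IDs into (applied in this run, not seen in this run)."""
    applied = {c for u in report["updates"] for c in u["cves"]}
    return sorted(set(wanted) & applied), sorted(set(wanted) - applied)


if __name__ == "__main__":
    report = parse_uptrack_log(SAMPLE)
    security = [u for u in report["updates"] if u["cves"]]
    print(f"{len(report['updates'])} updates, {len(security)} with CVE IDs, "
          f"effective kernel {report['effective_kernel']}")
    # CVE-2099-0001 is a constructed placeholder for an ID that is not in the log.
    print(coverage(report, ["CVE-2014-3153", "CVE-2013-7268", "CVE-2099-0001"]))
```

Updates without a CVE prefix (the critical bug fixes) come back with an empty `cves` list, so the same report separates the two kinds of patch the post counts together.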