Kernel Update - does it make sense, even no problems ?


Post by zahn-martin » 2020/06/20 09:07:59

Does it make sense to update the kernel from:

kernel-3.10.0-1127.el7.x86_64

to:

kernel-3.10.0-1127.10.1.el7

even when I have no problems with the original kernel?


Post by TrevorH » 2020/06/20 12:14:46

Yes. You're several kernels backlevel from the current one and those fix a number of security problems. You can see the rpm changelog by running

rpm -q --changelog kernel-3.10.0-1127.10.1.el7.x86_64 | less

and if you want to see the list of CVEs fixed then run

[trevor@centos7 ~]$ rpm -q --changelog kernel-3.10.0-1127.10.1.el7.x86_64 | head -101 | grep -i cve
- [net] netlabel: cope with NULL catmap (Paolo Abeni) [1827239 1827240] {CVE-2020-10711}
- [kernel] blktrace: fix dereference after null check (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: Protect q->blk_trace with RCU (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: fix trace mutex deadlock (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: fix unlocked registration of tracepoints (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: fix unlocked access to init/start-stop/teardown (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] tracing: Fix possible double free on failure of allocating trace buffer (Jerome Marchand) [1803010 1803011] {CVE-2017-18595}
- [kernel] tracing: Fix crash when it fails to alloc ring buffer (Jerome Marchand) [1803010 1803011] {CVE-2017-18595}

You can look up those CVEs by consulting e.g. https://access.redhat.com/security/cve/CVE-2020-10711 and read about what they are.
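One way to condense the changelog output shown above into one line per CVE, with the number of patches and the subsystems touched, as an added example that is not part of the original posts. The names cve_summary and sample_changelog and the output layout are assumptions of this example; the sample input is the output quoted in the post plus one constructed entry without a CVE tag.

```shell
#!/bin/sh
# Added example. Reads `rpm -q --changelog` text on stdin and prints
# "<CVE-ID> <patch count> <subsystems>" for each distinct CVE tag.
# Real use: rpm -q --changelog kernel-3.10.0-1127.10.1.el7.x86_64 | cve_summary
cve_summary() {
    awk '
    # Entries look like: - [subsystem] summary (Author) [bug ids] {CVE-...}
    /^- \[/ && index($0, "{CVE-") > 0 {
        name = $2                      # first bracketed token is the subsystem
        gsub(/^\[|\]$/, "", name)
        rest = $0
        # One entry may carry several CVE ids, so scan the whole line.
        while (match(rest, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
            id = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            count[id]++
            if (index(" " areas[id] " ", " " name " ") == 0)
                areas[id] = (areas[id] == "" ? name : areas[id] " " name)
        }
    }
    END { for (id in count) printf "%s %d %s\n", id, count[id], areas[id] }
    ' | LC_ALL=C sort
}

# Sample input: the lines quoted in the post, followed by one constructed
# entry with no CVE tag to show that untagged entries are skipped.
sample_changelog() {
    cat <<'EOF'
- [net] netlabel: cope with NULL catmap (Paolo Abeni) [1827239 1827240] {CVE-2020-10711}
- [kernel] blktrace: fix dereference after null check (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: Protect q->blk_trace with RCU (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: fix trace mutex deadlock (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: fix unlocked registration of tracepoints (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] blktrace: fix unlocked access to init/start-stop/teardown (Ming Lei) [1806367 1798318] {CVE-2019-19768}
- [kernel] tracing: Fix possible double free on failure of allocating trace buffer (Jerome Marchand) [1803010 1803011] {CVE-2017-18595}
- [kernel] tracing: Fix crash when it fails to alloc ring buffer (Jerome Marchand) [1803010 1803011] {CVE-2017-18595}
- [fs] constructed entry without a CVE tag (Constructed Author) [0000000]
EOF
}

sample_changelog | cve_summary
```

Piping the full changelog instead of `head -101` counts every CVE-tagged entry the package records, not only the most recent ones.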
