livepatch-mgr is a kernel live patch management tool that runs on Alibaba Cloud Linux. It supports the operations and maintenance tasks around kernel hot patches; currently it covers basic patch management, information queries, and host repair.
```bash
#livepatch-mgr update
已加载插件:fastestmirror, langpacks, releasever-adapter, update-motd
Loading mirror speeds from cached hostfile
正在解决依赖关系
--> 正在检查事务
---> 软件包 kernel-hotfix-4121479-21.al7.x86_64.0.1.0-1.al7 将被 安装
--> 解决依赖关系完成
依赖关系解决
================================================================================
Package 架构 版本 源 大小
================================================================================
正在安装:
kernel-hotfix-4121479-21.al7 x86_64 1.0-1.al7 plus 244 k
事务概要
================================================================================
安装 1 软件包
总下载量:244 k
安装大小:1.0 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安装 : kernel-hotfix-4121479-21.al7-1.0-1.al7.x86_64 1/1
installing /var/khotfix/4.19.91-21.al7.x86_64/4121479/kpatch-4121479.ko (4.19.91-21.al7.x86_64)
loading patch module: /var/khotfix/4.19.91-21.al7.x86_64/4121479/kpatch-4121479.ko
验证中 : kernel-hotfix-4121479-21.al7-1.0-1.al7.x86_64 1/1
已安装:
kernel-hotfix-4121479-21.al7.x86_64 0:1.0-1.al7
完毕!
```
`livepatch-mgr update --bugfix`: same output as `livepatch-mgr update`, but installs only bugfix hot-patch packages.
`livepatch-mgr update --security`: same output as `livepatch-mgr update`, but installs only CVE (security) hot-patch packages.
`livepatch-mgr update -cve=< CVES >`: CVES is the CVE ID to install; several CVE IDs may be given, separated by commas (,), and they are case-sensitive. Same output as `livepatch-mgr update`, but installs only the hot patches for the specified CVEs.
`livepatch-mgr update --ids=< Advisory IDs >`: Advisory IDs are the advisory IDs to install; several Advisory IDs may be given, separated by commas (,), and they are case-sensitive. Same output as `livepatch-mgr update`, but installs only the hot patches for the specified Advisory IDs.
The output is divided into three categories: Loaded, Installed, and Available. `Loaded patch modules`: hot patches that are loaded (enabled). `Installed patch modules`: hot patches that are installed. `Available and not installed patch modules`: hot patches that are available but not installed.
```bash
#livepatch-mgr list
Loaded patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
4121479 fix XDP socket queue descriptor entries overflow;
Installed patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
4121479 fix XDP socket queue descriptor entries overflow;
Available and not installed patch modules:
CVE-2020-14386 kernel-hotfix-3768348-21.al7.x86_64 Using tp_reserve to calculate netoff can overflow as tp_rese...(more)
kernel-hotfix-5902278-21.al7.x86_64 We notice that hung task happens in a conner but practical ...(more)
```
```bash
#livepatch-mgr list --installed
Installed patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
4121479 fix XDP socket queue descriptor entries overflow;
```
```bash
#livepatch-mgr list --installed --bugfix
Installed patch modules:
5692820 fix_trace_buffer_out_bound
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
4121479 fix XDP socket queue descriptor entries overflow;
```
```bash
#livepatch-mgr list --installed --security
Installed patch modules:
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
```
```bash
#livepatch-mgr list --running
Loaded patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
4121479 fix XDP socket queue descriptor entries overflow;
```
```bash
#livepatch-mgr list --running --bugfix
Loaded patch modules:
5692820 fix_trace_buffer_out_bound
4375449 ovl: fix dentry leak in ovl_get_redirect;
5260815 ext4: Avoid freeing inodes on dirty list;
5000697 mm, compaction: make capture control handling safe wrt interrupts;
4121479 fix XDP socket queue descriptor entries overflow;
```
```bash
#livepatch-mgr list --running --security
Loaded patch modules:
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
```
```bash
#livepatch-mgr list --available
================================================================================
kernel-hotfix-4121479-21.al7.x86_64
================================================================================
Update ID : HOTFIX-BA-2020:0005
Release : Alibaba Cloud Linux 2.1903 Hotfix
Issued : 2020-11-24
Updated : 2020-11-24
Description : the implementation of xskq_umem_get_ring_size and xskq_rxtx_get_ring_size are
vulnerable to buffer overflow, attacker can use large q->nentries value to
tirgger...(more)
CVE(s) :
Severity : Important
================================================================================
kernel-hotfix-5000697-21.al7.x86_64
================================================================================
Update ID : HOTFIX-BA-2021:0003
Release : Alibaba Cloud Linux 2.1903 Hotfix
Issued : 2021-03-18
Updated : 2021-03-18
Description : While stressing compaction, one run oopsed on NULL capc->cc in
__free_one_page()'s task_capc(zone): compact_zone_order() had been interrupted,
and a page was b...(more)
CVE(s) :
Severity : Important
================================================================================
kernel-hotfix-3768348-21.al7.x86_64
================================================================================
Update ID : HOTFIX-SA-2020:0002
Release : Alibaba Cloud Linux 2.1903 Hotfix
Issued : 2020-09-21
Updated : 2020-09-21
Description : Using tp_reserve to calculate netoff can overflow as tp_reserve is unsigned int
and netoff is unsigned short. This may lead to macoff receving a smaller value
...(more)
CVE(s) : CVE-2020-14386
Severity : Important
......
```
### List the bugfix hot patches applicable to this host
```bash
#livepatch-mgr list --available --bugfix
================================================================================
kernel-hotfix-4375449-21.al7.x86_64
================================================================================
Update ID : HOTFIX-BA-2021:0031
Release : Alibaba Cloud Linux 2.1903 Hotfix
Issued : 2021-08-07
Updated : 2021-08-07
Description : We need to lock d_parent->d_lock before dget_dlock, or this may have d_lockref
updated parallelly like calltrace below which will cause dentry->d_lockref leak
a...(more)
CVE(s) :
Severity : Important
================================================================================
kernel-hotfix-5260815-21.al7.x86_64
================================================================================
Update ID : HOTFIX-BA-2021:0027
Release : Alibaba Cloud Linux 2.1903 Hotfix
Issued : 2021-08-07
Updated : 2021-08-07
Description : ext4: Avoid freeing inodes on dirty list When we are evicting inode with
journalled data, we may race with transaction commit. This results in use-after-
free i...(more)
CVE(s) :
Severity : Important
......
```
```bash
#livepatch-mgr list --available --security
================================================================================
kernel-hotfix-3768348-21.al7.x86_64
================================================================================
Update ID : HOTFIX-SA-2020:0002
Release : Alibaba Cloud Linux 2.1903 Hotfix
Issued : 2020-09-21
Updated : 2020-09-21
Description : Using tp_reserve to calculate netoff can overflow as tp_reserve is unsigned int
and netoff is unsigned short. This may lead to macoff receving a smaller value
...(more)
CVE(s) : CVE-2020-14386
Severity : Important
================================================================================
kernel-hotfix-5928799-21.al7.x86_64
================================================================================
Update ID : HOTFIX-SA-2021:0009
Release : Alibaba Cloud Linux 2.1903 Hotfix
Issued : 2021-07-21
Updated : 2021-07-21
Description : A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in
net/netfilter/x_tables.c. The compat IPT_SO_SET_REPLACE/IP6T_SO_SET_REPLACE
sets...(more)
CVE(s) : CVE-2021-22555
Severity : High
================================================================================
kernel-hotfix-5956925-21.al7.x86_64
================================================================================
Update ID : HOTFIX-SA-2021:0018
Release : Alibaba Cloud Linux 2.1903 Hotfix
Issued : 2021-07-23
Updated : 2021-07-23
Description : An out-of-bounds write flaw was found in the Linux kernel's seq_file in the
Filesystem layer. This flaw allows a local attacker with a user privilege to
gain a...(more)
CVE(s) : CVE-2021-33909
Severity : High
......
```
```bash
#livepatch-mgr.py load
loading kernel-hotfix-5956925-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5956925/kpatch-5956925.ko
loading kernel-hotfix-5902278-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5902278/kpatch-5902278.ko
loading kernel-hotfix-5260815-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5260815/kpatch-5260815.ko
loading kernel-hotfix-5928799-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5928799/kpatch-5928799.ko
loading kernel-hotfix-5577959-23.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5577959/kpatch-5577959.ko
```
```bash
#livepatch-mgr load --security
loading kernel-hotfix-5956925-23.al7.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5956925/kpatch-5956925.ko
loading kernel-hotfix-5928799-23.al7.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5928799/kpatch-5928799.ko
```
```bash
#livepatch-mgr load --bugfix
loading kernel-hotfix-5902278-23.al7.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5902278/kpatch-5902278.ko
loading kernel-hotfix-5260815-23.al7.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5260815/kpatch-5260815.ko
loading kernel-hotfix-5577959-23.al7.x86_64
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5577959/kpatch-5577959.ko
```
```bash
# .ko given by absolute path
#livepatch-mgr load /var/khotfix/4.19.91-21.al7.x86_64/5956925/kpatch-5956925.ko
loading kernel-hotfix-5956925
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5956925/kpatch-5956925.ko
# module name without the .ko suffix
#livepatch-mgr load kpatch-5260815
loading kernel-hotfix-5928799
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5928799/kpatch-5928799.ko
# module name with the .ko suffix
#livepatch-mgr.py load kpatch-4121479.ko
loading kernel-hotfix-5902278
loading patch module: /var/khotfix/4.19.91-23.al7.x86_64/5902278/kpatch-5902278.ko
```
```bash
#livepatch-mgr unload
unloading kernel-hotfix-5956925-23.x86_64
disabling patch module: kpatch_5956925
unloading patch module: kpatch_5956925
unloading kernel-hotfix-5902278-23.x86_64
disabling patch module: kpatch_5902278
unloading patch module: kpatch_5902278
unloading kernel-hotfix-5260815-23.x86_64
disabling patch module: kpatch_5260815
unloading patch module: kpatch_5260815
unloading kernel-hotfix-5928799-23.x86_64
disabling patch module: kpatch_5928799
unloading patch module: kpatch_5928799
unloading kernel-hotfix-5577959-23.x86_64
disabling patch module: kpatch_5577959
unloading patch module: kpatch_5577959
```
```bash
#livepatch-mgr unload --security
unloading kernel-hotfix-5956925-23.al7.x86_64
disabling patch module: kpatch_5956925
unloading patch module: kpatch_5956925
unloading kernel-hotfix-5928799-23.al7.x86_64
disabling patch module: kpatch_5928799
unloading patch module: kpatch_5928799
```
```bash
#livepatch-mgr unload --bugfix
unloading kernel-hotfix-5902278-23.al7.x86_64
disabling patch module: kpatch_5902278
unloading patch module: kpatch_5902278
unloading kernel-hotfix-5260815-23.al7.x86_64
kpatch: patch module kpatch_5260815 is not loaded
unloading kernel-hotfix-5577959-23.al7.x86_64
kpatch: patch module kpatch_5577959 is not loaded
```
```bash
# .ko given by absolute path
#livepatch-mgr unload /var/khotfix/4.19.91-21.al7.x86_64/5928799/kpatch-5928799.ko
unoading kernel-hotfix-5928799
disabling patch module: kpatch_5928799
unloading patch module: kpatch_5928799
# module name without the .ko suffix
#livepatch-mgr unload kpatch_5692820
unoading kernel-hotfix-5902278
disabling patch module: kpatch_5902278
unloading patch module: kpatch_5902278
# module name with the .ko suffix
#livepatch-mgr unload kpatch_5000697.ko
unoading kernel-hotfix-5577959
disabling patch module: kpatch_5577959
unloading patch module: kpatch_5577959
```
`livepatch-mgr sync`
The sync subcommand refreshes livepatch-mgr's Errata cache data directly, so that the latest security package updates are picked up promptly.
When a user logs in to a shell, the shell reports the current state of security updates on the system. The output looks like this:
```bash
****************** Livepatch-mgr Security Reminder ******************
Your system have [0] security packages available to install
Your system have [0] security packages installed but not loaded
Conclusion : Safe
*********************************************************************
[root@******** ~]#
```
The Livepatch-mgr Security Reminder notifies the user on every shell login. It tells the user how many kernel security updates are waiting to be installed, and how many security fix packages are installed but not yet loaded.
If the following appears:
```bash
****************** Livepatch-mgr Security Reminder ******************
[Errno 11] Resource temporarily unavailable
```
or this:
```bash
****************** Livepatch-mgr Security Reminder ******************
Error: Hotfix data cache is missing
please use "livepatch-mgr sync" to rebuild
**********************************************************************
```
this means livepatch-mgr's cache database has been deleted or corrupted. Run `livepatch-mgr sync` to rebuild the database.
`livepatch-mgr remind --enable`
Once enabled, the reminder reports the system's security package status every time a user logs in to a shell.
`livepatch-mgr remind --disable`
Once disabled, the reminder no longer reports the system's security package status when a user logs in to a shell.
`livepatch-mgr remind`
Besides the notification shown at shell login, the user can check the system's current security package status at any time by running the remind subcommand directly.
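The reminder's two counters can be derived from the `livepatch-mgr list` output shown earlier: security patches (CVE-tagged lines) in the Available section, and those in the Installed section that are missing from the Loaded section. The script below is an added example, not part of livepatch-mgr, and runs on two constructed samples of that output.

```bash
#!/bin/sh
# Added example, not part of livepatch-mgr: parse the text printed by
# `livepatch-mgr list` (format shown above) and derive the two counters
# the login reminder reports. Both inputs below are constructed samples.
SAMPLE_LIST='Loaded patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
Installed patch modules:
5692820 fix_trace_buffer_out_bound
CVE-2021-33909 5956925 seq_file: disallow extremely large seq buffer allocations;
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
Available and not installed patch modules:
CVE-2020-14386 kernel-hotfix-3768348-21.al7.x86_64 Using tp_reserve to calculate netoff...(more)'
# A fully patched host: the only security patch is installed and loaded.
SAMPLE_SAFE='Loaded patch modules:
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
Installed patch modules:
CVE-2021-22555 5928799 netfilter: x_tables: fix compat match/target pad out-of-bound write;
Available and not installed patch modules:
kernel-hotfix-5902278-21.al7.x86_64 We notice that hung task happens...(more)'

# Second field (patch id, or package name in the Available section) of every
# CVE-tagged line under the section whose header starts with $2.
security_ids() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /patch modules:$/ { insec = (index($0, want) == 1); next }
        insec && $1 ~ /^CVE-/ { print $2 }' | sort
}

# Security patches present on disk but not active in the running kernel.
installed_not_loaded() {
    loaded=" $(security_ids "$1" Loaded | tr '\n' ' ')"
    security_ids "$1" Installed | while read -r id; do
        case "$loaded" in *" $id "*) ;; *) printf '%s\n' "$id" ;; esac
    done
}

# Security patches offered by the repository that are not installed yet.
count_available_security() {
    security_ids "$1" Available | wc -l | tr -d ' '
}

# Same verdict as the reminder: Safe only when both counters are zero.
conclusion() {
    avail=$(count_available_security "$1")
    pending=$(installed_not_loaded "$1" | wc -l | tr -d ' ')
    if [ "$avail" -eq 0 ] && [ "$pending" -eq 0 ]; then printf 'Safe\n'; return; fi
    printf 'Not safe: %s available, %s installed but not loaded\n' "$avail" "$pending"
}
```

On a real host, feed `livepatch-mgr list` output in place of the samples, e.g. `conclusion "$(livepatch-mgr list)"`, to get the same verdict outside of a login shell.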