[Ksplice-cloudlinux6-updates] New updates available via Ksplice (2.6.32-458.18.1.lve1.2.39.el6)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Sep 26 06:41:46 PDT 2013


Synopsis: 2.6.32-458.18.1.lve1.2.39.el6 can now be patched using Ksplice
CVEs: CVE-2012-6544 CVE-2012-6548 CVE-2013-0914 CVE-2013-1848 CVE-2013-1935 CVE-2013-1943 CVE-2013-2017 CVE-2013-2128 CVE-2013-2146 CVE-2013-2206 CVE-2013-2232 CVE-2013-2237 CVE-2013-2239 CVE-2013-2634 CVE-2013-2852 CVE-2013-3222 CVE-2013-3224 CVE-2013-3225 CVE-2013-3301

Systems running CloudLinux 6 can now use Ksplice to patch against the
latest CloudLinux 6 kernel update, 2.6.32-458.18.1.lve1.2.39.el6.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on CloudLinux 6 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
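
An added example, not part of the original advisory or of Oracle's tooling: a shell check that reports whether a host already runs the effective kernel named above, will pick it up through autoinstall, or needs the manual command. The function names are hypothetical; it assumes uptrack.conf uses ini-style "key = value" lines with "#" or ";" comments, and that "uptrack-uname -r" prints the effective kernel version, possibly with an architecture suffix.

```shell
#!/bin/sh
# Added example (not Oracle's code). TARGET is the kernel named in this advisory.
TARGET="2.6.32-458.18.1.lve1.2.39.el6"

# autoinstall_enabled FILE
# Returns 0 if the last uncommented "autoinstall" setting in FILE is "yes",
# 1 if it is anything else or absent, 2 if FILE cannot be read.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 2
    # Strip comments, then print the value of any "autoinstall = value" line.
    value=$(sed -n \
        -e 's/[#;].*$//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p' \
        "$conf" | tail -n 1 | tr '[:upper:]' '[:lower:]')
    [ "$value" = "yes" ]
}

# patch_status FILE EFFECTIVE_KERNEL
# Prints one line saying what, if anything, the administrator must do.
patch_status() {
    conf="$1"
    effective="$2"
    case "$effective" in
        "$TARGET"*)
            # Prefix match, so an architecture suffix is tolerated (assumption).
            echo "patched: effective kernel is $TARGET"
            return 0
            ;;
    esac
    if autoinstall_enabled "$conf"; then
        echo "pending: autoinstall is enabled, no action needed"
    else
        echo "action: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Only query the live system when Ksplice Uptrack is installed.
if command -v uptrack-uname >/dev/null 2>&1; then
    patch_status /etc/uptrack/uptrack.conf "$(uptrack-uname -r)"
fi
```

A host whose effective kernel is newer than the one in this advisory is reported as "pending" or "action", because the comparison is a prefix match against this release only.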


DESCRIPTION

* CVE-2013-2017: Double free in Virtual Ethernet Tunnel driver (veth).

A double free flaw was found in the Linux kernel's Virtual Ethernet
Tunnel driver (veth). A remote attacker could possibly use this flaw to
crash a target system.


* CVE-2013-1943: Local privilege escalation in KVM memory mappings.

A missing sanity check was found in KVM's memory mapping subsystem,
allowing a user-space process to register memory regions pointing
to the kernel address space. A local, unprivileged user could use this flaw
to escalate their privileges.


* CVE-2013-1935: Denial of service in KVM paravirt interrupt handling.

A flaw was found in the way KVM initialized a guest's registered
paravirtualized end-of-interrupt indication flag when entering the
guest. An unprivileged guest user could potentially use this flaw
to crash the host. (CVE-2013-1935, Important)


* CVE-2013-2239: Multiple memory leaks in OpenVZ kernel 2.6.32.

Failure to properly initialize variables in ploop and quota could allow
local users to obtain sensitive information from kernel stack memory.


* Invalid bean counter memory free in tcpsndbuf.

A race condition between poll and send in tcpsndbuf could cause a
subsequent bc release to perform an invalid memory free and taint
the kernel.


* CVE-2012-6548: Information leak in UDF export.

A malicious user can disclose the contents of kernel memory by exporting
a filehandle from a UDF filesystem.


* CVE-2013-0914: Information leak in signal handlers.

A logic error in the handling of signal handlers allows a child process to
leak information about the memory layout of parent processes.


* CVE-2013-1848: Format string vulnerability in ext3 mounting.

The ext3 file-system driver incorrectly uses an argument from userspace as a
format string, allowing local users with the ability to mount ext3 filesystems
to corrupt kernel memory and gain privileged execution.


* CVE-2013-2852: Invalid format string usage in Broadcom B43 wireless driver.

Format string vulnerability in the b43_request_firmware function
in the Broadcom B43 wireless driver in the Linux kernel through 3.9.4
allows local users to gain privileges by leveraging root access and
including format string specifiers in an fwpostfix modprobe parameter,
leading to improper construction of an error message.


* CVE-2013-3222: Kernel stack information leak in ATM sockets.

Missing data clearing operations could allow an unprivileged user to
leak kernel stack memory to userspace.


* CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.

Receiving messages from a Bluetooth socket whilst the socket is
simultaneously being shut down could leak kernel stack bytes to
userspace, allowing a local user to gain information about the running
kernel.


* CVE-2013-3225: Kernel stack information leak in Bluetooth rfcomm.

Missing data clearing operations could allow a local user to leak kernel
stack memory to userspace.


* CVE-2013-3301: NULL pointer dereference in tracing sysfs files.

The tracing sysfs files did not correctly allow seeking on a file opened
for writing, allowing a privileged user to crash the system.


* CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.

The dcb netlink interface and the rtnetlink interface leak stack memory in
various places.


* CVE-2013-2128: Denial of service in TCP splice.

The tcp_read_sock function in tcp.c does not properly manage skb consumption,
which allows local users to cause a denial of service (system crash) via a
crafted splice system call for a TCP socket.


* Incorrect load average calculation on checkpoint+restore.

Incorrect restoration of a task flag would result in a system reporting
a load average of 0 after a checkpoint+restore operation.


* Invalid memory access in socket buffers.

Failure to properly initialize a field in the skbuff structure could
lead to an invalid memory access.  This could lead to a kernel crash.


* CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.

A flaw was found in the way the Linux kernel's Stream Control
Transmission Protocol (SCTP) implementation handled duplicate cookies.
If a local user queried SCTP connection information at the same time a
remote attacker has initialized a crafted SCTP connection to the system,
it could trigger a NULL pointer dereference, causing the system to
crash.


* CVE-2013-2232: Memory corruption in IPv6 routing cache.

Connecting an IPv6 socket to an IPv4 destination can cause IPv4 routing
information to be placed in the IPv6 routing cache causing memory corruption
and a kernel panic.


* CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.

A malicious user can disclose the contents of kernel memory by calling
getsockname() on a Bluetooth L2CAP socket.


* CVE-2013-2237: Information leak on IPSec key socket.

Incorrect initialization on policy flushing could leak kernel stack
bytes to userspace.


* CVE-2013-2146: Denial of service in access to reserved performance MSRs.

On systems with certain Intel processors, a local, unprivileged user could
use this flaw to cause a denial of service by leveraging the perf subsystem
to write into the reserved bits of the OFFCORE_RSP_0 and OFFCORE_RSP_1
model-specific registers.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


