[Ksplice-cloudlinux6-updates] New updates available via Ksplice (2.6.32-531.1.2.lve1.2.54.el6)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Apr 2 19:29:51 PDT 2014


Synopsis: 2.6.32-531.1.2.lve1.2.54.el6 can now be patched using Ksplice
CVEs: CVE-2012-6542 CVE-2012-6545 CVE-2013-0343 CVE-2013-1928 CVE-2013-1929 CVE-2013-2164 CVE-2013-2234 CVE-2013-2851 CVE-2013-2888 CVE-2013-2889 CVE-2013-3231 CVE-2013-4345 CVE-2013-4387 CVE-2013-4470 CVE-2013-4591 CVE-2013-4592 CVE-2013-6367 CVE-2013-6368 CVE-2014-2523

Systems running CloudLinux 6 can now use Ksplice to patch against the
latest CloudLinux 6 kernel update, 2.6.32-531.1.2.lve1.2.54.el6.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on CloudLinux 6 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
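
The check below is an added example, not part of the Ksplice advisory: it reads the autoinstall setting described above and compares an effective kernel string against the release named in this announcement. The function names are hypothetical, and it assumes Uptrack's `uptrack-uname -r` reports this release string once the updates are applied.

```sh
#!/bin/sh
# Added example (not from the advisory): report whether this host still needs
# the updates. Function names are hypothetical.

TARGET="2.6.32-531.1.2.lve1.2.54.el6"   # effective kernel named in the advisory

# Print "yes" if the config has an uncommented "autoinstall = yes", else "no".
# Assumption: only the literal value "yes" counts; the last assignment wins.
autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo no; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "autoinstall") last = val
        }
        END { print ((last == "yes") ? "yes" : "no") }
    ' "$conf"
}

# Succeed if an effective-kernel string is the advisory's release,
# with or without an architecture suffix such as ".x86_64".
at_target() {
    case "$1" in
        "$TARGET" | "$TARGET".*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine both checks into a one-line verdict for a config path and version.
posture() {
    if at_target "$2"; then
        echo "ok: effective kernel is $TARGET"
    elif [ "$(autoinstall_enabled "$1")" = "yes" ]; then
        echo "pending: autoinstall will apply the updates"
    else
        echo "action: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# On a real host, uptrack-uname -r supplies the effective version.
if command -v uptrack-uname >/dev/null 2>&1; then
    posture /etc/uptrack/uptrack.conf "$(uptrack-uname -r)"
fi
```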


DESCRIPTION

* CPU lockup under heavy container I/O.

Incorrect locking and error handling could result in a CPU lockup when a
container performed large amounts of I/O using the ploop device.


* CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.

The kernel IPv6 stack does not correctly handle queuing multiple UDP fragments
when using UDP Fragmentation Offloading, allowing a local unprivileged user to
cause kernel memory corruption and potentially gain privileged code execution.


* CVE-2013-0343: Denial of service in IPv6 privacy extensions.

A malicious remote user can disable IPv6 privacy extensions by flooding the host
with malicious temporary addresses.


* CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.

An off-by-one flaw was found in the way the ANSI CPRNG implementation in
the Linux kernel processed non-block size aligned requests. This could lead
to random numbers being generated with fewer bits of entropy than expected
when ANSI CPRNG was used.


* CVE-2013-2888: Memory corruption in Human Input Device processing.

The kernel does not correctly validate the 'Report ID' field in HID data, allowing
a malicious USB or Bluetooth device to cause memory corruption and gain kernel
code execution.


* CVE-2013-2889: Memory corruption in Zeroplus HID driver.

The Zeroplus game controller device driver does not correctly validate
data from devices, allowing a malicious device to cause kernel memory
corruption and potentially gain kernel code execution.


* CVE-2012-6542: Information leak in LLC socket name.

A malicious user can disclose the contents of kernel memory by calling
getsockname() on an LLC socket.


* CVE-2013-3231: Kernel stack information leak in LLC sockets.

Missing initialization could allow a local user to leak kernel stack
information when receiving messages.


* CVE-2013-1929: Buffer overflow in TG3 VPD firmware parsing.

Incorrect length checks when parsing the firmware could cause a buffer
overflow and corruption of memory.


* CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.

A malicious user can disclose the contents of kernel memory by calling
getsockname() on a Bluetooth RFCOMM socket.


* CVE-2013-1928: Kernel information leak in compat_ioctl/VIDEO_SET_SPU_PALETTE.

The compat control device call for VIDEO_SET_SPU_PALETTE was missing an error check
while converting the input arguments.  This could lead to leaking kernel
stack contents into userspace.


* CVE-2013-2164: Kernel information leak in the CDROM driver.

Incorrect allocation in the generic CDROM driver could result in leaking
heap memory to userspace.


* CVE-2013-2234: Information leak in IPsec key management.

An error in the AF_KEY implementation allows privileged users to leak contents of
the kernel stack to userspace.


* CVE-2013-2851: Format string vulnerability in software RAID device names.

A format string vulnerability in partition registration allows local
users to execute kernel mode code by writing format string specifiers to
/sys/module/md_mod/parameters/new_array in order to create an invalid
/dev/md device name.


* CVE-2013-4591: Privilege escalation in NFSv4 ACL handling.

The vendor fix for CVE-2012-2375 accidentally removed a check for small-sized
result buffers. A local, unprivileged user with access to an NFSv4 mount with
ACL support could use this flaw to crash the system or, potentially, escalate
their privileges on the system.


* CVE-2013-4592: Denial-of-service in KVM IOMMU mappings.

A flaw was found in the way IOMMU memory mappings were handled when
moving memory slots. A malicious user on a KVM host who has the ability to
assign a device to a guest could use this flaw to crash the host.


* Improved fix to CVE-2013-4470: Memory corruption in IPv6 networking corking with UFO.

The original vendor fix to CVE-2013-4470 only addressed IPv4 sockets and
the system was still vulnerable to memory corruption with IPv6 sockets.


* CVE-2013-6367: Divide-by-zero in KVM LAPIC.

A divide-by-zero flaw was found in the apic_get_tmcct() function in KVM's
Local Advanced Programmable Interrupt Controller (LAPIC) implementation.
A privileged guest user could use this flaw to crash the host.


* CVE-2013-6368: Memory corruption in KVM virtual APIC accesses.

A memory corruption flaw was discovered in the way KVM handled virtual
APIC accesses that crossed a page boundary. A local, unprivileged user
could use this flaw to crash the system or, potentially, escalate their
privileges on the system.


* CVE-2014-2523: Memory corruption in DCCP header.

An invalid use of a pointer in net/netfilter/nf_conntrack_proto_dccp.c
could allow remote attackers to cause a denial of service (system crash)
or possibly execute arbitrary code via a DCCP packet that triggers a call
to the dccp_new, dccp_packet, or dccp_error function.


* Kernel panic in VFS lookup code.

A bug in the VFS lookup code could cause a kernel panic when
opening a file on an auto-fs filesystem with O_CREAT.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


