[Ksplice-cloudlinux6-updates] New updates available via Ksplice (2.6.32-673.8.1.lve1.4.14.el6)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Jul 21 10:37:04 PDT 2016


Synopsis: 2.6.32-673.8.1.lve1.4.14.el6 can now be patched using Ksplice
CVEs: CVE-2015-2925 CVE-2015-5157 CVE-2015-5307 CVE-2015-7550 CVE-2015-8104 CVE-2015-8543 CVE-2015-8767 CVE-2016-0774 CVE-2016-3134 CVE-2016-3156 CVE-2016-4565 CVE-2016-4997 CVE-2016-4998

Systems running CloudLinux 6 can now use Ksplice to patch against the
latest CloudLinux 6 kernel update, 2.6.32-673.8.1.lve1.4.14.el6.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on CloudLinux 6 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.

A race condition in the cryptographic key management sub-system could lead
to a kernel crash when revoking and reading a key concurrently.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.

It was discovered that a local user permitted to create raw sockets could
cause a denial-of-service by specifying an invalid protocol number for the
socket.


* CVE-2016-3134: Memory corruption when parsing netfilter source chains.

A logic error when parsing netfilter source chains can allow local users
to corrupt kernel memory.


* CVE-2016-0774: Information leak in the pipe system call on failed atomic read.

The fix for CVE-2015-1805 incorrectly kept buffer offset and length in sync
on a failed atomic read, leading to pipe buffer state corruption.  A
local, unprivileged user could use this flaw to cause a denial-of-service
or leak kernel memory to userspace.


* CVE-2015-5307: KVM host denial-of-service in alignment check.

A guest could cause a denial-of-service on a KVM host by triggering an
infinite stream of alignment check exceptions and causing the processor
microcode to enter an infinite loop.  A privileged user in a guest could
use this flaw to crash the host.


* CVE-2015-8104: KVM host denial-of-service in debug exception.

A guest could cause a denial-of-service on a KVM host by triggering a
debug exception to fire during an existing debug exception.  This could
trap the host in an infinite loop, causing a denial-of-service.  A
privileged user in a guest could use this flaw to crash the host.


* Improved fix for CVE-2015-2925: Privilege escalation in bind mounts inside namespaces.

Incorrect handling of renames inside container bind mounts could allow a
local user to escape a container and escalate privileges under specific
conditions.


* CVE-2015-5157: Disable modification of LDT by userspace processes.

The seldom-used modify_ldt syscall, which allows processes to modify their
local descriptor table, has several vulnerabilities that allow local
unprivileged users to elevate privileges.

This update disables the modify_ldt syscall by default and introduces a new
sysctl 'ksplice_modify_ldt' to allow administrators to re-enable it.
Re-enabling the syscall will make the machine vulnerable.

To re-enable modify_ldt, run the following command as root:

  sysctl ksplice_modify_ldt=1

To disable, run:

  sysctl ksplice_modify_ldt=0

This mitigates CVE-2015-3290, CVE-2015-3291 and CVE-2015-5157.


* CVE-2015-8767: Denial-of-service in SCTP heartbeat timeout.

Incorrect locking when accepting an SCTP connection during the 4-way
handshake could result in deadlock.  A local user could use this flaw to
block SCTP connections.


* CVE-2016-3156: Denial-of-service when removing a network interface.

Removal of a network interface with lots of IPv4 addresses may lead to the
kernel hanging for a long time, with all network operations blocked.  A
local, privileged user in a container could use this flaw to block network
access and cause a denial-of-service.


* CVE-2016-4997, CVE-2016-4998: Privilege escalation in the Netfilter driver.

Incomplete input validation when processing Netfilter xtables entries could
lead to out-of-bounds memory reads and writes.  An unprivileged user inside
a container could use this flaw to cause a denial-of-service or elevate
privileges.


* CVE-2016-4565: Privilege escalation in Infiniband ioctl.

The Infiniband ioctl interface does not correctly validate parameters
from userspace which can allow local users to corrupt kernel memory and
escalate privileges.
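
An added example (not part of Oracle's advisory or of the Ksplice tooling):
a shell audit of the two settings named above, the autoinstall key in
/etc/uptrack/uptrack.conf and the ksplice_modify_ldt sysctl.  The function
names and the "key = value" parsing of the config file are assumptions.

```shell
#!/bin/sh
# Added example: audit the two settings this advisory names.
# Assumption: uptrack.conf holds "key = value" lines; "#" or ";" starts a comment.

# Print the autoinstall value from the given config: yes, no, unset or unreadable.
uptrack_autoinstall() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)      # trim the value
            if (tolower(key) == "autoinstall") found = tolower(val)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Interpret ksplice_modify_ldt: 0 (default after this update) keeps modify_ldt
# disabled; 1 re-enables it, which the advisory says leaves the host vulnerable.
modify_ldt_state() {
    case $1 in
        0)  echo "disabled" ;;
        1)  echo "enabled-vulnerable" ;;
        "") echo "unknown" ;;
        *)  echo "unexpected:$1" ;;
    esac
}

# audit_host [conf] [sysctl-value]: report both settings on one line.
# Returns 0 only when modify_ldt is confirmed disabled.
audit_host() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    if [ $# -ge 2 ]; then
        ldt=$2                                      # value supplied by caller
    else
        ldt=$(sysctl -n ksplice_modify_ldt 2>/dev/null) || ldt=""
    fi
    auto=$(uptrack_autoinstall "$conf")
    state=$(modify_ldt_state "$ldt")
    if [ "$auto" = "yes" ]; then
        hint="updates install automatically"
    else
        hint="run /usr/sbin/uptrack-upgrade -y manually"
    fi
    echo "autoinstall=$auto ($hint); modify_ldt=$state"
    [ "$state" = "disabled" ]
}
```

Calling audit_host with no arguments reads the live config and sysctl; a
non-zero exit status means modify_ldt is not confirmed disabled.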

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


