[Ksplice][Debian 8.0 Updates] New updates available via Ksplice (DSA-3434-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Jan 7 08:53:21 PST 2016
Synopsis: DSA-3434-1 can now be patched using Ksplice
CVEs: CVE-2015-7513 CVE-2015-7550 CVE-2015-8569 CVE-2015-8575 CVE-2015-8709
Systems running Debian 8.0 Jessie can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-3434-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Debian 8.0 Jessie
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2015-8575: Information leak in Bluetooth socket binding.
Lack of input validation when binding a Bluetooth socket could result in
kernel stack memory being leaked to userspace. A local attacker could use
this flaw to gain information about the running kernel.
* CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.
A race condition in the cryptographic key management sub-system could lead
to a kernel crash when revoking and reading a key concurrently. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* CVE-2015-8709: Privilege escalation in user-namespace switching.
Incorrect capabilities check for ptrace() could allow a privileged user
in an untrusted user-namespace to escape the namespace when a root-owned
process entered the user-namespace.
* CVE-2015-8569: Information leak in point-to-point protocol.
A lack of validating user input could cause kernel stack memory to be
leaked to userspace in the point-to-point bind() and connect() functions.
A local, unprivileged user could use this flaw to gain information about
the running kernel.
* CVE-2015-7513: Divide-by-zero in KVM when reloading the programmable interrupt timer.
A missing input sanitization when loading the programmable interrupt timer
counters from userspace could cause KVM to make a division by zero, causing
a kernel crash. A local user with the capibility to run KVM machines could
use this flaw to cause a denial-of-service.
Ksplice will not be providing an update for Xen security
advisories 155 and 157. Fixing XSA-155 requires updates to the
hypervisor and qemu which are not available through Ksplice. Xen
hosts should reboot into an updated hypervisor, qemu and kernel
to protect against this issue, and live migration may be used to
avoid disruption to guests. Systems other than Xen Dom0s (i.e.
systems not hosting Xen virtual machines) are not vulnerable and
do not need to be rebooted in order to remain secure.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Debian-8.0-Updates
mailing list