[Ksplice][Debian 8.0 Updates] New Ksplice updates for Debian 8.0 Jessie (3.16.68-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Jun 6 01:30:02 PDT 2019


Synopsis: 3.16.68-1 can now be patched using Ksplice
CVEs: CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 CVE-2019-11190 CVE-2019-11486 CVE-2019-11599 CVE-2019-3459 CVE-2019-3460 CVE-2019-3882 CVE-2019-3901 CVE-2019-6133

Systems running Debian 8.0 Jessie can now use Ksplice to patch against
the latest Debian kernel update, 3.16.68-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 8.0
Jessie install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, CVE-2018-12127: Microarchitectural Data Sampling.

A hardware vulnerability on various Intel x86 processors can allow a process to
speculatively access privileged information stored in CPU microarchitectural
buffers. A local user or guest VM could use this flaw to learn information
about the host kernel or hypervisor and use this to facilitate a further
attack.

Updated microcode is required for the mitigation to be effective; check the
contents of /sys/devices/system/cpu/vulnerabilities/mds to determine whether
the microcode supports the mitigation.

This update does not mitigate the vulnerability when SMT is in use.

This update does not mitigate the vulnerability on 32-bit systems.
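As an added example (not part of this advisory or of the Ksplice tooling), a small POSIX sh helper that classifies the status string the kernel reports in /sys/devices/system/cpu/vulnerabilities/mds, separating the "no microcode" and "SMT vulnerable" cases that the two caveats above refer to. The sample strings in the comments are constructed from the status formats the kernel documents; the verdict names are my own.

```shell
#!/bin/sh
# Added example: classify the MDS status string exposed by the kernel in
# /sys/devices/system/cpu/vulnerabilities/mds. Verdict names are hypothetical.
# Constructed sample inputs (documented kernel formats):
#   "Not affected"
#   "Mitigation: Clear CPU buffers; SMT disabled"
#   "Mitigation: Clear CPU buffers; SMT vulnerable"
#   "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable"
#   "Vulnerable"

MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# mds_verdict STATUS
# Prints one word: not-affected, mitigated, mitigated-smt-vulnerable,
# microcode-missing or unmitigated.
mds_verdict() {
    case "$1" in
        "Not affected"*)
            echo "not-affected" ;;
        "Mitigation: Clear CPU buffers"*"SMT vulnerable"*)
            # Kernel-side mitigation active, but SMT is still enabled, so the
            # sibling-thread attack surface described above remains.
            echo "mitigated-smt-vulnerable" ;;
        "Mitigation: Clear CPU buffers"*)
            echo "mitigated" ;;
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            # Patched kernel, but the CPU microcode lacks MD_CLEAR support.
            echo "microcode-missing" ;;
        *)
            echo "unmitigated" ;;
    esac
}

# check_host: read the live sysfs file if it exists, otherwise report unknown
# (older kernels without the sysfs entry, or non-Linux hosts).
check_host() {
    if [ -r "$MDS_SYSFS" ]; then
        mds_verdict "$(cat "$MDS_SYSFS")"
    else
        echo "unknown"
    fi
}

check_host
```

A verdict of microcode-missing means the kernel update alone is not protecting the host; mitigated-smt-vulnerable means SMT is still on, which this update does not cover.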


* CVE-2019-3459, CVE-2019-3460: Remote information leak via Bluetooth configuration request.

When parsing Bluetooth L2CAP options, some buffer length fields are not
properly validated, potentially allowing a malicious device to expose
kernel heap memory remotely.


* CVE-2019-3901: Privilege escalation when opening performance events.

A race condition between perf_event_open and execve can allow an
unprivileged user to trace a privileged process, potentially allowing an
unprivileged user to escalate privileges.


* CVE-2019-11190: Information leak using a setuid program and accessing process stats.

A late setup of credentials when running a setuid program could let an
attacker dump /proc/<pid>/stat and obtain more information about the
running kernel.


* CVE-2019-6133: Permission bypass of userspace Policykit protection.

When a non-root user tries to control a systemd unit, PolicyKit asks for
an administrator password. Once entered, polkit caches this password for
up to five minutes for the corresponding process, keyed on the PID and
start_time of the process. A race condition in the fork syscall could let
an attacker spawn a process with the same start_time and the same PID as
the targeted process and thus control a systemd unit.


* CVE-2019-3882: Denial-of-service when repeatedly DMA mapping device MMIO.

By repeatedly mapping device MMIO memory via mmap, a malicious user
could potentially consume unbounded system memory, resulting in resource
starvation and a denial-of-service.


* CVE-2019-11599: Information leak in the coredump implementation.

A locking error in the coredump implementation could let an attacker
leak sensitive information or cause a denial-of-service.


* CVE-2019-11486: Denial-of-service in Siemens R3964 line discipline drivers.

Multiple race conditions in the r3964 line discipline driver could lead to
various conditions that could be exploited to cause a denial-of-service.


* Improved fix for Spectre v1: Bounds-check bypass in ALSA sound drivers.

Several ALSA sound device drivers contain array accesses whose values
are controlled by userspace input, and might therefore be vulnerable to
a Spectre variant 1 speculative bounds-check bypass attack.


* Improved fix for Spectre v1: Bounds-check bypass in ACP Modem driver.

A user-controlled value is used to index an array in the ACP Modem
driver. This flaw could be exploited using a Spectre v1 style attack to
leak information about the running system.


* Improved fix for Spectre v1: Bounds-check bypass in IPMI subsystem.

Missing sanitization of an array index after a bounds check during
multiple user-controlled configuration operations in the IPMI subsystem
could lead to an information leak. A local attacker could use this flaw to
escalate privilege.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
