[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DSA-4497)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Oct 15 13:55:41 PDT 2019


Synopsis: DSA-4497 can now be patched using Ksplice
CVEs: CVE-2015-2150 CVE-2017-18509 CVE-2018-20836 CVE-2018-20856 CVE-2019-10207 CVE-2019-10638 CVE-2019-10639 CVE-2019-1125 CVE-2019-13631 CVE-2019-14283 CVE-2019-14284 CVE-2019-15239 CVE-2019-3882 CVE-2019-3900

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian Security Advisory, DSA-4497.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
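As an added example (it is not part of the Oracle advisory and not Ksplice tooling), the POSIX shell script below does the two checks an administrator would want after reading the section above: whether a host has "autoinstall = yes" in its uptrack.conf (in which case no action is needed), and which of this advisory's CVEs are still outstanding on the host given the text of an installed-updates listing, separating the ones Ksplice can patch from the three the advisory says need a reboot into a newer kernel. It assumes the listing is what `uptrack-show` prints and that each installed update's description names its CVE ID; the listing format and both sample inputs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the advisory: check autoinstall state and
# report which DSA-4497 CVEs are still unpatched on this host.

# CVE list copied from the advisory header.
DSA_4497_CVES="CVE-2015-2150 CVE-2017-18509 CVE-2018-20836 CVE-2018-20856 \
CVE-2019-10207 CVE-2019-10638 CVE-2019-10639 CVE-2019-1125 CVE-2019-13631 \
CVE-2019-14283 CVE-2019-14284 CVE-2019-15239 CVE-2019-3882 CVE-2019-3900"

# CVEs for which the advisory says no zero-downtime update will be provided;
# these are only closed by booting into a newer kernel.
REBOOT_ONLY_CVES="CVE-2019-10638 CVE-2019-10639 CVE-2019-3900"

# Print "yes" if the given uptrack.conf-style file enables autoinstall, else "no".
# Assumption: the key appears as "autoinstall = yes" (any spacing), '#' comments.
autoinstall_enabled() {
    conf="$1"
    if grep -Eq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"; then
        echo yes
    else
        echo no
    fi
}

# Read an installed-updates listing on stdin and print, one per line, each
# advisory CVE not mentioned in it, tagged "ksplice" (patchable without reboot)
# or "reboot" (advisory says a kernel reboot is required).
# Assumption: each installed update's line contains its CVE-YYYY-NNNN identifier.
missing_cves() {
    installed="$(grep -oE 'CVE-[0-9]{4}-[0-9]+' | sort -u)"
    for cve in $DSA_4497_CVES; do
        if ! printf '%s\n' "$installed" | grep -qx "$cve"; then
            case " $REBOOT_ONLY_CVES " in
                *" $cve "*) echo "$cve reboot" ;;
                *)          echo "$cve ksplice" ;;
            esac
        fi
    done
}

# Constructed sample config standing in for /etc/uptrack/uptrack.conf.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample: updates must be applied by hand on this host
autoinstall = no
EOF

# Constructed sample listing (format assumed, two updates already applied).
SAMPLE_SHOW="$(cat <<'EOF'
Installed updates:
[abcd1234] CVE-2019-1125: Information leak in kernel entry code when swapping GS.
[ef567890] CVE-2018-20856: Use-after-free in block device core.
EOF
)"

printf 'autoinstall enabled: %s\n' "$(autoinstall_enabled "$SAMPLE_CONF")"
printf 'outstanding DSA-4497 CVEs on this host:\n'
printf '%s\n' "$SAMPLE_SHOW" | missing_cves
```

On a real host replace the sample config path with /etc/uptrack/uptrack.conf and pipe the actual listing into `missing_cves`; any line tagged "ksplice" should disappear after `uptrack-upgrade -y`, while lines tagged "reboot" will remain until the host boots a newer kernel.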


DESCRIPTION

* CVE-2019-1125: Information leak in kernel entry code when swapping GS.

A local attacker could speculatively access percpu data using a user
defined GS and leak information about running kernel to facilitate an
attack.


* CVE-2015-2150: Denial-of-service in Xen host from the guest.

A flaw in the Xen hypervisor allows guests to disable PCI_COMMAND on PCI
device reset, later causing a host crash when the guest tries to access the
device.  A local guest user could use this flaw to cause a
denial-of-service in the host.


* CVE-2018-20836: Use-after-free in SCSI SAS timeout.

A logic error when performing task completion for a SCSI SAS SMP timeout
could result in a use-after-free and kernel crash.


* CVE-2018-20856: Use-after-free in block device core.

A failure to initialize part of a structure in the block device allocation
path can lead to a use-after-free of certain kernel structures, which can
result in a kernel panic.  This could be used to cause a denial of service.


* CVE-2019-3882: Denial-of-service when repeatedly DMA mapping device MMIO.

By repeatedly mapping device MMIO memory via mmap, a malicious user
could potentially consume unbounded system memory, resulting in resource
starvation and a denial-of-service.


* CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.

A missing check in some Bluetooth drivers could lead to a NULL
pointer dereference triggered by an unprivileged user while executing
certain tty operations.  This could be exploited to cause a denial of
service attack.


* CVE-2019-13631: Denial-of-service in GTCO CalComp/InterWrite tablet.

Missing range checks could allow an out-of-bounds stack memory write
when parsing USB descriptors.  A physically present user could use a
malicious device to trigger an out-of-bounds access leading to a kernel
crash.


* CVE-2019-14284: Denial-of-service in floppy disk formatting.

A division by zero in the setup_format_params function for the floppy
disk driver could result in a kernel crash.  A local user with access to
the floppy disk device could use this flaw to crash the system.


* Invalid memory access in the floppy driver FDSETDRVPRM ioctl.

A failure to properly validate user input in the FDSETDRVPRM ioctl in the
floppy driver could result in an out of bounds read access associated with
kernel memory.


* Denial-of-service in FDSETDRVPRM and FDGETDRVTYP ioctls.

A failure to validate user input in the FDSETDRVPRM ioctl could result
in an invalid pointer dereference when an out of range value is set in
FDSETDRVPRM ioctl followed by the FDGETDRVTYP ioctl.  This could be
exploited for a denial-of-service attack.


* CVE-2019-14283: Denial-of-service in floppy disk geometry setting during insertion.

Missing input validation in the floppy disk geometry setting calls could
allow a malicious local user with access to the floppy device to cause
an out-of-bounds access either crashing the system or leaking the
contents of kernel memory.


* XSA-300: Denial-of-service in Xen memory ballooning.

A logic error in the Xen memory balloon device driver could result in
exhaustion of resources or crashes of the backend device drivers
resulting in IO stalls or guest failures.  A local privileged user could
use this flaw to cause a denial of service.


* CVE-2019-15239: Use-after-free in TCP write queue purging.

A race condition in the TCP code could result in a use-after-free and
possible memory corruption or kernel panic.  This could be used to cause
a denial-of-service.


* CVE-2017-18509: Memory corruption in IPv6 via setting socket options.

A missing check in the IPv6 ip6mr code could allow a privileged attacker
to control a pointer in kernel land, potentially causing a general
protection fault or being able to execute arbitrary code.


* Note: Oracle will not be providing a zero downtime update for CVE-2019-10639.

CVE-2019-10639 could allow a remote user to derive the value of the IP ID
field and thus partially defeat kernel address space layout randomization.


* Note: Oracle will not be providing a zero downtime update for CVE-2019-10638.

CVE-2019-10638 is a flaw in the IP ID generation code that could allow a
remote user to track remote Linux devices.


* Note: Oracle will not be providing a zero downtime update for CVE-2019-3900.

CVE-2019-3900 is a denial-of-service for vhost devices.  Virtual Machine
hosts using vhost devices for networking untrusted guests should reboot
into a newer kernel to mitigate CVE-2019-3900.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.