[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DSA-4531)
Oracle Ksplice
ksplice-support_ww at oracle.com
Fri Oct 18 00:57:43 PDT 2019
Synopsis: DSA-4531 can now be patched using Ksplice
CVEs: CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902
Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian Security Advisory, DSA-4531.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2019-14835: Privilege escalation during live migration of guest.
A failure to check for guest creating a zero length queue in the vhost driver
can lead to a buffer overflow in the host kernel. A guest virtual machine
could use this flaw to crash the host or potentially escalate privileges when
the virtual machine is live migrated.
* CVE-2019-15117: Out-of-bounds access when parsing USB descriptor in ALSA USB driver.
A missing check when parsing USB descriptor in ALSA USB driver could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.
* CVE-2019-15118: Stack overflow when checking input source type in ALSA USB driver.
A logic error when checking input source type in ALSA USB driver could
lead to a stack overflow. A local attacker could use this flaw to cause
a denial-of-service.
* CVE-2019-14821: Denial-of-service in KVM MMIO coalesced writes.
An out-of-bounds access to the coalesced MMIO ring buffer could result
in a kernel crash. A malicious guest could use this flaw to crash the
hypervisor or potentially, escalate privileges.
* CVE-2019-15902: Bounds-check bypass in sys_ptrace().
An error when backporting original Spectre v1 fix for ptrace in stable
kernels makes it vulnerable to Spectre v1. A local attacker could
exploit this flaw to gain information about the running system.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Debian-9.0-Updates
mailing list