[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DLA-2586-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Mar 24 13:44:55 PDT 2021


Synopsis: DLA-2586-1 can now be patched using Ksplice
CVEs: CVE-2019-19318 CVE-2019-19813 CVE-2019-19816 CVE-2020-27815 CVE-2020-27825 CVE-2020-28374 CVE-2020-29568 CVE-2020-29569 CVE-2020-29660 CVE-2020-29661 CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038 CVE-2021-3178 CVE-2021-3347 CVE-2929-36158

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian kernel update, DLA-2586-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2021-26931, CVE-2021-28038: Mishandling of errors causes DoS of Xen backend.

Several error conditions in the scsi, block, and net Xen backend drivers
incorrectly cause kernel assertion failures. A malicious or buggy Xen
frontend might trigger these conditions, causing a denial-of-service in the
host.


* CVE-2020-29660, CVE-2020-29661: Use-after-free in tty subsystem.

Locking inconsistencies in the tty subsystem whilst handling certain
ioctls could result in a use-after-free. A local user could use this to
cause an information leak or denial of service.


* CVE-2021-26932, XSA-361: Denial-of-host-service by malicious Xen frontend.

Batched mapping operations can be potentially mishandled by the Linux
Xen backend, resulting in incorrectly reported success or failure of the
operation. Running a malicious or buggy frontend could result in a
denial-of-service on the host.


* CVE-2019-19813, CVE-2019-19816: Invalid memory accesses during btrfs filesystem sync.

A failure to properly validate certain metadata in a btrfs filesystem
image can lead to out-of-bounds writes and use-after-free issues.  Using
a specially crafted btrfs image, a local attacker could potentially
exploit these flaws to escalate privilege or cause other unexpected
behavior, including a denial-of-service.


* CVE-2021-26930, XSA-365: Bad error handling of blkback grant references.

The Xen blkback driver can incorrectly ignore errors when mapping grant
references, potentially reporting a false success, and causing unmapped
memory to be accessed. Hosting a malicious or buggy frontend driver
might result in a denial-of-service on the host.


* Oracle has determined that CVE-2020-27815 is not applicable.

Oracle has determined that CVE-2020-27815 is not applicable; the patch
corrects a false-positive linter warning.  Applying the patch results in
no changes to the generated object files.


* CVE-2929-36158: Out-of-bounds memory write in wireless mwifiex driver.

A logic error in the mwifiex wireless driver may overwrite allocated buffer
space.  A local user could exploit this vulnerability to cause a
denial-of-service or potentially escalate privileges.


* CVE-2020-28374: Access control bypass when reading or writing TCM devices.

Lack of validation against the session's list when matching a Target Core
Mod (TCM) device during an eXtended COPY (XCOPY) operation leads to access
control bypass.  Attackers with access to one device could read and write
from/to other devices they should not have access to.


* CVE-2020-29569: Use-after-free when disconnecting Xen block devices.

A logic error when disconnecting Xen block devices may cause a use-after-free.
A rogue guest instance may be able to use this to cause a denial-of-service
on dom0.


* CVE-2021-3178: Path traversal vulnerability in NFSv3 filesystem.

A flaw in the NFSv3 implementation when there is an NFS export of
a subdirectory of a filesystem could lead to a leak of the file handle
for the parent directory. A remote attacker could use this flaw to traverse
to other parts of the filesystem and gain more access than expected.


* CVE-2020-27825: Race condition in kernel tracing buffers causes DoS.

Missing locking around kernel trace buffers could result in
use-after-free when the buffers are resized. A malicious user with trace
permissions might exploit this to cause a denial-of-service or escalate
their privileges.


* Note: Oracle will not be providing a rebootless update for CVE-2020-29568.

Oracle has determined that patching this vulnerability live on a running system
would not be safe and recommends rebooting the vulnerable hosts.

Orabug: 32253412


* CVE-2019-19318: Use-after-free when mounting a btrfs image twice.

A logic error in the btrfs mount path can lead to a use-after-free
scenario if a btrfs image is mounted twice.  A local attacker could use
a specially crafted btrfs image to trigger this bug, which could cause
a system to exhibit unexpected behavior, or trigger a kernel assertion,
resulting in a denial-of-service.


* CVE-2021-27363, CVE-2021-27364: Leak of iSCSI transport handle via sysfs.

The raw iSCSI transport handle address is exposed via sysfs, potentially
granting a malicious user information about the running system.
Additionally, a user might exploit the same sysfs entry to create
malicious netlink messages.


* CVE-2021-27365: Malicious netlink message via iSCSI sysfs entries.

Some iSCSI sysfs controls do not validate the length of input data. A
malicious user could exploit this to send a crafted netlink message.


* Note: Oracle will not provide a zero-downtime update for CVE-2021-3347.

Oracle has determined that patching CVE-2021-3347 on a running Debian
Stretch system would not be safe and recommends rebooting to avoid
the vulnerability.
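
The following is an added example, not part of Oracle's advisory: a host triage script that combines the "autoinstall = yes" check from INSTALLING THE UPDATES with the two CVEs the notes above say will not receive a rebootless update. The function names are hypothetical, and treating a missing or unset autoinstall key as "no" is an assumption.

```shell
#!/bin/sh
# Added example: triage a Debian 9 host against this advisory.
# The config path, the upgrade command and the two reboot-only CVEs are
# taken from the advisory text; function names are hypothetical.

# CVEs for which the advisory says no rebootless update will be provided.
REBOOT_ONLY_CVES="CVE-2020-29568 CVE-2021-3347"

# Print the effective value of "autoinstall" in an uptrack.conf-style file.
# Comment lines are skipped and the last assignment wins.
# Assumption: a missing file or missing key is treated as "no".
autoinstall_value() {
    conf=$1
    [ -r "$conf" ] || { echo "no"; return 0; }
    awk -F= '
        /^[[:space:]]*#/ { next }
        {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key)
            gsub(/[[:space:]]/, "", val)
            if (key == "autoinstall") result = tolower(val)
        }
        END { print (result == "" ? "no" : result) }
    ' "$conf"
}

# Summarise what the operator still has to do on this host.
ksplice_plan() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    if [ "$(autoinstall_value "$conf")" = "yes" ]; then
        echo "live-updates: automatic"
    else
        echo "live-updates: run /usr/sbin/uptrack-upgrade -y"
    fi
    # Live patching does not cover these CVEs; the advisory recommends
    # rebooting, so list them regardless of the autoinstall setting.
    for cve in $REBOOT_ONLY_CVES; do
        echo "reboot-required: $cve"
    done
}

# Check the real config only when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
    ksplice_plan /etc/uptrack/uptrack.conf
fi
```
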

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




