[Ksplice][RHEL6-Updates] New updates available via Ksplice (RHSA-2011:1849-1)

[Nelson Elhage]

Synopsis: RHSA-2011:1849-1 can now be patched using Ksplice
CVEs: CVE-2011-4127
Red Hat Security Advisory Severity: Important

Systems running Red Hat Enterprise Linux 6, CentOS 6, and Scientific
Linux 6 can now use Ksplice to patch against the latest Red Hat
Security Advisory, RHSA-2011:1849-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on RHEL 6, CentOS 6,
and Scientific Linux 6 install these updates.  You can install these
updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.

Using the SG_IO IOCTL to issue SCSI requests to partitions or LVM
volumes resulted in the requests being passed to the underlying block
device. If a privileged user only had access to a single partition or
LVM volume, they could use this flaw to bypass those restrictions and
gain read and write access (and be able to issue other SCSI commands)
to the entire block device.

In KVM (Kernel-based Virtual Machine) environments using raw format
virtio disks backed by a partition or LVM volume, a privileged guest
user could bypass intended restrictions and issue read and write
requests (and other SCSI commands) on the host, and possibly access
the data of other guests that reside on the same underlying block
device. (CVE-2011-4127, Important)

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.