[Ksplice][Fedora-15-updates] New updates available via Ksplice (FEDORA-2011-11019)
Anders Kaseorg
anders.kaseorg at oracle.com
Sat Aug 20 16:18:52 PDT 2011
Synopsis: FEDORA-2011-11019 can now be patched using Ksplice
CVEs: CVE-2011-2699 CVE-2011-2707 CVE-2011-2723 CVE-2011-2909
Systems running Fedora 15 can now use Ksplice to patch against the
latest Fedora security update, FEDORA-2011-11019.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Fedora 15 install
these updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.
DESCRIPTION
* CVE-2011-2909: Information leak in comedi driver.
The do_devinfo_ioctl function in the comedi driver incorrectly copied
uninitialized memory beyond the end of a string to user space.
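The pattern behind this class of bug, shown as an added user-space illustration (constructed for this note, not the comedi driver's own code): a struct is filled field by field, but a string field is only written up to its terminating NUL, and the whole object, stale bytes included, is then copied to user space. The struct layout, the reused "frame" memory, and the copy_to_user_sim() helper are all assumptions made for the demo; the fix is the usual one of clearing the object before populating it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for an ioctl "device info" struct handed back to
 * user space. The layout is illustrative, not the comedi driver's own. */
#define DEVINFO_NAME_LEN 20

struct devinfo {
    uint32_t version;
    char driver_name[DEVINFO_NAME_LEN];
    char board_name[DEVINFO_NAME_LEN];
};

/* Memory standing in for a kernel stack frame or slab object that still
 * holds bytes from earlier use. It is filled with a fixed marker (0xAA)
 * so the leak is observable deterministically in a user-space build. */
static union {
    struct devinfo info;
    unsigned char raw[sizeof(struct devinfo)];
} frame;

static struct devinfo *reused_frame(void)
{
    memset(frame.raw, 0xAA, sizeof frame.raw); /* leftover contents */
    return &frame.info;
}

static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* strlcpy-style copy: writes at most len-1 chars plus a NUL and leaves
 * the rest of the destination untouched (unlike strncpy, which pads). */
static void copy_name(char *dst, const char *src, size_t len)
{
    size_t n = bounded_len(src, len - 1);
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* copy_to_user() stand-in: in the kernel this crosses the privilege
 * boundary; here it is a plain memcpy into the caller's buffer. */
static void copy_to_user_sim(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Defective pattern: only the string bytes up to the NUL are written,
 * then the whole struct, stale tail bytes and all, is copied out. */
void devinfo_ioctl_leaky(struct devinfo *user_out, const char *drv, const char *board)
{
    struct devinfo *d = reused_frame();
    d->version = 1;
    copy_name(d->driver_name, drv, DEVINFO_NAME_LEN);
    copy_name(d->board_name, board, DEVINFO_NAME_LEN);
    copy_to_user_sim(user_out, d, sizeof *d);
}

/* Fixed pattern: clear the entire object before filling it, so every
 * byte that reaches user space has a defined value. */
void devinfo_ioctl_fixed(struct devinfo *user_out, const char *drv, const char *board)
{
    struct devinfo *d = reused_frame();
    memset(d, 0, sizeof *d);
    d->version = 1;
    copy_name(d->driver_name, drv, DEVINFO_NAME_LEN);
    copy_name(d->board_name, board, DEVINFO_NAME_LEN);
    copy_to_user_sim(user_out, d, sizeof *d);
}

/* Audit helper: count non-zero bytes after the terminating NUL of a
 * fixed-size name field. A correctly cleared struct always yields 0. */
size_t stale_bytes_after_nul(const char *field, size_t len)
{
    size_t stale = 0;
    for (size_t i = bounded_len(field, len) + 1; i < len; i++)
        if (field[i] != '\0')
            stale++;
    return stale;
}

/* Run one variant on the same constructed input ("sim" as driver name)
 * and report how many stale bytes reached the caller via driver_name. */
size_t leaked_bytes(int fixed)
{
    struct devinfo out;
    if (fixed)
        devinfo_ioctl_fixed(&out, "sim", "board");
    else
        devinfo_ioctl_leaky(&out, "sim", "board");
    return stale_bytes_after_nul(out.driver_name, DEVINFO_NAME_LEN);
}
```

With the 20-byte name field and the 3-character driver name, the leaky variant hands 16 marker bytes to the caller, the fixed variant none; the same audit helper is a cheap check to run over any ioctl return path that copies out fixed-size string fields.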
* Fix heap corruption bug in pmcraid driver.
Passing a malformed PMCRAID_PASSTHROUGH_IOCTL ioctl from userspace could
lead to heap corruption or denial of service.
* CVE-2011-2707: Arbitrary read vulnerability in ptrace.
A missing access control check in the ptrace_setxregs() function in
the xtensa architecture allowed an unprivileged user to read arbitrary
kernel memory.
* CVE-2011-2723: Remote denial of service vulnerability in gro.
The skb_gro_header_slow function in the Linux kernel had a bug which
allowed a remote attacker to put certain gro fields in an inconsistent
state, resulting in a denial of service.
* Double free bug in ipv4 gre protocol.
The error handler function for the ipv4 gre protocol did not apply to
the gre protocol implementation, resulting in a double free and kernel
crash when handling gre errors.
* NULL pointer dereference in iwlagn subsystem.
The iwlagn_wait_tx_queue_empty function in the iwlagn subsystem did
not properly check whether a certain pointer was NULL before
dereferencing it.
* Fix divide-by-zero bug in ALSA snd-usb subsystem.
The parse_audio_feature_unit function in the ALSA snd-usb subsystem
did not properly check whether a user-provided size was zero before
dividing by it, resulting in a divide-by-zero exception in the kernel.
* Kernel oops due to race in ext3 filesystem.
The Linux kernel had a race condition between the ext3_xattr_block_set
function and the ext3_get_blocks_handle function, which could both
call into the block reservation system at the same time, resulting in
a kernel oops or a corrupt reservation structure.
* Kernel oops in journal credit accounting for ext3/4.
The ext3_symlink and ext4_symlink functions in the Linux kernel did
not properly count journal credits for long symlinks, which could
result in a failed assertion and kernel oops.
* NULL pointer dereference when mounting with CIFS prefixpath.
The cifs_d_revalidate function in the Linux kernel did not properly
check whether the "nd" pointer was NULL before dereferencing it,
resulting in a NULL pointer dereference and kernel crash.
* Information leak due to race condition in do_io_accounting.
The do_io_accounting function in the proc subsystem of the Linux
kernel did not properly lock task->signal_cred_guard_mutex when
gathering io information, allowing an unprivileged user to gather
sensitive io statistics from a privileged process (e.g. ssh/ftp
password length).
* CVE-2011-2699: Predictable ipv6 fragment identification numbers.
The generator for ipv6 fragment identification numbers used a single
global counter, so the identifiers were highly predictable, leaving the
kernel vulnerable to a denial of service attack.
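Why a single shared generator is the problem, shown with an added constructed model (not the kernel's ipv6 code): one global counter makes the next identifier sent to any destination predictable from an identifier observed at another, whereas a counter kept per destination and started from a random value does not share state between peers. The ident_gen struct, the peer indices, and the small LCG stand-in for a random source are all assumptions of the demo; a real implementation must draw its starting values from the kernel's CSPRNG.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of fragment identifier generation. Two strategies:
 * a single global counter shared by every destination (the weak scheme
 * described above) and a per-destination counter started at a random
 * value. Neither is the kernel's actual implementation. */
#define MAX_PEERS 8

/* Deterministic LCG stand-in for a random source so the demo is
 * reproducible; a real kernel must use its CSPRNG here. */
static uint32_t demo_rand_state = 0x9E3779B9u;
static uint32_t demo_rand(void)
{
    demo_rand_state = demo_rand_state * 1664525u + 1013904223u;
    return demo_rand_state;
}

struct ident_gen {
    int per_peer;                  /* 0 = one global counter */
    uint32_t global_next;
    uint32_t peer_next[MAX_PEERS]; /* per-destination counters */
    int peer_init[MAX_PEERS];      /* whether peer_next[i] was seeded */
};

void ident_gen_init(struct ident_gen *g, int per_peer)
{
    g->per_peer = per_peer;
    g->global_next = 0;
    for (int i = 0; i < MAX_PEERS; i++) {
        g->peer_next[i] = 0;
        g->peer_init[i] = 0;
    }
}

/* Hand out the next fragment identifier for a packet to 'peer'. */
uint32_t next_ident(struct ident_gen *g, int peer)
{
    if (!g->per_peer)
        return g->global_next++;
    if (!g->peer_init[peer]) {
        g->peer_next[peer] = demo_rand(); /* random per-peer start */
        g->peer_init[peer] = 1;
    }
    return g->peer_next[peer]++;
}

/* Predictability check: observe the identifier used for peer 0, guess
 * that the next packet to peer 1 carries observed+1, and compare with
 * what the generator actually emits. Returns 1 if the guess was right.
 * With the global counter this is always 1; with per-peer seeding the
 * two peers share no state, so the guess fails. */
int predictable_across_peers(int per_peer)
{
    struct ident_gen g;
    ident_gen_init(&g, per_peer);
    uint32_t observed = next_ident(&g, 0);
    uint32_t guess = observed + 1;
    uint32_t actual = next_ident(&g, 1);
    return guess == actual;
}
```

The per-peer result holds for any seed of this LCG (its multiplier is even, so two consecutive outputs can never differ by exactly one), which is what makes the check deterministic here; the property a reviewer wants from a real generator is the same, that identifiers observed on one path tell an observer nothing about those used on another.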
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.