From christine.spang at oracle.com Fri Jun 22 11:30:27 2012
From: christine.spang at oracle.com (Christine Spang)
Date: Fri, 22 Jun 2012 14:30:27 -0400
Subject: [Ksplice][Fedora-15-updates] New updates available via Ksplice (FEDORA-2012-8931)
Message-ID: <4FE4B9C3.609@oracle.com>

Synopsis: FEDORA-2012-8931 can now be patched using Ksplice
CVEs: CVE-2012-2373 CVE-2012-2375 CVE-2012-2390

Systems running Fedora 15 can now use Ksplice to patch against the latest
Fedora kernel update, FEDORA-2012-8931.


INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 15 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these
updates will be installed automatically and you do not need to take any
action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Memory corruption in KVM device assignment slot handling.

  A race condition in the KVM device assignment slot handling, caused by
  missing locks around the unmapping of memory slots, could cause memory
  corruption.

* CVE-2012-2375: Kernel crash in NFSv4.

  The upstream fix for CVE-2010-4131 was incomplete and still exploitable
  under certain circumstances. nfs4_getfacl decoding causes a kernel crash
  when a server returns more than 2 GETATTR bitmap words in response to the
  FATTR4_ACL attribute request.

* Denial of service in TCP sockets.

  Splicing data to a TCP socket in out-of-memory conditions could result in
  stalls and a denial of service.

* Task hang in sync-mounted ext4 filesystems.

  An ext4 filesystem mounted with the sync option and no journal would
  result in task hangs when accessing the filesystem.

* NULL pointer dereference in MTD character driver.

  A NULL pointer dereference in the MTD character driver could result in a
  kernel panic.

* Deadlock in JFFS2 filesystem.

  Under certain circumstances, circular locking in the JFFS2 filesystem
  could result in a soft lockup.

* Use-after-free in device mapper subsystem.

  The expiry of a timer after suspending a device could result in a
  use-after-free, resulting in undefined operation.

* Memory leak in memory control group.

  The memory control group did not free all data structures on removal of
  the last event, leading to a memory leak.

* Denial of service in the Layer 2 Tunneling Protocol TX routine.

  A specially crafted send request over the L2TP protocol could lead to the
  TX function failing without releasing the socket mutex.

* CVE-2012-2373: Denial of service in PAE page tables.

  On a PAE system, a non-atomic load could be corrupted by a page fault,
  resulting in a kernel crash triggerable by an unprivileged user.

* CVE-2012-2390: Memory leak in hugetlbfs mmap() failure.

  Incorrect error handling in the mmap() implementation for hugetlbfs could
  result in reservations not being freed, resulting in a denial of service.

* Insufficient validation in asynchronous I/O.

  Insufficient validation in the asynchronous I/O setup code could result in
  accessing files locked with a mandatory file lock, or in overflowing the
  file offset, leading to data corruption.

* Use of undefined memory in iSCSI driver.

  The iSCSI driver could access undefined memory when parsing OEM parameters
  for single-controller devices, resulting in undefined behaviour.

* Use-after-free in SELinux policy loading.

  Incorrect initialisation of the number of policy booleans could result in
  accessing stale data after failing to load a new policy, and in undefined
  behaviour.

* Use-after-free in shared memory policies.

  Incorrect reference counting with shared memory policies could lead to a
  use-after-free condition and undefined behaviour. With SLUB debugging
  enabled this could result in a kernel crash.

* Deadlock in device mapper subsystem.

  The device mapper used the wrong type of memory allocation in flush
  submission, resulting in a possible deadlock and a denial of service.

* Use-after-free in USB userspace device I/O.

  Incorrect reference counting led to a possible race condition in several
  paths and a possible use-after-free, resulting in undefined behaviour.

* NULL pointer dereference in GMA500 driver.

  When a system has GMA500 devices with SDVO ports present, system suspend
  could result in a NULL pointer dereference and a kernel crash.

* Out-of-bounds memory access in IOMMU subsystem.

  An off-by-one error in the IOMMU subsystem when processing a fault could
  result in undefined behaviour.


SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.