[Ksplice][Fedora-15-updates] New updates available via Ksplice (FEDORA-2012-8931)

Christine Spang christine.spang at oracle.com
Fri Jun 22 11:30:27 PDT 2012


Synopsis: FEDORA-2012-8931 can now be patched using Ksplice
CVEs: CVE-2012-2373 CVE-2012-2375 CVE-2012-2390

Systems running Fedora 15 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2012-8931.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 15 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
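The two paths above (automatic installation when "autoinstall = yes" is set, a manual run of uptrack-upgrade otherwise) are easy to check across a fleet before assuming a host is patched. The following helper is an added example, not part of this announcement or of the Ksplice tooling; it reads an uptrack.conf and reports whether the manual command is still needed. The ini-style "key = value" parsing, the handling of "#" comments and the case-insensitive match on "yes" are this example's assumptions about the file format, and the sample configurations it creates are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the Ksplice announcement or the Uptrack tooling).
# Decide whether a Fedora 15 host still needs a manual "uptrack-upgrade -y"
# by reading the autoinstall setting from an uptrack.conf.
# Assumed format: ini-style "key = value" lines, "#" comments, "yes"/"no".

# uptrack_autoinstall_enabled FILE
# Returns 0 (true) when FILE sets "autoinstall = yes" (any case), 1 otherwise
# (missing file, missing key, or any other value).
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Drop comments, keep the value of the last "autoinstall" line (later wins),
    # then trim surrounding whitespace.
    val=$(sed -e 's/#.*$//' "$conf" \
          | awk -F= '/^[[:space:]]*autoinstall[[:space:]]*=/ { v = $2 }
                     END { gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v }')
    case "$val" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# recommended_action FILE
# Prints "automatic" when Uptrack will install the updates on its own, or the
# manual command given in the announcement otherwise.
recommended_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "automatic"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configurations (not real Ksplice files) to show both paths.
demo() {
    tmp=$(mktemp)
    # A commented-out "yes" must not count; the live setting is "no".
    printf '[main]\n# autoinstall = yes\nautoinstall = no\n' > "$tmp"
    echo "sample 1 -> $(recommended_action "$tmp")"
    # Mixed case and no spaces around "=" are still accepted.
    printf 'autoinstall=Yes\n' > "$tmp"
    echo "sample 2 -> $(recommended_action "$tmp")"
    rm -f "$tmp"
}

demo
```

Run it as `sh check-uptrack.sh`; to check a real host, call `recommended_action /etc/uptrack/uptrack.conf` instead of `demo`. The helper only reports what to do and never invokes uptrack-upgrade itself, so it is safe to run from an inventory script.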


DESCRIPTION

* Memory corruption in KVM device assignment slot handling.

A race condition in the KVM device assignment slot handling, caused by
missing locks around the unmapping of memory slots, could cause memory
corruption.


* CVE-2012-2375: Kernel crash in NFSv4.

The upstream fix for CVE-2010-4131 was incomplete and still exploitable
under certain circumstances.  nfs4_getfacl decoding causes a kernel
crash when a server returns more than 2 GETATTR bitmap words in response
to the FATTR4_ACL attribute request.


* Denial of service in TCP sockets.

Splicing data to a TCP socket in out-of-memory conditions could result in
stalls and a denial of service.


* Task hang in sync-mounted ext4 filesystems.

An ext4 filesystem mounted with the sync option and no journal would
result in task hangs when accessing the filesystem.


* NULL pointer dereference in MTD character driver.

A NULL pointer dereference in the MTD character driver could result in a
kernel panic.


* Deadlock in JFFS2 filesystem.

Under certain circumstances, circular locking in the JFFS2 filesystem
could result in a soft lockup.


* Use-after-free in device mapper subsystem.

The expiry of a timer after suspending a device could result in a
use-after-free resulting in undefined operation.


* Memory leak in memory control group.

The memory control group did not free all data structures on removal of
the last event, leading to a memory leak.


* Denial of service in the Layer 2 Tunneling Protocol TX routine.

A specially crafted send request over the L2TP protocol could lead to
the TX function failing without releasing the socket mutex.


* CVE-2012-2373: denial-of-service in PAE page tables.

On a PAE system, a non-atomic load could be corrupted by a page fault,
resulting in a kernel crash triggerable by an unprivileged user.


* CVE-2012-2390: Memory leak in hugetlbfs mmap() failure.

Incorrect error handling in the mmap() implementation for hugetlbfs
could result in reservations not being freed, resulting in a denial of
service.


* Insufficient validation in asynchronous I/O.

Insufficient validation in the asynchronous I/O setup code could result
in accessing files locked with a mandatory file lock or overflowing the
file offset leading to data corruption.


* Use of undefined memory in ISCSI driver.

The ISCSI driver could access undefined memory when parsing OEM
parameters for single-controller devices resulting in undefined
behaviour.


* Use-after-free in selinux policy loading.

Incorrect initialisation of the number of policy booleans could result
in accessing stale data after failing to load a new policy and undefined
behaviour.


* Use-after-free in shared memory policies.

Incorrect reference counting with shared memory policies could lead to a
use-after-free condition and undefined behaviour.  With SLUB debugging
enabled this could result in a kernel crash.


* Deadlock in device mapper subsystem.

The device mapper used the wrong type of memory allocation in flush
submission resulting in possible deadlock and a denial-of-service.


* Use-after-free in USB userspace device I/O.

Incorrect reference counting led to a possible race condition in
several paths and a possible use-after-free resulting in undefined
behaviour.


* NULL pointer dereference in GMA500 driver.

When a system has GMA500 devices with SDVO ports present, system suspend
could result in a NULL pointer dereference and kernel crash.


* Out-of-bounds memory access in IOMMU subsystem.

An off-by-one error in the IOMMU subsystem when processing a fault could
result in undefined behaviour.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
