[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-3442)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Mar 6 23:53:54 PST 2014
Synopsis: FEDORA-2014-3442 can now be patched using Ksplice
CVEs: CVE-2014-0049 CVE-2014-0100 CVE-2014-0101 CVE-2014-0102
Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-3442.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2014-0102: Denial-of-service in keyring cycle detector.
A logic error in the keyring subsystem could lead to a kernel BUG. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* CVE-2014-0049: Code execution in KVM mmio emulator.
A logic error in the KVM code could lead to out-of-bounds memory accesses,
resulting in a kernel crash or potentially allowing a local user to write
to host memory. A local, privileged user could use this flaw to elevate
privileges and execute arbitrary code in kernel mode.
* Denial-of-service in TTY subsystem when using low_latency.
Incorrect locking in the TTY subsystem could lead to a deadlock. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* CVE-2014-0100: Remote denial-of-service in the IPv4 fragmentation code.
A race condition in the IPv4 fragmentation code could result in a
use-after-free and kernel crash. A remote user could use this flaw to cause
a denial-of-service.
* CVE-2014-0101: NULL pointer dereference in SCTP protocol.
A flaw was found in the way the Linux kernel processed authenticated
COOKIE_ECHO chunks in the SCTP protocol. A remote attacker could use this flaw
to cause a denial-of-service by sending a maliciously prepared SCTP
handshake in order to trigger a NULL pointer dereference on the server.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.