[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2015-c1c2f5e168)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed Dec 23 13:48:13 PST 2015
Synopsis: FEDORA-2015-c1c2f5e168 can now be patched using Ksplice
CVEs: CVE-2013-7446 CVE-2015-7550 CVE-2015-8543
Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-c1c2f5e168.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
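The check described above can be scripted when auditing several hosts. The following is an added example, not part of the original advisory or of Oracle's tooling. It assumes uptrack.conf holds INI-style "key = value" lines with "#" or ";" comments; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's tooling. Assumes uptrack.conf holds INI-style
# "key = value" lines and that "#" or ";" starts a comment.

# Print the effective autoinstall setting of a config file:
# "yes", another configured value, "unset", or "unreadable".
autoinstall_value() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    awk -F= '
        { sub(/[#;].*/, "") }                  # drop comments; awk re-splits fields
        $1 ~ /^[ \t]*autoinstall[ \t]*$/ {     # exact key, surrounding blanks allowed
            v = tolower($2); gsub(/[ \t\r]/, "", v); val = v   # last assignment wins
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Print the action the advisory calls for, given a config file path.
uptrack_action() {
    case "$(autoinstall_value "$1")" in
        yes)        echo "automatic: no action needed" ;;
        unreadable) echo "unknown: $1 is missing or unreadable (rerun as root)" ;;
        *)          echo "manual: run /usr/sbin/uptrack-upgrade -y" ;;
    esac
}

# Constructed sample config: the enabled line is commented out, so the
# effective value is "no" and a manual upgrade is required.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Settings]
# autoinstall = yes
autoinstall = no
EOF
echo "sample: $(uptrack_action "$sample")"
rm -f "$sample"

# Real host: pass a path as $1, or default to the file named in the advisory.
conf=${1:-/etc/uptrack/uptrack.conf}
echo "$conf: $(uptrack_action "$conf")"
```

The script only reports; it never runs uptrack-upgrade itself.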
DESCRIPTION
* Use-after-free in Unix socket on concurrent reads while splicing.
A race condition in the Unix socket code on concurrent reads while splicing
could cause a socket buffer to be freed while in use by the splicing code,
leading to a kernel panic. A local unprivileged user could use this flaw
to cause a denial-of-service.
* Use-after-free in Unix stream socket on concurrent writes.
A flaw in the Unix socket code could cause a use-after-free on concurrent
writes to a stream socket. A local, unprivileged user could use this flaw to
cause a denial-of-service.
* List corruption in Unix sockets when adding a socket buffer to the receive queue.
Incorrect locking when appending a socket buffer to a receive queue on a
Unix socket could lead to list corruptions and kernel panic. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* NULL pointer dereference when routing IPv6 with DST_NOCACHE.
A missing NULL pointer check when routing IPv6 with DST_NOCACHE could lead
to a NULL pointer dereference. An attacker could use this flaw to cause a
denial-of-service.
* Deadlock in Mellanox Ethernet driver when releasing save counters.
A sleeping function was being called with a spinlock held in the Mellanox
Ethernet driver, potentially leading to a kernel deadlock.
* NULL pointer dereference in Cavium Ethernet driver when removing the interface.
A missing check for NULL before removing a Cavium Ethernet driver NIC could
lead to a NULL pointer dereference.
* Out-of-memory condition when sending a TCP message.
A flaw in the TCP stack allows a local, unprivileged user to cause a huge
contiguous memory allocation, potentially leading to an out-of-memory
condition.
* Integer underflow when receiving an odd number of file descriptors through Unix sockets.
Mis-calculation of the message size when passing an odd number of file
descriptors through a Unix socket could lead to an integer underflow. A
local, unprivileged user could use this flaw to cause a denial-of-service.
* Memory leak when removing routing table in the IPv4 and IPv6 stacks.
Incorrect reference counting when destroying a routing table in the IPv4
and IPv6 stacks leads to a memory leak. A local user could use this flaw
to exhaust the memory on the system and cause a denial-of-service.
* Out-of-bounds memory access when updating elements of a Berkeley Packet Filter array.
A logic error when copying elements of a Berkeley Packet Filter to an array
could lead to an out-of-bounds memory read. A local, privileged user could
use this flaw to cause a denial-of-service.
* NULL pointer dereference when dumping proxy entries.
A missing check for NULL when dumping proxy entries could lead to a NULL
pointer dereference when the proxy entry is device agnostic. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* Data loss on Btrfs when cloning an inline extent.
A flaw in the Btrfs filesystem clone ioctl() causes data loss when cloning
a file with an inline extent to a larger file with an inline extent.
* Kernel BUG when running delayed references on Btrfs.
A kernel BUG assertion can be triggered in the Btrfs driver when running
delayed references under certain conditions. A local, unprivileged user
could use this flaw to cause a denial-of-service.
* Use-after-free in Rados block device when queueing work.
Incorrect reference counting in the Rados block device when queueing work
could lead to a use-after-free and kernel panic. A local attacker could
use this flaw to cause a denial-of-service.
* Multiple kernel BUG assertions in the ext4 crypto filesystem.
Multiple different kernel BUG assertions in the ext4 crypto subsystem could
be triggered by unprivileged users and lead to a denial-of-service.
* Use-after-free in the ext4 filesystem when stopping journaling.
A flaw in the ext4 filesystem when stopping journaling leads to a
use-after-free. A local, privileged user could use this flaw to cause a
denial-of-service.
* Data corruption on ext4 filesystem when recording an error into the super block.
A race condition in the ext4 filesystem when using JBD2 journaling could
cause non-recoverable data corruption under certain circumstances. A
local, unprivileged user could use this flaw to cause permanent data
corruption.
* Denial-of-service in the NFSv4 client code when allocating an ID.
Incorrect reference counting when allocating an ID in the NFSv4 client code
could lead to a kernel crash under certain circumstances. A local,
unprivileged user with access to an NFSv4 mount could use this flaw to cause
a denial-of-service.
* Umask bypass when creating a block or character file on OCFS2.
A flaw in the OCFS2 filesystem causes the current umask to be ignored when
creating a block or character special file. A local, unprivileged user
could get access to those special files and potentially use them to escalate
privileges.
* Permission bypass on overlayfs when setting file extended attributes.
A flaw in overlayfs when setting file extended attributes could allow
an otherwise restricted user to change capabilities on a file. A local,
unprivileged user could use this flaw to elevate privileges.
* Memory leak when closing an SCTPv6 socket.
The SCTPv6 code failed to release its associated IPv6 socket when closing
the socket, leading to a memory leak. A local, unprivileged user could use
this flaw to exhaust the memory on the system and cause a
denial-of-service.
* CVE-2013-7446: Use after free in Unix sockets.
Invalid reference counting in the kernel Unix socket subsystem can
trigger a use after free condition. A local unprivileged user could use
this flaw to bypass permission checks on Unix sockets or potentially
escalate privileges.
* CVE-2015-7550: Denial-of-service when reading and revoking a key concurrently.
A race condition in the cryptographic key management sub-system could lead
to a kernel crash when revoking and reading a key concurrently. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* CVE-2015-8543: Denial-of-service on out of range protocol for raw sockets.
It was discovered that a local user permitted to create raw sockets could
cause a denial-of-service by specifying an invalid protocol number for the
socket.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.