[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2015-10677)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Jun 30 08:44:46 PDT 2015


Synopsis: FEDORA-2015-10677 can now be patched using Ksplice
CVEs: CVE-2015-4001 CVE-2015-4002 CVE-2015-4003

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-10677.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
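As an added illustration (not part of the Ksplice advisory and not Oracle's code), the following POSIX shell helper reads the autoinstall setting from an uptrack.conf file and reports whether a manual uptrack-upgrade run is still needed on that host. Only the "autoinstall = yes" line and the file path are taken from the advisory; everything else about the file format is assumed, and the sample configs written below are constructed for the example.

```shell
# Added example (not from the Ksplice advisory): decide whether a host needs a
# manual `uptrack-upgrade -y` run by reading the autoinstall setting from
# /etc/uptrack/uptrack.conf. Only the "autoinstall = yes" key is documented on
# the page; the rest of the file format is assumed here.

# Print "yes" (and return 0) if autoinstall is enabled in the given config
# file, otherwise print "no" (and return 1). Comment lines are skipped,
# whitespace around "=" is tolerated, the last occurrence of the key wins,
# and the value comparison is case-insensitive.
uptrack_autoinstall_enabled() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "no"
        return 1
    fi
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        yes) echo "yes"; return 0 ;;
        *)   echo "no";  return 1 ;;
    esac
}

# Print the action an administrator should take for the given config path.
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1" >/dev/null; then
        echo "autoinstall enabled: updates are installed automatically"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (not real files from the advisory) so the script
# runs stand-alone without touching /etc/uptrack/uptrack.conf.
CONF_AUTO=$(mktemp)
printf '# Uptrack configuration (constructed sample)\nautoinstall = yes\n' > "$CONF_AUTO"
CONF_MANUAL=$(mktemp)
printf '# autoinstall = yes   (commented out, so not in effect)\nautoinstall = no\n' > "$CONF_MANUAL"
CONF_MISSING=/nonexistent/uptrack.conf   # exercises the unreadable-file path

uptrack_plan "$CONF_AUTO"
uptrack_plan "$CONF_MANUAL"
uptrack_plan "$CONF_MISSING"
```

To check a real host, call `uptrack_plan /etc/uptrack/uptrack.conf`; an unreadable or absent config is deliberately treated as "not enabled" so the conservative action (run the upgrade) is recommended.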


DESCRIPTION

* CVE-2015-4692: Denial-of-service when checking for events in the emulated KVM APIC.

A missing check for NULL in the KVM code when checking if there are any
pending events on the emulated interrupt controller could lead to NULL
pointer dereference.  A local user with access to /dev/kvm could use this
flaw to cause a denial-of-service.


* NULL pointer dereference in Btrfs when sending a snapshot.

A logic error in the Btrfs code when sending a snapshot could lead to a
NULL pointer dereference on concurrent snapshot deletion.  A local,
privileged user could use this flaw to cause a denial-of-service.


* CVE-2015-4003: Remote divide-by-zero in the ozwpan driver.

The oz_usb_handle_ep_data() function in the ozwpan driver could allow remote
attackers to cause a divide-by-zero via a crafted packet.


* CVE-2015-4001, CVE-2015-4002: Remote denial-of-service in ozwpan driver.

Lack of input validation and incorrect use of signed types in the ozwpan
driver could lead to a heap overflow.  A remote attacker could use these flaws
via a crafted packet to cause a denial-of-service or potentially gain code
execution.


* Memory corruption in Ceph crush mapper.

A flaw in the Ceph crush mapper could cause temporary buffers to overlap
when there are more OSDs than replicas.  A local, privileged user could use
this flaw to cause memory corruption.


* Denial-of-service in the BSD Packet Filter just-in-time compiler.

A logic error in the BSD Packet Filter (BPF) just-in-time (JIT) compiler
could cause the JIT-compiled program to contain only software breakpoints
instead of the intended opcodes.  A local, privileged user could use this
flaw to cause a denial-of-service by loading a specially crafted BPF program.


* NULL pointer dereference when handling IPv4 errors.

A missing check for NULL could lead to a NULL pointer dereference when
handling IP errors when the network device is being removed.  An attacker
could use this flaw to cause a denial-of-service.


* Kernel crash when attaching a new queue discipline in the network scheduler.

A flaw in the networking scheduler could lead to a use-after-free when
attaching a new queue discipline to a network device.  A local, privileged
user could use this flaw to cause a denial-of-service.


* Kernel panic in the network scheduler on classifier module unload.

A missing RCU barrier when removing a queue discipline on concurrent module
unload could lead to the kernel calling unloaded code.  A local, privileged
user could use this flaw to cause a denial-of-service or potentially
escalate privileges.


* NULL pointer dereference in CAIF and Unix sockets when receiving.

Lack of checking that the socket has been destroyed in the recvmsg()
handlers for CAIF and Unix sockets could lead to a NULL pointer
dereference.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in the bridge driver when a query expires.

A logic error in the bridge driver when a query expires causes the wrong
field of a structure to be set to NULL.  A local, unprivileged user could use
this flaw to cause a denial-of-service.


* Kernel hang on UDP flood with wrong checksums.

A flaw in the handling of UDP packets with incorrect checksums could lead to
a kernel hang under a UDP flood.  A remote attacker could use this flaw to
cause a denial-of-service.


* Memory corruption on concurrent netlink insertion or removal.

Incorrect locking in the netlink driver could lead to memory corruptions
and kernel panic on concurrent netlink insertion or removal.  A local,
privileged user could use this flaw to cause a denial-of-service.


* Kernel panic on Intel VT-d IOMMU in passthrough mode.

A flaw in the Intel VT-d IOMMU driver when configured in passthrough mode
could lead to an invalid pointer dereference on translation-disabled
devices.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Kernel hang in generic block driver.

The generic block driver was calling a function not intended to run in both
interrupt and process context. In certain cases, this could lead to the
kernel hanging.


* Use-after-free in the memory hotplug code when re-adding a node.

Failure to reset a pointer to NULL in the memory hotplug code when
re-adding a node could lead to a use-after-free and kernel panic.  A local,
privileged user could use this flaw to cause a denial-of-service.


* Kernel BUG when migrating compound pages on NUMA.

A flaw in the memory migrating code could result in compound pages being
marked for migration which later causes a kernel assertion to trigger,
resulting in a denial-of-service.


* Use-after-free in the multiqueue block core code.

Incorrect ordering when releasing internal structures when destroying a
queue leads to a use-after-free and kernel panic.  A local, privileged user
could use this flaw to cause a denial-of-service.


* Information leak in CFG80211 WiFi extension.

Failure to zero a stack-allocated structure used for statistics in the
CFG80211 WiFi extension could result in information leaking from one device
to another.  A local, unprivileged user could use this flaw to gain
knowledge about network traffic on other devices.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
