[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2016-63ee0999e4)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Jul 19 07:14:31 PDT 2016


Synopsis: FEDORA-2016-63ee0999e4 can now be patched using Ksplice
CVEs: CVE-2016-1583 CVE-2016-3134 CVE-2016-4997 CVE-2016-4998

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-63ee0999e4.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2016-1583: Privilege escalation in eCryptfs.

eCryptfs was incorrectly trying to use the mmap() file operation on a lower
filesystem that may not support it.  A local, unprivileged user could use
this flaw to cause a denial-of-service through recursive faults or
potentially escalate privileges.


* CVE-2016-3134, CVE-2016-4997, CVE-2016-4998: Memory corruption in SO_SET_REPLACE netfilter interface.

The netfilter subsystem does not correctly validate IPT_SO_SET_REPLACE
data from userspace which can allow local users with CAP_NET_ADMIN
privileges to trigger kernel memory corruption and possibly gain
elevated privileges.


* Use after free in netlink dump interface.

Incorrect locking in the generic netlink interface can cause a use after
free and kernel panic when attempting to dump multiple interfaces
concurrently.


* Deadlock when configuring ethernet team interfaces.

The team network driver incorrectly locks data structures when changing
configuration data, which can trigger a deadlock and kernel panic.


* Kernel panic when creating UDP L2TP socket.

A logic error when creating an L2TP socket for UDP data can cause the
kernel to use an uninitialized pointer, which triggers a kernel panic.


* Kernel panic when setting KVM emulated debug registers.

The KVM subsystem does not validate the value of emulated debug
registers which can trigger a kernel panic when resuming a guest. A
privileged guest can use this flaw to crash the host.


* Kernel panic in KVM emulated IRQ chip.

A privileged guest can trigger a NULL pointer dereference and kernel
panic in the host when a non-existent IRQ route is modified.


* Kernel panic when destroying cgroup.

The kernel cgroup subsystem does not hold the correct locks when
destroying a cgroup which can lead to a kernel panic.


* Memory leak when malformed UDP packets are tunneled.

A logic error when handling malformed UDP packets in a tunnel can
trigger a kernel memory leak and eventual kernel panic.


* Use after free when mounting BPF filesystem in namespace.

The Berkeley Packet Filter allows mounting a filesystem interface in
namespaces which can trigger a kernel panic because of incorrect
reference counting.


* Kernel panic when adding a negative key to a keyring.

A logic error in the kernel keyring subsystem can cause a write to an
uninitialized pointer which can trigger kernel memory corruption and a
kernel panic.


* Incorrect AES XTS encryption in AMD crypto-coprocessor.

A logic error when offloading AES XTS operations to an AMD
crypto-coprocessor can cause incorrect results when attempting to
encrypt large amounts of data.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


