[Ksplice-Fedora-22-updates] New updates available via Ksplice (FEDORA-2016-84fdc82b74)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed May 25 09:48:29 PDT 2016


Synopsis: FEDORA-2016-84fdc82b74 can now be patched using Ksplice
CVEs: CVE-2016-0758 CVE-2016-4557 CVE-2016-4558 CVE-2016-4569

Systems running Fedora 22 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-84fdc82b74.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 22 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
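
To tell which of the two cases above a given host is in, the following
shell functions read the autoinstall setting. This is an added example,
not Oracle's code. It assumes uptrack.conf uses INI-style "key = value"
lines with "#" or ";" comment lines, and that only "yes" means enabled.
The function names and the UPTRACK_CONF variable are hypothetical.

```shell
#!/bin/sh
# Added example: check whether Ksplice Uptrack autoinstall is enabled.
# Assumptions: INI-style "key = value" lines; key and value are compared
# case-insensitively; only "yes" counts as enabled.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# Print the effective (last assigned) value of "autoinstall", lower-cased.
# Prints nothing if the key is absent or only appears in comment lines.
# Returns 2 if the config file cannot be read.
uptrack_autoinstall_value() {
    conf="${1:-$UPTRACK_CONF}"
    [ -r "$conf" ] || return 2
    awk -F= '
        /^[ \t]*[#;]/       { next }   # comment line
        index($0, "=") == 0 { next }   # section header or blank line
        {
            key = $1
            gsub(/[ \t]/, "", key)
            if (tolower(key) != "autoinstall") next
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            last = tolower(val)
        }
        END { if (last != "") print last }
    ' "$conf"
}

# Exit status: 0 = updates install automatically,
#              1 = a manual "uptrack-upgrade -y" run is needed,
#              2 = config file unreadable (Uptrack may not be installed).
uptrack_autoinstall_enabled() {
    val=$(uptrack_autoinstall_value "$1") || return 2
    [ "$val" = "yes" ]
}

# One-line summary suitable for collecting across a fleet.
uptrack_autoinstall_report() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall=yes: updates are applied automatically"
    else
        case $? in
            1) echo "autoinstall off: run /usr/sbin/uptrack-upgrade -y" ;;
            *) echo "cannot read ${1:-$UPTRACK_CONF}" ;;
        esac
    fi
}
```

Call uptrack_autoinstall_report with no argument to check the default
path, or pass a path to check a copy of the file.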


DESCRIPTION

* Kernel panic when processing VLAN traffic over a BATMAN interface.

The BATMAN mesh networking driver does not correctly account for VLAN
headers when processing Ethernet traffic, which can lead to an
out-of-bounds read and kernel panic.


* Use after free when updating BATMAN routing information.

A logic error when updating the routing information of a BATMAN mesh
network can lead to a reference count imbalance, resulting in a use
after free and kernel panic.


* NULL pointer dereference in AK8975 Magnetometer interrupt handler.

A NULL pointer dereference can occur in the Asahi Kasei AK8975 3-Axis
Magnetometer interrupt handler if an interrupt occurs during device
initialization, leading to a kernel crash.


* CVE-2016-4557: Privilege escalation in Berkeley Packet Filter.

A use-after-free in the Berkeley Packet Filter could allow a local,
unprivileged user to crash the system or escalate privileges with a
carefully crafted BPF program.


* CVE-2016-0758: Privilege escalation in ASN.1 DER decoder.

A flaw in the ASN.1 DER decoder could allow a local, unprivileged user
to use a maliciously crafted X.509 certificate DER file to crash the
system or, potentially, escalate privileges.


* Kernel panic in Chelsio T4 RDMA queue management.

The management of queues for Chelsio T4 iWARP/RDMA devices is incorrect
and can lead to a kernel panic when processing doorbell operations.


* Kernel panic when processing malformed IP virtual server traffic.

A logic error in the IP virtual server netfilter driver can trigger a
kernel panic when IPVS traffic does not contain a valid IP header.


* Memory leak in IEEE 802.11 interface management.

The kernel IEEE 802.11 driver does not correctly free memory when
adding a new interface, which can lead to a memory leak and possible
kernel panic.


* Memory corruption in Xen page conversion.

A logic error when the Xen kernel driver converts pages to PFNs can
trigger an integer overflow and cause incorrect PFNs. This can cause
kernel memory corruption and possible data loss.


* Kernel panic in Xen balloon driver with sparse memory.

The Xen memory balloon driver does not correctly handle memory on 32-bit
PAE systems with large amounts of physical memory. This can lead to a
kernel panic when allocating memory for a guest VM.


* Information leak in Xen event-channel ring resizing.

A logic error in the Xen kernel driver can lead to an information leak
and potential kernel panic when the Xen event-channel ring-buffer
becomes full.


* Information leak in 'environ' procfs file.

A race condition when forking a process can allow another process to
access the 'environ' file before it is initialized, which can leak the
contents of kernel memory.


* Use after free in AMD Radeon metadata management.

A logic error when freeing buffer object metadata can trigger a use
after free condition and kernel panic.


* CVE-2016-4558: Privilege escalation in BPF reference counting.

On systems with more than 32GB of physical memory, a Berkeley Packet
Filter (BPF) program can overflow a reference count which leads to a use
after free condition and kernel panic. A local user could use this flaw
to escalate privileges.


* CVE-2016-4569: Information leak in sound timers.

Missing initialization of stack data structures could result in leaking
the contents of kernel stack memory to user-space.  A local user with
access to the sound device could use this flaw to infer the layout of
kernel memory.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

