[Ksplice-Fedora-23-updates] New updates available via Ksplice (FEDORA-2016-8a1f49149e)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Apr 29 09:22:01 PDT 2016


Synopsis: FEDORA-2016-8a1f49149e can now be patched using Ksplice
CVEs: CVE-2016-3955 CVE-2016-3961

Systems running Fedora 23 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-8a1f49149e.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 23 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
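The two paths above (autoinstall handles it, or an administrator runs uptrack-upgrade by hand) can be turned into a small check script. The following is an added example written for this post; it is not Ksplice's own tooling. The function names, the DRY_RUN variable, the "[Settings]" section header in the constructed sample files and the assumption that "autoinstall = yes" sits on its own line are all assumptions made here; the real settings file is /etc/uptrack/uptrack.conf.

```shell
#!/bin/sh
# Added example, not part of the Ksplice announcement: report whether a
# Ksplice Uptrack host will pick this update up by itself (autoinstall)
# or needs a manual "/usr/sbin/uptrack-upgrade -y". Function names, the
# sample config files and DRY_RUN are assumptions made for this example.

# uptrack_autoinstall_enabled CONF
#   Exit status 0 if CONF has an active "autoinstall = yes" line (any
#   case, any spacing around '='; lines starting with '#' or ';' are
#   comments and do not match), 1 if not or if the file is unreadable.
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"
}

# uptrack_action CONF
#   Prints "none" when autoinstall will apply the update on its own,
#   "upgrade" when the administrator has to run uptrack-upgrade -y.
uptrack_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo none
    else
        echo upgrade
    fi
}

# uptrack_apply CONF
#   Runs the manual upgrade only when it is needed. DRY_RUN defaults to
#   on (prints the command); run with DRY_RUN= (empty) to really execute.
uptrack_apply() {
    if [ "$(uptrack_action "$1")" = upgrade ]; then
        if [ -n "${DRY_RUN-1}" ]; then
            echo "would run: /usr/sbin/uptrack-upgrade -y"
        else
            /usr/sbin/uptrack-upgrade -y
        fi
    else
        echo "autoinstall = yes: no action needed"
    fi
}

# --- constructed sample configs so the check can be exercised offline ---
# (the "[Settings]" header is an assumed layout, not copied from a real file)
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

SAMPLE_YES="$SAMPLE_DIR/yes.conf"
printf '[Settings]\nautoinstall = yes\n' > "$SAMPLE_YES"

SAMPLE_NO="$SAMPLE_DIR/no.conf"
printf '[Settings]\nautoinstall = no\n' > "$SAMPLE_NO"

# A commented-out setting must not count as enabled.
SAMPLE_COMMENTED="$SAMPLE_DIR/commented.conf"
printf '[Settings]\n# autoinstall = yes\n' > "$SAMPLE_COMMENTED"

# Stand-alone demonstration; DRY_RUN is on by default, so nothing is installed.
for f in "$SAMPLE_YES" "$SAMPLE_NO" "$SAMPLE_COMMENTED"; do
    echo "$(basename "$f"): $(uptrack_action "$f")"
done
uptrack_apply "$SAMPLE_NO"
```

On a real host, call uptrack_action /etc/uptrack/uptrack.conf from a fleet inventory job to list machines that still need the manual run; the regex deliberately rejects commented-out lines so a disabled setting is never mistaken for an enabled one.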


DESCRIPTION

* Use-after-free in Maxim MAX1111 ADC channel read.

Incorrect clearing of the MAX1111 global pointer on removal could result
in a use-after-free and kernel crash.  A local, privileged user could
use this flaw to crash the system.


* Trust bypass in PKCS#7 trust validation.

An uninitialized variable could result in trusting a PKCS#7 SignedInfo
block when the verification had actually failed.


* Kernel crash in ALSA timer arming.

Incorrect use of the timer API could result in triggering a kernel
assertion when rearming the ALSA system timer.


* Kernel crash in NUMA page migration.

Incorrect handling of NUMA nodes could result in a kernel crash when
allocating memory during page isolation.


* NULL pointer dereference in Transparent Inter Process Communication (TIPC) transmission.

A race condition in the transmission on TIPC sockets for a congested
channel could result in a NULL pointer dereference and kernel crash.  A
local, unprivileged user could use this flaw to crash the system.


* Denial-of-service in PPP interface creation failure.

Imbalanced locking when PPP interface creation failed could result in a
permanently held lock and failure to create future interfaces.


* Denial-of-service in recvmmsg() error handling.

Incorrect reference counting could result in a use-after-free in the
recvmmsg() system call.  A local, unprivileged user could use this flaw
to trigger a denial-of-service.


* Use-after-free in PPP ioctl() handling.

Incorrect locking in the PPP ioctl handler could result in dereferencing
an invalid pointer and a kernel crash.  A local user with access to the
PPP device could use this flaw to crash the system.


* Denial-of-service in 802.11 interface stopping.

Missing locking could result in memory corruption and dereferencing an
invalid pointer.  A local, privileged user could use this flaw to crash
the system.


* BTRFS filesystem data loss during fsync() after rename and inode creation.

Renaming a file on a BTRFS filesystem followed by creation of a new
inode with the same name could result in data loss if the filesystem is
uncleanly mounted.


* Denial-of-service in USB stack during device unplug.

Incorrect handling of USB devices during unplug could result in memory
corruption and a kernel crash.  A user with physical access to the
system could use this flaw to crash the system.


* CVE-2016-3955: Privilege escalation in IP over USB driver.

Missing user supplied input validation could result in an out-of-bounds
write allowing a local user to crash the system or potentially escalate
privileges.


* Infinite loop when calculating the IP checksum on destination link failure.

Lack of proper memory zeroing in case of destination link failure could
lead to an infinite loop when calculating IP checksums.


* Use-after-free when decrypting a packet after the netdevice was unregistered.

Asynchronous decryption of packets on the netdevice receive queue did not
take a reference on the netdevice, potentially leading to a use-after-free
if the netdevice was unregistered after such packets had been queued for
decryption.


* Kernel BUG when sending a UDP packet over IPv6 that is longer than the MTU.

Failure to account for the space needed by the extension headers when
sending a UDP message over IPv6 that is longer than the MTU leads to a
kernel BUG.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Invalid pointer dereference in the MultiProtocol Label Switching router.

A missing check when looking up the network device to route packets to when
sending a packet through the MultiProtocol Label Switching stack could lead
to an invalid pointer dereference and kernel panic.  A local, unprivileged
user could use this flaw to cause a denial-of-service.


* Kernel panic when closing an Auvitek V4L2 device on concurrent device unregister.

Lack of proper testing for the device state when closing an Auvitek V4L2
device could lead to a kernel panic if the device was unregistered
concurrently.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Use-after-free in the perf subsystem on error in the perf_event_open syscall.

A double-free condition can be triggered in the perf_event_open() syscall
when opening the event file fails, leading to a use-after-free and kernel
panic.  A local user with CAP_SYS_ADMIN, or an unprivileged user if the
perf_event_paranoid setting is permissive, could use this flaw to cause a
denial-of-service.


* CVE-2016-3961: Xen PV guest crash when using HugeTLBFS.

HugeTLBFS is not supported on Xen PV guests, and an application calling
mmap() on a HugeTLB page triggers a kernel crash.  A local user with the
ability to mmap() HugeTLB pages in a Xen PV guest can cause a
denial-of-service of the guest.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

