[Ksplice-Fedora-24-updates] New updates available via Ksplice (FEDORA-2016-30e3636e79)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed Aug 10 13:37:35 PDT 2016
Synopsis: FEDORA-2016-30e3636e79 can now be patched using Ksplice
CVEs: CVE-2016-4794 CVE-2016-5400
Systems running Fedora 24 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-30e3636e79.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Fedora 24 install
these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
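As an added example (not part of the Ksplice notice), the shell function below reads the `autoinstall` setting from an Uptrack configuration file and reports whether the host will pick up the updates on its own or needs the manual `uptrack-upgrade -y` run; the config path parameter and the sample config files are assumptions constructed for an offline dry run.

```shell
# Added example, not Oracle's code: decide whether a Fedora 24 host needs a
# manual `uptrack-upgrade -y` by reading autoinstall from its Uptrack config.
# The config path is a parameter (assumed) so the check can run on a sample.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    # Unreadable or missing config: distinct exit status so callers can tell
    # "not configured" apart from "autoinstall = no".
    [ -r "$conf" ] || return 2
    # Take the last uncommented "autoinstall = <value>" line as the effective
    # setting; leading whitespace is tolerated, commented lines are skipped.
    value=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" \
        | tail -n 1 | tr 'A-Z' 'a-z')
    [ "$value" = "yes" ]
}

# Constructed sample configs (not real host files) for the dry run.
sample_auto=$(mktemp)
printf '[Uptrack]\n# autoinstall = no   (commented out, must be ignored)\nautoinstall = yes\n' > "$sample_auto"
sample_manual=$(mktemp)
printf '[Uptrack]\nautoinstall = no\n' > "$sample_manual"

for conf in "$sample_auto" "$sample_manual"; do
    if uptrack_autoinstall_enabled "$conf"; then
        echo "$conf: updates will be installed automatically"
    else
        echo "$conf: run /usr/sbin/uptrack-upgrade -y"
    fi
done
```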
DESCRIPTION
* Use after free in 802.11 mesh networking station cleanup.
A race condition when destroying 802.11 mesh network station information
can trigger a use after free and kernel panic.
* Kernel panic in EDAC workqueue cleanup.
A logic error when cleaning up a workqueue used in the Error Detection
And Correction (EDAC) subsystem can trigger a NULL pointer dereference
and kernel panic.
* Deadlock when establishing new InfiniBand connection.
Incorrect locking in the InfiniBand connection manager can trigger a
deadlock and kernel panic when a new connection has been established.
* Use after free when removing USB-3 host controller.
A race condition when removing a shared USB-3 host controller can
trigger a use after free condition and kernel panic.
* Use after free in NFS client asynchronous readpages.
Incorrect reference counting can trigger a use after free condition and
kernel panic when the kernel NFS client attempts an asynchronous read.
* Memory leak when creating SUNRPC transport interface.
Incorrect reference counting when failing to allocate a switch can
trigger a kernel memory leak when creating a SUNRPC transport interface.
* Kernel panic when setting AppArmor process attributes.
A logic error in the AppArmor security module can trigger an out-of-bounds
write and kernel panic when writing to /proc/pid/attr/ procfs files.
* CVE-2016-5400: Memory leak in AirSpy SDR device initialization.
A logic error when failing to initialize an AirSpy USB SDR device can
trigger a kernel memory leak and subsequent kernel panic. A local user
with USB access can use this flaw to cause a denial of service.
* Memory corruption when collecting user perf callgraphs.
Incorrect memory management can trigger kernel stack corruption when
collecting user perf callgraphs. A local user could use this flaw to
cause a denial of service.
* Use after free when closing dummy soundcard.
Incorrect reference counting when closing a dummy soundcard with a
high-resolution timer backend can trigger a use after free condition and
kernel panic.
* Memory corruption when removing Echoaudio ALSA devices.
A logic error when allocating memory for Echoaudio ALSA devices can
trigger kernel memory corruption and kernel panic.
* Memory leak in NFS atomic file opening.
Incorrect reference counting in the kernel NFS client when an error is
encountered opening a file atomically can trigger a memory leak and
kernel panic.
* Memory corruption in CIFS NTLM authentication.
Incorrect memory management in the kernel SMB server can allow a remote
user to cause kernel memory corruption by providing an over-sized
NTLMSSP message.
* Information leak in virtual terminal key mapping.
A logic error when mapping raw scan codes to keys in the virtual
terminal driver can trigger an out-of-bounds read which can leak the
contents of kernel memory to userspace.
* Kernel panic in GPIO descriptor validation.
The generic GPIO library does not correctly validate descriptors, which
can trigger an out-of-bounds read and kernel panic when an error is
encountered.
* Memory leak in overlayfs file permission checking.
A logic error when an error is encountered checking the permission of a
file on an overlay filesystem can trigger a kernel memory leak and
kernel panic.
* Permission bypass when mounting filesystem in user namespace.
A logic error when mounting a filesystem can allow a read-only
filesystem to be mounted read-write in a user namespace, allowing an
unprivileged user to write data outside their namespace.
* Use after free when closing ALSA digital audio stream.
A logic error when closing an ALSA digital audio stream with channel
mapping controls can trigger a use after free and kernel panic.
* Memory leak in industrial IO device polling.
Memory is incorrectly freed when attaching a polling function to an
industrial IO device fails, which can trigger a kernel memory leak and
kernel panic.
* Permission bypass when updating attributes on overlayfs files.
A logic error when updating attributes on an overlayfs file can allow a
local user to write to a setuid or setgid file. This could be used by a
malicious user to gain elevated privileges.
* Kernel panic when creating RDMA verb queue pair.
A logic error when an RDMA verb queue pair cannot be allocated can
trigger an invalid memory access and kernel panic.
* Memory leak when releasing IPv6 routes.
A logic error when an IPv6 route is released can lead to a kernel memory
leak and subsequent kernel panic. A remote attacker may be able to
trigger this issue by creating and destroying many routes.
* Kernel panic when removing ELO USB touchscreen device.
A logic error when removing an ELO USB 4000/4500 touchscreen device can
trigger a use after free condition and kernel panic.
* Denial of service in OverlayFS directory removal.
A race condition can allow a malicious user to remove an upper directory
while it is being hidden in the lower directory, which can trigger a
kernel panic.
* Kernel panic with trace points with non-constant formats.
An invalid optimization can trigger a NULL pointer dereference and
kernel panic when a trace point contains a non-constant format string.
* CVE-2016-4794: Use-after-free in per-cpu memory allocator.
Due to incorrect synchronization between synchronous map extension and
chunk destruction, a local user with the ability to call BPF programs
could cause a use-after-free and potentially escalate privileges.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.