[Ksplice-Fedora-24-updates] New updates available via Ksplice (FEDORA-2016-9a16b2e14e)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Jul 20 08:22:47 PDT 2016


Synopsis: FEDORA-2016-9a16b2e14e can now be patched using Ksplice
CVEs: CVE-2016-1237 CVE-2016-5696 CVE-2016-5829 CVE-2016-6156

Systems running Fedora 24 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2016-9a16b2e14e.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 24 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
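
The following is an added example, not part of the original advisory or of Ksplice itself: a shell check that reads the "autoinstall" setting described above and reports whether a host still needs the manual upgrade command. It assumes that only a literal, uncommented "autoinstall = yes" counts as enabled and that the last such assignment wins; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether a host needs a manual uptrack-upgrade run.
# The default path is the one named in the advisory. The functions accept
# any path so they can be exercised on a constructed sample file.

# Prints "yes" if the file has an uncommented "autoinstall = yes", else "no".
# Assumptions: whole-line comments start with '#' or ';', whitespace around
# '=' is ignored, and the last uncommented assignment wins.
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    # A missing or unreadable file is reported as "no" (the cautious answer).
    [ -r "$conf" ] || { echo "no"; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }              # skip commented-out lines
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key)          # trim whitespace around the key
            gsub(/[ \t\r]/, "", val)        # trim whitespace and CR from value
            if (key == "autoinstall") result = val
        }
        END { if (result == "yes") print "yes"; else print "no" }
    ' "$conf"
}

# Returns 0 (true) when the updates will NOT be installed automatically.
needs_manual_upgrade() {
    [ "$(uptrack_autoinstall "$1")" != "yes" ]
}

# Report for the local host, using the default configuration path.
if needs_manual_upgrade; then
    echo "autoinstall not enabled: run /usr/sbin/uptrack-upgrade -y as root"
else
    echo "autoinstall enabled: updates will be installed automatically"
fi
```
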


DESCRIPTION

* CVE-2016-5829: Memory corruption in unknown USB HID devices.

The USB HID driver does not validate USB data when an unknown HID device
is encountered, which can allow a malicious USB device to trigger kernel
memory corruption and gain code execution.


* CVE-2016-1237: Permission bypass in NFS filesystem when setting ACLs.

Missing permission checks when setting the ACLs on a file from an NFS mount
could allow unprivileged users to grant themselves access to a file they
are otherwise not allowed to access.  This could potentially be used to
escalate privileges.


* Memory leak in network scheduler iptables integration.

A reference counting error in the act_ipt network scheduler can trigger
a memory leak when initializing an action.


* Memory leak when opening /proc/net/kcm device.

A logic error in the procfs interface to Kernel Connection Multiplexor
sockets can trigger a kernel memory leak and subsequent kernel panic.


* Use after free in network emulator packet dequeuing.

A reference counting error when the network emulator dequeues a packet
can trigger a use after free and kernel panic.


* Kernel panic in crypto GETALG user interface.

A logic error when parsing GETALG netlink messages to the userspace
cryptographic subsystem can trigger an out-of-bounds read and kernel
panic.


* Memory leak in Moschip adapter USB device removal.

A logic error when a Moschip USB device is removed can trigger a kernel
memory leak and subsequent kernel panic.


* Deadlock in USB gadget userspace filesystem interface.

Incorrect locking in the USB gadget filesystem interface can trigger a
deadlock and kernel panic when queuing a request to a device.


* CVE-2016-6156: Memory corruption in Chrome OS Embedded Controller.

A race condition in the ioctl interface to the Chrome OS Embedded
Controller device can allow a privileged user to trigger kernel memory
corruption and obtain kernel code execution.


* Kernel panic in qla2xxx driver during interrupt processing.

A NULL pointer dereference and kernel panic can be triggered when a
QLogic Fibre Channel device fails to initialize.


* Use after free when removing a BPF perf event.

A logic error when removing a perf event with an associated BPF program
can trigger a use after free and kernel panic.


* Use-after-free when transmitting MultiProtocol Label Switching packets.

Incorrect RCU locking when transmitting MultiProtocol Label Switching
packets to a neighbor can trigger a use-after-free and kernel panic if the
transmission is preempted by a softirq.


* CVE-2016-5696: Session hijacking in TCP connections.

A logic error in the core TCP subsystem can allow attackers to easily
guess secret information and inject arbitrary packets into a TCP stream.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

