[Ksplice-Fedora-25-updates] New Ksplice updates for Fedora 25 (4.8.8-300.fc25)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Nov 28 06:05:45 PST 2016


Synopsis: 4.8.8-300.fc25 can now be patched using Ksplice
CVEs: CVE-2016-7039 CVE-2016-8645 CVE-2016-9555

Systems running Fedora 25 can now use Ksplice to patch against the
latest Fedora kernel update, 4.8.8-300.fc25.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 25
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
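As an added illustration (not part of the Ksplice announcement itself): a small POSIX shell check that reads the `autoinstall` setting from uptrack.conf, the way an operator would before deciding whether the manual `uptrack-upgrade -y` step is needed. The `[Uptrack]` section header, the optional path argument and the constructed sample configs are assumptions made for a stand-alone run; only the literal value `yes` is treated as enabled, matching the announcement.

```shell
# Added example, not Ksplice's own code: decide whether a host will pick up
# these updates on its own by reading the autoinstall setting from
# uptrack.conf, or whether the operator must run uptrack-upgrade manually.
# The path defaults to /etc/uptrack/uptrack.conf as the announcement states;
# the optional argument is an assumed override so the check can be tested.

# Return 0 if "autoinstall = yes" is set in the config file, 1 otherwise.
# Tolerates surrounding whitespace, ignores commented-out lines and trailing
# "# ..." comments, and lets the last matching line win.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    [ "$val" = "yes" ]
}

# Print the action an operator should take for the given config.
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: updates will be installed automatically"
    else
        echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (assumed INI-style layout) for a stand-alone run.
tmp_yes=$(mktemp); tmp_no=$(mktemp)
printf '[Uptrack]\n# autoinstall = no\nautoinstall = yes\n' > "$tmp_yes"
printf '[Uptrack]\nautoinstall = no   # manual updates only\n' > "$tmp_no"
uptrack_plan "$tmp_yes"
uptrack_plan "$tmp_no"
rm -f "$tmp_yes" "$tmp_no"
```

Run it with no argument on a real Fedora 25 host to check the production file; a commented-out `autoinstall` line is deliberately not counted as enabled, which is the mistake most easily made when eyeballing the file.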


DESCRIPTION

* Information leak in Precision Time Protocol (PTP) driver.

Due to a lack of memory initialization, information leaked to userspace
when the PTP_SYS_OFFSET_PRECISE ioctl was called. A local user who can
communicate with the driver can use this to introspect kernel memory.


* Denial-of-service when using traffic control.

A null pointer dereference in the traffic control classifier action
subsystem could crash the kernel. An attacker can exploit this to cause a
denial of service using userspace tools such as tc.


* Use-after-free in TCP stack when IPv6 is used.

Incorrect data manipulation in the TCP stack resulted in a use-after-free
when using IPv6. An attacker can exploit this to execute arbitrary code in
kernel mode.


* Memory corruption in Mellanox driver.

Because of a race in the Mellanox driver, some Ethernet ring configurations
may lead to memory corruption. An attacker can exploit this to cause a
denial of service.


* Denial of service when processing ARP requests on VLAN devices.

A bug in core networking code led to an infinite loop inside the kernel,
resulting in denial of service.


* Denial of service in IPv4 subsystem.

Incorrect locking in the sysctl interface to the IPv4 subsystem led to an
inconsistent lock state, which could cause the kernel to get stuck in a
deadlock.


* Privilege escalation in SCTP getsockopt().

An incorrect integer operation when getting the SCTP_EVENTS socket option
leads to undefined behavior. An attacker can use this to execute arbitrary
code in kernel mode.


* Denial-of-service in SCTP routing update.

When sending an SCTP packet, if the route has changed at the transport
layer since the last packet was sent, trying to use the old configuration
leads to a kernel panic.


* CVE-2016-9555: Remote denial-of-service due to SCTP state machine memory corruption.

A missing bounds check in one of the state functions caused memory to be
used beyond what had been allocated. This could lead to memory corruption
and other undefined behavior.


* Data loss when passing command to megaraid controller.

A bug in the way the SYNCHRONIZE_CACHE command was handled resulted in
cached data not being flushed to disk properly in JBOD mode. This results
in a data integrity failure.


* CVE-2016-8645: Denial of service when receiving a TCP packet.

When collapsing multiple socket buffers into one, a bug in the code
could result in kernel panic. A remote attacker can trigger this by
sending specially crafted packets and cause denial of service.


* CVE-2016-7039: Kernel crash due to unbounded recursion in vlan GRO processing.

A Linux kernel built with 802.1Q/802.1ad VLAN or Virtual eXtensible LAN
(VXLAN) with Transparent Ethernet Bridging (TEB) GRO support is vulnerable
to a stack overflow, leading to stack corruption in the kernel.

A remote user could use this flaw to cause a kernel panic by sending
malicious packets to a server that has GRO enabled.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
