[Ksplice-Fedora-25-updates] New Ksplice updates for Fedora 25 (FEDORA-2017-b9b1ac0d15)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu May 11 06:09:48 PDT 2017


Synopsis: FEDORA-2017-b9b1ac0d15 can now be patched using Ksplice
CVEs: CVE-2017-7308 CVE-2017-7645 CVE-2017-7895

Systems running Fedora 25 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2017-b9b1ac0d15.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 25
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial of service in IP neighbour probing.

A missing pointer check can trigger a NULL pointer dereference and kernel panic
when an interface needs to solicit information from a neighbour.


* Information leak in KCM ioctl.

A logic error when copying Kernel Connection Multiplexor ioctl information from
userspace can leak the contents of kernel memory.


* Denial of service in Mellanox ethernet LAG support.

An uninitialized pointer can trigger an out-of-bounds read and kernel panic
when changing LAG parameters on a Mellanox ethernet device.


* Memory leak when handling L2TP control frames.

Incorrect reference counting when handling control frames from an L2TP socket
can trigger a kernel memory leak and subsequent kernel panic.


* Denial of service when listening on SCTP socket.

A logic error in the SCTP subsystem can trigger a kernel panic and denial of
service when attempting to listen on a non-listening socket.


* Memory leak when disconnecting TCP socket.

Incorrect reference counting when closing a TCP socket can allow a local
attacker to trigger kernel memory corruption and potentially gain elevated
privileges.


* Denial of service when disabling IPv6 network interface.

Incorrect locking when disabling an IPv6 network interface can allow a local
attacker to trigger an infinite loop and cause a denial of service.


* Kernel panic when processing IPv6 segment routing headers.

The kernel IPv6 stack does not correctly handle truncated Segment Routing
Headers, which can trigger an out-of-bounds read and kernel panic.


* Kernel panic when handling invalid IPv6 segment routing headers.

A logic error when the kernel IPv6 stack attempts to parse an invalid IPv6
Segment Routing Header can trigger a double-free and kernel panic.


* Memory corruption when reading Plan9 directories.

A logic error when the Plan9 filesystem reads a directory from a remote server
can trigger memory corruption and a kernel panic.


* Denial of service in Geschwister Schneider UG USB driver.

Incorrect use of a DMA buffer on the stack when passing a USB control message to
the Geschwister Schneider UG driver could lead to stack corruption. A local
attacker could use this flaw to cause a denial-of-service.


* Denial of service in IPv6 virtual routing.

A logic error when changing the virtual routing and forwarding configuration of
an IPv6 interface could trigger a use-after-free and kernel panic.


* Memory corruption when calculating nexthop of IPv6 tunnel.

A logic error when passing IPv4 traffic through an IPv6 tunnel can trigger an
out-of-bounds write and kernel memory corruption.


* Memory corruption when changing IPv4 TCP congestion control.

The IPv4 subsystem does not initialize memory when changing the congestion
control on a TCP socket, which can allow a local attacker to trigger kernel
memory corruption.


* CVE-2017-7895: Remote information leak in kernel NFS server.

Missing bounds checks could result in an out-of-bounds memory access,
allowing a remote attacker to leak the contents of kernel memory.


* Denial of service when removing IPv6 multicast interfaces.

The IPv6 subsystem does not correctly handle IPv6 interfaces with multicast
routing support, which can cause interfaces to be removed twice and trigger a
kernel assertion.


* CVE-2017-7645: Remote denial-of-service via overly sized NFS2/3 RPC call.

If an NFS version 2 or 3 client appends extraneous data to its RPC
calls or replies, the server fails to allocate sufficient
memory, potentially causing memory corruption and a denial-of-service.


* CVE-2017-7308: Memory corruption in AF_PACKET socket options.

Multiple integer overflows in the AF_PACKET setsockopt implementation can
trigger kernel memory corruption. A local user could use this flaw to elevate
privileges.


* Memory leak when destroying MAC-VLAN devices.

Incorrect reference counting when destroying a MAC-VLAN device can cause a
kernel memory leak and subsequent kernel panic.


* Memory corruption in L2TP session management.

Incorrect reference counting in the L2TP networking subsystem can trigger a
use-after-free and memory corruption when dumping session information to
netlink or debugfs.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.