[Ksplice-Fedora-29-updates] New Ksplice updates for Fedora 29 (FEDORA-2019-c042484003)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Feb 5 10:56:22 PST 2019


Synopsis: FEDORA-2019-c042484003 can now be patched using Ksplice
CVEs: CVE-2019-3701

Systems running Fedora 29 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2019-c042484003.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 29
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service during TTY reopen.

A locking error in the TTY subsystem can result in a NULL pointer dereference
if a TTY device is reopened whilst it's in use. A local user with access to a
TTY device could use this flaw to cause a kernel crash, leading to a
denial-of-service.


* Improved fix for CVE-2019-3701: Denial-of-service in CAN frame modification rules.

A validation failure in the CAN frame modification implementation can result in
an out-of-bounds write, leading to a kernel crash. A local user with the
CAP_NET_ADMIN capability could use this flaw to cause a denial-of-service.


* Information disclosure in IPv6 error reporting.

A failure to clear memory in the IPv6 error reporting implementation can result
in the leak of sensitive kernel information to userspace. A local user could
use this flaw to facilitate a further attack.


* Denial-of-service in AF_PACKET refcount manipulation.

A failure to correctly decrement a refcount in the AF_PACKET implementation can
result in the inability to unload Infiniband kernel modules.


* Denial-of-service in tap device packet send.

A race condition when sending a packet via a tap device can result in a NULL
pointer dereference, leading to a kernel crash. A local user could use this
flaw to cause a denial-of-service.


* Kernel crash in IPv6 header read.

A logic error when reading from queued IPv6 packet headers can result in an
assertion failure, leading to a kernel crash.


* Use-after-free in SMC socket release.

An early free when releasing an SMC socket can result in a race condition,
leading to a use-after-free. A local user with the ability to create an SMC
socket could use this flaw to cause a kernel crash or potentially escalate
privileges.


* Kernel crash in IPsec authenticated encryption request completion.

A logic error in the authenticated encryption implementation for IPsec can
result in a NULL pointer dereference, leading to a kernel crash.


* Out-of-bounds memory access in authenticated encryption key parsing.

A logic error when reading unaligned keys for authenticated encryption can lead
to an integer underflow and result in an out-of-bounds memory access, leading to
a kernel crash. A local user could use this flaw to cause a denial-of-service.


* Deadlock in BTRFS metadata balancing.

Incorrectly issuing a metadata balancing operation when finishing an IO
operation can result in a deadlock.


* Undefined behavior during BTRFS filesystem umount.

A race condition when destroying extents can result in assertion failures when
unmounting a BTRFS filesystem, leading to undefined behavior.


* Use-after-free in Yama ancestry walk.

A race condition in the Yama security module can result in attempting to access
a freed process. A local user could use this flaw to cause a kernel crash or
potentially escalate privileges.


* Out-of-bounds access in V4L2 debug messaging.

A failure to correctly validate the number of video planes in a V4L2 device can
result in an out-of-bounds memory access. A local user could use this flaw to
disclose sensitive kernel information or cause a kernel crash.


* Information disclosure in RDMA rkey management.

A logic error can allow RDMA users to read the global rkey, allowing them to
access all RDMA registered memory in the system.


* Denial-of-service in IPv6 ICMP send implementation.

A race condition in the IPv6 ICMP send implementation can result in a NULL
pointer dereference, leading to a kernel crash. A local user could use this flaw
to cause a denial-of-service.


* NULL pointer dereference when freeing credential.

A missing NULL pointer check during a credential free could result in a kernel
crash.


* Use-after-free in V4L2 video buffer management.

A race condition when duplicating a file descriptor for a video buffer can
result in accessing released memory. A local user with access to a V4L2 device
could use this flaw to cause undefined behavior or a kernel crash.


* NULL pointer dereference in sunrpc portmapper request.

A failure to handle a memory allocation failure in the sunrpc implementation
can result in a NULL pointer dereference, leading to a kernel crash.


* Denial-of-service in ebtables memory allocation.

A failure to associate ebtables memory allocations with the current memory
cgroup can result in a process with restricted memory being able to exhaust
system memory. A local user could use this flaw to cause a denial-of-service.


* Kernel crash during invalid SELinux policy load.

A failure to handle errors during the load of an SELinux policy can result in a
kernel crash.


* Livelock in loop device block resize operation.

A failure to handle a block size change on an existing loopback device can
result in a livelock. A local user with the ability to configure a loopback
device could use this flaw to cause a denial-of-service.


* Information disclosure in SCTP socket address allocation.

A failure to correctly sanitise an SCTP socket memory allocation can result in
sensitive information being disclosed to userspace. A local user could use this
flaw to facilitate a further attack.


* Out-of-bounds memory access in lightweight tunnel transmission BPF filter.

A logic error when processing packet headers in a BPF filter for lightweight
tunnel packet transmission can result in an out-of-bounds memory access. A
local user could use this flaw to cause a kernel crash.


* Kernel crash in loopback device file descriptor configuration.

A locking error in the loopback device implementation can result in a NULL
pointer dereference, leading to a kernel crash. A local user with access to a
loopback device could use this flaw to cause a denial-of-service.


* Undefined behavior in Transparent Interprocess Communication Protocol implementation.

Multiple instances of validation failures in the TIPC driver can result in the
kernel operating on uninitialized memory, leading to undefined behaviour or a
kernel crash. A local user could use this flaw to cause a denial-of-service.


* Use-after-free in netfilter connection counting.

A race condition in the garbage collector for the netfilter connection count
plugin can result in a use-after-free.


SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.