[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-1610-1)
Jamie Iles
jamie.iles at oracle.com
Mon Oct 15 05:01:29 PDT 2012
Synopsis: USN-1610-1 can now be patched using Ksplice
CVEs: CVE-2012-3520
Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1610-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Memory leak in NFS page cache allocation.
Invalid error handling for memory allocation failures in NFS could
result in a memory leak and a denial-of-service.
* Use-after-free in Parallel NFS.
A use-after-free condition can be triggered when canceling an operation
against a Parallel-NFS mount causing a kernel crash.
* Memory corruption in FUSE handling of vectored responses.
An incorrect check of the size of the response vector could lead to an
overflow and corruption of memory after the vector.
* Use-after-free in audit.
A delayed destroy can cause a use-after-free error in
audit_tree.
* NULL pointer dereference when handling SCSI over IB command responses.
A NULL pointer dereference occurs if a reply to a previous request arrives
during or after an abort command.
* NULL pointer dereference in DCCP sockets.
A NULL pointer dereference can be triggered by querying or setting the
socket options of a DCCP socket that has no associated CCID.
* NULL pointer dereference in TCM driver.
Under low-memory conditions the TCM driver can attempt to free a NULL
page leading to a kernel crash.
* NULL pointer dereference in USB ACM.
A NULL pointer dereference can be triggered when probing a device that
provides an ACM endpoint.
* Kernel panic in netconsole bridge device.
A reference-counting error can cause a kernel panic when removing a
bridge device which has a netconsole running on it.
* Unreported error can cause unusable mount in NFS.
An unreported error can cause a mount to seem to succeed but have
completely unusable values for block sizes, maxfilesize, etc.
* Race condition in VFS file operations.
A race condition when performing scatter-gather IO on a file can lead
to data corruption.
* Kernel panic in SUNRPC over TCP.
A kernel panic can be triggered when closing a SUNRPC TCP socket.
* Race condition in SUNRPC.
A race condition can cause data corruption when closing a SUNRPC socket.
* Use-after-free in Radeon graphics driver.
A use-after-free condition can be triggered when failing to initialize
a graphics buffer object.
* Kernel panic in hugetlbfs.
A race condition between processes sharing huge page mappings can cause
a kernel panic.
* NULL pointer dereference in NFS lookup code.
A kernel oops can be caused by lookup_one_len() calling down to the
dentry revalidation code with a NULL pointer to struct nameidata,
resulting in a NULL pointer dereference.
* Inode leak in eCryptfs file renaming.
Inodes are not being properly removed when they are the target of
a rename() system call, causing extra disk space to be consumed.
* Race condition in eCryptfs can cause hangs when accessing the filesystem.
A race condition when releasing files can cause errors when
accessing an eCryptfs filesystem, leading to system hangs.
* CVE-2012-3520: privilege escalation in netlink socket credential passing.
Under certain circumstances the kernel could pass zeroed credentials to
userspace causing the application to mistakenly see credentials for the
superuser resulting in a possible privilege escalation.
* Kernel crash in iwl wifi driver debugfs accesses.
Invalid memory accesses in the iwl wifi driver can lead to
kernel crashes.
* SCSI MegaRAID kernel panic.
A kernel panic can be triggered when the MegaRAID driver is loaded but
no adapters are present on the system.
* Denial-of-service with DRM errors.
Unnecessary DRM error messages could be used to cause a denial-of-service
by filling up the system logs.
* Invalid resource freeing in UBI layer.
The UBI layer incorrectly freed resources when handling eraseblocks
resulting in memory corruption and memory leaks.
* UDF data corruption fix.
Files stored in ICB (inode) can be partially overwritten with all
zeros.
* NUMA memory policy kernel panic.
A kernel panic can be triggered when querying a task's NUMA memory policy
via procfs.
* Kernel panic in packet scheduler.
A missing bounds check in the network packet scheduler can lead to
a kernel panic.
* Kernel panic in packet ring-buffer.
An invalid assumption between the kernel and a userspace process can lead
to a kernel panic when destroying packets in a ring-buffer.
* Information leak in ATM socket options.
The SO_ATMPVC socket option allows malicious users to disclose the
contents of kernel memory.
* Information leak in ATM socket name.
A malicious user can disclose the contents of kernel memory by calling
getsockname() on an ATM socket.
* Information leak in Bluetooth socket options.
The HCI_FILTER socket option allows malicious users to disclose
the contents of kernel memory.
* Information leak in Bluetooth socket name.
A malicious user can disclose the contents of kernel memory by calling
getsockname() on a Bluetooth socket.
* Information leak in Bluetooth RFCOMM socket options.
The BT_SECURITY socket option allows malicious users to disclose the
contents of kernel memory.
* Information leak in Bluetooth RFCOMM ioctl.
The RFCOMMGETDEVLIST ioctl allows malicious users to disclose the
contents of kernel memory.
* Information leak in Bluetooth RFCOMM socket name.
A malicious user can disclose the contents of kernel memory by calling
getsockname() on a Bluetooth RFCOMM socket.
* Information leak in Bluetooth L2CAP socket name.
A malicious user can disclose the contents of kernel memory by calling
getsockname() on a Bluetooth L2CAP socket.
* Information leak in LLC socket name.
A malicious user can disclose the contents of kernel memory by calling
getsockname() on an LLC socket.
* Information leak in DCCP socket options.
The DCCP_SOCKOPT_CCID_TX_INFO socket option allows malicious users to
disclose the contents of kernel memory.
* Information leak in IP Virtual Server socket options.
A malicious user can disclose the contents of kernel memory by calling
getsockopt() on an IP virtual server socket.
* Information leak in socket compatibility ioctl.
The SIOCGIFCONF ioctl allows malicious users to disclose the
contents of kernel memory.
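The long run of getsockname()/getsockopt()/ioctl information leaks above share one root cause: a kernel-side structure is partially filled in and then copied out in full, so compiler padding (or fields that were never written) still holds stale kernel stack contents. The following is an added example, not code from the advisory or from the kernel, that reproduces the pattern in plain user-space C with a hypothetical struct demo_sockaddr standing in for the real socket-address structures; the stale-byte marker, the field values and the function names are all constructed for the demonstration. It contrasts the buggy fill (fields only) with the fixed fill (memset the whole object first) and counts how many padding bytes a whole-struct copy would expose.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical structure standing in for the socket-name and socket-option
 * structures named in the advisory. The mixed field widths force the
 * compiler to insert padding between and after the fields. */
struct demo_sockaddr {
    uint8_t  family;   /* 1 byte, followed by compiler padding */
    uint32_t address;  /* 4 bytes */
    uint16_t port;     /* 2 bytes, followed by trailing padding */
};

/* Marker standing in for stale data left on the kernel stack by an
 * earlier call (constructed value). */
#define STALE_BYTE 0xAAu

/* Buggy pattern: assign the named fields and nothing else; padding keeps
 * whatever was in memory before. A copy_to_user() of sizeof(*out) would
 * then hand those stale bytes to the caller. */
void fill_leaky(struct demo_sockaddr *out, uint32_t addr, uint16_t port)
{
    out->family  = 2;
    out->address = addr;
    out->port    = port;
}

/* Fixed pattern: clear the whole object first, so the bytes copied out are
 * exactly the fields plus zeroed padding. */
void fill_zeroed(struct demo_sockaddr *out, uint32_t addr, uint16_t port)
{
    memset(out, 0, sizeof(*out));
    out->family  = 2;
    out->address = addr;
    out->port    = port;
}

/* Nonzero when byte offset `off` lies inside one of the declared fields. */
static int in_named_field(size_t off)
{
    size_t f = offsetof(struct demo_sockaddr, family);
    size_t a = offsetof(struct demo_sockaddr, address);
    size_t p = offsetof(struct demo_sockaddr, port);
    return (off >= f && off < f + sizeof(uint8_t)) ||
           (off >= a && off < a + sizeof(uint32_t)) ||
           (off >= p && off < p + sizeof(uint16_t));
}

/* Count padding bytes that still carry the stale marker. */
size_t count_stale_padding(const struct demo_sockaddr *s)
{
    const unsigned char *bytes = (const unsigned char *)s;
    size_t stale = 0;
    for (size_t off = 0; off < sizeof(*s); off++)
        if (!in_named_field(off) && bytes[off] == STALE_BYTE)
            stale++;
    return stale;
}

/* Total number of padding bytes in the layout, for comparison. */
size_t padding_bytes(void)
{
    return sizeof(struct demo_sockaddr)
           - (sizeof(uint8_t) + sizeof(uint32_t) + sizeof(uint16_t));
}

/* Simulate a stack object left dirty by earlier use, run one of the fill
 * routines over it and report how many stale bytes would leak. */
size_t stale_after(void (*fill)(struct demo_sockaddr *, uint32_t, uint16_t))
{
    struct demo_sockaddr s;
    memset(&s, STALE_BYTE, sizeof(s));   /* pretend-stale kernel stack */
    fill(&s, 0x0a000001u, 5060);          /* constructed address/port */
    return count_stale_padding(&s);
}

int main(void)
{
    printf("padding bytes in layout : %zu\n", padding_bytes());
    printf("stale bytes after leaky : %zu\n", stale_after(fill_leaky));
    printf("stale bytes after zeroed: %zu\n", stale_after(fill_zeroed));
    return 0;
}
```

The defensive rule the kernel fixes follow is the one shown in fill_zeroed: clear the entire object before populating it, and copy out only the length you actually initialised. Checking padding by offset, as count_stale_padding does, is also a cheap way to confirm in a test that a serialisation routine writes every byte it later copies.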
* Netlink spoofing allows privilege elevation.
A local user may be able to elevate privileges by spoofing the source
of a netlink message.
* Kernel crash when removing net namespace.
Invalid ordering of operations can lead to a kernel crash in ipv4
ipmr when removing net namespace.
* Invalid memory access in xHCI ring queue handling.
An incorrect dequeuing of items from the xHCI ring queue can
cause general protection faults by accessing invalid memory regions.
* Use-after-free in Intel HD Audio.
A use-after-free condition can be triggered when resetting an Intel HD
Audio codec.
* IRQ stack overflow in apparmor.
A profile replacement can lead to an IRQ stack overflow in apparmor. This
can result in memory corruption and a kernel crash.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.