[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2283-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Fri Jul 18 16:09:21 PDT 2014
Synopsis: USN-2283-1 can now be patched using Ksplice
CVEs: CVE-2014-0131 CVE-2014-4608 CVE-2014-4943
Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2283-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.
PPP over L2TP sockets incorrectly used UDP's getsockopt and setsockopt
as a fallback handler. Since UDP's implementation expects different
data structures, a local attacker could corrupt kernel memory and gain
root privileges.
* CVE-2014-4608: Memory corruption in kernel lzo decompressor.
Missing bounds checking in the kernel lzo compressor can allow malformed
data to trigger kernel memory corruption. A local attacker could use
this flaw to gain elevated privileges.
* CVE-2014-0131: Information leak in skb_segment function.
Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c
allows attackers to obtain sensitive information from kernel memory by
leveraging the absence of a certain orphaning operation.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-12.04-Updates
mailing list