[Ksplice][Ubuntu-12.04-Updates] New updates available via Ksplice (USN-2283-1)

[Oracle Ksplice]

Synopsis: USN-2283-1 can now be patched using Ksplice
CVEs: CVE-2014-0131 CVE-2014-4608 CVE-2014-4943

Systems running Ubuntu 12.04 Precise can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2283-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 12.04 Precise
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.

PPP over L2TP sockets incorrectly used UDP's getsockopt and setsockopt
as a fallback handler. Since UDP's implementation expects different
data structures, a local attacker could corrupt kernel memory and gain
root privileges.


* CVE-2014-4608: Memory corruption in kernel lzo decompressor.

Missing bounds checking in the kernel lzo compressor can allow malformed
data to trigger kernel memory corruption. A local attacker could use
this flaw to gain elevated privileges.


* CVE-2014-0131: Information leak in skb_segment function.

Use-after-free vulnerability in the skb_segment function in net/core/skbuff.c
allows attackers to obtain sensitive information from kernel memory by
leveraging the absence of a certain orphaning operation.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.