[Ksplice][Ubuntu-15.10-Updates] New updates available via Ksplice (USN-3035-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jul 15 13:33:10 PDT 2016


Synopsis: USN-3035-1 can now be patched using Ksplice
CVEs: CVE-2016-3070

Systems running Ubuntu 15.10 Wily can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-3035-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.10 Wily
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
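
An added example, not part of the original Ksplice notice: a shell check
that reads the "autoinstall" setting and reports whether a host will pick
up these updates on its own or needs the command above. It assumes only an
exact "yes" enables autoinstall; the function names and sample file
contents are constructed for illustration.

```shell
#!/bin/sh
# Report whether Ksplice updates install automatically on this host.

# Print the effective "autoinstall" value from an uptrack.conf-style file.
# Skips comment lines, ignores case and whitespace, and lets the last
# assignment win. Prints "unset" if the key or the file is missing.
uptrack_autoinstall() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo unset; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }                  # commented-out setting
        {
            key = $1; gsub(/[ \t\r]/, "", key)
            if (tolower(key) == "autoinstall") {
                val = $2; gsub(/[ \t\r]/, "", val)
                found = tolower(val)
            }
        }
        END { print (found == "" ? "unset" : found) }
    ' "$conf"
}

# Print "automatic" when autoinstall is yes, otherwise the manual command.
# Assumption: any value other than "yes" means updates are not automatic.
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = "yes" ]; then
        echo "automatic"
    else
        echo "manual: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample config (not taken from a real host): the enabled line
# is commented out and the live line disables autoinstall.
sample=$(mktemp)
printf '[Settings]\n#autoinstall = yes\nAutoinstall =  no \n' > "$sample"
echo "sample config: $(uptrack_action "$sample")"
rm -f "$sample"
```
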


DESCRIPTION

* Kernel panic when modesetting Intel 915 graphics devices.

A race condition in the Intel i915 driver can trigger a kernel panic when
attempting to perform a modeset on a non-existent device.


* Use after free in Bluetooth VHCI device opening.

The kernel Bluetooth driver does not correctly handle opening VHCI
devices, used for emulating HCI devices, which can trigger a use after
free and kernel panic.


* Memory leak in Bluetooth VHCI device opening.

The kernel Bluetooth driver does not handle closing a VHCI device before
packets are delivered to userspace which leads to a kernel memory leak
and subsequent denial of service.


* Kernel panic when setting baud-rate on generic PCI serial devices.

Setting the baud-rate of a generic PCI serial device can trigger a
divide-by-zero error and subsequent kernel panic. A local user could
use this flaw to trigger a denial of service.


* Kernel panic when DMA enabled on DAS1800 devices.

A logic error in the DAS1800 data acquisition device driver can trigger
a NULL pointer dereference and kernel panic when DMA is enabled on a
device.


* Kernel panic when detaching Thunderbolt devices.

A logic error in the Thunderbolt kernel driver can trigger a double-free
and kernel panic when a Thunderbolt device is detaching while being
probed.


* Kernel panic when adding orphaned inodes on ext4 filesystem.

A logic error when adding orphaned inodes on ext4 filesystems can
trigger memory corruption and kernel panic.


* Use after free when loading Atheros 10k WiFi driver.

A race condition between initializing an Atheros 10k device and
receiving frames can trigger a use after free and kernel panic.


* Privilege escalation when probing Keyspan USB Serial devices.

A logic error when failing to probe a Keyspan USB Serial device can
trigger a use-after-free and possible privilege escalation.


* Privilege escalation when probing Moxa USB Serial devices.

A logic error when failing to probe a Moxa USB Serial device can trigger
a use-after-free and possible privilege escalation.


* Privilege escalation when probing Quatech USB Serial devices.

A logic error when failing to probe a Quatech USB Serial device can
trigger a use-after-free and possible privilege escalation.


* Kernel panic when initializing Realtek 8xxx WiFi device.

Invalid locking when resetting the transfer/receive ring-buffers for
Realtek 8xxx devices can trigger an assertion failure and kernel panic.


* Use after free when failing xfs inode writeback.

Incorrect locking when flushing inodes on an xfs filesystem can trigger
a use after free and kernel panic.


* Kernel panic when resuming Xen VM from suspend.

A logic error when resuming a Xen VM from suspend can trigger an
assertion failure and kernel panic when moving IRQs that have been
disabled.


* Denial-of-service in USB HID event handling.

Missing validation in the HID event handling could result in
out-of-bounds memory accesses.  An attacker with physical access to the
system could use this flaw to trigger a denial-of-service.


* CVE-2016-3070: Denial of service when migrating dirty pages.

A NULL pointer dereference could happen when migrating dirty pages from an
AIO ring buffer to another node.  A local, unprivileged user could use this
flaw to cause a denial-of-service.


* Denial of service with corrupt orphan list on ext4 filesystem.

The kernel ext4 filesystem driver does not correctly handle corrupt orphan
inode lists which can trigger an infinite loop and kernel deadlock.


* Race condition in NFS client during unlink.

A race condition in the NFS client can lead to a LOCK request being
sent to the NFS server with an invalid state id. A local, unprivileged
user could exploit this flaw to cause a denial of service.


* Memory leak in Infiniband driver on send failure.

Improper cleanup on message send failure leads to a memory leak in the
Infiniband driver.


* Use after free in netlink dump interface.

Incorrect locking in the generic netlink interface can cause a use after
free and kernel panic when attempting to dump multiple interfaces
concurrently.


* Use-after-free in the B.A.T.M.A.N. Mesh Protocol driver.

Incorrect memory management during routing of a unicast packet in the
B.A.T.M.A.N. Mesh Protocol driver leads to a use-after-free condition and
potential kernel crash. An adversary on the same network could utilize
this flaw to cause a denial-of-service.


* Denial of service in Intel IOMMU/VT-d fault handler.

High DMA remapping fault rates can lead to a denial of service
by overwhelming the console with log messages.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


