[Ksplice][Ubuntu-17.04-Updates] New Ksplice updates for Ubuntu 17.04 Zesty (4.10.0-28.32)

[Oracle Ksplice]

Synopsis: 4.10.0-28.32 can now be patched using Ksplice
CVEs: CVE-2014-9900 CVE-2017-1000380 CVE-2017-7346 CVE-2017-9605

Systems running Ubuntu 17.04 Zesty can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.10.0-28.32.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 17.04
Zesty install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-7346: Denial-of-service when user defines surface in VMware Virtual GPU driver.

A missing check on user input could lead to an infinite loop. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2017-1000380: Information leak when reading timer information from ALSA devices.

A missing data initialization and a race condition when reading timer
information of ALSA devices from user space could lead to an information
leak. A local attacker could use this flaw to get information about
running kernel and facilitate an attack.


* CVE-2017-9605: Information leak when user defines surface in VMware Virtual GPU driver.

A missing initialization of local variable when user defines surface in
VMXGFX driver could leak stack information. A local attacker could use
this flaw to gain information about the running kernel and facilitate an
attack.


* CVE-2014-9900: Information disclosure in Wake-On-LAN driver.

Due to a failure to correctly clear memory, sensitive kernel information
can be disclosed to userspace when information about Wake-On-LAN support
is requested. A local attacker could use this flaw to facilitate a
further attack on the kernel.


* Denial-of-service in hugepage soft offline handling.

A failure to correctly handle reference counting when soft offlining
huge pages can result in a soft lockup. A local attacker could use this
flaw to cause a denial-of-service.


* Information disclosure in aacraid ioctl handlers.

Due to a failure to correctly clear memory, sensitive kernel information
can be disclosed to userspace when information from the aacraid driver
is requested. A local attacker could use this flaw to facilitate a
further attack on the kernel.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.