[Ksplice][Ubuntu-17.10-Updates] New Ksplice updates for Ubuntu 17.10 Artful (4.13.0-46.51)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Jul 2 11:07:12 PDT 2018
Synopsis: 4.13.0-46.51 can now be patched using Ksplice
CVEs: CVE-2018-1130 CVE-2018-11508 CVE-2018-5750 CVE-2018-5803 CVE-2018-6927 CVE-2018-7755 CVE-2018-7757
Systems running Ubuntu 17.10 Artful can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.13.0-46.51.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 17.10
Artful install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2018-5750: Information leak when registering ACPI Smart Battery System driver.
A too verbose printk when registering ACPI Smart Battery System driver
leaks kernel addresses. A local attacker could use this flaw to
leak information about running kernel and facilitate an attack.
* CVE-2018-5803: Denial-of-service when receiving forged packet over SCTP socket.
A missing check when receiving a forged packet with custom properties
over SCTP socket could lead to a kernel assert. A remote attacker could
use this flaw to cause a denial-of-service.
* CVE-2018-6927: Integer overflow when re queuing a futex.
A missing check when calling futex system call with "requeue" option could
lead to an integer overflow. A local attacker could use this flaw to
cause a denial-of-service.
* CVE-2018-7757: Memory leak when reading invalid_dword_count attribute of SAS Domain Transport driver.
A missing free when reading invalid_dword_count attribute of SAS Domain
Transport driver could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.
* CVE-2018-1130: Denial-of-service in DCCP message send.
A logic error in the dccp code could lead to a NULL pointer dereference
when transmitting messages, leading to a kernel panic. An attacker could
use this to cause a denial-of-service.
* CVE-2018-11508: Information disclosure in 32-bit timex syscall.
A failure to correctly initialize memory can result in a leak of
sensitive Kernel memory to userspace. A local user could use this flaw
to facilitate a further attack.
* CVE-2018-7755: Information leak through floppy disk driver ioctl.
A logic error when using floppy disk driver ioctl could lead to a kernel
address leak. A local attacker could use this flaw to get address of
running kernel and facilitate an attack.
* Denial-of-service while reading files using filesystem caching.
A race condition when reading files using filesystem caching could lead
to a kernel assert. A local attacker could use this flaw to cause a
denial-of-service.
* Denial-of-service when registering a new binary type.
A logic error when registering a new binary type with a too big offset
could lead to an overflow. A local attacker could use this flaw to cause
a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-17.10-updates
mailing list