[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (USN-3836-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Dec 6 02:03:47 PST 2018


Synopsis: USN-3836-1 can now be patched using Ksplice
CVEs: CVE-2018-18955 CVE-2018-6559

Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3836-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
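
One way to check which of the two paths above applies on a host, as an added example (not Oracle's code): the script reads an uptrack.conf-style file and reports whether autoinstall is set to yes. It assumes INI-style "key = value" lines with '#' or ';' comments; the function names and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example: report the effective "autoinstall" value in an Uptrack config.
# Assumption: the file is INI-style "key = value" with '#' or ';' comments.

# Print the effective autoinstall value: "yes", "no", or "unset".
uptrack_autoinstall() {
    conf=$1
    # A missing or unreadable file means nothing is configured.
    [ -r "$conf" ] || { echo "unset"; return 0; }
    awk '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next                  # section headers, blank lines
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)   # trim surrounding whitespace
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Last assignment wins if the key appears more than once.
            if (tolower(key) == "autoinstall") found = tolower(val)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$conf"
}

# Exit 0 when the host will NOT auto-install and therefore needs a manual
# "uptrack-upgrade -y" run. Only "yes" counts as enabled, matching the
# wording of the advisory.
needs_manual_upgrade() {
    [ "$(uptrack_autoinstall "$1")" != "yes" ]
}

# Constructed sample config (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Settings]
# autoinstall = yes
install_on_reboot = yes
autoinstall = no
EOF

if needs_manual_upgrade "$sample"; then
    echo "autoinstall=$(uptrack_autoinstall "$sample"): run /usr/sbin/uptrack-upgrade -y"
fi
rm -f "$sample"
```

On a real host, pass /etc/uptrack/uptrack.conf as the argument.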


DESCRIPTION

* NULL pointer dereference when getting network statistics in Mellanox Technologies ConnectX-4 and Connect-IB driver.

A logic error when getting network statistics with Mellanox Technologies
ConnectX-4 and Connect-IB core driver could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* Out-of-bounds access in Network Control Model communications driver.

A logic error when reserving space for a packet can result in an
out-of-bounds memory access, leading to memory corruption or a kernel
crash.


* Out-of-bounds memory access in simple network scheduler action driver.

A logic error when copying a string in the simple action network
scheduler driver can result in an out-of-bounds memory write, leading to
undefined behavior or a kernel crash.


* Use-after-free in Transport Layer Security packet encryption.

A failure to handle a memory allocation failure during encryption of a
TLS packet can result in a use-after-free. A local user could use this
flaw to escalate privileges.


* Denial-of-service in BTRFS invalid ioctl flag handling.

A failure to correctly manipulate a reference count in an error case can
result in the inability to unmount a BTRFS filesystem. A local user with
access to a BTRFS filesystem could use this flaw to cause a
denial-of-service.


* NULL pointer dereference in ALSA PCM stream attach.

A failure to correctly handle a memory allocation failure can result in
partial initialization of a PCM stream, leading to a subsequent NULL
pointer dereference.


* Use-after-free in Network Block Device unmount.

A logic error when unmounting a Network Block Device can result in the
access of freed memory, leading to a use-after-free. A local user with
the ability to mount or umount filesystems could use this flaw to
potentially escalate privileges.


* Soft lockup during block multiqueue free.

A logic error when freeing a queue in the block multiqueue
implementation can result in a soft lockup.


* Out-of-bounds memory access in iwlwifi firmware load.

A failure to validate a firmware image from userspace can result in an
out-of-bounds read or write of kernel memory.


* Denial-of-service when navigating SLAB page list.

The kernel may migrate certain threads to a different CPU from the one
where the thread originated. This could corrupt the per-CPU SLAB page
list during page allocation and lead to an inadvertent denial-of-service
when the thread tries to access the page.


* Memory leak in DRM fence submission.

A logic error when referencing fences in the DRM subsystem can result in
a memory leak. A local user with access to 3D acceleration could use
this flaw to exhaust system memory, leading to a denial-of-service.


* NULL pointer dereference in IP transform.

A failure to handle an error case in the IP transform subsystem can
result in a NULL pointer dereference leading to a kernel crash.


* Information disclosure via bind mount manipulation.

A logic error when checking mount permissions can result in a namespaced
process being able to view filesystem content outside of its namespace.
A local user could use this flaw to view restricted information.


* Undefined behavior in EXT4 inline data retrieval.

A failure to report an error when reading EXT4 inline data can result in
the EXT4 filesystem operating on uninitialised memory, leading to
undefined behavior.


* NULL pointer dereference during Elastic Network Adapter bringup.

A race condition during the initialization of the ENA network driver can
result in a kernel crash.


* CVE-2018-6559: Information disclosure via overlayfs in user namespace.

A failure to correctly handle user namespaces in overlayfs can result in
a user namespace being able to obtain names of restricted files and
directories.


* Kernel crash during Elastic Network Appliance removal.

A logic error when freeing an ENA instance can result in accessing an
invalid pointer, leading to a kernel crash.


* CVE-2018-18955: Privilege escalation in user namespace mappings.

A logic error in the user mappings between the host and a nested user
namespace can result in a process with the CAP_SYS_ADMIN capability in
the nested user namespace being able to bypass permission restrictions
on resources outside of its namespace.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




