[Ksplice][Ubuntu-18.04-Updates] New Ksplice updates for Ubuntu 18.04 Bionic (4.15.0-39.42)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Nov 15 08:12:30 PST 2018


Synopsis: 4.15.0-39.42 can now be patched using Ksplice
CVEs: CVE-2017-13168 CVE-2018-15471 CVE-2018-16658 CVE-2018-9363

Systems running Ubuntu 18.04 Bionic can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.15.0-39.42.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 18.04
Bionic install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
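
An added example, not part of the Ksplice announcement: a POSIX shell check that reads the autoinstall setting described above and reports whether a host still needs the manual upgrade command. It assumes uptrack.conf uses "key = value" lines with "#" comments and treats only the value "yes" (matched case-insensitively) as enabled; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether this host needs a manual uptrack-upgrade run.
# Assumption: uptrack.conf holds "key = value" lines and "#" comments.

# autoinstall_enabled FILE
#   returns 0 if the last "autoinstall" line is "yes",
#           1 if it is absent or set to anything else,
#           2 if FILE cannot be read.
autoinstall_enabled() {
    conf=$1
    [ -r "$conf" ] || return 2
    # Strip comments, then keep the value of the last autoinstall key.
    value=$(sed -e 's/#.*$//' "$conf" |
        awk -F= 'tolower($1) ~ /^[ \t]*autoinstall[ \t]*$/ {
                     v = $2; gsub(/[ \t\r]/, "", v); last = tolower(v)
                 }
                 END { print last }')
    [ "$value" = "yes" ]
}

# update_action FILE
#   prints what an operator should do on this host.
update_action() {
    rc=0
    autoinstall_enabled "$1" || rc=$?
    case $rc in
        0) echo "none: autoinstall will apply the updates" ;;
        2) echo "check: cannot read $1" ;;
        *) echo "run: /usr/sbin/uptrack-upgrade -y" ;;
    esac
}

# Path taken from the announcement; pass another file as $1 to test.
update_action "${1:-/etc/uptrack/uptrack.conf}"
```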


DESCRIPTION

* CVE-2018-16658: Information leak in CD-ROM status ioctl.

An incorrect bounds check in the CD-ROM driver could allow an
out-of-bounds access and kernel information leak to an unprivileged
user.


* CVE-2018-15471: Privilege escalation in Xen network backend.

A validation failure in the Xen network backend driver can result in an
out-of-bounds memory access. A guest operating system could use this
flaw to potentially escalate privileges or cause a denial-of-service.


* CVE-2017-13168: Denial-of-service in sg read/write implementation.

An unsafe implementation of read/write in the sg driver can result in
userspace being able to corrupt kernel memory. A local user with access
to an sg device could use this flaw to cause undefined behaviour or a
kernel crash, leading to a denial-of-service.


* CVE-2018-9363: Remote code execution in Bluetooth HIDP driver.

An integer overflow in the Bluetooth HIDP driver could result in a
buffer overflow and memory corruption. A remote user could use this
flaw to trigger a denial-of-service or potentially gain code execution.


* Information leak in TLB shootdowns.

An incorrect optimization in TLB shootdowns could result in the use of
stale MMU caches allowing access to incorrect pages.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




