[Ksplice][Ubuntu-20.04-Updates] New Ksplice updates for Ubuntu 20.04 Focal (USN-5210-1)

Tue Jan 18 11:35:53 UTC 2022

Synopsis: USN-5210-1 can now be patched using Ksplice
CVEs: CVE-2020-26541 CVE-2021-20321 CVE-2021-3760 CVE-2021-3896 CVE-2021-4002 CVE-2021-41864 CVE-2021-43056 CVE-2021-43389

Systems running Ubuntu 20.04 Focal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-5210-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 20.04
Focal install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2021-43389, CVE-2021-3896: Out-of-bounds access in ISDN CAPI due to a race condition.

A race condition in Kernel CAPI Interface of the ISDN CAPI
implementation could result in an out-of-bounds access. A privileged
local user could use this flaw to cause a denial-of-service or execute
arbitrary code.

* CVE-2021-3760: Use-after-free in NFC subsystem when closing NCI RSP connection.

A use-after-free flaw could happen in NFC Controller Interface (NCI)
implementation of the NFC subsystem when closing NCI RSP connection.
A local attacker could use this to cause a denial-of-service or execute
arbitrary code.

* CVE-2021-41864: Out-of-bounds write access in eBPF during a map operation.

An integer overflow could happen in eBPF during a map operation
resulting in out-of-bounds write access. An unprivileged user
could use this flaw for a denial-of-service or to execute code.

* CVE-2021-20321: Denial-of-service in the OverlayFS subsystem due to a race condition.

A race condition flaw when accessing file objects in the OverlayFS
subsystem could lead to a system crash. A local user could use this flaw
to cause a denial-of-service.

* Note: Oracle has determined that CVE-2021-43056 is not applicable.

Oracle has determined that CVE-2021-43056 is not applicable to x86.
Applying the patch has no resulting changes in the generated object
files.

* Note: Oracle will not be providing an update for CVE-2020-26541.

This CVE is only applicable at boot time, so by the time Ksplice live updates
are applied, the relevant code has already ran.

* CVE-2021-4002: Information disclosure in the hugetlb due to memory leak.

A memory leak flaw in the hugetlbfs memory usage of the hugetlb
implementation could allow a local attacker to leak or alter data from
other processes that use huge pages and result in sensitive information
disclosure.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.