[Ksplice][Ubuntu-20.04-Updates] New Ksplice updates for Ubuntu 20.04 Focal (USN-5318-1)

Oracle Ksplice quentin.casasnovas at oracle.com
Fri Mar 18 16:48:57 UTC 2022


Synopsis: USN-5318-1 can now be patched using Ksplice
CVEs: CVE-2021-26341 CVE-2021-26401 CVE-2022-0001 CVE-2022-0002 CVE-2022-23960 CVE-2022-25636

Systems running Ubuntu 20.04 Focal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-5318-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 20.04
Focal install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Note: Oracle will not provide a zero downtime update for CVE-2022-0001, CVE-2022-0002, CVE-2021-26401 and CVE-2021-26341.

On the 8th of March 2022, Vrije Universiteit (VU) Amsterdam
researchers, AMD, Ampere, ARM and Intel jointly reported new
security vulnerabilities based on Branch Target
Injection (BTI) (commonly called Spectre v2 variants).

The reporters recommend disabling unprivileged BPF to mitigate
this vulnerability as well as using generic retpoline even when
eIBRS is available on the platform or on special AMD/Hygon CPUs.

Unprivileged BPF can already be disabled at runtime by setting
the kernel.unprivileged_bpf_disabled sysctl.

If your CPU is affected and is not already using retpoline as the
Spectre V2 mitigation, a reboot into the newest kernel will be
required in order to get the full retpoline mitigations in place.
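
The check below is an added example, not part of the Oracle advisory: it reads the kernel's Spectre v2 status and the unprivileged BPF sysctl and reports which of the two actions above still applies. The function names, the state labels and the sample status strings used to exercise it are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. Status strings quoted in comments
# and tests are constructed samples in the style of kernel output.

# Classify the text of /sys/devices/system/cpu/vulnerabilities/spectre_v2.
spectre_v2_state() {
    case "$1" in
        "Not affected"*)            echo not-affected ;;
        # LFENCE-based ("AMD") retpoline is not the generic retpoline the
        # reporters recommend, so match it before the generic pattern.
        *"AMD retpoline"*|*LFENCE*) echo no-generic-retpoline ;;
        *[Rr]etpoline*)             echo retpoline ;;
        *)                          echo no-generic-retpoline ;;
    esac
}

# Classify kernel.unprivileged_bpf_disabled: 0 = enabled, 1 = disabled until
# the next reboot, 2 = disabled but an administrator may re-enable it.
bpf_state() {
    case "$1" in
        0)   echo enabled ;;
        1|2) echo disabled ;;
        *)   echo unknown ;;
    esac
}

# Combine both findings; returns non-zero when an action is outstanding.
advise() {
    v2=$(spectre_v2_state "$1")
    bpf=$(bpf_state "$2")
    if [ "$v2" = not-affected ]; then echo "ok: CPU not affected"; return 0; fi
    rc=0
    if [ "$v2" != retpoline ]; then
        echo "action: reboot into the newest kernel for full retpoline"; rc=1
    fi
    if [ "$bpf" = enabled ]; then
        echo "action: sysctl -w kernel.unprivileged_bpf_disabled=1"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: no action needed"
    return "$rc"
}

# Live check, skipped where the sysfs interface is absent (e.g. containers).
f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
if [ -r "$f" ]; then
    advise "$(cat "$f")" "$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null)" || true
fi
```

Setting the sysctl to 1 cannot be undone without a reboot; persist the chosen value in a file under /etc/sysctl.d/ so it survives one.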


* CVE-2022-25636: Privilege escalation in netfilter when using flow offload.

An incorrectly allocated array when creating a netfilter rule could lead to
a heap overflow when flow offload is supported.  A local user with the
ability to craft netfilter rules could use this flaw to elevate their privileges.


* Note: Oracle has determined that CVE-2022-23960 is not applicable.

The kernel is not affected by CVE-2022-23960 since the code under
consideration is not compiled.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




