[Ksplice][Ubuntu-20.04-Updates] New Ksplice updates for Ubuntu 20.04 Focal (USN-5980-1)

Oracle Ksplice quentin.casasnovas at oracle.com
Thu Apr 13 10:35:22 UTC 2023


Synopsis: USN-5980-1 can now be patched using Ksplice
CVEs: CVE-2021-3669 CVE-2022-2196 CVE-2022-4382 CVE-2023-23559

Systems running Ubuntu 20.04 Focal can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-5980-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 20.04
Focal install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
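
A post-install check for the procedure above, as an added example that is not
part of Oracle's advisory: it reads the autoinstall setting and confirms that
each CVE on the "CVEs:" line appears in saved uptrack-show output. The function
names, the sample file contents, and the assumption that uptrack-show
descriptions carry the CVE identifiers are this example's own.

```shell
#!/bin/sh
# Added example: verify that a host is covered for USN-5980-1.
# CVE list copied from the advisory's "CVEs:" line.
USN_CVES="CVE-2021-3669 CVE-2022-2196 CVE-2022-4382 CVE-2023-23559"

# autoinstall_enabled CONF: succeed if CONF has an uncommented
# "autoinstall = yes" line (only the spelling quoted in the advisory).
autoinstall_enabled() {
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' \
        "$1" 2>/dev/null
}

# missing_cves SHOWFILE: print each advisory CVE that SHOWFILE (saved
# `uptrack-show` output) does not mention. -w stops CVE-2021-3669 from
# matching a longer id such as CVE-2021-36690.
missing_cves() {
    for cve in $USN_CVES; do
        grep -qwF -- "$cve" "$1" 2>/dev/null || printf '%s\n' "$cve"
    done
}

# check_host CONF SHOWFILE: report both checks; return 0 only when every
# advisory CVE appears among the installed updates.
check_host() {
    if autoinstall_enabled "$1"; then
        echo "autoinstall: yes"
    else
        echo "autoinstall: no (updates need uptrack-upgrade)"
    fi
    missing=$(missing_cves "$2")
    if [ -z "$missing" ]; then
        echo "USN-5980-1: all CVEs covered"
        return 0
    fi
    echo "USN-5980-1: not covered:" $missing
    return 1
}

# Demo on constructed data; layout and [xxxxxxxx] ids are placeholders.
demo=$(mktemp -d)
printf '[Settings]\nautoinstall = yes\n' > "$demo/uptrack.conf"
cat > "$demo/show.txt" <<'EOF'
Installed updates:
[xxxxxxxx] CVE-2023-23559: Buffer overflow in driver for RNDIS-based wireless USB devices.
[xxxxxxxx] CVE-2022-2196: Information leak in Kernel-based Virtual Machine.
[xxxxxxxx] CVE-2021-3669: Denial-of-service in Inter Process Communication.
EOF
check_host "$demo/uptrack.conf" "$demo/show.txt" || true
rm -rf "$demo"
```

On a live host, save the output of uptrack-show to a file and pass it to
check_host together with /etc/uptrack/uptrack.conf.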


DESCRIPTION

* CVE-2023-23559: Buffer overflow in driver for RNDIS-based wireless USB devices.

A buffer overflow exists in the driver code for wireless USB devices based on
Remote Network Driver Interface Specification (RNDIS). This could allow a local
user to cause a denial-of-service.


* CVE-2022-2196: Information leak in Kernel-based Virtual Machine.

A flaw in KVM due to a missing flush of indirect branch predictors
at VM-exit time may result in a leak of information.
A nested guest VM (L2) may use this flaw to perform Spectre v2 attacks
on L1 guest VMs.


* CVE-2022-4382: Use-after-free in USB Gadget Filesystem driver.

A race condition in the gadgetfs driver when processes are concurrently
mounting and unmounting the gadgetfs filesystem may lead to a
use-after-free. A local user could use this flaw to cause a
denial-of-service or elevate privileges on the system.


* CVE-2021-3669: Denial-of-service in Inter Process Communication.

A flaw in Inter Process Communication when reading information about
System V IPC resources could result in resource exhaustion when large
shared memory segment counts are involved. A local user could use this
flaw for a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




