[Ksplice][Ubuntu-20.10-Updates] New Ksplice updates for Ubuntu 20.10 Groovy (USN-5016-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Aug 9 16:23:19 PDT 2021 

Synopsis: USN-5016-1 can now be patched using Ksplice
CVEs: CVE-2021-23134 CVE-2021-32399 CVE-2021-33034 CVE-2021-33909 CVE-2021-3506

Systems running Ubuntu 20.10 Groovy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-5016-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 20.10
Groovy install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2021-3506: Denial-of-service in F2FS due to out-of-bounds memory access.

An out-of-bounds memory access flaw in the F2FS file system could lead
to a system crash when retrieving the next Node Address Table page.
A local attacker could use this flaw to cause a denial-of-service.


* Note: Oracle has determined that CVE-2021-33034 is not applicable.

Oracle has determined that CVE-2021-33034 is not applicable to this kernel
configuration. Applying the patch has no resulting changes in the generated
object files.


* CVE-2021-32399: Race condition when removing bluetooth HCI controller.

A race condition when removing bluetooth HCI controller could result in
an out-of-bounds write. A malicious unprivileged user might be able to
exploit this to cause a denial-of-service or privilege escalation.


* CVE-2021-23134: Privilege elevation in NFC when binding or connecting sockets.

A use-after-free flaw in the NFC subsystem could happen when binding or
connecting sockets. A privileged local user with the CAP_NET_RAW
capability could use this flaw to elevate their privileges.


* CVE-2021-33909: Code execution in the virtual file system.

An unsigned to signed integer conversion flaw in the virtual file system
implementation could lead to a system crash. A local attacker could use
this flaw to execute arbitrary code or cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the Ksplice-Ubuntu-20.10-updates mailing list