[Ksplice][Ubuntu 8.04 Updates] New updates available via Ksplice (USN-1225-1)

Christine Spang christine.spang at oracle.com
Fri Oct 21 10:33:21 PDT 2011


Synopsis: USN-1225-1 can now be patched using Ksplice
CVEs: CVE-2009-4067 CVE-2011-1573 CVE-2011-2494 CVE-2011-2495 CVE-2011-3188

Systems running Ubuntu 8.04 Hardy can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-1225-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 8.04 Hardy
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2011-2495: Information leak in /proc/PID/io.

/proc/PID/io could be used for gathering private information and did
not have access restrictions.


* CVE-2009-4067: Buffer overflow in Auerswald USB driver.

A buffer overflow flaw was found in the Linux kernel's Auerswald
PBX/System Telephone USB driver implementation.


* CVE-2011-1573: Remote denial of service in SCTP.

A flaw in the Linux kernel's Stream Control Transmission Protocol
(SCTP) implementation could allow a remote attacker to cause a denial
of service if the sysctl "net.sctp.addip_enable" and "auth_enable"
variables were turned on (they are off by default).


* CVE-2011-3188: Weak TCP sequence number generation.

Dan Kaminsky reported a weakness of the sequence number generation in
the TCP protocol implementation. This can be used by remote attackers
to inject packets into an active session.


* CVE-2011-2494: Information leak in taskstats.

Taskstats information could be used to gather private information, such
as precise password lengths from OpenSSH. This update restricts
taskstats information to the root user, which has the side effect
of making the "iotop" program require root.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.
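
An added example, not part of the original announcement: a shell check for
the two host settings the text names, the SCTP sysctls that CVE-2011-1573
depends on and the "autoinstall" key in uptrack.conf. The function names and
the optional root-directory argument are hypothetical; the sysctls are read
through /proc/sys/net/sctp/, and uptrack.conf section headers are ignored.

```shell
#!/bin/sh
# Added example (not from the announcement). ROOT defaults to "/"; passing
# another directory lets the checks run on a mounted image or a test tree.

# Print a net.sctp sysctl value, or "absent" when the /proc entry is
# missing (for example, the sctp module is not loaded).
sctp_sysctl() {
    root=${2:-/}
    f="${root%/}/proc/sys/net/sctp/$1"
    if [ -r "$f" ]; then tr -d ' \t\n' < "$f"; else printf absent; fi
}

# True when a sysctl value means "enabled" (anything but 0/absent/empty).
is_on() { case "$1" in ''|0|absent) return 1 ;; *) return 0 ;; esac; }

# CVE-2011-1573 needs both addip_enable and auth_enable turned on.
sctp_precondition() {
    root=${1:-/}
    if is_on "$(sctp_sysctl addip_enable "$root")" &&
       is_on "$(sctp_sysctl auth_enable "$root")"; then
        echo met
    else
        echo not-met
    fi
}

# Print the last autoinstall value in uptrack.conf, lower-cased:
# "unknown" if the file is unreadable, "unset" if the key is missing.
# Assumption: section headers are ignored; only the key name is matched.
uptrack_autoinstall() {
    root=${1:-/}
    conf="${root%/}/etc/uptrack/uptrack.conf"
    [ -r "$conf" ] || { echo unknown; return 0; }
    v=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' \
        "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    echo "${v:-unset}"
}

report() {
    echo "CVE-2011-1573 precondition (addip_enable + auth_enable): $(sctp_precondition "$1")"
    echo "uptrack autoinstall: $(uptrack_autoinstall "$1")"
}

report "${1:-/}"
```

A "met" result only says the configuration precondition holds; it does not
tell whether the kernel has already been patched.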