[Ksplice][Virtuozzo 4.7 Updates] New updates available via Ksplice (2.6.32-042stab117.8)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Aug 12 08:57:22 PDT 2016


Synopsis: 2.6.32-042stab117.8 can now be patched using Ksplice
CVEs: CVE-2010-5313 CVE-2013-2015 CVE-2014-7842 CVE-2014-8134 CVE-2015-5156 CVE-2015-7509 CVE-2015-8215

Systems running Virtuozzo 4.7 or the OpenVZ RHEL 6 kernel can now use
Ksplice to patch against the latest Parallels Virtuozzo Containers 4.7
kernel security update, 2.6.32-042stab117.8.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Virtuozzo 4.7 or
OpenVZ on RHEL 6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
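
An added example, not part of Oracle's announcement: a small shell check that reports whether a host is already at the advisory's kernel level, will pick it up through autoinstall, or still needs the manual command above. Assumptions: the effective kernel string is supplied by the caller (on a live host, from `uptrack-uname -r`), the `autoinstall` value is matched case-insensitively, GNU `sort -V` is available, and the sample config and the older version string are constructed.

```shell
#!/bin/sh
# Added example (not Oracle's code): does this host still need a manual
# uptrack-upgrade for the kernel level named in the advisory?

TARGET="2.6.32-042stab117.8"    # effective kernel from the advisory

# Print "yes" only when the file has an uncommented "autoinstall = yes".
# Whitespace around "=" is tolerated and the last assignment wins.
# Assumption: the value is matched case-insensitively.
autoinstall_enabled() {
    [ -r "$1" ] || { echo "no"; return 0; }
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" \
          | tail -n 1 | tr '[:upper:]' '[:lower:]')
    if [ "$val" = "yes" ]; then echo "yes"; else echo "no"; fi
}

# True when version $1 is at or above version $2 (GNU sort -V ordering).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# $1 = path to uptrack.conf, $2 = effective kernel version.
# Assumption: on a live host $2 comes from `uptrack-uname -r`.
patch_status() {
    if version_at_least "$2" "$TARGET"; then
        echo "patched"
    elif [ "$(autoinstall_enabled "$1")" = "yes" ]; then
        echo "pending-autoinstall"
    else
        echo "needs-manual-upgrade"
    fi
}

# Constructed sample config and version; a real host would pass
# /etc/uptrack/uptrack.conf and its own effective kernel version.
sample=$(mktemp)
printf '%s\n' '[Settings]' '# autoinstall = yes' 'autoinstall = no' > "$sample"
echo "sample host: $(patch_status "$sample" "2.6.32-042stab116.2")"
rm -f "$sample"
```

A commented-out `# autoinstall = yes` line does not count as enabled, which is the case most likely to be misread when auditing a fleet by grep alone.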


DESCRIPTION

* CVE-2014-8134: Information leak in 32-bit KVM guests.

A bug in the espfix handling code could result in leaking the high bits of
the kernel stack pointer when returning to userspace with a 16-bit
stack.  A local unprivileged user could potentially use this flaw to
leak kernel stack addresses.


* CVE-2013-2015, CVE-2015-7509: Possible privilege escalation when mounting a non-journaled ext4 filesystem.

A flaw was found in the ext4 file system when handling non-journal file
systems with an orphan list. An attacker with physical access to the system
could use this flaw to crash the system or potentially escalate their
privileges on the system.


* CVE-2015-8215: Remote denial-of-service of network traffic when changing the MTU.

Missing validation of the MTU in the IPv6 stack when it is reset could allow a
remote attacker to change the MTU through rogue router advertisement
packets.  A remote attacker could use this flaw to disrupt the system's
networking, leading to high packet loss and denial-of-service.


* CVE-2010-5313, CVE-2014-7842: Denial of service in KVM L1 guest from L2 guest.

A malicious nested L2 KVM guest can cause the L1 guest to crash by
triggering a race condition when accessing MMIO memory. A local attacker
could use this flaw to cause a denial of service.


* CVE-2015-5156: Denial-of-service in Virtio network device.

Incorrect handling of fragmented socket buffers could result in a buffer
overflow when performing receive offload under specific conditions.  A
local, unprivileged user could use this flaw to crash the system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


