[El-errata] New updates available via Ksplice (ELSA-2012-1540-1)

[Errata Announcements for Oracle Linux]

Synopsis: ELSA-2012-1540-1 can now be patched using Ksplice
CVEs: CVE-2012-2372 CVE-2012-3552 CVE-2012-4508

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2012-1540-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on EL 5 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.

A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS)
protocol implementation. A local, unprivileged user could use this flaw
to cause a denial of service.


* CVE-2012-3552: Denial-of-service in IP options handling.

Missing locking around IP options for a socket could allow an attacker
to trigger a use-after-free condition resulting in a kernel crash.
Under certain conditions this could be exploitable by a remote user.


* CVE-2012-4508: Stale data exposure in ext4.

A race condition in the usage of asynchronous IO and fallocate on an ext4
filesystem could lead to exposure of stale data from a deleted file. An
unprivileged local user could use this flaw to read privileged information.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.