[El-errata] New updates available via Ksplice (ELSA-2015-3043)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Jun 11 09:06:40 PDT 2015


Synopsis: ELSA-2015-3043 can now be patched using Ksplice
CVEs: CVE-2014-9419 CVE-2014-9420 CVE-2014-9585

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2015-3043.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on EL 6 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-9419: Address leak on context switch bypasses ASLR.

A flaw in the context switch code could lead to leaking another thread's
local storage area.  A local, unprivileged user could use this flaw to gain
information about another process address space mappings and bypass address
space layout randomization.


* CVE-2014-9420: Infinite loop in isofs when parsing continuation entries.

A flaw in the iso9660 file system support could lead to an infinite
recursion loop when parsing continuation entries.  An unprivileged user
could use this flaw to crash the system resulting in a denial-of-service.


* CVE-2014-9585: Address space layout randomization bypass for VDSO address.

A flaw in the VDSO code loader leads to a 50% chance of having the VDSO
address placed at the end of a PMD. This could allow an attacker to bypass
ASLR protections more easily.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.





More information about the El-errata mailing list