[El-errata] New updates available via Ksplice (ELSA-2016-3510)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Jan 21 11:45:10 PST 2016


Synopsis: ELSA-2016-3510 can now be patched using Ksplice
CVEs: CVE-2016-0728

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Security Advisory, ELSA-2016-3510.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on EL 6 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
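The two paths above (automatic installation when autoinstall is enabled, a manual uptrack-upgrade otherwise) can be turned into a small pre-flight check for fleet maintenance scripts. The following POSIX shell functions are an added example written for this page, not Oracle or Ksplice code: they parse the autoinstall setting out of /etc/uptrack/uptrack.conf (the path can be overridden for testing), report which path applies, and only invoke the advisory's manual command when it is actually needed. The parsing rules (whitespace tolerance, ignoring commented-out lines, last assignment wins) are this example's assumptions about the file format, not documented Ksplice behaviour.

```shell
#!/bin/sh
# Added example, not Ksplice's own tooling: decide whether a Ksplice Uptrack
# host on EL 6 needs a manual `uptrack-upgrade -y`, based on the autoinstall
# setting in /etc/uptrack/uptrack.conf described in the advisory.

# uptrack_autoinstall_enabled [CONF]
# Returns 0 if CONF (default /etc/uptrack/uptrack.conf) contains an active
# "autoinstall = yes" line, 1 otherwise. Surrounding whitespace and a
# trailing comment are tolerated; lines starting with '#' are ignored.
# Assumption of this example: the last matching assignment wins.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    value=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" \
            | tail -n 1 | tr 'A-Z' 'a-z')
    [ "$value" = "yes" ]
}

# uptrack_plan [CONF]
# Prints "auto" when Ksplice will apply the updates itself, or "manual"
# when the operator must run `/usr/sbin/uptrack-upgrade -y` (the advisory's
# command). An unreadable or missing config also yields "manual", the
# conservative choice: the operator verifies rather than assumes.
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo auto
    else
        echo manual
    fi
}

# apply_ksplice_updates [CONF]
# Runs the advisory's manual command only when autoinstall is off, so the
# script is safe to run unconditionally from configuration management.
apply_ksplice_updates() {
    if [ "$(uptrack_plan "$1")" = manual ]; then
        /usr/sbin/uptrack-upgrade -y
    fi
}
```

Usage on a host: `. ./uptrack-check.sh && apply_ksplice_updates` as root. Because `uptrack_plan` only reads the config and prints a word, it can also be run read-only by an inventory job to find hosts where the updates will not arrive on their own.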


DESCRIPTION

* CVE-2016-0728: Privilege escalation in session keyrings.

A reference count imbalance with session keyrings could result in a
use-after-free condition.  A local, unprivileged user could use this
flaw to crash the system or gain arbitrary code execution in the kernel.


* Return non-zero block length for really small files on ocfs2.

Tools like tar and rsync assume a file has no data if its block length
is 0 and will skip reading it.


* Consume unprocessed events when a Xen CPU dies.

When a CPU is offlined, there may be unprocessed events on a port for
that CPU.  If the port is subsequently reused on a different CPU, it
could be in an unexpected state with the link bit set, resulting in
interrupts being missed. Fix this by consuming any unprocessed events
for a particular CPU when that CPU dies.


* Restrict Xen framebuffer to PV guests.

The PV framebuffer should only be used by PV guests, not by HVM guests,
as the QEMU backend only provides a VGA backend for HVM guests.


Ksplice will not be providing an update for Xen security advisories 155
and 157.  Fixing XSA-155 requires updates to the hypervisor and qemu
which are not available through Ksplice.  Xen hosts should reboot into
an updated hypervisor, qemu and kernel to protect against this issue,
and live migration may be used to avoid disruption to guests.  Systems
other than Xen Dom0s (i.e. systems not hosting Xen virtual machines)
are not vulnerable and do not need to be rebooted in order to remain
secure.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
