[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2016-3644)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Nov 22 11:24:43 PST 2016


Synopsis: ELSA-2016-3644 can now be patched using Ksplice
CVEs: CVE-2015-8956 CVE-2016-1583 CVE-2016-2053 CVE-2016-3070 CVE-2016-4569
CVE-2016-4578 CVE-2016-4794 CVE-2016-6136 CVE-2016-6480

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2016-3644.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
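
A triage sketch for the two install paths above, added here as an example and not Oracle's or Ksplice's own code: it reads the autoinstall setting from an uptrack.conf-style file and checks an installed-update list (such as uptrack-show output) for this advisory's CVE ids. The function names, the verdict strings and the assumption that update descriptions carry their CVE ids are this example's own.

```shell
# Added example (not Oracle's code): triage one host for ELSA-2016-3644.
# CVE ids copied from the advisory synopsis.
ELSA_CVES="CVE-2015-8956 CVE-2016-1583 CVE-2016-2053 CVE-2016-3070
CVE-2016-4569 CVE-2016-4578 CVE-2016-4794 CVE-2016-6136 CVE-2016-6480"

# Print "yes" only if the uptrack.conf-style file $1 sets autoinstall = yes.
# Comment lines are skipped and the last assignment wins. Assumption: a
# missing file, a missing key or any other value means manual action.
autoinstall_value() {
    [ -r "$1" ] || { echo no; return 0; }
    awk '
        /^[ \t]*[#;]/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            key = tolower(substr($0, 1, n - 1))
            val = tolower(substr($0, n + 1))
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "autoinstall") v = val
        }
        END { print (v == "yes" ? "yes" : "no") }
    ' "$1"
}

# Read the installed-update list on stdin (for example uptrack-show output)
# and print every advisory CVE id it does not mention. Assumption: each
# installed update's description carries its CVE id.
missing_cves() {
    installed=$(cat)
    for cve in $ELSA_CVES; do
        printf '%s\n' "$installed" | grep -qwF -- "$cve" || printf '%s\n' "$cve"
    done
}

# Verdict for one host: conf path in $1, installed-update list on stdin.
check_host() {
    missing=$(missing_cves)
    if [ -z "$missing" ]; then echo "patched"
    elif [ "$(autoinstall_value "$1")" = yes ]; then echo "pending-autoinstall"
    else echo "run-uptrack-upgrade"
    fi
}

# Constructed sample: autoinstall commented out, no advisory update installed.
conf=$(mktemp)
printf '[Settings]\n# autoinstall = yes\n' > "$conf"
echo "[constructed] unrelated update" | check_host "$conf"
rm -f "$conf"
```

On a host, feed it real data with `uptrack-show | check_host /etc/uptrack/uptrack.conf`. An earlier fix for CVE-2016-1583 also mentions that id, so this check cannot tell the original fix from the improved one described below.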


DESCRIPTION

* CVE-2016-3070: Denial of service when migrating dirty pages.

A NULL pointer dereference could happen when migrating dirty pages from an
AIO ring buffer to another node.  A local, unprivileged user could use this
flaw to cause a denial of service.


* CVE-2015-8956: NULL pointer dereference in the Bluetooth stack.

A missing NULL pointer check when binding to a Bluetooth socket could cause
a NULL pointer dereference.  A local user with privileges to bind a
Bluetooth socket could use this flaw to cause a denial of service.


* CVE-2016-4578, CVE-2016-4569: Information leak in sound timers.

Missing initialization of stack data structures could result in leaking
the contents of kernel stack memory to user-space.  A local user with
access to the sound device could use this flaw to infer the layout of
kernel memory.


* Improved fix to CVE-2016-1583: Privilege escalation in eCryptfs.

The original upstream fix for CVE-2016-1583 restricted opening files
without an mmap handler, but could result in applications failing to
open files that did not need mmap on them.  The new fix defers this
check until mmap is called.


* CVE-2016-6480: Denial-of-service in Adaptec AACRAID driver.

A race condition in fetching parameters from userspace could result in
accessing beyond the bounds of a buffer.  A local user with privileges
to access the device could use this flaw to crash the system.


* CVE-2016-4794: Use-after-free in per-cpu memory allocator.

Due to incorrect synchronization between synchronous map extension and
chunk destruction, a local user with the ability to call BPF programs
could cause a use-after-free and potentially escalate privileges.


* CVE-2016-6136: Audit log message spoofing.

A race condition when copying parameters from user-space could allow a
malicious user to spoof log messages in the audit subsystem, to
misrepresent commands or potentially evade logging.


* CVE-2016-2053: Denial of service in ASN.1 BER decoding.

The kernel ASN.1 BER decoder does not correctly handle missing elements,
which can trigger a kernel panic when parsing malformed BER data from
userspace.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.



