[El-errata] New Ksplice updates for UEKR3 3.8.13 on OL6 and OL7 (ELSA-2017-3534)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Tue Apr 4 00:28:04 PDT 2017
Synopsis: ELSA-2017-3534 can now be patched using Ksplice
CVEs: CVE-2015-4700 CVE-2015-5707 CVE-2015-8569 CVE-2016-10088 CVE-2016-10142 CVE-2016-3140 CVE-2016-3672 CVE-2016-4580 CVE-2016-7425 CVE-2016-8399 CVE-2016-8633 CVE-2016-8645 CVE-2016-9576 CVE-2016-9588 CVE-2017-5970 CVE-2017-6345 CVE-2017-7187
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2017-3534.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR3 3.8.13 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
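As an added example (not part of the original announcement), a small POSIX shell helper that reads the autoinstall setting from an uptrack.conf and reports whether the host will pick up these updates on its own or needs the manual uptrack-upgrade run; the config path argument and the function names are assumptions made for this example.

```shell
# Added example: decide whether a host needs a manual Ksplice update run.
# Reads the "autoinstall" setting from uptrack.conf (default path from the
# announcement); the function names are assumptions made for this example.

# Returns 0 (true) when the config contains "autoinstall = yes".
# Tolerates surrounding whitespace and case, and ignores comment lines.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    grep -Ei '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' \
        "$conf" >/dev/null 2>&1
}

# Prints "auto" when updates will be applied without action, otherwise
# "manual" (the admin should run /usr/sbin/uptrack-upgrade -y).
uptrack_update_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo auto
    else
        echo manual
    fi
}

# Example usage on the live system (only prints the required action):
#   case "$(uptrack_update_action)" in
#       auto)   echo "autoinstall on: nothing to do" ;;
#       manual) echo "autoinstall off: run /usr/sbin/uptrack-upgrade -y" ;;
#   esac
```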
DESCRIPTION
* CVE-2017-6345: Denial of service in 802.2 LLC packet processing.
A logic error when receiving PDUs on an 802.2 LLC network socket can trigger a
kernel panic and denial of service when freeing memory.
* CVE-2017-5970: Denial-of-service in IPv4 options field handling.
Incorrect behaviour when IPv4 options are used can result in a kernel
crash. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2016-3140: Denial of service in Digi AccelePort USB descriptor parsing.
A logic error in the Digi AccelePort USB driver can allow a malformed
USB descriptor with missing endpoints to trigger a NULL pointer
dereference and kernel panic.
* CVE-2016-4580: Kernel stack information leak in X25 facility negotiation.
Missing initialization of a stack data structure could result in leaking
up to 8 bytes of kernel stack information to a local, unprivileged user.
* CVE-2016-7425: Heap corruption in ARECA SATA/SAS RAID host adapter.
Lack of bounds checking when copying data from userspace could lead to heap
corruption. A local user with the ability to transfer messages to the
ARECA SATA/SAS RAID driver could use this flaw to gain kernel execution.
* CVE-2015-5707: Privilege escalation in generic SCSI character device.
An integer overflow in the SCSI generic driver in the Linux kernel could
allow a local user with write permission on a SCSI generic device to
escalate privileges.
* CVE-2015-8569: Information leak in point-to-point protocol.
A lack of user input validation could cause kernel stack memory to be
leaked to userspace in the point-to-point bind() and connect() functions.
A local, unprivileged user could use this flaw to gain information about
the running kernel.
* CVE-2016-8633: Remote code execution in the firewire driver.
Improper input validation when handling fragmented datagrams could allow a
remote attacker, through a specially crafted packet, to gain code
execution. A remote attacker could use this flaw to compromise a system
remotely.
* CVE-2015-4700: Denial-of-service in the BSD Packet Filter just-in-time compiler.
A logic error in the BSD Packet Filter (BPF) just-in-time (JIT) compiler
could lead the JIT-compiled program to contain only software breakpoints
instead of the intended opcodes. A local, privileged user could use this
flaw to cause a denial-of-service with a specially crafted BPF program.
* CVE-2016-8645: Denial of service when receiving TCP packets.
When collapsing multiple socket buffers into one, a bug in the code
could result in a kernel panic. A remote attacker can trigger this by
sending specially crafted packets and cause a denial of service.
* CVE-2016-3672: Incorrect mmap randomization in i386 and X86_32 mode.
Incorrect logic when randomizing mmap addresses could facilitate an
attack and allow a local attacker to escalate privileges.
* CVE-2016-10088, CVE-2016-9576: Use-after-free in SCSI device interface.
Incorrect validation of sendfile arguments can cause a use-after-free in
the SCSI subsystem. A local user with access to /dev/sg* devices could
use this flaw to read kernel memory or escalate privileges.
* CVE-2016-10142: Denial of service when routing IPv6 atomic fragments.
The kernel IPv6 implementation processes atomic fragments according to
the IPv6 RFC. However, remote attackers can leverage a feature of
atomic fragments to stop the routing of IPv6 traffic, causing a denial
of service.
* CVE-2016-8399: Information leak in ICMP protocol handling.
A missing check on the ICMP header length could cause an out-of-bounds
read of the stack. A user could use this flaw to leak information about
kernel memory and facilitate an attack.
* CVE-2017-7187: Denial-of-service in SCSI driver ioctl handler.
The ioctl handler function in SCSI driver allows local users to cause a
denial of service (stack-based buffer overflow) or possibly have
unspecified other impact via a large command size in an SG_NEXT_CMD_LEN
ioctl call, leading to out-of-bounds write access in the sg_write
function.
* CVE-2016-9588: Denial-of-service in Intel nested VMX exception handling.
Failure to handle exceptions thrown by an L2 guest could result in a
kernel crash. A malicious guest could use this flaw to crash the
virtualization host.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.