[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2017-3595)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Mon Jul 31 08:37:04 PDT 2017


Synopsis: ELSA-2017-3595 can now be patched using Ksplice
CVEs: CVE-2015-8962 CVE-2017-1000380 CVE-2017-100363 CVE-2017-10911 CVE-2017-7273 CVE-2017-9077

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2017-3595.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Soft lockup after vcpu hot-remove in Xen PVM/HVM guests.

Due to a premature optimisation, hot-removing a vcpu from a Xen PVM/HVM
guest could in certain cases lead to a soft lockup.


* CVE-2017-7273: Denial-of-service in Cypress USB HID driver.

A missing check in the Cypress USB HID driver when parsing USB descriptors
could lead to an out-of-bounds access. An attacker with physical access
to the machine could use this flaw to cause a denial-of-service.


* Kernel crash in Broadcom NetXtreme Receive Flow Steering.

A failure to allocate enough memory for Receive Flow Steering management
can result in a buffer overrun leading to undefined behaviour or a
kernel crash.


* CVE-2017-9077: Denial-of-service in TCPv6 sockets.

A use-after-free in the TCPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.


* CVE-2017-100363: Denial-of-service in printer driver setup.

Missing validation on the "lp" module parameter could result in an
out-of-bounds access and integer overflow. A local, privileged user
could use this flaw to crash the kernel or defeat secure boot
protections.


* Denial-of-service when destroying TCP socket using GFP_ATOMIC.

A logic error when destroying a socket could lead to a memory leak if a
TCP socket is using the GFP_ATOMIC flag for allocations. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2017-1000380: Information leak when reading timer information from ALSA devices.

A missing data initialization and a race condition when reading timer
information of ALSA devices from user space could lead to an information
leak. A local attacker could use this flaw to get information about the
running kernel and facilitate an attack.


* CVE-2015-8962: Privilege escalation when detaching SCSI drives.

A double free flaw when detaching a SCSI drive during concurrent DMA
operations could lead to memory corruption and a kernel panic. A local user
with the ability to detach a SCSI drive could potentially use this flaw to
elevate their privileges.


* Denial-of-service in XFS when creating then deleting multiple files.

An error in the handling of dirty pages could lead to a shortage of memory.
An attacker could use this flaw to cause a denial-of-service.


* Denial-of-service in NVMe user commands.

Missing validation could allow a local user with access to the NVMe
device to pass invalid flags causing memory corruption and a denial of
service.


* Use-after-free in NVMe core unregistration.

Incorrect sequencing of the NVMe core removal could result in a
use-after-free and kernel crash when removing the NVMe module.


* CVE-2017-10911: Information leak in Xen block-device backend driver.

A data structure allocated on the stack in the Xen block-device backend
driver may leak sensitive data through padding fields. A malicious
unprivileged guest may be able to obtain sensitive information from the
host or other guests.


* Out-of-bounds access in VFIO PCI interrupt setup.

Missing validation could allow an invalid index into the MSI-X interrupt
array, resulting in undefined behaviour and a potential kernel crash.


* NULL pointer dereference in Broadcom NetXtreme C/E device reopen.

Failure to reinitialize all rings during reinitialization could result
in a NULL pointer dereference and kernel crash. A local, privileged
user could use this flaw to crash the system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
