[El-errata] New Ksplice updates for UEKR2 2.6.39 on OL5 and OL6 (ELSA-2017-3637)

Tue Nov 7 01:32:06 PST 2017

Synopsis: ELSA-2017-3637 can now be patched using Ksplice
CVEs: CVE-2016-10044 CVE-2017-1000380 CVE-2017-100363 CVE-2017-10661
CVE-2017-14489 CVE-2017-7308 CVE-2017-8831 CVE-2017-9074 CVE-2017-9075 CVE-2017-9077

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2017-3637.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR2 2.6.39 on
OL5 and OL6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2017-14489: NULL pointer dereference in the SCSI transport layer.

A logic error when checking the bounds to be read from a netlink socket in
the SCSI could lead to a NULL pointer dereference.  A local user could use
this flaw to cause a denial-of-service.

* CVE-2017-10661: Data race when canceling timer file descriptors causes
denial-of-service.

Missing serialization when canceling timer file descriptors could cause
the cancels to race, causing a data race or use-after-free, potentially
resulting in a kernel crash and denial-of-service.

* CVE-2017-9075: Denial-of-service in SCTPv6 sockets.

A use-after-free in the SCTPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.

* CVE-2017-9077: Denial-of-service in TCPv6 sockets.

A use-after-free in the TCPv6 sockets could allow a local, unprivileged
user to crash the kernel, causing a denial of service.

* CVE-2017-9074: Information leak via ipv6 fragment header.

The header size of an ipv6 fragment is not properly checked, potentially
allowing an attacker to read out-of-bounds memory when attempting to
parse it, leaking information.

* CVE-2017-1000380: Information leak when reading timer information from ALSA
devices.

A missing data initialization and a race condition when reading timer
information of ALSA devices from user space could lead to an information
leak. A local attacker could use this flaw to get information about
running kernel and facilitate an attack.

* CVE-2017-100363: Denial-of-service in printer driver setup.

Missing validation on the "lp" module parameter could result in an
out-of-bounds access and integer overflow.  A local, privileged user
could use this flaw to crash the kernel or defeat secure boot
protections.

* CVE-2017-7308: Memory corruption in AF_PACKET socket options.

Multiple integer overflows in the AF_PACKET setsockopt implementation can
trigger kernel memory corruption. A local user could use this flaw to elevate
privileges.

* CVE-2016-10044: Permission bypass when setting up an async io filesystem.

Missing limitation on execution access when setting up an async io
filesystem could allow a local attacker to bypass SELinux restrictions
and leads to permission bypass.

* CVE-2017-9074: Denial-of-service when using Generic Segmentation Offload on
IPV6 socket.

A missing check when using Generic Segmentation Offload on IPV6 socket
could lead to a memory leak. A local attacker could use this flaw to cause
a denial-of-service.

* CVE-2017-8831: Denial-of-service when using NXP SAA7164 video driver.

A missing check on user input when using NXP SAA7164 video driver could
lead to an out-of-bounds access. A local attacker could use this flaw to
cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.