[El-errata] New Ksplice updates for UEKR2 2.6.39 on OL5 and OL6 (ELSA-2018-4145)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Thu Jun 21 23:57:25 PDT 2018
Synopsis: ELSA-2018-4145 can now be patched using Ksplice
CVEs: CVE-2016-2384 CVE-2016-2543 CVE-2016-2544 CVE-2016-2545 CVE-2016-2547 CVE-2016-2548 CVE-2016-2549 CVE-2018-3665
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4145.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR2 2.6.39 on
OL5 and OL6 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
* CVE-2016-2384: Privilege escalation in USB MIDI device driver.
The USB MIDI device driver does not correctly free memory when failing
to initialize an endpoint which can cause a use-after-free condition. A
local unprivileged user can use this flaw to trigger kernel code
* CVE-2016-2543: Denial-of-service in ALSA SNDRV_SEQ_IOCTL_REMOVE_EVENTS ioctl().
A missing NULL pointer check in the SNDRV_SEQ_IOCTL_REMOVE_EVENTS
ioctl() handler could result in a NULL pointer dereference and kernel
crash. A local user with access to an ALSA device could use this flaw
to crash the system.
* CVE-2016-2544, CVE-2016-2545, CVE-2016-2547, CVE-2016-2548: Use-after-free in ALSA sequencer timers.
Multiple flaws could result in a use-after-free when adding and removing
timers in the ALSA sequencer. A local user with access to the device
could use this flaw to crash the system, or potentially escalate
* CVE-2016-2549: Denial-of-service in ALSA timer management.
Incorrect timer reprogramming in the ALSA subsystem could result in
deadlock. A local user with access to the device could use this flaw to
cause a denial-of-service.
* CVE-2018-3665: Information leak in floating point registers.
An information leak from floating point registers when lazy FPU context
switching was performed could allow a malicious local user to gain
access to sensitive information across process boundaries.
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the El-errata