[El-errata] New Ksplice updates for Oracle Enhanced RHCK 7 (ELSA-2018-3651)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Nov 28 05:39:38 PST 2018


Synopsis: ELSA-2018-3651 can now be patched using Ksplice
CVEs: CVE-2018-14633 CVE-2018-14646

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-3651.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Oracle Enhanced
RHCK 7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
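
As an added example (not part of Oracle's announcement), these shell
functions read an uptrack.conf-style file and report whether a host
still needs the manual command above. The function names and the sample
file are made up for illustration; the parser assumes plain "key = value"
lines, full-line comments, and that only the value "yes" enables autoinstall.

```shell
#!/bin/sh
# Added example: decide whether a host needs a manual uptrack-upgrade run.
# Assumptions: INI-style "key = value" lines, comments start with # or ;,
# the last uncommented assignment wins, only "yes" enables autoinstall.

# Print "yes", "no" or "unknown" for the autoinstall setting in file $1.
uptrack_autoinstall() {
    [ -r "$1" ] || { echo "unknown"; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }                 # ignore commented-out lines
        NF >= 2 {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key)           # trim whitespace around key
            gsub(/[ \t\r]/, "", val)           # trim whitespace around value
            if (tolower(key) == "autoinstall") found = tolower(val)
        }
        END { if (found == "yes") print "yes"; else print "no" }
    ' "$1"
}

# Print the action the announcement implies for the config file $1.
uptrack_action() {
    case "$(uptrack_autoinstall "$1")" in
        yes) echo "none: updates install automatically" ;;
        no)  echo "run: /usr/sbin/uptrack-upgrade -y" ;;
        *)   echo "check: $1 not readable" ;;
    esac
}

# Constructed sample config (not taken from a real host): the commented
# "yes" must be ignored, so this host needs the manual command.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Settings]
# autoinstall = yes
autoinstall = no
EOF
uptrack_action "$sample"
rm -f "$sample"
```

On a real host, pass /etc/uptrack/uptrack.conf as the argument.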


DESCRIPTION

* Provide an interface to freeze tasks.

Provides an alternative method for freezing selected tasks using a flag
in struct task_struct. This is useful starting with 3.3 due to
freezer changes.


* Workaround for alternative instruction inconsistencies.

Some RHEL7 kernels apply different alternative instructions to the
kernel and to modules, which prevents Ksplice update modules from
patching core kernel code.  This update works around the problem by
ensuring alternative instructions are applied in Ksplice updates to the
kernel in the same way they would have been at boot.


* CVE-2018-14646: Denial-of-service in network namespace netlink capabilities.

A NULL pointer dereference in the netlink code for a network namespaced
process could result in a kernel crash.  A local user in the namespace
could use this flaw to crash the host.


* CVE-2018-14633: Remote privilege escalation in iSCSI CHAP authentication.

A stack buffer overflow in the iSCSI CHAP authentication code could
allow an unauthenticated remote attacker to corrupt stack memory and
crash the system or, potentially, execute code on the target system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


