[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2019-4315)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Tue Jan 8 14:43:53 PST 2019
Synopsis: ELSA-2019-4315 can now be patched using Ksplice
CVEs: CVE-2017-9725 CVE-2018-1092 CVE-2018-18221 CVE-2018-18255 CVE-2018-7995 CVE-2018-9363 CVE-2018-9516
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2019-4315.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2018-7995: Denial-of-service when accessing CPU MCE sysfs entries.
A race condition when accessing CPU Machine Check sysfs entries could
lead to a kernel panic. A local attacker could use this flaw to cause a
denial-of-service.
Orabug: 29149888
* CVE-2018-9516: Denial-of-service in Bluetooth HIDP debug events.
Missing bounds checks in the Bluetooth HIDP debugfs functions could
result in an out of bounds access and kernel crash, triggerable by a
privileged user.
Orabug: 29128165
* CVE-2018-9363: Remote code execution in Bluetooth HIDP driver.
An integer overflow in the Bluetooth HIDP driver could result in a
buffer overflow and memory corruption. A remote user could use this
flaw to trigger a denial of service or potentially, gain code execution.
Orabug: 29121215
* CVE-2018-1092: NULL pointer dereference when using unallocated root directory on ext4 filesystem.
A missing check when using unallocated root directory on ext4 filesystem
could lead to a NULL pointer dereference. A local attacker could mount a
crafted ext4 filesystem and cause a denial-of-service.
Orabug: 29048557
* CVE-2017-9725: Memory corruption in contiguous memory allocation.
A type conversion error when allocating contiguous memory for Direct
Memory Access can result in memory corruption outside of the allocated
memory. A local user could use this flaw to cause undefined behavior or
a Kernel crash.
Orabug: 28407826
* CVE-2018-18255: Integer overflow when setting allocated CPU time for perf events.
A missing check on user input when setting allocated CPU time for perf
events could lead to an integer overflow. A local attacker could use
this flaw to cause a denial-of-service.
Orabug: 27823815
* CVE-2018-18221: Denial-of-service using mlockall and munlockall syscalls.
The mlockall and munlockall syscalls contain unmatched changes to the
NR_MLOCK accounting value. By repeatedly calling these syscalls, a
malicious user can cause a denial-of-service.
Orabug: 27677611
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the El-errata
mailing list