[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2019-4670)

Tue Jun 11 07:37:51 PDT 2019

Synopsis: ELSA-2019-4670 can now be patched using Ksplice
CVEs: CVE-2017-7308 CVE-2018-10878 CVE-2018-14633 CVE-2018-14634 CVE-2018-20836 CVE-2019-11810 CVE-2019-11815 CVE-2019-11884 CVE-2019-3459 CVE-2019-3460 CVE-2019-3819

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2019-4670.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2019-4670.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2019-11815: Use-after-free in RDS socket creation.

A logic error in the RDS code could fail to properly clean up a socket once
it is destroyed, which could then lead to a use-after-free on a new socket
creation.  This could be used to cause a denial-of-service.

Orabug: 29802785

* CVE-2018-14633: Information leak in iSCSI CHAP authentication.

A stack overflow in the iSCSI CHAP authentication MD5 computation could
result in an out of bounds access and denial of service or potentially
leaking sensitive data by an unauthenticated remote user.

Orabug: 29778875

* CVE-2019-3819: Deadlock in HID debug events read.

A logic error when reading HID debug events can result in the kernel entering
an infinite loop, leading to a system lock up. A privileged user could use this
flaw to cause a denial-of-service.

Orabug: 29629481

* CVE-2019-3459, CVE-2019-3460: Remote information leak via Bluetooth configuration request.

When parsing Bluetooth L2CAP options, some buffer length fields are not
properly validated, potentially allowing a malicious device to expose
kernel heap memory remotely.

Orabug: 29526426

* Improved fix for CVE-2018-10878: Out-of-bounds access when initializing ext4 block bitmap.

A logic error in the previous fix for CVE-2018-10878 prevented mounting ext4
filesystems with metablock groups enabled.

Orabug: 29797007

* CVE-2019-11884: Information leak in Bluetooth HIDP HIDPCONNADD ioctl().

Missing string termination in the Bluetooth HIDP HIDPCONNADD ioctl()
could result in leaking the contents of the kernel stack to a local
user.

Orabug: 29786786

* Kernel crash in OCFS2 reading of deleted inodes.

A race condition when reading an inode that has been deleted could
result in a kernel crash under specific conditions.

Orabug: 29233739

* CVE-2018-20836: Use-after-free in SCSI SAS timeout.

A logic error when performing task completion for a SCSI SAS SMP timeout
could result in a use-after-free and kernel crash.

Orabug: 29783225

* CVE-2019-11810: Denial-of-service in LSI Logic MegaRAID probing.

A logic error in the LSI Logic MegaRAID device probing could result in a
NULL pointer dereference and kernel crash under specific conditions.

Orabug: 29783254

* Improved runtime retpoline toggling for Spectre v2 mitigations.

On Skylake and later, switching from IBRS to retpoline at runtime would
not enable stuffing of the return stack buffer (RSB) and could lead to a
potential Spectre v2 mitigation bypass.

Orabug: 29660924

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.