[El-errata] New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2019-4820)

Tue Oct 15 05:51:50 PDT 2019

Synopsis: ELSA-2019-4820 can now be patched using Ksplice
CVEs: CVE-2019-10207 CVE-2019-14283 CVE-2019-15666

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2019-4820.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2019-4820.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* NULL pointer dereference during hardware reconfiguration in Cisco VIC Ethernet NIC driver.

If the receive buffer is resized while the read index points outside the
buffer, this could lead to a NULL pointer dereference.

* Information leak in mlx5 Infiniband driver.

A kernel structure was not fully initialized in the mlx5 driver's user-mode
memory reservation code, which could lead to kernel stack memory being leaked to
userspace.  This flaw could be exploited by a local attacker to leak information
about the running system.

* CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.

A missing check in some Bluetooth drivers could lead to a NULL
pointer dereference triggered by an unprivileged user while executing
certain tty operations.  This could be exploited to cause a denial of
service attack.

Orabug: 30244614

* Resource leak when deleting FIB nexthop exception.

When removing an entry from the FIB nexthop exception table, a race
condition might cause the destination device structure to become leaked,
potentially resulting in system instability or a denial-of-service.

Orabug: 30276919

* Out-of-bounds write in Line6 POD USB audio interface driver.

The driver for Line6 POD USB audio interfaces allocates a buffer based
on the usb_maxpacket value reported by the device itself. A malicious
device could report a value of zero to cause an out-of-bounds write,
potentially resulting in memory corruption.

* CVE-2019-14283: Denial-of-service in floppy disk geometry setting during insertion.

Missing input validation in the floppy disk geometry setting calls could
allow a malicious local user with access to the floppy device to cause
an out-of-bounds access either crashing the system or leaking the
contents of kernel memory.

Orabug: 30318218

* NULL pointer dereference in Reliable Datagram Socket binding.

Missing NULL pointer checks during binding of a Reliable Datagram Socket
could result in a NULL Pointer dereference and kernel crash.

Orabug: 30319176, 30304759

* NULL pointer dereference in Xen network device error handling.

Incorrect error handling when filling fragments for a Xen network device
could result in a NULL pointer dereference and kernel crash.

Orabug: 30313831

* Guest kernel crash in AMD VM Spectre v4 mitigation.

Incorrect handling of the MSR_IA32_SPEC_CTRL could result in a guest
kernel crash when enabling the Spectre v4 mitigation.

Orabug: 30257820

* Information leak in Reliable Datagram Sockets IPv6 message info.

Missing initialization could result in copying stale kernel stack
contents to user-space when copying IPv6 message info for an RDS socket.

Orabug: 30260894

* CVE-2019-15666: Denial-of-service in network transformation policy removal.

Missing directory validation when unlinking a network transformation
policy could result in an out-of-bounds array access and kernel crash.

Orabug: 30322228

* Network device resource leak in Infiniband device destruction.

Incorrect reference counting when destroying a network device could
result in a resource leak of network devices under specific conditions.

Orabug: 30290073

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.