[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2020-5801)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Aug 18 08:15:44 PDT 2020 

Synopsis: ELSA-2020-5801 can now be patched using Ksplice
CVEs: CVE-2019-19054 CVE-2020-14416

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5801.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2020-5801.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Race condition in generic block device code causes spurious BUG.

An incorrect condition when attempting to exclusively lock a block
device could cause error checking code to erroneously fire, causing a
BUG and denial-of-service.

Orabug: 31554143


* CVE-2019-19054: Denial-of-service in the cx2388x tv card driver.

Failure to handle error during initial setup on in the cx2388x tv card
driver causes memory leak. An attacker could exploit this to cause a
denial-of-service.

Orabug: 31351672


* CVE-2020-14416: Use-after-free when writing to SLIP serial line.

A locking error when writing to SLIP serial line while the line is being
closed could lead to a use-after-free. A local attacker could use this
flaw to cause a denial-of-service.

Orabug: 31516085


* NULL pointer dereferences when using QLogic QLA2XXX Fibre Channel.

Multiple logic errors when using QLogic QLA2XXX Fibre Channel could lead
to NULL pointer dereferences. A local attacker could use this flaw to
cause a denial-of-service.

Orabug: 31530589


* Improper handling of vIOAPIC triggered interrupts.

A logic error in the code that handles vCPU IOAPIC interrupts can
render certain interrupt scans useless, which causes issues with
interrupt handling.

Orabug: 31584727


* Invalid blk-mq request handling during CPU offlining.

In certain cases, it is possible for blk-mq requests to get moved from
one software queue to another when a CPU is being offlined.  This will
cause the request to become invalid, if the software queue the request
is moved to maps to a different hardware queue than its original
software queue.

Orabug: 31457304


* Note: Oracle is still investigating potential zero-downtime mitigations for CVE-2020-12888.

Fixes for this CVE are still undergoing analaysis and testing.  A
zero-downtime update may be provided at a later date.

Orabug: 31439671

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the El-errata mailing list