[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2020-5508)

[Errata Announcements for Oracle Linux]

Synopsis: ELSA-2020-5508 can now be patched using Ksplice
CVEs: CVE-2017-18595 CVE-2019-15807 CVE-2019-16233

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5508.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2020-5508.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Enablement for applying custom alternative instructions.

This is required to workaround inconsistencies in the way alternative
instructions are applied to a running kernel.


* CVE-2019-16233: NULL pointer dereference when registering QLogic Fibre Channel driver.

A missing check when registering QLogic Fibre Channel driver fails could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.

Orabug: 30618784


* CVE-2019-15807: Denial-of-service when discovering expander in SAS Domain Transport Attributes fails.

A logic error when discovering expander in SAS Domain Transport
Attributes fails could lead to a kernel assert. A local attacker could
use this flaw to cause a denial-of-service.

Orabug: 30580687


* CVE-2017-18595: Use-after-free in kernel trace buffer allocation.

Incorrect error handling when allocating a kernel trace buffer could
result in a double free and kernel crash.  A local, privileged user
could use this flaw to trigger a denial of service.

Orabug: 30633873

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.