[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2020-5750)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Fri Jul 10 08:23:08 PDT 2020 

Synopsis: ELSA-2020-5750 can now be patched using Ksplice
CVEs: CVE-2017-16538 CVE-2019-15214 CVE-2019-19533 CVE-2019-19534 CVE-2019-19536

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5750.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2020-5750.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2019-19533: Information leak in Technotrend/Hauppauge USB DEC driver.

A missing zeroing of memory when doing transfers in Technotrend /
Hauppauge USB DEC driver could lead to an information leak.  A local
attacker could use this flaw to gain information about running kernel
and facilitate an attack.

Orabug: 31351119


* CVE-2019-15214: Use-after-free when connecting ALSA cards.

A race condition when connecting an ALSA sound device could result in
prematurely freeing associated data structures. A malicious device might
exploit this to cause a denial-of-service or memory corruption.

Orabug: 31351891


* CVE-2019-19536: Information leak when initializing PCAN-USB device.

When loading a PCAN-USB driver, kernel passes an uninitialized buffer
to the device. This could leak privileged kernel memory to the device
and allow a malicious device to escalate privilege.

Orabug: 31351250


* CVE-2017-16538: Denial-of-service in DVB-USB subsystem.

A missing warm-start check and incorrect attach timing allows local
users to cause a denial of service (general protection fault and system
crash) or possibly have unspecified other impact via a crafted USB
device.

Orabug: 31352061


* CVE-2019-19534: Information leak using PEAK PCAN-USB/USB Pro interfaces for CAN 2.0b/CAN-FD.

A missing zeroing of heap buffer passed to user space in PEAK
PCAN-USB/USB Pro interfaces for CAN 2.0b/CAN-FD driver could lead to an
information leak. A local attacker could use this flaw to leak
information about running kernel and facilitate an attack.

Orabug: 31351141


* Incorrect error handling when creating a file on read-only filesystem.

A logic error in the path name lookup mechanism could lead to a wrong
error being returned when user try to create a file on a read-only
filesystem.

Orabug: 31493395

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the El-errata mailing list