[El-errata] New Ksplice updates for UEKR5 5.4.17 on OL7 and OL8 (ELSA-2020-5714)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Sun Jun 14 23:58:11 PDT 2020


Synopsis: ELSA-2020-5714 can now be patched using Ksplice
CVEs: CVE-2019-19377 CVE-2020-0543 CVE-2020-12464 CVE-2020-12465 CVE-2020-12653 CVE-2020-12654 CVE-2020-12657 CVE-2020-12659 CVE-2020-12768

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5714.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2020-5714.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 5.4.17 on
OL7 and OL8 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2020-0543: Side-channel information leak using SRBDS.

A side-channel information leak on some generations of Intel processors
could allow the leaking of internal microarchitectural buffers used by
instructions like RDRAND, RDSEED and SGX EGETKEY.

Updated microcode is required for this vulnerability to be mitigated.

The status of the mitigation can be found using the following command:
$ cat /sys/devices/system/cpu/vulnerabilities/srbds

Orabug: 31352779
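
Added example (not part of the Oracle announcement): a shell helper that
turns the status string read from the srbds sysfs file above into a
verdict usable in a fleet compliance check. The status strings are those
listed in the upstream kernel documentation for SRBDS; the function
names, verdict words and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: interpret the SRBDS status string reported by the kernel.
# Function names and the ok/action/unknown verdicts are this example's own.

SRBDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/srbds

# Map one status line to a verdict word.
srbds_classify() {
    case "$1" in
        "Not affected")             echo ok ;;      # CPU is not vulnerable
        "Mitigation: Microcode")    echo ok ;;      # updated microcode is active
        "Mitigation: TSX disabled") echo ok ;;      # only exposed when TSX is on
        "Vulnerable: No microcode") echo action ;;  # microcode update is missing
        "Vulnerable")               echo action ;;  # mitigation is disabled
        "Unknown: Dependent on hypervisor status")
                                    echo unknown ;; # guest: depends on the host
        *)                          echo unknown ;; # unrecognised string
    esac
}

# Read a status file (default: the live sysfs entry).
# Returns 0 = ok, 1 = action needed, 2 = unknown or status file missing.
srbds_check() {
    file=${1:-$SRBDS_SYSFS}
    if [ ! -r "$file" ]; then
        echo "srbds: $file not readable; kernel exposes no SRBDS status" >&2
        return 2
    fi
    status=
    IFS= read -r status < "$file" || true   # tolerate a missing final newline
    verdict=$(srbds_classify "$status")
    echo "srbds: '$status' -> $verdict"
    case "$verdict" in
        ok)     return 0 ;;
        action) return 1 ;;
        *)      return 2 ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    srbds_check                 # query the local machine
else
    # Constructed sample strings (not captured from a real host).
    for s in "Mitigation: Microcode" "Vulnerable: No microcode"; do
        printf '%s -> %s\n' "$s" "$(srbds_classify "$s")"
    done
fi
```

A result of "action" with "Vulnerable: No microcode" means the kernel
side is in place and the microcode update is still outstanding.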


* CVE-2020-12654: Denial-of-service when querying WMM status in mwifiex driver.

If an AP sends a malicious query to the station for WMM status, a buffer
overflow could occur. If an attacker can compromise the AP, this bug
could be triggered to cause a denial-of-service.

Orabug: 31350513


* CVE-2020-12465: Buffer overflow in mt76 driver when processing oversized packets.

A missing boundary check in the mt76 driver's packet receive path can
lead to a buffer overflow which can corrupt the memory of pages
adjacent to the skb structure.  A remote attacker could exploit this
flaw to execute arbitrary code or to cause other unexpected behavior,
including a potential denial-of-service.

Orabug: 31350952


* Mishandling of FPU state information in KVM causes info leak or DoS.

Flaws in KVM's handling of FPU state information could result in crashes
or information leaks. A malicious guest might be able to leak
information about the host or cause a denial-of-service.

Orabug: 31333676


* CVE-2020-12653: Denial-of-service when scanning for APs in mwifiex driver.

Failure to validate a user-defined length parameter could cause an
out-of-bounds memory access while scanning for APs in the mwifiex
driver. An attacker could exploit this bug to cause a denial-of-service.

Orabug: 31350929


* CVE-2020-12464: Use-after-free in USB scatter-gather library.

A use-after-free could occur in usb_sg_cancel() in the USB core
scatter-gather implementation when cancellation of the S-G transfer
races with the transfer completion, which could result in a system
crash.

Orabug: 31350962


* CVE-2020-12657: Use-after-free in BFQ I/O scheduler subsystem.

A race condition in the BFQ I/O scheduler subsystem when clearing a
queue leads to a use-after-free bug. An attacker may exploit this bug to
cause a denial-of-service.

Orabug: 31350910


* CVE-2019-19377: Use-after-free when unmounting a BTRFS image.

A logic error when unmounting a BTRFS image could lead to a use-after-
free. A local attacker could use this flaw and a crafted BTRFS image to
cause a denial-of-service.


* CVE-2020-12768: Memory leak in KVM when initializing AMD SVM structures.

When initializing data structures for the AMD Secure Virtual Machine
extension to KVM, an unexpected error might result in a memory leak of
KVM data structures, potentially resulting in a denial-of-service.

Orabug: 31350455


* CVE-2020-12659: Out-of-bounds write in XDP headroom.

The XDP_PACKET_HEADROOM field for an Express Data Path userspace buffer
is not properly validated. A malicious user with the CAP_NET_ADMIN
permission could exploit this flaw to corrupt kernel memory, potentially
escalating their privileges or causing a denial-of-service.

Orabug: 31350732


* NFSv4 client fails to correctly renew lease when using fsinfo.

When calling fsinfo over an NFSv4 mount, the client will erroneously
believe it has renewed its clientid lease, when in reality it is still
in the expiry period, resulting in potential lock loss and I/O errors on
the mount.

Orabug: 31304406


* NULL-pointer dereference when shutting down DSA switch.

When shutting down a Distributed Switch Architecture network device,
certain device drivers such as virtio_net might leave the driver with a
NULL netdev_ops pointer, resulting in an eventual NULL-pointer
dereference and denial-of-service.

Orabug: 30456791

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.



