[El-errata] New Ksplice updates for UEKR3 3.8.13 on OL6 and OL7 (ELSA-2020-5879)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Fri Oct 16 11:38:14 PDT 2020
Synopsis: ELSA-2020-5879 can now be patched using Ksplice
CVEs: CVE-2016-10905 CVE-2017-8924 CVE-2017-8925 CVE-2019-19965 CVE-2019-20054 CVE-2020-14314 CVE-2020-25285
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2020-5879.
More information about this errata can be found at
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR3 3.8.13 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
* CVE-2019-19965: Denial-of-service in SCSI device removal.
A race condition when probing SCSI devices could result in a NULL
pointer dereference and kernel crash. A local user with privileges to
add or remove SCSI devices could use this flaw to crash the system.
* CVE-2019-20054: Denial-of-service in procfs sysctl removal.
A missing NULL pointer check could result in a NULL pointer derefence
and kernel crash when removing a sysctl table from procfs. A local,
privileged user could use this flaw to crash the system.
* CVE-2020-14314: Denial-of-service in ext4 file system due to a broken indexing.
A memory out-of-bounds reads could happen in ext4 file system due to
a broken indexing. This flaw could allow a local user to crash the
system and cause a denial-of-service.
* CVE-2017-8924: Information leak in Digi Edgeport TI callback completion.
An integer underflow in the Digi Edgeport TI USB driver can allow a malicious
USB device to leak the contents of kernel memory to userspace.
* CVE-2017-8925: Memory leak when opening an Omninet serial driver.
An extra reference on the TTY was taken in the Omninet serial driver on
open, leading to a memory leak. A local, unprivileged user could use this
flaw to exhaust the memory on the system and cause a denial-of-service.
* CVE-2020-25285: Denial-of-service in sysctls of Linux Memory Manager.
A race condition in sysctls of Linux Kernel Virtual Memory Manager
could lead to NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.
* CVE-2016-10905: Use-after-free in GFS2 file system.
A logic error when using resource group to keep track of block
allocation in GFS2 filesystem could lead to a use-after-free. A local
attacker could use this flaw to cause a denial-of-service.
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the El-errata