[El-errata] New Ksplice updates for UEKR6 5.4.17 on OL7 and OL8 (ELSA-2021-9564)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Wed Dec 1 14:55:28 UTC 2021


Synopsis: ELSA-2021-9564 can now be patched using Ksplice
CVEs: CVE-2020-3702 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-3732 CVE-2021-3744 CVE-2021-38205 CVE-2021-42008

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2021-9564.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2021-9564.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on
OL7 and OL8 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
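As an added example (not part of the advisory or of Ksplice itself), the following POSIX shell functions apply the procedure above across a fleet: they parse uptrack.conf for an uncommented "autoinstall = yes" line, print the action an operator still has to take, and afterwards check the text of `uptrack-show` for the advisory's CVE ids. The config path, the exact `uptrack-show` output format, and the sample lines in the comments are assumptions made for the example.

```shell
#!/bin/sh
# Added example: decide how ELSA-2021-9564 gets applied on a host and then verify
# that the advisory's CVE ids appear in the installed Ksplice update list.

# CVEs the advisory says this update covers. CVE-2021-38205 and CVE-2021-42008
# are left out because the advisory marks them "not applicable" (code not compiled).
ADVISORY_CVES="CVE-2020-3702 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-3732 CVE-2021-3744"

# autoinstall_enabled CONF: succeed when CONF (normally /etc/uptrack/uptrack.conf)
# contains an uncommented "autoinstall = yes" line. Comments starting with '#',
# surrounding whitespace and letter case are ignored; a missing file counts as "no".
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    sed -e 's/#.*//' "$conf" | tr 'A-Z' 'a-z' |
        grep -Eq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# plan_action CONF: print what the advisory asks the operator to do on this host.
plan_action() {
    if autoinstall_enabled "$1"; then
        echo "autoinstall"
    else
        echo "manual: /usr/sbin/uptrack-upgrade -y"
    fi
}

# missing_cves TEXT: TEXT is the captured output of `uptrack-show` (assumed to
# mention each installed update's CVE id on its own line). Prints the advisory
# CVEs that are not present, so an empty result means the host is covered.
# grep -w keeps CVE-2021-3732 from matching a longer id such as CVE-2021-37320.
missing_cves() {
    out=""
    for cve in $ADVISORY_CVES; do
        if ! printf '%s\n' "$1" | grep -qw "$cve"; then
            out="$out $cve"
        fi
    done
    echo "${out# }"
}

# Typical use on a live host (commented out so the example runs offline):
#   plan_action /etc/uptrack/uptrack.conf
#   missing_cves "$(/usr/sbin/uptrack-show)"
```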


DESCRIPTION

* Note: Oracle has determined that CVE-2021-38205 is not applicable.

The kernel is not affected by CVE-2021-38205 since the code under
consideration is not compiled.


* CVE-2021-3732: Information disclosure in OverlayFS when mounting a filesystem.

A logic flaw in the mounting functionality of the OverlayFS subsystem could
allow an unprivileged local user with permission to mount a filesystem
to access hidden files that should not be accessible in the original mount.
An unprivileged local attacker could use this flaw for information
disclosure.


* CVE-2021-3744: Denial-of-service in AMD Cryptographic Coprocessor driver.

Error handling flaws in the AMD Cryptographic Coprocessor driver could cause
memory leaks due to a failure to free memory allocated to process some
software operations. A local user could use these flaws to cause a denial
of service.

Orabug: 33406845


* Failure to invalidate cached ACL information on directories in OCFS2.

When performing ACL changes on directories on one node in OCFS2, the ACL
information does not get refreshed on the other nodes due to a failure
to invalidate the cached ACL information, resulting in stale information
from the VFS layer being seen on the other nodes.

Orabug: 33407843


* CVE-2020-3702: Information disclosure in Atheros Wireless Card drivers.

A race condition flaw in the layer 2 Wi-Fi encryption of the Atheros Wireless
Card drivers could result in improper encryption. Specifically
handcrafted traffic could be created by a remote attacker and cause
information disclosure.


* Note: Oracle has determined that CVE-2021-42008 is not applicable.

The kernel is not affected by CVE-2021-42008 since the code under
consideration is not compiled.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
