[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2021-9346)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Tue Jul 6 13:20:25 PDT 2021
Synopsis: ELSA-2021-9346 can now be patched using Ksplice
CVEs: CVE-2020-12352 CVE-2020-36386 CVE-2021-31916 CVE-2021-33034
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2021-9346.
More information about this errata can be found at
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
* CVE-2021-31916: Out-Of-Bounds memory write in Device Mapper subsystem.
A logic error whilst listing devices may cause an out-of-bounds memory
write. An attacker with CAP_SYS_ADMIN permissions could use this to
cause a denial-of-service.
* CVE-2020-12352: Information leak when handling AMP packets in Bluetooth stack.
A missing zeroing of stack memory when handling AMP packets in Bluetooth
stack could lead to an information leak. A remote attacker could use this
flaw to leak information about running kernel and facilitate an attack.
* CVE-2020-36386: Out-of-bounds read in Bluetooth HCI event subsystem.
Insufficient packet validation in the Bluetooth Host Controller Interface
event packet handler can cause out-of-bounds reads with a potential for
denial-of-service or leaking of privileged data.
* CVE-2021-33034: Use-after-free when tearing down bluetooth HCI channel.
A race condition in the bluetooth Host Controller Interface code could
result in a use-after-free. A malicious device might exploit this to
write data to an arbitrary kernel address, potentially allowing code
execution under control of the device.
* Improve Machine Check Exception handling.
On Machine Check Exception, collect error data in crashdump.
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the El-errata