[El-errata] New Ksplice updates for UEKR6 5.4.17 on OL7 and OL8 (ELSA-2022-9147)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Fri Feb 18 14:40:03 UTC 2022
Synopsis: ELSA-2022-9147 can now be patched using Ksplice
CVEs: CVE-2017-11176 CVE-2021-20321 CVE-2021-3640 CVE-2021-3752 CVE-2021-3760 CVE-2021-4149 CVE-2021-42739 CVE-2021-43056 CVE-2021-43389 CVE-2021-43975 CVE-2021-44733
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2022-9147.
More information about this errata can be found at
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on
OL7 and OL8 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
* CVE-2021-43975: Out-of-bounds access in aQuantia AQtion(tm) Ethernet card driver.
A lack of input validation in aQuantia AQtion(tm) Ethernet card driver
could result in an out-of-bounds access. Compromised/Malfunctioning
devices could be used by an attacker to trigger this flaw and cause
a denial-of-service or execute arbitrary code.
* CVE-2021-3640: Privilege escalation in Bluetooth Classic due to use-after-free.
A race condition flaw in ioctls of Bluetooth Classic could lead to
use-after-free. A privileged local user could use this flaw to cause
a denial-of-service or escalate their privileges on the system.
* CVE-2021-20321: Race condition in OverlayFS.
A possible race condition exists in overlayfs that may be triggered
when a user renames a file. A local user could use this flaw to cause
* Note: Oracle has determined that CVE-2021-3760 is not applicable.
Oracle has determined that CVE-2021-3760 is not applicable as the
code in question is not compiled.
* CVE-2021-3752: Use-after-free in the Bluetooth subsystem.
A use-after-free exists in the Bluetooth subsystem in the way a user connects
and disconnects from a socket. A local unprivileged user could use this flaw
to cause a denial-of-service or potentially escalate privileges.
* CVE-2021-43389: Out-of-bounds access in ISDN CAPI due to a race condition.
A race condition in Kernel CAPI Interface of the ISDN CAPI
implementation could result in an out-of-bounds access. A privileged
local user could use this flaw to cause a denial-of-service or execute
* CVE-2021-42739: Buffer overflow in FireDTV firewire DVB receiver driver.
The FireDTV firewire DVB receiver driver contains a buffer overflow when
processing a Program Map Table entry. A malicious device might exploit
this to overwrite memory and cause a denial-of-service.
* Note: Oracle has determined that CVE-2021-43056 is not applicable.
Oracle has determined that CVE-2021-43056 is not applicable to x86.
Applying the patch has no resulting changes in the generated object
* CVE-2021-4149: Denial-of-service in BTRFS file system.
An improper locking flaw in BTRFS file system during error handling
could lead to a deadlock condition. A local user could use this flaw
to cause a denial-of-service.
* Note: Oracle will not be providing an update for CVE-2021-44733.
A race condition flaw could happen in a Trusted Execution Environment
(TEE) during an attempt to free a shared memory object leading to
According to our audits most customers are not affected by this
vulnerability because they are not using the TEE kernel module.
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the El-errata