[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2023-12232)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Mon Apr 10 16:15:39 UTC 2023
Synopsis: ELSA-2023-12232 can now be patched using Ksplice
CVEs: CVE-2019-5489 CVE-2020-0404 CVE-2023-0394 CVE-2023-1073 CVE-2023-1074 CVE-2023-1095
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2023-12232.
More information about this errata can be found at
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
* CVE-2023-0394: NULL dereference during IPv6 raw frame processing.
An arithmetic error when processing certain IPv6 header information can
lead to a NULL pointer dereference. A malicious local user could
exploit this flaw to cause a denial-of-service.
* CVE-2019-5489: Information leak in the mincore() syscall implementation.
Missing checks in the mincore() syscall could let a local attacker
observes page cache access patterns on other processes in the system and
lead to an information leak.
* CVE-2020-0404: Possible privilege escalation in USB Video Class driver.
A logic error when processing USB descriptors can lead to a list
corruption in the USB Video Class driver. A local attacker could
exploit this flaw to escalate their privileges.
* CVE-2023-1073: Memory Corruption in HID subsystem.
An error in the human interface device (HID) subsystem during insertion
of a USB device can trigger memory corruption. This can allow a local
user to cause denial-of-service or escalate privileges.
* CVE-2023-1074: Memory Leak in Stream Control Transmission Protocol.
A flaw in the Stream Control Transmission Protocol (sctp) can allow a
local user to start a malicious networking service that leaks kernel
memory. This could allow the user to starve resources leading to a
* CVE-2023-1095: Denial-of-service in the netfilter sub-system.
A missing list initialization in the netfilter sub-system could lead to a
null pointer dereference in the error path. A local, privileged user could
use this flaw to cause a denial-of-service.
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the El-errata