[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2024-12193)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Mar 12 15:51:55 UTC 2024 

Synopsis: ELSA-2024-12193 can now be patched using Ksplice
CVEs: CVE-2021-34981 CVE-2022-48619 CVE-2023-51780 CVE-2023-6246 CVE-2023-7192 CVE-2024-0775

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2024-12193.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2024-12193.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2023-51780: Use-after-free in the ATM driver's message receive path.

A race condition in the Asynchronous Transfer Mode network driver's
receive path can lead to a use-after-free.  This flaw could allow a
local attacker to leak privileged information from the kernel, or to
cause a denial-of-service.

Orabug: 36229396


* CVE-2021-34981: Denial-of-service when using CMTP.

A reference count issue when using CMTP (CAPI Message Transport
Protocol) could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service or escalate privileges.

Orabug: 36229182


* CVE-2024-0775: Information leak when remounting ext4 filesystem.

A reference count issue when remounting ext4 filesystem could lead to a
use-after-free. A local attacker could use this flaw to leak
information about running kernel and facilitate an attack.


* CVE-2023-7192: Denial-of-service when using connection tracking via netlink socket.

A reference count issue when using connection tracking via netlink
socket could lead to a memory leak. A local attacker could use this flaw
to cause a denial-of-service.


* CVE-2022-48619: Denial-of-service when handling input events.

A missing check on user input when handling input events could lead to
an out-of-bounds access. A local attacker could use this flaw to cause a
denial-of-service.

Orabug: 36192120

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the El-errata mailing list