[Ksplice][Debian 6.0 Updates] New updates available via Ksplice (DLA-155-1)

Fri Feb 20 00:51:43 PST 2015

Synopsis: DLA-155-1 can now be patched using Ksplice
CVEs: CVE-2013-6885 CVE-2014-7822 CVE-2014-8133 CVE-2014-8134 CVE-2014-8160 CVE-2014-9420 CVE-2014-9584 CVE-2014-9585 CVE-2015-1421 CVE-2015-1593

Systems running Debian 6.0 Squeeze can now use Ksplice to patch
against the latest Debian kernel update, DLA-155-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 6.0 Squeeze
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2014-8133: Kernel information leak in 16-bit userspace stacks.

The espfix implementation which prevents kernel information leaking to
unprivileged guests can be bypassed by creating a custom thread area. A
local unprivileged user could potentially use this flaw to leak stack
addresses.

* CVE-2014-8160: iptables rules by-pass when the protocol module is not loaded.

A flaw in the generic conntrack sub-system allows protocols that do not
have a protocol handler kernel module loaded to pass through the iptables
firewall even if explicitly denied by rule.

* CVE-2014-9420: Infinite loop in isofs when parsing continuation entries.

A flaw in the iso9660 file system support could lead to an infinite
recursion loop when parsing continuation entries.  An unprivileged user
could use this flaw to crash the system resulting in a denial-of-service.

* CVE-2014-9584: Out-of-bounds memory access in ISO filesystem when printing ER records.

A missing input validation when printing ER records on the iso9660 driver
could lead to an out-of-bounds memory write, potentially leading to a
kernel panic.  A local attacker could use a corrupted ISO file to cause a
denial-of-service.

* CVE-2014-9585: Address space layout randomization bypass for VDSO address.

A flaw in the VDSO code loader leads to a 50% chance of having the VDSO
address placed at the end of a PMD. This could allow an attacker to bypass
ASLR protections more easily.

* CVE-2015-1593: Stack layout randomization entropy reduction.

A flaw in the the stack base randomization code could result in a
reduction of entropy by a factor of four.  An attacker could use this
flaw to reduce the amount of work needed to bypass ASLR.

* CVE-2014-7822: Incorrect parameter validation in splice() system call.

An incorrect parameter validation in the splice() system call could allow
a local, unprivileged user to use this flaw to write past the maximum
file size, and thus crash the system.

* CVE-2013-6885: Denial-of-service on AMD processors.

Under a highly specific and detailed set of internal timing conditions, a
locked instruction may trigger a timing sequence whereby the write to a
write combined memory type is not flushed, causing the locked instruction
to stall indefinitely. A local, unprivileged user could use this flaw to
cause a denial-of-service.

* CVE-2014-8134: Information leak in 32-bit KVM guests.

A bug in the espfix handling code could result in leaking high bits of
the kernel stack pointer when returning to a userspace with a 16 bit
stack.  A local unprivileged user could potentially use this flaw to
leak kernel stack addresses.

* CVE-2015-1421: Privilege escalation in SCTP INIT collisions.

Missing reference counting could result in a use-after-free during an
INIT collision when establishing an SCTP socket.  A remote attacker
could use this flaw to trigger a denial-of-service or potentially gain
privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.