[Ksplice][Debian 6.0 Updates] New updates available via Ksplice (DLA-412-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Feb 9 11:10:38 PST 2016


Synopsis: DLA-412-1 can now be patched using Ksplice
CVEs: CVE-2015-7513 CVE-2015-7566 CVE-2015-8767 CVE-2016-0723 CVE-2016-2069

Systems running Debian 6.0 Squeeze can now use Ksplice to patch
against the latest Debian kernel update, DLA-412-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 6.0 Squeeze
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
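
The check below is an added example, not part of the original announcement or of Ksplice itself: it reports whether a host's uptrack.conf has autoinstall enabled, so an administrator knows which machines still need the manual uptrack-upgrade run. The function names, the UPTRACK_CONF variable and the sample file are assumptions made for illustration; only the value "yes" is treated as enabled, as in the text above.

```shell
#!/bin/sh
# Added example: does this host need a manual uptrack-upgrade run?

# Print the effective autoinstall value: "yes", "no", another literal value,
# or "unset" when the key or the file is missing.
uptrack_autoinstall_value() {
    conf="$1"
    [ -r "$conf" ] || { echo "unset"; return 0; }
    # Skip comment lines, match the key case-insensitively,
    # and let the last assignment in the file win.
    awk -F= '
        /^[ \t]*[#;]/ { next }
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (tolower(key) == "autoinstall") {
                val = $2; gsub(/[ \t\r]/, "", val)
                result = tolower(val)
            }
        }
        END { print (result == "" ? "unset" : result) }
    ' "$conf"
}

# Exit status 0 when the updates will NOT be installed automatically.
uptrack_needs_manual_upgrade() {
    [ "$(uptrack_autoinstall_value "$1")" != "yes" ]
}

# Constructed sample file: the only "yes" is commented out, so it must not count.
sample="$(mktemp)"
printf '%s\n' '[Settings]' '# autoinstall = yes' 'autoinstall = no' > "$sample"
echo "sample config: autoinstall is $(uptrack_autoinstall_value "$sample")"
rm -f "$sample"

# Check the real configuration (path taken from the announcement).
conf="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"
if uptrack_needs_manual_upgrade "$conf"; then
    echo "$conf: autoinstall not enabled; run /usr/sbin/uptrack-upgrade -y"
else
    echo "$conf: autoinstall enabled; no action needed"
fi
```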


DESCRIPTION

* CVE-2015-7513: Divide-by-zero in KVM when reloading the programmable interrupt timer.

A missing input sanitization when loading the programmable interrupt timer
counters from userspace could cause KVM to make a division by zero, causing
a kernel crash.  A local user with the capability to run KVM machines could
use this flaw to cause a denial-of-service.


* CVE-2015-7566: Denial-of-service in USB Handspring Visor driver.

Incomplete USB endpoint validation could result in a kernel crash when
probing a USB Handspring Visor device.  A malicious USB device could use
this flaw to crash the system.


* CVE-2015-8767: Denial-of-service in SCTP heartbeat timeout.

Incorrect locking when accepting an SCTP connection during the 4-way
handshake could result in deadlock.  A local user could use this flaw to
block SCTP connections.


* CVE-2016-0723: Denial-of-service in TTY TIOCGETD ioctl().

A use-after-free when getting the line discipline for a TTY could allow
a local user to trigger a kernel crash.


* CVE-2016-2069: Race condition in the TLB flush logic on multi-processors.

A race condition in the TLB flush logic when modifying paging structures
could lead to stale entries in the local TLB after switching to a new
process.  A local attacker could use this flaw to cause a denial-of-service
or potentially escalate privileges.


* Use-after-free in IPv6 multicast router.

Late timer deinitialization could cause a use-after-free when freeing
IPv6 multicast router tables.


* Infinite loop when submitting invalid I/O vectors to FUSE filesystem.

Due to a logic error in the I/O vector handling during FUSE filesystem
write operations, a malicious local user with access to the filesystem
could cause the kernel to enter an infinite loop.


* Symlink corruption in SysV filesystem.

Incorrect handling of inline symlinks in the SysV filesystem driver could
cause a corruption of userspace applications or an information leak where
data that should not be accessible by userspace applications becomes
exposed.


* Softlockups and RCU stalls in sendfile() system call.

Due to missing scheduling points in sendfile(), attempting to send large
amounts of memory between certain types of file descriptors could cause the
kernel to get tied up, causing a denial of service.


* Use-after-free when opening X.25 async driver TTY.

A logic error in the X.25 async driver could result in a use-after-free
when opening the TTY device. A malicious local user with sufficient
permissions could potentially use this to crash the kernel or escalate
privileges.


* Multicast group exhaustion in IPv4 IGMP driver.

In certain circumstances, hot-unplugging an interface that has joined
an IPv4 IGMP multicast group would cause the stale group entry to remain
in memory. This entry is counted against the igmp_max_memberships sysctl
and could prevent new groups from being joined. A malicious local user
with the ability to hot-unplug interfaces could use this to cause denial
of service.


* Integer underflow when receiving an odd number of file descriptors through Unix sockets.

Mis-calculation of the message size when passing an odd number of file
descriptors through a Unix socket could lead to an integer underflow.  A
local, unprivileged user could use this flaw to cause a denial-of-service.


* Multiple out-of-bounds memory accesses in SCSI enclosure support.

Multiple flaws in the SCSI enclosure support driver could lead to
out-of-bounds memory accesses and kernel panic.  A local user could use
this flaw to cause a denial-of-service.


* NULL pointer dereference in the TTY line discipline on receival.

A missing check for NULL before calling the receive_buf function pointer on
a line discipline could lead to a NULL pointer dereference.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* Use-after-free in ISDN Gigaset driver on device shutdown.

A logic error in the ISDN Gigaset device shutdown path could lead to a
use-after-free and kernel panic.


* Memory leak in SPI stack when allocating master device.

A reference was taken on the wrong device when allocating a SPI master
device, leading to a memory leak.  A local user could use this flaw to
exhaust the memory on the system.


* Use-after-free when taking a reference on an IPv6 label.

A logic error in the IPv6 stack could lead to a use-after-free under
certain circumstances.  A local, unprivileged user could use this flaw to
cause a denial-of-service.


* Denial-of-service when hot-removing memory on missing sections.

A logic error in the routine checking the pages in a memory zone could lead
to a kernel crash when offlining memory.  A local, privileged user could
use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


