[Ksplice][Debian 7.0 Updates] New updates available via Ksplice (DSA-3060-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Nov 4 13:22:04 PST 2014


Synopsis: DSA-3060-1 can now be patched using Ksplice
CVEs: CVE-2014-3610 CVE-2014-3611 CVE-2014-3645 CVE-2014-3646 CVE-2014-3647 CVE-2014-3673 CVE-2014-3687 CVE-2014-3688 CVE-2014-3690 CVE-2014-7207

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-3060-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 7.0 Wheezy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
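
A check for the two install paths above, as an added example that is not part of the Oracle advisory: it reads uptrack.conf and reports whether the host still needs a manual uptrack-upgrade. It assumes the file is INI-style "key = value" and counts only an exact "autoinstall = yes" as enabled; the function names and the sample config are hypothetical.

```shell
#!/bin/sh
# Added example, not Oracle's code. Assumption: uptrack.conf is an INI-style
# file and the setting appears as "autoinstall = yes" (section headers ignored).

# uptrack_autoinstall [FILE]
# Prints "yes" or "no"; returns 0 only when autoinstall is enabled.
# Anything other than an exact "yes" (missing file, commented-out line,
# other value) is reported as "no", so the host is flagged for a manual run.
uptrack_autoinstall() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo "no"; return 1; }
    # Strip comments, then keep the value of the last autoinstall assignment.
    val=$(sed -e 's/[#;].*$//' "$conf" |
          awk -F= '$1 ~ /^[ \t]*autoinstall[ \t]*$/ {
                       v = $2; gsub(/[ \t\r]/, "", v); last = v
                   }
                   END { print last }')
    case $val in
        yes) echo "yes"; return 0 ;;
        *)   echo "no";  return 1 ;;
    esac
}

# uptrack_action [FILE]
# Prints what the operator has to do for this advisory on this host.
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = "yes" ]; then
        echo "none: updates install automatically"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Demo on a constructed config (not taken from a real host): the enabled
# line is commented out, so the effective setting is "no".
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Settings]
# autoinstall = yes
autoinstall = no
EOF
uptrack_action "$sample"
rm -f "$sample"
```

Call uptrack_action with no argument to check /etc/uptrack/uptrack.conf on the local host.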


DESCRIPTION

* CVE-2014-3611: Denial-of-service in KVM emulated programmable interval timer.

Incorrect locking in the KVM emulated programmable interval timer (PIT)
could crash the host kernel under specific conditions. A local attacker
could use this flaw to cause a denial-of-service in the host KVM.


* CVE-2014-3687: Remote denial-of-service in SCTP stack.

A flaw in the SCTP stack when receiving duplicate ASCONF chunks leads to a
kernel panic. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2014-3610: Denial-of-service in KVM host from the guest.

A KVM guest could write a non-canonical address to certain MSRs, which
the host KVM will write into its own MSRs, causing the host kernel to
panic. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2014-3645 and CVE-2014-3646: KVM guest denial-of-service when using invalid opcodes.

The KVM host emulator does not gracefully handle a KVM guest using the
invept or invvpid opcodes, causing a guest VM exit without proper error
codes being propagated to userspace. A local, unprivileged guest user
could use this flaw to crash a KVM guest VM and cause a denial-of-service.


* CVE-2014-3647: Denial-of-service in guest KVM when changing RIP to non-canonical address.

A flaw in the KVM emulator mishandles non-canonical addresses when
emulating instructions which change the instruction pointer, potentially
causing a failed VM-entry. A privileged guest user could use this flaw to
cause a denial-of-service in the guest.


* CVE-2014-3673: Remote denial-of-service in SCTP stack.

A flaw in the SCTP stack when receiving malformed ASCONF chunks leads to a
kernel panic. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2014-3688: Remote denial-of-service in SCTP stack by memory exhaustion.

A flaw in the SCTP stack could allow a remote attacker to force an SCTP
server to allocate large amounts of memory and trigger the kernel
out-of-memory killer, leading to a denial-of-service.


* CVE-2014-7207: Denial-of-service in UFO with virtual networking.

A flaw in the virtio and associated network virtualization subsystems
could result in a NULL pointer dereference or incorrect IPv6
fragmentation IDs. A local user with access to tun or macvtap devices,
or a virtual machine connected to such a device, can cause a
denial-of-service.


* CVE-2014-3690: Denial of Service in KVM/VMX CR4 register management.

KVM on VMX does not reload the CR4 register when it changes on the host,
which means that host features aren't updated on guests. This could lead
to a local denial of service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


