[Ksplice][Debian 7.0 Updates] New updates available via Ksplice (3.2.73-2+deb7u3)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Mar 7 15:48:05 PST 2016


Synopsis: 3.2.73-2+deb7u3 can now be patched using Ksplice
CVEs: CVE-2013-4312 CVE-2013-7446 CVE-2015-7566 CVE-2015-8767 CVE-2015-8785 CVE-2015-8812 CVE-2016-0723 CVE-2016-0774 CVE-2016-2069 CVE-2016-2384 CVE-2016-2543 CVE-2016-2544 CVE-2016-2545 CVE-2016-2546 CVE-2016-2547 CVE-2016-2549 CVE-2016-2847

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, 3.2.73-2+deb7u3.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 7.0 Wheezy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2015-7566: Denial-of-service in USB Handspring Visor driver.

Incomplete USB endpoint validation could result in a kernel crash when
probing a USB Handspring Visor device.  A malicious USB device could use
this flaw to crash the system.


* CVE-2015-8767: Denial-of-service in SCTP heartbeat timeout.

Incorrect locking when accepting an SCTP connection during the 4-way
handshake could result in deadlock.  A local user could use this flaw to
block SCTP connections.


* CVE-2016-0723: Denial-of-service in TTY TIOCGETD ioctl().

A use-after-free when getting the line discipline for a TTY could allow
a local user to trigger a kernel crash.


* CVE-2015-8785: Infinite loop when submitting invalid io vectors to FUSE filesystem.

Due to a logic error in the io vector handling during FUSE filesystem
write operations, a malicious local user with access to the filesystem
could cause the kernel to enter an infinite loop.


* CVE-2016-2069: Race condition in the TLB flush logic on multi-processors.

A race condition in the TLB flush logic when modifying paging structures
could lead to stale entries in the local TLB after switching to a new
process.  A local attacker could use this flaw to cause a denial-of-service
or potentially escalate privileges.


* CVE-2015-8812: Use-after-free in Infiniband CXGB3 driver on network congestion.

A logic error in the Infiniband CXGB3 driver could lead to a use-after-free
of a socket buffer when the network is congested.  A local, unprivileged
user could use this flaw to cause a kernel crash or potentially escalate
privileges.


* Infinite loop in Aufs when sendfile() is interrupted.

Improper handling of EINTR in Aufs when sendfile() is interrupted
results in an infinite loop. A local user could use this flaw to cause a
denial-of-service.


* Improved fix for CVE-2013-7446: Use-after-free in Unix sockets.

The original fix for CVE-2013-7446 did not handle the case where the
specified address is bound to the sending socket or when the socket was
connected to itself.  This flaw could lead to kernel deadlocks or double
unlocking of a spinlock.


* CVE-2016-0774: Information leak in the pipe system call on failed atomic read.

The fix for CVE-2015-1805 incorrectly kept buffer offset and length in sync
on a failed atomic read, leading to pipe buffer state corruption.  A
local, unprivileged user could use this flaw to cause a denial-of-service
or leak kernel memory to userspace.


* CVE-2016-2384: Privilege escalation in USB MIDI device driver.

The USB MIDI device driver does not correctly free memory when failing
to initialize an endpoint, which can cause a use-after-free condition. A
local unprivileged user can use this flaw to trigger kernel code
execution.


* Crash in USB hub initialization due to improper locking.

Improper locking of memory structures during USB hub initialization may
result in a crash if a USB hub is connected and disconnected rapidly.


* CVE-2016-2543: Denial-of-service in ALSA SNDRV_SEQ_IOCTL_REMOVE_EVENTS ioctl().

A missing NULL pointer check in the SNDRV_SEQ_IOCTL_REMOVE_EVENTS
ioctl() handler could result in a NULL pointer dereference and kernel
crash.  A local user with access to an ALSA device could use this flaw
to crash the system.


* CVE-2016-2544, CVE-2016-2545, CVE-2016-2546, CVE-2016-2547: Use-after-free in ALSA sequencer timers.

Multiple flaws could result in a use-after-free when adding and
removing timers in the ALSA sequencer.  A local user with access to the
device could use this flaw to crash the system, or potentially escalate
privileges.


* CVE-2016-2549: Denial-of-service in ALSA timer management.

Incorrect timer reprogramming in the ALSA subsystem could result in
deadlock.  A local user with access to the device could use this flaw to
cause a denial-of-service.


* CVE-2013-4312: Denial of service in unix sockets.

Due to incorrect resource accounting, a process could allocate and keep
open an arbitrary number of file descriptors, thus exceeding the limits
set for the process. A malicious local user could use this flaw to cause
denial of service.


* CVE-2016-2847: Denial of service in pipe buffer management.

Due to insufficient limits in pipe buffer management code, a malicious
process could create many pipes and fill the pipe buffers. This could
exhaust all available memory and cause denial of service.

This update adds two new sysctls:

"""
pipe-user-pages-hard:

Maximum total number of pages a non-privileged user may allocate for pipes.
Once this limit is reached, no new pipes may be allocated until usage goes
below the limit again. When set to 0, no limit is applied, which is the
default setting.

pipe-user-pages-soft:

Maximum total number of pages a non-privileged user may allocate for pipes
before the pipe size gets limited to a single page. Once this limit is
reached, new pipes will be limited to a single page in size for this user
in order to limit total memory usage, and trying to increase them using
fcntl() will be denied until usage goes below the limit again. The default
value allows to allocate up to 1024 pipes at their default size. When set
to 0, no limit is applied.
"""
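
The script below is an added example, not part of the Ksplice advisory or of Oracle's tooling. It reads the two sysctls and reports which limits are actually in force, flagging the default case where no hard limit applies. It assumes the values are exposed under /proc/sys/fs as in the upstream kernel, and that a default-size pipe occupies 16 pages; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the per-user pipe page limits described above.
# Assumption: the sysctls live under /proc/sys/fs, as in the upstream kernel.
SYSCTL_DIR=${SYSCTL_DIR:-/proc/sys/fs}
DEFAULT_PIPE_PAGES=16   # assumption: a default-size pipe holds 16 pages

# is_uint VALUE: succeed only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# classify_pipe_limits SOFT HARD
# Prints a verdict for the two page counts; returns 2 on malformed input.
classify_pipe_limits() {
    soft=$1; hard=$2
    if ! is_uint "$soft" || ! is_uint "$hard"; then
        echo "invalid"; return 2
    fi
    if [ "$soft" -eq 0 ] && [ "$hard" -eq 0 ]; then
        echo "unlimited"        # neither limit is applied
    elif [ "$hard" -eq 0 ]; then
        # Past the soft limit new pipes shrink to one page but are never refused.
        echo "soft-only full-size-pipes=$(( $soft / $DEFAULT_PIPE_PAGES ))"
    elif [ "$soft" -eq 0 ] || [ "$soft" -ge "$hard" ]; then
        # The hard limit is reached first, so the soft limit never takes effect.
        echo "hard-only max-pages=$hard"
    else
        echo "soft+hard full-size-pipes=$(( $soft / $DEFAULT_PIPE_PAGES )) max-pages=$hard"
    fi
}

# audit_pipe_limits: read the live values and classify them.
audit_pipe_limits() {
    s="$SYSCTL_DIR/pipe-user-pages-soft"; h="$SYSCTL_DIR/pipe-user-pages-hard"
    if [ ! -r "$s" ] || [ ! -r "$h" ]; then
        echo "absent (kernel does not expose the pipe-user-pages sysctls)"
        return 0
    fi
    classify_pipe_limits "$(cat "$s")" "$(cat "$h")" || true
}

audit_pipe_limits
```

A "soft-only" or "unlimited" result means no hard cap is enforced, which is the default described above; an "absent" result means the running kernel does not provide these sysctls.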

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


