[Ksplice][Debian 7.0 Updates] New Ksplice updates for Debian 7.0 Wheezy (DLA-1392-1)

Jamie Iles jamie.iles at oracle.com
Tue Jun 5 11:26:20 PDT 2018


Synopsis: DLA-1392-1 can now be patched using Ksplice
CVEs: CVE-2017-18208 CVE-2018-1093 CVE-2018-10940 CVE-2018-1130 CVE-2018-8897

Systems running Debian 7.0 Wheezy can now use Ksplice to patch against
the latest Debian kernel update, DLA-1392-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 7.0
Wheezy install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
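As an added example (not part of the Ksplice advisory or the Uptrack tooling), the following POSIX shell snippet reads the "autoinstall" setting from an uptrack.conf-style file and reports whether the host will pick up these updates on its own or needs a manual "uptrack-upgrade -y". It assumes an INI-style file with an "autoinstall = yes|no" line; the sample configs at the bottom are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes an INI-style uptrack.conf
# with an "autoinstall = yes|no" line; the path is passed in so the logic
# can be exercised on a constructed copy instead of the live host file.

# Print "yes" if autoinstall is enabled, "no" otherwise (missing file or
# missing key counts as "no", the conservative answer for an operator).
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return 1; }
    # Strip '#' and ';' comments, keep only "autoinstall = ..." lines
    # (case-insensitive, any surrounding whitespace); the last assignment
    # wins, as with most INI parsers.
    val=$(sed -e 's/[#;].*$//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr '[:upper:]' '[:lower:]')
    case "$val" in
        yes|true|1|on) echo yes; return 0 ;;
        *)             echo no;  return 1 ;;
    esac
}

# Decide the action for this host: "auto" when Uptrack will install the
# updates itself, "manual" when an operator should run uptrack-upgrade -y.
uptrack_required_action() {
    if uptrack_autoinstall_enabled "$1" >/dev/null; then
        echo auto
    else
        echo manual
    fi
}

# Constructed sample configs (not real host files) for a stand-alone run.
tmp=$(mktemp)
printf '[Uptrack]\n# comment line\nautoinstall = yes\n' > "$tmp"
echo "sample-1: $(uptrack_required_action "$tmp")"   # prints auto
printf 'autoinstall = no ; inline comment\n' > "$tmp"
echo "sample-2: $(uptrack_required_action "$tmp")"   # prints manual
rm -f "$tmp"
```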


DESCRIPTION

* CVE-2017-18208: Denial-of-service when using the madvise system call.

A logic error when using the madvise system call with the WILLNEED option
on a DAX (Direct Access) filesystem could lead to a deadlock. A local
attacker could use this flaw to cause a denial-of-service.


* CVE-2018-1130: Denial-of-service in DCCP message send.

A logic error in the DCCP code could lead to a NULL pointer dereference
when transmitting messages, resulting in a kernel panic. An attacker could
use this to cause a denial-of-service.


* CVE-2018-10940: Information leak when checking whether CD-ROM media has changed.

A missing check when a user queries whether the CD-ROM media has changed
via an ioctl could lead to an information leak. A local attacker could use
this flaw to leak information about the running kernel and facilitate
further attacks.


* CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.

A failure to correctly validate bitmap information from an ext4
filesystem can result in an out-of-bounds read, leading to a kernel
crash. A local user with the ability to mount an ext4 filesystem could
use this flaw to cause a denial-of-service.


* CVE-2018-8897: Denial-of-service in KVM breakpoint handling.

Incorrect stack management of data watchpoints and breakpoints could
allow an unprivileged user to crash the system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.