[Ksplice][Debian 8.0 Updates] New updates available via Ksplice (3.16.7-ckt11-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Jun 8 06:39:01 PDT 2015


Synopsis: 3.16.7-ckt11-1 can now be patched using Ksplice
CVEs: CVE-2015-3636

Systems running Debian 8.0 Jessie can now use Ksplice to patch against
the latest Debian kernel update, 3.16.7-ckt11-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 8.0 Jessie
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Memory corruption in Multiple Devices (md) driver when destroying a device.

Incorrect locking in the Multiple Devices (md) driver when destroying a
device could lead to memory corruption and a kernel panic.  A local,
privileged user could use this flaw to cause a denial-of-service.


* Frame filtering bypass in mesh forwarding in mac80211 stack.

A flaw in mac80211 mesh forwarding allows unencrypted frames to pass
through.  A remote attacker could use this flaw to inject unencrypted
frames into an otherwise encrypted network.


* Denial-of-service in Intel Memory Protection Extensions.

Incorrect checking for user mode tasks could result in a
denial-of-service when handling bounds faults on a system with MPX
available.


* Information leak in /proc/PID/pagemap.

/proc/PID/pagemap exposes a process's virtual-to-physical mappings and
could be read by a local, unprivileged user.  Knowing physical addresses
could be used in conjunction with hardware flaws such as Rowhammer to
elevate privileges.
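The following program is an added example written for this page, not code from the advisory or from Ksplice. It decodes the 64-bit pagemap entry format (bits 0-54 PFN, bit 55 soft-dirty, bit 61 file/shared, bit 62 swapped, bit 63 present), looks up the entry for one heap page of the calling process, and reports whether the kernel hands the page frame number to an unprivileged caller. The lookup assumes a Linux /proc; a fixed kernel either refuses to open pagemap without CAP_SYS_ADMIN or returns a zero PFN, depending on which version of the fix it carries, and both are reported as "withheld".

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bit layout of one 64-bit /proc/PID/pagemap entry (Documentation/vm/pagemap.txt). */
#define PAGEMAP_PFN_MASK   ((1ULL << 55) - 1)  /* bits 0-54: PFN when present   */
#define PAGEMAP_SOFT_DIRTY (1ULL << 55)        /* page is soft-dirty            */
#define PAGEMAP_FILE       (1ULL << 61)        /* file-backed or shared anon    */
#define PAGEMAP_SWAPPED    (1ULL << 62)        /* bits 0-54 hold swap info      */
#define PAGEMAP_PRESENT    (1ULL << 63)        /* page is present in RAM        */

struct pagemap_entry {
    int present;
    int swapped;
    int file_shared;
    int soft_dirty;
    uint64_t pfn;   /* 0 when not present, swapped, or withheld by the kernel */
};

struct pagemap_entry decode_pagemap_entry(uint64_t raw)
{
    struct pagemap_entry e;
    memset(&e, 0, sizeof e);
    e.present     = (raw & PAGEMAP_PRESENT) != 0;
    e.swapped     = (raw & PAGEMAP_SWAPPED) != 0;
    e.file_shared = (raw & PAGEMAP_FILE) != 0;
    e.soft_dirty  = (raw & PAGEMAP_SOFT_DIRTY) != 0;
    /* The low 55 bits are a PFN only for a present, non-swapped page. */
    if (e.present && !e.swapped)
        e.pfn = raw & PAGEMAP_PFN_MASK;
    return e;
}

/* Physical address of vaddr given its PFN, or 0 when the PFN is unknown. */
uint64_t pagemap_physical_address(uint64_t pfn, uint64_t vaddr, long page_size)
{
    if (pfn == 0)
        return 0;
    return pfn * (uint64_t)page_size + (vaddr % (uint64_t)page_size);
}

/* Read the pagemap entry for the page containing addr in the calling process.
 * Returns 0 on success, -1 on error with errno set. */
int lookup_pagemap(const void *addr, struct pagemap_entry *out)
{
    long page_size = sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return -1;
    /* One 8-byte entry per virtual page, indexed by page number. */
    off_t off = (off_t)(((uintptr_t)addr / (uintptr_t)page_size) * sizeof(uint64_t));
    uint64_t raw;
    ssize_t n = pread(fd, &raw, sizeof raw, off);
    int saved = errno;
    close(fd);
    if (n != (ssize_t)sizeof raw) {
        errno = saved ? saved : EIO;
        return -1;
    }
    *out = decode_pagemap_entry(raw);
    return 0;
}

/* Fault in one heap page and report what this process learns about it:
 *  1 = physical frame number disclosed (unpatched kernel, or privileged caller)
 *  0 = withheld (open refused with EPERM/EACCES, or PFN reported as zero)
 * -1 = pagemap not usable here (not Linux, no /proc, page not present) */
int pagemap_discloses_pfn(void)
{
    long page_size = sysconf(_SC_PAGESIZE);
    char *buf = malloc((size_t)page_size * 2);
    if (!buf)
        return -1;
    volatile char *page = (volatile char *)
        (((uintptr_t)buf + page_size - 1) & ~(uintptr_t)(page_size - 1));
    page[0] = 1;  /* touch it so the page is actually mapped */
    struct pagemap_entry e;
    int rc = lookup_pagemap((const void *)page, &e);
    int err = errno;
    free(buf);
    if (rc < 0)
        return (err == EPERM || err == EACCES) ? 0 : -1;
    if (!e.present)
        return -1;
    return e.pfn != 0;
}

int main(void)
{
    int r = pagemap_discloses_pfn();
    if (r == 1)
        puts("pagemap discloses physical frame numbers to this process");
    else if (r == 0)
        puts("pagemap withholds physical frame numbers from this process");
    else
        puts("pagemap not usable here");
    return 0;
}
```

Run it once as an unprivileged user and once as root on a patched host: only the root run should report disclosure. A result of "discloses" for an unprivileged user means the kernel still leaks the mapping an attacker needs to target specific DRAM rows.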


* Use-after-free in iSCSI target connection closing.

A race condition in the iSCSI target connection closing procedure could
result in a use-after-free condition and subsequent kernel crash.


* Denial-of-service in pSCSI backend.

A missing NULL pointer check could result in a denial-of-service,
triggerable by a local, unprivileged user on incomplete configurations.


* NULL pointer dereference during Target device initialization failure.

Failure to create a workqueue when initializing a target device could
result in a NULL pointer dereference and kernel crash under specific
conditions.


* Information leak in Infiniband Userspace events.

The Infiniband uverbs driver did not clear the events structure
resulting in leaking 4-8 bytes of kernel stack contents to userspace.


* Out-of-bounds memory access in multiqueue block core segment merging.

An incorrect array index could result in accessing beyond the bounds of
an array when merging requests.  This could result in a crash or other,
undefined behaviour.


* Kernel crash in physical to virtual reverse mapping lookup.

Incorrect error handling when adjusting a virtual memory area could
result in integer underflow and a crash in the address reverse mapping
code.


* Data corruption on hfsplus filesystem when inserting node at position zero.

A logic error in the hfsplus filesystem driver leads to on-disk data
corruption when inserting a node at position zero.


* Use-after-free in Industrial I/O core error handling.

Incorrect error handling in the Industrial I/O device registration
function could result in a double-free and kernel crash.


* Use-after-free in CIFS page writing during intermittent network connectivity.

Incorrect error handling during loss of network connection could result
in a use-after-free when writing pages on a CIFS filesystem.


* NULL pointer dereference in Analog Devices IMU SPI driver.

Missing reference counting could result in a NULL pointer dereference in
the Analog Devices IMU SPI driver during removal if the trigger was
changed.


* Use-after-free in network namespace device moving.

Incorrect linked list manipulation could result in a use-after-free and
kernel crash when moving devices between namespaces.


* Kernel panic when chowning files on NFS mount.

Under specific circumstances chowning a file on an NFS mount can trigger
an assertion failure and cause a kernel panic.


* Memory corruption in SPI device ioctl.

An integer overflow in the kernel SPI driver can allow malformed ioctls
to trigger kernel memory corruption and allow a local user to gain
elevated privileges.


* Kernel information leak in PCI Advanced Error Reporting.

Incorrect printing of TLP headers in the PCI Advanced Error Reporting
driver could disclose a kernel pointer value and kernel stack bytes to
userspace.


* Kernel panic in ServerEngines iSCSI BladeEngine 2 initialization failure.

An incorrect call to remove the device in the error handling path could
result in a kernel crash when a BladeEngine 2 device failed to
initialize.


* Kernel crash in SCSI devices during unplug.

Incorrect handling of inoperative links could result in accessing a
device when it should not be possible to do so.  This could result in an
invalid pointer dereference and kernel crash.


* Data corruption in ext4 hole punching with indirect mappings.

Under specific conditions, ext4 filesystems could experience data loss
when using FALLOC_FL_PUNCH_HOLE on files.


* Kernel panic in IPv4 forwarding of timewait sockets.

The kernel IPv4 stack does not correctly handle forwarding data from
timewait sockets which can trigger an assertion failure and kernel
panic.


* Deadlock when sending IPv4 FIN packets.

The kernel IPv4 stack can deadlock causing a kernel panic when
transmitting IPv4 FIN packets under high memory pressure.


* Data loss when mounting btrfs volume with the 'discard' option.

When mounting a btrfs volume with '-o discard' the btrfs driver can
possibly overwrite filesystem metadata causing data loss.


* Memory leak in Hyper-V virtual storage driver.

The Hyper-V virtual storage driver does not correctly unmap memory when
handling I/O commands from a guest, causing a kernel memory leak in the
host.


* Denial of service in btrfs IOC_FILE_EXTENT_SAME ioctl.

Attempting to query the extents of a file on a btrfs volume can trigger
an infinite loop and kernel panic. A local user could use this flaw to
cause a denial of service.


* Denial of service in btrfs IOC_CLONE ioctl.

Attempting to clone a zero-length region from one file to another on a
btrfs volume can trigger an infinite loop and kernel panic. A local
user could use this flaw to cause a denial of service.


* Memory corruption when resolving symlink target.

A reference counting error when opening a symlink which crosses a
mountpoint can trigger a use-after-free condition and kernel panic.


* Data corruption when handling iSER commands.

The iSCSI Extensions for RDMA (iSER) driver incorrectly calculates the
length of DIX (data integrity extension) data, which can lead to silent
data corruption.


* CVE-2015-3636: Memory corruption when unhashing IPv4 ping sockets.

The kernel IPv4 subsystem does not correctly handle unhashing a ping
socket, which can trigger kernel memory corruption.  A local user can use
this flaw to gain elevated privileges.  Reaching the flaw requires the
ability to create an unprivileged ICMP (ping) socket, which is governed
by the net.ipv4.ping_group_range sysctl.
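The following program is an added example written for this page, not code from the advisory or from Ksplice, and it deliberately contains no trigger for the bug. It checks the precondition that CVE-2015-3636 depends on: whether the calling user's group falls inside net.ipv4.ping_group_range (the kernel default "1\t0" is an empty range that admits nobody) and whether socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) actually succeeds, which is the call an exploit would have to make first. Paths and the EACCES behaviour assume Linux.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Parse the "low high" string of net.ipv4.ping_group_range (procfs prints
 * it tab-separated) and report whether gid may create ICMP sockets.
 * The kernel default "1 0" is an empty range: no group is allowed. */
int ping_group_range_allows(const char *range, unsigned long gid)
{
    unsigned long low, high;
    if (range == NULL || sscanf(range, "%lu %lu", &low, &high) != 2)
        return 0;
    return low <= high && gid >= low && gid <= high;
}

/* Read the sysctl from procfs into buf; 0 on success, -1 on error. */
int read_ping_group_range(char *buf, size_t len)
{
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (!f)
        return -1;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    return ok ? 0 : -1;
}

/* Try to open an ICMP "ping" socket as the calling user.
 *  1 = allowed: the vulnerable unhash path is reachable on an unpatched kernel
 *  0 = denied by ping_group_range (EACCES/EPERM)
 * -1 = socket type unsupported on this system, or other error */
int probe_ping_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return (errno == EACCES || errno == EPERM) ? 0 : -1;
}

int main(void)
{
    char range[64] = "";
    unsigned long gid = (unsigned long)getgid();

    if (read_ping_group_range(range, sizeof range) == 0) {
        range[strcspn(range, "\n")] = '\0';
        printf("net.ipv4.ping_group_range = \"%s\"; gid %lu is %sin range\n",
               range, gid, ping_group_range_allows(range, gid) ? "" : "not ");
    } else {
        puts("net.ipv4.ping_group_range not readable (not Linux?)");
    }

    int r = probe_ping_socket();
    printf("ICMP socket creation: %s\n",
           r == 1 ? "allowed" : r == 0 ? "denied (EACCES/EPERM)" : "unsupported/error");
    return 0;
}
```

If the probe reports "allowed" for an ordinary user on a host that has not yet taken this update, treat the CVE as locally exploitable there; if it reports "denied", the flaw is still present but the unprivileged entry point is closed until the range is widened (for example by a ping binary that relies on ICMP sockets instead of setuid).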


* Filesystem corruption on software RAID0 devices.

A corrupted sector number for a RAID0 device could result in filesystem
corruption when making requests.  Side effects include discarding the
contents of unrelated files when unlinking, and other corruption.


* Use-after-free in IPv6 virtual tunnelling during removal.

Incorrect removal of tunnel interfaces could result in a use-after-free
and kernel crash when removing the IPv6 virtual tunnelling module.


* Filesystem corruption with ext4 delayed extents.

Incorrect handling of unwritten and delayed extents could result in
filesystem corruption.  A local, unprivileged user could use this flaw
to zero parts of files under specific conditions.


* Filesystem corruption in ext4 fallocate().

A race condition in the fallocate() implementation on an ext4 filesystem
could result in filesystem corruption under specific conditions.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

