[Ksplice][Debian 8.0 Updates] New updates available via Ksplice (DSA-3448-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Jan 20 14:41:50 PST 2016


Synopsis: DSA-3448-1 can now be patched using Ksplice
CVEs: CVE-2013-4312 CVE-2015-7566 CVE-2015-8767 CVE-2016-0723 CVE-2016-0728

Systems running Debian 8.0 Jessie can now use Ksplice to patch against
the latest Debian Security Advisory, DSA-3448-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 8.0 Jessie
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
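
As an added example (not part of the Oracle advisory or the Ksplice tooling), the shell functions below check whether a host's uptrack.conf really has autoinstall enabled, so you can tell whether the manual command above is still needed. The comment syntax, the last-value-wins rule and the [Settings] header in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's code). Key name, path and upgrade command
# come from the advisory; comment syntax and last-value-wins are assumptions.

# autoinstall_value FILE -> prints the configured value, or "unset"
autoinstall_value() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }                    # skip commented-out lines
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (tolower(key) == "autoinstall") found = tolower(val)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# patch_action FILE -> "automatic", or the manual command from the advisory
patch_action() {
    if [ "$(autoinstall_value "$1")" = yes ]; then
        echo "automatic"
    else
        echo "manual: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample config: the only active line sets autoinstall to no;
# the commented-out "yes" line must not count as enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Settings]
# autoinstall = yes
autoinstall = no
EOF
patch_action "$sample"
rm -f "$sample"
```

On a real host, call patch_action with /etc/uptrack/uptrack.conf instead of the sample file.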


DESCRIPTION

* CVE-2013-4312: Denial of service in unix sockets.

Due to incorrect resource accounting, a process could allocate and keep
open an arbitrary number of file descriptors, thus exceeding the limits
set for the process. A malicious local user could use this flaw to cause
denial of service.


* CVE-2015-7566: Denial of service in USB Handspring Visor driver.

Incomplete USB endpoint validation could result in a kernel crash when
probing a USB Handspring Visor device.  A malicious USB device could use
this flaw to crash the system.


* CVE-2016-0728: Privilege escalation in session keyrings.

A reference count imbalance with session keyrings could result in a
use-after-free condition.  A local, unprivileged user could use this
flaw to crash the system or gain arbitrary code execution in the kernel.


* CVE-2016-0723: Denial of service in TTY TIOCGETD ioctl().

A use-after-free when getting the line discipline for a TTY could allow
a local user to trigger a kernel crash.


* CVE-2015-8767: Denial of service in SCTP heartbeat timeout.

Incorrect locking when accepting an SCTP connection during the 4-way
handshake could result in a deadlock.  A local user could use this flaw to
block SCTP connections.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


