[Ksplice][Debian 8.0 Updates] New updates available via Ksplice (3.16.7-ckt20-1+deb8u4)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Mar 7 18:11:44 PST 2016


Synopsis: 3.16.7-ckt20-1+deb8u4 can now be patched using Ksplice
CVEs: CVE-2013-7446 CVE-2015-8785 CVE-2015-8812 CVE-2015-8830 CVE-2016-2069 CVE-2016-2384 CVE-2016-2543 CVE-2016-2544 CVE-2016-2545 CVE-2016-2546 CVE-2016-2547 CVE-2016-2549 CVE-2016-2847

Systems running Debian 8.0 Jessie can now use Ksplice to patch against
the latest Debian kernel update, 3.16.7-ckt20-1+deb8u4.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Debian 8.0 Jessie
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2016-2543: Denial-of-service in ALSA SNDRV_SEQ_IOCTL_REMOVE_EVENTS ioctl().

A missing NULL pointer check in the SNDRV_SEQ_IOCTL_REMOVE_EVENTS
ioctl() handler could result in a NULL pointer dereference and kernel
crash.  A local user with access to an ALSA device could use this flaw
to crash the system.


* Crash in USB hub initialization due to improper locking.

Improper locking of memory structures during USB hub initialization may
result in a crash if a USB hub is connected and disconnected rapidly.


* CVE-2016-2549: Denial-of-service in ALSA timer management.

Incorrect timer reprogramming in the ALSA subsystem could result in
deadlock.  A local user with access to the device could use this flaw to
cause a denial-of-service.


* CVE-2015-8812: Use-after-free in Infiniband CXGB3 driver on network congestion.

A logic error in the Infiniband CXGB3 driver could lead to a use-after-free
of a socket buffer when the network is congested.  A local, unprivileged
user could use this flaw to cause a kernel crash or potentially escalate
privileges.


* CVE-2016-2384: Privilege escalation in USB MIDI device driver.

The USB MIDI device driver does not correctly free memory when failing
to initialize an endpoint, which can cause a use-after-free condition. A
local unprivileged user can use this flaw to trigger kernel code
execution.


* CVE-2016-2544, CVE-2016-2545, CVE-2016-2546, CVE-2016-2547: Use-after-free in ALSA sequencer timers.

Multiple flaws could result in a use-after-free when adding and
removing timers in the ALSA sequencer.  A local user with access to the
device could use this flaw to crash the system, or potentially escalate
privileges.


* Improved fix for CVE-2013-7446: Use-after-free in Unix sockets.

The original fix for CVE-2013-7446 did not handle the case where the
specified address is bound to the sending socket or when the socket was
connected to itself.  This flaw could lead to kernel deadlocks or double
unlocking of a spinlock.


* CVE-2015-8785: Infinite loop when submitting invalid io vectors to FUSE filesystem.

Due to a logic error in the io vector handling during FUSE filesystem
write operations, a malicious local user with access to the filesystem
could cause the kernel to enter an infinite loop.


* Infinite loop in Aufs when sendfile() is interrupted.

Improper handling of EINTR in Aufs when sendfile() is interrupted
results in an infinite loop. A local user could use this flaw to cause a
denial-of-service.


* CVE-2016-2069: Race condition in the TLB flush logic on multi-processors.

A race condition in the TLB flush logic when modifying paging structures
could lead to stale entries in the local TLB after switching to a new
process.  A local attacker could use this flaw to cause a denial-of-service
or potentially escalate privileges.


* CVE-2015-8830: Denial of service in AIO.

Due to a missing length check, a userspace process could potentially
pass a very large IO control block to the kernel. A malicious user
could use this to cause denial of service.


* CVE-2016-2847: Denial of service in pipe buffer management.

Due to insufficient limits in pipe buffer management code, a malicious
process could create many pipes and fill the pipe buffers. This could
exhaust all available memory and cause denial of service.

This update adds two new sysctls:

"""
pipe-user-pages-hard:

Maximum total number of pages a non-privileged user may allocate for pipes.
Once this limit is reached, no new pipes may be allocated until usage goes
below the limit again. When set to 0, no limit is applied, which is the
default setting.

pipe-user-pages-soft:

Maximum total number of pages a non-privileged user may allocate for pipes
before the pipe size gets limited to a single page. Once this limit is
reached, new pipes will be limited to a single page in size for this user
in order to limit total memory usage, and trying to increase them using
fcntl() will be denied until usage goes below the limit again. The default
value allows to allocate up to 1024 pipes at their default size. When set
to 0, no limit is applied.
"""
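
The following check reports the two limits described above and flags any that are set to 0 (no limit). It is an added example, not part of the Oracle advisory or of Ksplice. The function name and its directory and page-size arguments are assumptions made so the check can also run against a constructed copy of /proc/sys/fs, which is where the kernel exposes these fs.* sysctls.

```shell
#!/bin/sh
# Added example: audit the per-user pipe page limits that come with the
# CVE-2016-2847 fix. Not part of the advisory; names below are hypothetical.
#
# pipe_limit_status [DIR] [PAGE_SIZE]
#   DIR        directory holding the sysctl files (default /proc/sys/fs)
#   PAGE_SIZE  bytes per page (default: getconf PAGESIZE)
# Return code: 0 both limits set, 1 at least one limit is 0 (unlimited),
#              2 a sysctl is missing or unparsable (fix not applied?).
pipe_limit_status() {
    dir=${1:-/proc/sys/fs}
    page_size=${2:-$(getconf PAGESIZE)}
    rc=0
    for name in pipe-user-pages-soft pipe-user-pages-hard; do
        file="$dir/$name"
        if [ ! -r "$file" ]; then
            echo "$name: missing (kernel does not expose this sysctl)"
            rc=2
            continue
        fi
        pages=$(cat "$file")
        case $pages in
            ''|*[!0-9]*)
                echo "$name: unparsable value"
                rc=2
                continue
                ;;
        esac
        if [ "$pages" -eq 0 ]; then
            # Per the sysctl text: 0 means no limit is applied.
            echo "$name: 0 (no limit applied)"
            if [ "$rc" -eq 0 ]; then
                rc=1
            fi
        else
            echo "$name: $pages pages = $((pages * page_size)) bytes per user"
        fi
    done
    return "$rc"
}

# Usage on a live system:  pipe_limit_status
# Usage on a copied tree:  pipe_limit_status /tmp/sysfs-copy 4096
```

Because pipe-user-pages-hard defaults to 0, a system with default settings returns 1 until an administrator sets a hard limit.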

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


