From ksplice-support_ww at oracle.com Mon Apr 1 12:53:52 2019
From: ksplice-support_ww at oracle.com (Oracle Ksplice)
Date: Mon, 1 Apr 2019 19:53:52 GMT
Subject: [Ksplice][Debian 8.0 Updates] New Ksplice updates for Debian 8.0 Jessie (3.16.64-1)
Message-ID: <201904011953.x31JrqsU023568@aserv0022.oracle.com>

Synopsis: 3.16.64-1 can now be patched using Ksplice
CVEs: CVE-2016-10150 CVE-2016-10741 CVE-2017-13168 CVE-2017-13305 CVE-2017-5753 CVE-2017-5967 CVE-2017-9725 CVE-2018-12896 CVE-2018-13053 CVE-2018-16862 CVE-2018-17972 CVE-2018-18281 CVE-2018-18690 CVE-2018-18710 CVE-2018-19824 CVE-2018-19985 CVE-2018-20511 CVE-2018-5848 CVE-2018-5953 CVE-2019-3701 CVE-2019-3819 CVE-2019-6974 CVE-2019-7221 CVE-2019-7222 CVE-2019-9213

Systems running Debian 8.0 Jessie can now use Ksplice to patch against the latest Debian kernel update, 3.16.64-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 8.0 Jessie install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these updates will be installed automatically and you do not need to take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2017-13168: Denial-of-service in sg read/write implementation.

An unsafe implementation of read/write in the sg driver can result in userspace being able to corrupt kernel memory. A local user with access to an sg device could use this flaw to cause undefined behaviour or a kernel crash, leading to a denial-of-service.

* CVE-2018-13053: Integer overflow in alarm_timer_nsleep.

The alarm_timer_nsleep function in the kernel timekeeping code does not check for overflow when adding two time values together, potentially causing undefined behavior in the kernel.

* CVE-2018-17972: Information leak in /proc kernel stack dumps.

A failure to restrict access to /proc/self/task/*/stack to root only could allow an unprivileged user to obtain information about the stack and its contents of another process.

* CVE-2017-13305: Information leak in encrypted keys subsystem.

Providing the encrypted keys subsystem with a shorter-than-expected master key description could cause the key validation routine to read beyond the end of the buffer, potentially exposing kernel memory.

* CVE-2018-5848: Privilege escalation in the Wilocity Atheros driver.

Improper length validation could lead to an integer overflow and undefined behaviour. A local user could use this flaw to cause memory corruption and potentially escalate privileges.

* CVE-2018-16862: Potential memory corruption in inode truncation path.

A logic error in the memory manager's inode truncation path can lead to an inode not being properly cleaned up. If another file is created with the same inode, it is possible to read old leftover data, instead of the expected data, when attempting to read the new file. This could cause a system to exhibit unexpected behavior.

* CVE-2018-18281: Information leak in mremap syscall.

A logic error in the mremap code could allow one process to access the memory of a different process.

* CVE-2018-18690: XFS filesystem failure during extended attribute replacement.

Incorrect handling of extended attribute replacement on an XFS filesystem could result in a filesystem shutdown. A local, unprivileged user could use this flaw to trigger a denial of service.

* CVE-2018-18710: Information leak when checking the CD-ROM slot status.

An incorrect bounds check in the CD-ROM driver could allow an out-of-bounds access and a kernel information leak to an unprivileged user.

* CVE-2016-10741: Denial-of-service during I/O on memory-mapped XFS block.

Mixing direct I/O and memory-mapped I/O on an XFS block can crash the kernel. A malicious local user can exploit this to cause a denial-of-service.

* CVE-2017-9725: Memory corruption in contiguous memory allocation.

A type conversion error when allocating contiguous memory for Direct Memory Access can result in memory corruption outside of the allocated memory. A local user could use this flaw to cause undefined behavior or a kernel crash.

* CVE-2018-19985: Out-of-bounds memory access in USB High Speed Mobile device driver.

A missing length check in the hso_probe function can lead to an out-of-bounds memory access. This could cause a system to exhibit unexpected behavior.

* CVE-2019-7221: Use-after-free in nested KVM preemption timer.

A failure to cancel a nested KVM timer before freeing it can result in a use-after-free. A guest VM could use this flaw to crash the host.

* CVE-2019-7222: Information disclosure in KVM VMX emulation.

Incorrectly handling a page fault exception while emulating VMX instructions can result in leaking host stack information to a guest. A guest VM could use this flaw to facilitate a further attack on the host.

* CVE-2019-9213: Bypass of mmap_min_addr restriction.

An incorrect capability check in the mmap memory expansion implementation can result in applications being able to bypass the minimum mmap address restriction. A local user on a system without SMAP enabled could use this flaw to exploit kernel NULL pointer dereferences.

* CVE-2016-10150: Use-after-free in KVM device creation.

Incorrect ordering when creating a KVM device can result in a use-after-free. A local user could use this flaw to cause an assertion failure in the kernel.

* CVE-2018-12896: Denial-of-service via POSIX timer overflow.

The POSIX timer overrun value can overflow an integer if the timer has a sufficiently long interval and expiry time. A malicious user could create such a timer to cause a denial-of-service.

* CVE-2018-5953: Information leak in software IO TLB driver.

Overly verbose messages in the software IO TLB driver leak information about the running kernel. A local attacker could use this flaw to facilitate an attack.

* CVE-2018-20511: Information leak when using Appletalk-IP driver.

A missing initialization of on-stack data passed from kernelspace to userspace in an Appletalk-IP driver ioctl could lead to an information leak. A local attacker could use this flaw to facilitate an attack.

* CVE-2019-3701: Denial-of-service in CAN controller.

Missing sanity checking in the Controller Area Network driver can allow a malicious user to write arbitrary bits into the CAN device's I/O memory, resulting in a system crash and denial-of-service.

* CVE-2019-3819: Deadlock in HID debug events read.

A logic error when reading HID debug events can result in the kernel entering an infinite loop, leading to a system lock up. A privileged user could use this flaw to cause a denial-of-service.

* CVE-2019-6974: Use-after-free in KVM device creation.

A reference count manipulation error when creating a KVM device can result in an early free, leading to a use-after-free. A local user with access to KVM could use this flaw to cause a kernel crash or potentially escalate privileges.

* CVE-2018-19824: Use-after-free when connecting ALSA USB sound device.

A use-after-free when connecting an ALSA USB sound device could result in memory corruption, potentially allowing a malicious user to corrupt memory or escalate privileges.

* CVE-2017-5967: Information leak when reading /proc/timer_list and /proc/timer_stats.

Overly verbose messages when reading /proc/timer_list and /proc/timer_stats could leak information about the current PID. An attacker inside a PID namespace could use this flaw to learn its real PID.

* Improved fix for Spectre v1: Speculative execution in array accesses.

The current fix for CVE-2017-5753 fails to correctly disable compiler optimization, which results in some array accesses not being correctly protected against speculative execution attacks.

* Improved fix for Spectre v1: Bounds-check bypass in ZeitNet ZN1221/ZN1225 driver.

A missing sanitization of an array index after a bounds check in the ZeitNet ZN1221/ZN1225 driver could lead to an information leak. A local attacker could use this flaw to leak information about the running system.

* Improved fix for CVE-2017-5753: Bounds-check bypass in ATM LAN emulation.

A missing use of the indirect call protection macro in the ATM LAN emulation driver could lead to speculative execution. A local attacker could use this flaw to leak information about the running system.

* Improved fix for Spectre v1: Bounds-check bypass in Chelsio Communications T3 10Gb Ethernet driver.

A missing sanitization of an array index after a bounds check in the Chelsio Communications T3 10Gb Ethernet driver could lead to an information leak. A local attacker could use this flaw to leak information about the running system.

* Improved fix for Spectre v1: Bounds-check bypass in ext4 multiblocks allocation routines.

A missing use of the indirect call protection macro in the ext4 multiblocks allocation routines could lead to speculative execution. A local attacker could use this flaw to leak information about the running system.

* Improved fix for Spectre v1: Information leak in filesystem quota control code.

A missing sanitization of an array index in the filesystem quota control code can lead to kernel memory being leaked to userspace. A local attacker could exploit this flaw to leak information about the running system.

* Improved fix for Spectre v1: Information leak in NCT6775 driver.

A missing sanitization of an array index in the NCT6775 driver could lead to an information leak. A local attacker could use this flaw to leak information about the running system.

* Improved fix for Spectre v1: Bounds-check bypass in Honeywell HMC6352 compass driver.

A missing use of the indirect call protection macro in the Honeywell HMC6352 compass driver could lead to speculative execution. A local attacker could use this flaw to leak information about the running system.

* Improved fix for Spectre v1: Bounds-check bypass in Virtual terminal driver.

A missing use of the indirect call protection macro in the Virtual terminal driver could lead to speculative execution. A local attacker could use this flaw to leak information about the running system.

* Improved fix for Spectre v1: Bounds-check bypass in Infiniband driver.

A missing use of the indirect call protection macro in the Infiniband driver could lead to speculative execution. A local attacker could use this flaw to leak information about the running system.

* Improved fix for Spectre v1: Bounds-check bypass in PTP clock driver.

A missing use of the indirect call protection macro in the PTP clock driver could lead to speculative execution. A local attacker could use this flaw to leak information about the running system.

* Improved fix for Spectre v1: Bounds-check bypass in Human Input Device driver.

Information controlled by userspace can be used to disclose kernel memory via speculation in the Human Input Device driver. A local user could use this flaw to facilitate a further attack on the system.

* Improved fix for Spectre v1: Bounds-check bypass in asynchronous I/O subsystem.

A missing sanitization of an array index after a bounds check in the asynchronous I/O subsystem could lead to an information leak. A local attacker could use this flaw to leak information about the running system.

* Improved fix for Spectre v1: Bounds-check bypass in various ALSA sound drivers.

Various arrays in the ALSA sound driver code are potentially vulnerable to a Spectre variant 1 speculative execution attack.

* Improved fix for Spectre v1: Bounds-check bypass in scheduler userspace interface.

A missing use of the indirect call protection macro in the scheduler userspace interface could lead to speculative execution. A local attacker could use this flaw to leak information about the running system.

* Improved fix for Spectre v1: Bounds-check bypass in getrlimit syscall.

The 'resource' parameter of the getrlimit syscall is vulnerable to a Spectre variant 1 speculative execution attack.

* Improved fix for Spectre v1: Bounds-check bypass when using USB Gadget mass storage.

A missing use of the indirect call protection macro in the USB Gadget mass storage driver could lead to speculative execution. A local attacker could use this flaw to leak information about the running system.

* Improved fix for Spectre v1: Bounds-check bypass in perf events.

A missing use of the indirect call protection macro during perf event retrieval could lead to speculative execution. A local attacker could use this flaw to leak information about the running system.

* Improved fix for Spectre v1: Bounds-check bypass in DRM driver's ioctl handler.

A value that is indirectly controlled by userspace is used to index a buffer in drm_ioctl. A local attacker could use a Spectre-style attack to exploit this flaw and cause unexpected behavior, or a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

From ksplice-support_ww at oracle.com Mon Apr 1 16:54:55 2019
From: ksplice-support_ww at oracle.com (Oracle Ksplice)
Date: Mon, 1 Apr 2019 23:54:55 GMT
Subject: [Ksplice][Debian 8.0 Updates] New Ksplice updates for Debian 8.0 Jessie (3.16.64-2)
Message-ID: <201904012354.x31NstZU007655@aserv0021.oracle.com>

Synopsis: 3.16.64-2 can now be patched using Ksplice
CVEs: CVE-2018-1066

Systems running Debian 8.0 Jessie can now use Ksplice to patch against the latest Debian kernel update, 3.16.64-2.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 8.0 Jessie install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these updates will be installed automatically and you do not need to take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* Improved fix for CVE-2018-1066: Denial-of-service in CIFS session negotiation.

The current fix for CVE-2018-1066 causes a behavior regression that prevents SMB3 authenticated mounts from functioning correctly.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
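The Spectre v1 entries in the 3.16.64-1 advisory above repeatedly describe a missing sanitization of an array index after its bounds check. As an added example that is not code from the Ksplice advisory or the Debian kernel, the C below shows that pattern and the branch-free index masking used to close it; limit_table, lookup_nospec and the sample indices are constructed for illustration, and the mask function follows the kernel's portable fallback rather than the x86 assembly version.

```c
/* Added example, not code from the Ksplice advisory or the Debian kernel: the
 * "bounds check, then index with the unsanitized value" pattern behind the
 * Spectre v1 entries above, with the array_index_nospec()-style masking that
 * sanitizes the index.  The table and the sample indices are constructed. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 8UL
static const uint32_t limit_table[TABLE_SIZE] = {10, 20, 30, 40, 50, 60, 70, 80};
/* Branch-free mask like the kernel's portable fallback: ~0UL when index < size,
 * 0 otherwise.  No conditional branch, so nothing for the CPU to mispredict. */
static unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    return ~(long)(index | (size - 1UL - index)) >> (sizeof(long) * CHAR_BIT - 1);
}

/* Clamp index into [0, size): an out-of-range index is masked down to 0. */
static unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Without the masking line this is the pattern before the improved fixes:
 * architecturally correct, but a mispredicted branch lets the load execute
 * speculatively with an out-of-range idx.  With it, even the speculative load
 * stays inside limit_table. */
static int lookup_nospec(unsigned long idx, uint32_t *out)
{
    if (idx >= TABLE_SIZE)
        return -1;
    idx = array_index_nospec(idx, TABLE_SIZE);   /* sanitize after the check */
    *out = limit_table[idx];
    return 0;
}

int main(void)
{
    unsigned long samples[] = {3, TABLE_SIZE, ULONG_MAX};   /* constructed */
    for (int i = 0; i < 3; i++) {
        uint32_t v = 0;
        int rc = lookup_nospec(samples[i], &v);
        printf("idx=%lu mask=%#lx sanitized=%lu rc=%d value=%u\n", samples[i],
               array_index_mask_nospec(samples[i], TABLE_SIZE),
               array_index_nospec(samples[i], TABLE_SIZE), rc, (unsigned)v);
    }
    return 0;
}
```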