[Ksplice][Debian 9.0 Updates] New Ksplice updates for Debian 9.0 Stretch (DSA-4266)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Aug 9 00:58:01 PDT 2018


Synopsis: DSA-4266 can now be patched using Ksplice
CVEs: CVE-2018-10878 CVE-2018-13405 CVE-2018-5390

Systems running Debian 9.0 Stretch can now use Ksplice to patch
against the latest Debian Security Advisory, DSA-4266.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Debian 9.0
Stretch install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Deadlock when connecting to a virtual network using the Xen driver.

A logic error in the mutex handling of the Xen virtual network driver
when connecting to a virtual network could lead to a deadlock. A local
attacker could use this flaw to cause a denial-of-service.


* Improved fix for CVE-2018-10878: Out-of-bounds access when initializing ext4 block bitmap.

A logic error in the previous fix for CVE-2018-10878 prevented mounting ext4
filesystems with meta block groups (the meta_bg feature) enabled.


* Out-of-bounds access in the USB Network Control Model (CDC NCM) communications driver.

A logic error when reserving space for a packet could result in an
out-of-bounds memory access, leading to memory corruption or a kernel crash.


* CVE-2018-13405: Permissions bypass when creating a file in an SGID directory.

A new file created in an SGID (setgid) directory inherits the directory's
group ownership. The kernel did not clear the setgid bit from a
group-executable file created there by a user who is not a member of that
group, so such a user could create a setgid executable owned by the
directory's group. This can be exploited to elevate privileges if the
directory is owned by a privileged group.


* CVE-2018-5390: Denial-of-service when receiving misordered TCP packets.

A remote attacker able to establish a TCP connection can send a stream of
specially crafted out-of-order segments, forcing the kernel to spend
excessive CPU time reorganising its out-of-order queue for every incoming
packet and resulting in an effective denial-of-service (known as
"SegmentSmack").

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
