[Ksplice][EL7-Updates] New Ksplice updates for OL 7, RHEL 7, CentOS 7, and Scientific Linux 7 (RHSA-2016-2574)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Nov 8 00:33:17 PST 2016


Synopsis: RHSA-2016-2574 can now be patched using Ksplice
CVEs: CVE-2015-8374 CVE-2015-8543 CVE-2015-8746 CVE-2015-8812 CVE-2015-8956 CVE-2016-2053 CVE-2016-2069 CVE-2016-2117 CVE-2016-2384 CVE-2016-3070 CVE-2016-3156 CVE-2016-3699 CVE-2016-3841 CVE-2016-4569 CVE-2016-4578 CVE-2016-4581 CVE-2016-4794 CVE-2016-5829 CVE-2016-6136 CVE-2016-6327 CVE-2016-6480

Ksplice will not be providing zero-downtime updates for CVE-2016-3699, CVE-2013-4312, CVE-2016-6198 and CVE-2016-6136.

Systems running RHCK on Oracle Linux 7, Red Hat Enterprise Linux 7,
CentOS 7, and Scientific Linux 7 can now use Ksplice to patch against
the latest Red Hat Security Advisory, RHSA-2016-2574.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running OL 7, RHEL 7,
CentOS 7, and Scientific Linux 7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
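Before closing tickets on the strength of this mail, it is worth checking which of the advisory's CVEs the Ksplice update actually covers: the header's CVE line minus the "will not be providing" exclusions, and which exclusions also carry a description below. The following is an added example, not Oracle's or Ksplice's code. It parses a constructed excerpt of this advisory (the CVE line, the exclusion sentence as it was posted, including the repeated CVE-2013-4312, and the description headings) and also decides whether this host needs the manual uptrack-upgrade step. The uptrack.conf parsing rules assumed here ('#' starts a comment, the key may sit under any section) and the function names are assumptions, not Ksplice's own.

```python
"""Triage a Ksplice advisory mail against the update it announces.

Added example; this is not Oracle Ksplice code.  It answers two questions a
practitioner asks when this mail lands: which of the advisory's CVEs does
the Ksplice update actually cover (the header's CVE line minus the
"will not be providing" exclusions), and does this host need a manual
uptrack-upgrade or will autoinstall handle it?
"""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed excerpt of the advisory above: the CVE line, the exclusion
# sentence (as posted, with CVE-2013-4312 repeated) and the description
# headings, embedded so this runs offline.
ADVISORY = """\
Synopsis: RHSA-2016-2574 can now be patched using Ksplice
CVEs: CVE-2015-8374 CVE-2015-8543 CVE-2015-8746 CVE-2015-8812 CVE-2015-8956 CVE-2016-2053 CVE-2016-2069 CVE-2016-2117 CVE-2016-2384 CVE-2016-3070 CVE-2016-3156 CVE-2016-3699 CVE-2016-3841 CVE-2016-4569 CVE-2016-4578 CVE-2016-4581 CVE-2016-4794 CVE-2016-5829 CVE-2016-6136 CVE-2016-6327 CVE-2016-6480

Ksplice will not be providing zero-downtime updates for CVE-2016-3699, CVE-2013-4312, CVE-2016-6198, CVE-2016-6136 and CVE-2013-4312.

DESCRIPTION

* CVE-2015-8543: Denial-of-service on out-of-range protocol for raw sockets.
* CVE-2016-2117: Information leak in Atheros ATL2 transmission.
* CVE-2016-2384: Privilege escalation in USB MIDI device driver.
* CVE-2016-3156: Denial-of-service when removing a network interface.
* CVE-2016-3070: Denial-of-service when migrating dirty pages.
* CVE-2016-2069: Race condition in the TLB flush logic on multi-processors.
* CVE-2015-8746: Denial-of-service in NFS v4.2 client migration recovery.
* CVE-2015-8812: Use-after-free in InfiniBand CXGB3 driver on network congestion.
* CVE-2015-8956: NULL pointer dereference in the Bluetooth stack.
* CVE-2016-2053: Denial-of-service in ASN.1 BER decoding.
* CVE-2016-3699: Secure Boot bypass in ACPI table interface.
* CVE-2016-4578, CVE-2016-4569: Information leak in sound timers.
* CVE-2016-4581: Denial-of-service in slave mount propagation.
* CVE-2016-5829: Memory corruption in unknown USB HID devices.
* CVE-2016-6327: Denial-of-service in InfiniBand task management.
* CVE-2016-6480: Denial-of-service in Adaptec AACRAID driver.
* CVE-2016-4794: Use-after-free in per-cpu memory allocator.
* CVE-2016-6136: Audit log message spoofing.
* CVE-2015-8374: Information leak when truncating a compressed and inlined extent on Btrfs.
* CVE-2016-3841: Use-after-free accessing the IPv6 transmit options.
"""


def parse_advisory(text):
    """Pull the three CVE sets out of a Ksplice advisory mail."""
    listed, excluded, described = set(), set(), set()
    for line in text.splitlines():
        if line.startswith("CVEs:"):
            listed.update(CVE_RE.findall(line))
        elif "will not be providing" in line:
            # A set silently absorbs the repeated CVE in the exclusion sentence.
            excluded.update(CVE_RE.findall(line))
        elif line.startswith("* "):
            described.update(CVE_RE.findall(line))
    return {"listed": listed, "excluded": excluded, "described": described}


def triage(text):
    """Which CVEs this update closes, plus the inconsistencies worth a second look."""
    s = parse_advisory(text)
    return {
        **s,
        # What you may mark as fixed once uptrack-upgrade succeeds.
        "covered": s["listed"] - s["excluded"],
        # Excluded yet described: read the description, do not close the ticket.
        "excluded_but_described": s["excluded"] & s["described"],
        # Excluded CVEs that do not appear in this advisory's CVE line at all.
        "excluded_not_listed": s["excluded"] - s["listed"],
        # Listed CVEs with no description paragraph.
        "listed_not_described": s["listed"] - s["described"],
    }


def autoinstall_enabled(conf_text):
    """True if uptrack.conf sets 'autoinstall = yes'.

    Assumes '#' starts a comment and the key may appear under any section
    (hypothetical parsing rules; check your own /etc/uptrack/uptrack.conf).
    """
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"autoinstall\s*=\s*(\S+)$", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "yes"
    return False


def next_action(conf_text):
    """The step the advisory asks for on this host."""
    if autoinstall_enabled(conf_text):
        return "none: Uptrack will install the updates automatically"
    return "/usr/sbin/uptrack-upgrade -y"


if __name__ == "__main__":
    r = triage(ADVISORY)
    print("covered by Ksplice:", len(r["covered"]), "of", len(r["listed"]))
    print("excluded but described:", sorted(r["excluded_but_described"]))
    print("excluded, not in CVE line:", sorted(r["excluded_not_listed"]))
    try:
        with open("/etc/uptrack/uptrack.conf") as f:
            print("next step:", next_action(f.read()))
    except OSError:
        print("next step (no uptrack.conf here):", next_action(""))
```

Run against the text above it reports 19 of the 21 listed CVEs as covered, flags CVE-2016-3699 and CVE-2016-6136 as excluded from the Ksplice update yet described below, and CVE-2013-4312 and CVE-2016-6198 as excluded although absent from the CVE line. Take those four to the RHSA itself, or to a reboot onto the updated kernel, rather than closing them on this mail alone.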


DESCRIPTION

* CVE-2015-8543: Denial-of-service on out-of-range protocol for raw sockets.

It was discovered that a local user permitted to create raw sockets could
cause a denial-of-service by specifying an invalid protocol number for the
socket.


* CVE-2016-2117: Information leak in Atheros ATL2 transmission.

The Atheros ATL2 driver advertised features that weren't supported by
the hardware and this could result in a buffer overflow, leaking the
contents of kernel memory into transmitted packets.


* CVE-2016-2384: Privilege escalation in USB MIDI device driver.

The USB MIDI device driver does not correctly free memory when it fails to
initialize an endpoint, which can cause a use-after-free condition. A
local unprivileged user can use this flaw to trigger kernel code
execution.


* CVE-2016-3156: Denial-of-service when removing a network interface.

Removal of a network interface with lots of IPv4 addresses may lead to the
kernel hanging for a long time, with all network operation blocked.  A
local, privileged user in a container could use this flaw to block network
access and cause a denial-of-service.


* CVE-2016-3070: Denial-of-service when migrating dirty pages.

A NULL pointer dereference could happen when migrating dirty pages from an
AIO ring buffer to another node.  A local, unprivileged user could use this
flaw to cause a denial-of-service.


* CVE-2016-2069: Race condition in the TLB flush logic on multi-processors.

A race condition in the TLB flush logic when modifying paging structures
could lead to stale entries in the local TLB after switching to a new
process.  A local attacker could use this flaw to cause a denial-of-service
or potentially escalate privileges.


* CVE-2015-8746: Denial-of-service in NFS v4.2 client migration recovery.

The kernel NFS v4.2 client does not correctly handle recovery from
server migration, which can trigger a NULL pointer dereference and kernel
panic.


* CVE-2015-8812: Use-after-free in InfiniBand CXGB3 driver on network congestion.

A logic error in the InfiniBand CXGB3 driver could lead to a use-after-free
of a socket buffer when the network is congested.  A local, unprivileged
user could use this flaw to cause a kernel crash or potentially escalate
privileges.


* CVE-2015-8956: NULL pointer dereference in the Bluetooth stack.

A missing NULL pointer check when binding to a Bluetooth socket could cause
a NULL pointer dereference.  A local user with privileges to bind a
Bluetooth socket could use this flaw to cause a denial-of-service.


* CVE-2016-2053: Denial-of-service in ASN.1 BER decoding.

The kernel ASN.1 BER decoder does not correctly handle missing elements,
which can trigger a kernel panic when parsing malformed BER data from
userspace.


* CVE-2016-3699: Secure Boot bypass in ACPI table interface.

The securelevel facility does not prevent users from changing ACPI
tables which can allow local privileged users to bypass UEFI Secure Boot
restrictions.


* CVE-2016-4578, CVE-2016-4569: Information leak in sound timers.

Missing initialization of stack data structures could result in leaking
the contents of kernel stack memory to user-space.  A local user with
access to the sound device could use this flaw to infer the layout of
kernel memory.


* CVE-2016-4581: Denial-of-service in slave mount propagation.

Incorrect handling of mount propagation could result in a NULL pointer
dereference.  A local, unprivileged user could use this flaw to crash
the system.


* CVE-2016-5829: Memory corruption in unknown USB HID devices.

The USB HID driver does not validate USB data when an unknown HID device
is encountered, which can allow a malicious USB device to trigger kernel
memory corruption and gain code execution.


* CVE-2016-6327: Denial-of-service in InfiniBand task management.

The InfiniBand SRP target does not correctly validate commands, which can
allow a local user to trigger a NULL pointer dereference and kernel
panic by issuing an ABORT_TASK command.


* CVE-2016-6480: Denial-of-service in Adaptec AACRAID driver.

A race condition in fetching parameters from userspace could result in
accessing beyond the bounds of a buffer.  A local user with privileges
to access the device could use this flaw to crash the system.


* CVE-2016-4794: Use-after-free in per-cpu memory allocator.

Due to incorrect synchronization between synchronous map extension and
chunk destruction, a local user with the ability to call BPF programs
could cause a use-after-free and potentially escalate privileges.


* CVE-2016-6136: Audit log message spoofing.

A race condition when copying parameters from user-space could allow a
malicious user to spoof log messages in the audit subsystem, to
misrepresent commands or potentially evade logging.


* CVE-2015-8374: Information leak when truncating a compressed and inlined extent on Btrfs.

An information leak vulnerability was found when truncating a file to a
smaller size which consists of an inline extent that is compressed. The
data between the new file size and the old file size was not discarded,
allowing another user to read it through the clone ioctl.


* CVE-2016-3841: Use-after-free accessing the IPv6 transmit options.

Incorrect locking when accessing the IPv6 options in various places in the
network stack could lead to a use-after-free on concurrent destruction.  A
local user could use this flaw to cause a denial-of-service or potentially
escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
