[Ksplice][Fedora-14-Updates] New updates available via Ksplice (FEDORA-2011-11103)
Tim Abbott
tabbott at ksplice.com
Wed Aug 24 21:01:28 PDT 2011
Synopsis: FEDORA-2011-11103 can now be patched using Ksplice
CVEs: CVE-2010-2478 CVE-2011-1017 CVE-2011-1090 CVE-2011-1163 CVE-2011-1577 CVE-2011-1748 CVE-2011-2182 CVE-2011-2213 CVE-2011-2484 CVE-2011-2495 CVE-2011-2497 CVE-2011-2517 CVE-2011-2699 CVE-2011-2707 CVE-2011-2909
Systems running Fedora 14 can now use Ksplice to patch against the latest
Fedora security update, FEDORA-2011-11103.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Fedora 14 install these
updates. You can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to take
any additional action.
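As an added example (not part of the advisory), the shell script below turns the two installation paths above into one check: it reads the "autoinstall" setting and runs the manual upgrade only on hosts that will not install the updates themselves. It assumes /etc/uptrack/uptrack.conf is a plain "key = value" file in which '#' or ';' start a comment line; the advisory names only the setting, not the file layout.

```sh
#!/bin/sh
# Added example (not part of the Ksplice advisory): tell whether this host
# will pick up the FEDORA-2011-11103 Ksplice updates on its own, and run
# the manual upgrade only when it will not.
#
# Assumption: /etc/uptrack/uptrack.conf is a plain "key = value" file in
# which '#' or ';' start a comment line; the advisory names only the
# "autoinstall = yes" setting, not the file layout.

UPTRACK_CONF="${UPTRACK_CONF:-/etc/uptrack/uptrack.conf}"

# uptrack_conf_get KEY FILE: print the effective value of KEY (last
# assignment wins; key match is case-insensitive; whitespace trimmed).
# Returns 1 if the file is unreadable or the key is absent.
uptrack_conf_get() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    conf="$2"
    [ -r "$conf" ] || return 1
    awk -v k="$key" '
        /^[[:space:]]*[#;]/ { next }                 # comment line
        {
            i = index($0, "=")
            if (i == 0) next                         # not "key = value"
            name = tolower(substr($0, 1, i - 1))
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            if (name != k) next
            val = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            found = 1
        }
        END { if (!found) exit 1; print val }' "$conf"
}

# uptrack_autoinstall_enabled [FILE]: exit status 0 when autoinstall is on.
uptrack_autoinstall_enabled() {
    v=$(uptrack_conf_get autoinstall "${1:-$UPTRACK_CONF}") || return 1
    case $(printf '%s' "$v" | tr 'A-Z' 'a-z') in
        yes|true|on|1) return 0 ;;
        *)             return 1 ;;
    esac
}

# apply_updates_if_needed [FILE]: the advisory's manual step, skipped when
# the Uptrack client is configured to install updates itself.
apply_updates_if_needed() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall is on; Uptrack will install the updates itself"
    else
        echo "autoinstall is off or unset; installing now"
        /usr/sbin/uptrack-upgrade -y
    fi
}

# Only act when a config path is given on the command line, so the
# functions above can be sourced and checked without touching the host.
if [ $# -eq 1 ]; then
    apply_updates_if_needed "$1"
fi
```

Run it as "sh check-uptrack.sh /etc/uptrack/uptrack.conf" on each Fedora 14 host; sourcing the file instead makes the two check functions available without running the upgrade.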
DESCRIPTION
* NULL pointer dereference in the USB subsystem.
tty_port_tty_get could return NULL, and usb_wwan_indat_callback dereferenced
the result without checking it, causing a kernel OOPS.
* Heap corruption bug in pmcraid driver.
The pmcraid driver had a bug that allowed a privileged user to cause heap
corruption and other issues.
* Filesystem hang in btrfs.
Unprivileged users could trigger a filesystem rebalancing, which affects
the entire filesystem and may run uninterruptibly for a long time.
* CVE-2010-2478: buffer overflow in the ethtool driver diagnostic tool.
The niu_get_ethtool_tcam_all function used by the ethtool driver
diagnostic tool did not check the size of its output buffer, allowing a
local denial of service vulnerability.
* CVE-2011-1748: NULL pointer dereference vulnerability in the CAN protocol.
A missing check in the can/raw socket release function allowed a NULL
socket argument to be passed in from userspace, allowing a NULL pointer
dereference vulnerability.
* NULL pointer dereference in SCSI subsystem.
A missing NULL pointer check on q->queuedata in scsi_run_queue could cause
a kernel OOPS.
* Integer underflow in CIFS subsystem.
While decoding the string area in a SESSION_SETUP response, a missing
check on the number of bytes remaining to be decoded could underflow.
* Buffer overflow in the CIFS subsystem.
A missing check in password processing allowed a buffer overflow.
* Missing validation of user-supplied data in the megaraid_sas driver.
The user-supplied ioc->sgl[i].iov_len was not validated before being
passed to dma_alloc_coherent, allowing a kernel OOPS.
* ext3 filesystem corruption when no space is left on the device.
When make_indexed_dir failed because there was no space left on the
device, not all changed buffers were being marked as dirty and thus being
written to disk, corrupting the directory.
* CVE-2011-2182: Incomplete fix for CVE-2011-1017 buffer overflow in ldm_frag_add.
The patch for CVE-2011-1017 (buffer overflow in ldm_frag_add) did not
handle some edge cases allowing for buffer overflows in the ldm_frag_add
function of the Windows Logical Disk Manager.
* CVE-2011-2517: buffer overflow in the nl80211 driver.
Missing checks on the length of SSIDs passed in the trigger_scan and
sched_scan operations of the nl80211 driver allowed a buffer overflow when
copying an over-long SSID.
* CVE-2011-2213: denial of service via crafted inet_diag bytecode in the ipv4 subsystem.
inet_diag_bc_audit did not sufficiently validate the INET_DIAG_REQ_BYTECODE
filter supplied with an inet_diag request, allowing a local user to submit
malformed bytecode that sent the kernel into an infinite loop.
* CVE-2011-2495: Information leak in /proc/PID/io.
/proc/PID/io could be used for gathering private information and did not
have access restrictions.
* CVE-2011-2707: Arbitrary read vulnerability in ptrace.
A missing access control check in the ptrace_setxregs() function in the
xtensa architecture allowed an unprivileged user to read arbitrary kernel
memory.
* System freeze in JMicron driver.
A missing dma_unmap in the JMicron ethernet device driver caused system
freezes under heavy loads.
* TKIP replay vulnerability in the mac80211 driver.
Missing protections against a TKIP replay vulnerability allowed an
attacker to take a QoS packet with TID 0 and replay it as a non-QoS
packet.
* CVE-2011-2909: Information leak in comedi driver.
The do_devinfo_ioctl function in the comedi driver incorrectly copied
uninitialized memory beyond the end of a string to user space.
* CVE-2011-2497: Buffer overflow in the Bluetooth subsystem.
A small user-provided value for the command size field in the command
header of an L2CAP configuration request could cause a buffer overflow.
* CVE-2011-2699: Predictable IPv6 fragment identification numbers.
The IPv6 fragment identification generator used a single global counter, so
fragment IDs were predictable and a remote attacker could forge fragments
to cause a denial of service.
* CVE-2011-1017: kernel OOPS caused by corrupted LDM partition table.
Missing validation in the LDM subsystem could cause a kernel OOPS on
certain corrupted LDM partitions.
* CVE-2011-1090: local denial of service attack in the NFS subsystem.
The __nfs4_proc_set_acl function stored NFSv4 ACL data in memory that was
allocated but not properly freed, allowing a local denial of service
attack via a crafted attempt to set an ACL.
* CVE-2011-1163: Information leak from a corrupted OSF partition table.
The osf_partition function in fs/partitions/osf.c did not properly handle
an invalid number of partitions, allowing a local information leak of
potentially sensitive data.
* CVE-2011-1577: kernel OOPS caused by corrupted GUID partition tables.
A heap-based buffer overflow in the is_gpt_valid function of the EFI
partition logic allowed a local denial of service attack via a crafted
size of the EFI GUID partition-table header on removable media.
* CVE-2011-2484: denial of service attack in taskstats kernel reporting utility.
The add_del_listener function in kernel/taskstats.c did not prevent
multiple registrations of exit handlers, allowing a local denial of
service attack via a crafted application.
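Several entries above share one shape: a count or size field read from untrusted on-disk or user-supplied data is used as a loop bound without being checked against the fixed-size structure it indexes (CVE-2011-1163's partition count in osf_partition, and CVE-2010-2478's unchecked entry count in niu_get_ethtool_tcam_all). The C program below is an added example, written for this page and not code from the advisory or from the kernel; it models that bug class in user space with a simplified stand-in for the OSF disklabel (assumed layout: 4-byte magic, 2-byte partition count, 2 bytes of padding, then eight slots of little-endian {offset, size}) and shows the unchecked parser handing back "partitions" built from bytes past the real table, beside the parser with the missing check.

```c
/* Added example for this advisory (not code from the advisory or from the
 * kernel): a user-space model of the CVE-2011-1163 bug class, an on-disk
 * partition count used as a loop bound without a check against the fixed
 * table it indexes.  The layout is a simplified stand-in (assumption):
 * 4-byte magic, 2-byte count, 2 bytes pad, then MAX_OSF_PARTITIONS slots
 * of {uint32 offset, uint32 size}, all little-endian, inside one sector. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_OSF_PARTITIONS 8
#define SECTOR_SIZE        512
#define COUNT_OFF          4
#define TABLE_OFF          8
#define SLOT_SIZE          8
#define OSF_MAGIC          0x82564557u   /* magic value used by this model */
#define STALE_BYTE         0xA5          /* stands in for memory past the label */

struct partition { uint32_t offset; uint32_t size; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Copy n table slots out of the sector.  The SECTOR_SIZE bound exists only
 * to keep this demo memory-safe; the kernel loop had no bound at all. */
static int read_slots(const uint8_t *sector, unsigned n, struct partition *out, size_t max_out)
{
    unsigned i;
    for (i = 0; i < n && i < max_out; i++) {
        size_t off = TABLE_OFF + (size_t)i * SLOT_SIZE;
        if (off + SLOT_SIZE > SECTOR_SIZE)
            break;
        out[i].offset = rd32(sector + off);
        out[i].size   = rd32(sector + off + 4);
    }
    return (int)i;
}

/* Vulnerable shape: the count is trusted, so a crafted label makes the
 * parser return entries built from whatever follows the real table. */
int parse_osf_unchecked(const uint8_t *sector, struct partition *out, size_t max_out)
{
    if (rd32(sector) != OSF_MAGIC)
        return -1;
    return read_slots(sector, rd16(sector + COUNT_OFF), out, max_out);
}

/* Fixed shape: reject any count larger than the table the label carries. */
int parse_osf_checked(const uint8_t *sector, struct partition *out, size_t max_out)
{
    unsigned n;
    if (rd32(sector) != OSF_MAGIC)
        return -1;
    n = rd16(sector + COUNT_OFF);
    if (n > MAX_OSF_PARTITIONS)
        return -1;                       /* the check the fix adds */
    return read_slots(sector, n, out, max_out);
}

/* Constructed input: a valid 8-slot table followed by STALE_BYTE filler
 * representing whatever happened to sit after the label in memory. */
void build_sample_sector(uint8_t sector[SECTOR_SIZE], uint16_t claimed_count)
{
    unsigned i;
    memset(sector, STALE_BYTE, SECTOR_SIZE);
    memset(sector, 0, TABLE_OFF + MAX_OSF_PARTITIONS * SLOT_SIZE);
    wr32(sector, OSF_MAGIC);
    sector[COUNT_OFF]     = (uint8_t)claimed_count;
    sector[COUNT_OFF + 1] = (uint8_t)(claimed_count >> 8);
    for (i = 0; i < MAX_OSF_PARTITIONS; i++) {
        uint8_t *slot = sector + TABLE_OFF + i * SLOT_SIZE;
        wr32(slot, 2048 + i * 1024);     /* offset */
        wr32(slot + 4, 1024);            /* size   */
    }
}

/* Count entries made entirely of filler, i.e. data the parser leaked. */
int count_leaked(const struct partition *parts, int n)
{
    int i, leaked = 0;
    for (i = 0; i < n; i++)
        if (parts[i].offset == 0xA5A5A5A5u && parts[i].size == 0xA5A5A5A5u)
            leaked++;
    return leaked;
}

int main(void)
{
    uint8_t sector[SECTOR_SIZE];
    struct partition parts[64];
    int n;

    build_sample_sector(sector, 12);     /* claims 12 entries, table holds 8 */
    n = parse_osf_unchecked(sector, parts, 64);
    printf("unchecked: %d entries, %d built from stale memory\n", n, count_leaked(parts, n));
    n = parse_osf_checked(sector, parts, 64);
    printf("checked:   %s\n", n < 0 ? "label rejected" : "label accepted");
    return 0;
}
```

In the kernel the leaked entries became real partitions whose offsets and sizes were visible to any local user, which is why a bad count in a few hundred bytes of removable media turned into an information leak; the check added in parse_osf_checked is the whole fix.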
SUPPORT
Ksplice support is available at support at ksplice.com or +1 765-577-5423.