[Ksplice][Fedora-17-updates] New updates available via Ksplice (FEDORA-2013-7826)

Jamie Iles jamie.iles at oracle.com
Thu May 16 08:50:49 PDT 2013


Synopsis: FEDORA-2013-7826 can now be patched using Ksplice
CVEs: CVE-2013-0160

Systems running Fedora 17 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2013-7826.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 17 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
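The following script is an added example, not part of the Ksplice announcement or of the Uptrack tooling: it checks whether a host will pick up the update on its own (the "autoinstall = yes" setting above) and otherwise runs the manual upgrade command the announcement gives. It assumes /etc/uptrack/uptrack.conf is an INI-style file of "key = value" lines with "#" or ";" comments; the sample configuration it writes under mktemp is constructed for the demo, and the upgrade command can be substituted so the logic can be exercised without Uptrack installed.

```shell
#!/bin/sh
# Added example (not from the Ksplice announcement): decide whether an
# Uptrack-managed host will install this update by itself, and if not,
# run the manual command from the announcement.
#
# Assumption: uptrack.conf is INI-style, "key = value" per line, with
# "#" or ";" starting a comment. Sample files below are constructed.

# Print "yes" if autoinstall is enabled in the given config file, else "no".
# Comment text and surrounding whitespace are ignored, the key matches
# case-insensitively, and the value must be exactly "yes".
uptrack_autoinstall_enabled() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo no
        return 0
    fi
    if sed -e 's/[#;].*$//' "$conf" \
        | grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$'; then
        echo yes
    else
        echo no
    fi
}

# Apply the update the way the announcement describes: do nothing when
# autoinstall is on (Uptrack installs it), otherwise run the manual command.
# The command is a parameter so a dry-run substitute can be passed in.
apply_ksplice_update() {
    conf="$1"
    upgrade_cmd="${2:-/usr/sbin/uptrack-upgrade -y}"
    if [ "$(uptrack_autoinstall_enabled "$conf")" = yes ]; then
        echo "autoinstall is on; Uptrack will install FEDORA-2013-7826 itself"
        return 0
    fi
    echo "autoinstall is off; running: $upgrade_cmd"
    $upgrade_cmd
}

# Write a constructed sample config with the given autoinstall value and
# print its path (used by the demo and by tests).
make_sample_conf() {
    dir=$(mktemp -d)
    printf '[Ksplice]\n# comment line\ninstall_on_reboot = yes\nautoinstall = %s\n' "$1" \
        > "$dir/uptrack.conf"
    echo "$dir/uptrack.conf"
}

# Demo run: ./check-uptrack.sh --demo (uses constructed configs and a dry run).
if [ "${1:-}" = "--demo" ]; then
    on=$(make_sample_conf yes)
    off=$(make_sample_conf no)
    apply_ksplice_update "$on"
    apply_ksplice_update "$off" "echo DRY-RUN /usr/sbin/uptrack-upgrade -y"
fi
```

On a real host, point apply_ksplice_update at /etc/uptrack/uptrack.conf and omit the second argument; the comment stripping matters because a commented-out "# autoinstall = yes" must not be taken as enabled.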


DESCRIPTION

* Denial-of-service in RCU tracing files.

A memory leak in the RCU tracing debugfs files could allow an
unprivileged user to leak memory and cause a denial-of-service.


* Denial-of-service in dcache shrinking.

Removing entries from the dcache when there are a large number of open
files could result in a soft-lockup of the system.


* Use-after-free in sysfs read/write accesses.

A race condition between read/write accesses and readdir calls on sysfs
directories could result in a use-after-free and kernel crash.


* Denial-of-service in /proc/fs/fscache/stats.

A memory leak in /proc/fs/fscache/stats could allow an unprivileged user
to leak memory and cause a denial-of-service.


* Improved fix to CVE-2013-0160.

The original upstream fix for CVE-2013-0160 did not guard against the device
files being monitored with fsnotify and was still exploitable.


* Kernel crash in cgroup process attachment.

Incorrect initialization could cause the kernel to crash on memory
allocation failure when under heavy memory pressure.


* Use-after-free in frame buffer console fonts.

Changing framebuffer consoles did not correctly handle font data, resulting
in a use-after-free and kernel crash.


* Double-free in cgroup extended attributes.

Due to erroneous ownership logic, memory allocated for extended attributes
would be freed more than once. A malicious local user could potentially
use this to cause denial of service by crashing the kernel.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
