[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-5235)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Apr 24 02:07:42 PDT 2014


Synopsis: FEDORA-2014-5235 can now be patched using Ksplice
CVEs: CVE-2014-0155 CVE-2014-2851

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-5235.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
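As an added example (not part of the Ksplice announcement), the following POSIX shell functions read /etc/uptrack/uptrack.conf, report whether "autoinstall = yes" is in effect, and otherwise print the manual command above; the config grammar (key = value lines, '#' comments, last assignment wins) and the function names are assumptions, not something the announcement specifies.

```shell
#!/bin/sh
# Added example, not Oracle's code: decide whether this Fedora 20 host will
# pick up FEDORA-2014-5235 on its own or needs a manual uptrack-upgrade run.
# The file path and key name come from the announcement; the parsing rules
# (key = value, '#' comments, last assignment wins) are assumed.

# Print the effective value of KEY in an uptrack.conf-style file CONF.
# Comments and blank lines are ignored, surrounding whitespace stripped,
# and the last assignment wins. Prints nothing if the key is absent.
uptrack_conf_get() {
    conf="$1"; key="$2"
    [ -r "$conf" ] || return 1
    sed -n -e 's/#.*$//' \
           -e "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" \
           "$conf" | tail -n 1
}

# Exit status 0 if CONF enables autoinstall (value "yes", any case), else 1.
uptrack_autoinstall_enabled() {
    v=$(uptrack_conf_get "$1" autoinstall) || return 1
    case "$v" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the action the announcement prescribes for the host described by CONF.
ksplice_update_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall: updates for FEDORA-2014-5235 apply automatically"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}
```

Call `ksplice_update_plan /etc/uptrack/uptrack.conf` on the host; a missing or unreadable file is reported as needing the manual run.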


DESCRIPTION

* Memory leak in SCTP stack on COOKIE ECHO error path.

A flaw in the SCTP stack's COOKIE ECHO handling when memory is constrained
could lead to a memory leak. A remote attacker could use this flaw to
exhaust the memory on the system and cause a denial-of-service.


* Denial-of-service in Bridge code on receiving malformed MFD queries.

A lack of input validation in the bridge code when handling MFD queries
could lead to multicast ports being shut down. A remote attacker could use
this flaw to cause a denial-of-service.


* Memory leak in TIPC code when sending a message on a closed connection.

Incorrect reference counting in the error path of tipc_conn_sendmsg() when
the connection is found to be closed could lead to a memory leak. A local,
unprivileged user could use this flaw to exhaust the memory on the system
and cause a denial-of-service.


* Denial-of-service in IPv4 fragmentation code on evicting fragments.

A race condition in the IPv4 fragmentation code could lead to a kernel
crash under specific conditions. A local, privileged user could use this
flaw to cause a denial-of-service.


* Deadlock in Stochastic Fairness Queueing packet scheduling algorithm.

Incorrect locking in the Stochastic Fairness Queueing scheduling algorithm
could lead to a memory allocation which might sleep with interrupts
disabled, causing a deadlock.


* Deadlock in TCP stack on software checksum calculation.

A logic error in the TCP stack when the NIC has no support for RX checksum
could lead to a deadlock under specific conditions.


* NULL pointer dereference in VXLAN code when handling ARP requests.

A lack of input validation in the VXLAN code could lead to a NULL pointer
dereference when memory is constrained. A remote attacker could use this
flaw to cause a denial-of-service.


* Denial-of-service in TIPC stack on failed subscriptions.

Incorrect locking in the TIPC stack could lead to spinlock recursion. A
remote authenticated attacker could use this flaw to cause a
denial-of-service.


* Memory leak in IP tunnel stack when dropping a multicast packet.

Incorrect reference counting in the IP tunnel code could lead to a memory
leak when dropping a multicast packet. A local, unprivileged user could
use this flaw to cause a denial-of-service by exhausting the host memory.


* Double-free in virtio-net on packet transmission.

Incorrect logic in the virtio-net driver could lead to a double-free under
specific circumstances. A local user could use this flaw to cause a kernel
crash or potentially escalate privileges.


* Deadlocks in IPv6 stack when updating statistic counters.

Incorrect locking in various places in the IPv6 stack could lead to a
deadlock when updating statistic counters.


* Memory corruption in ISDN loop driver.

A lack of input validation in various places in the ISDN loop driver could
lead to out-of-bounds memory accesses. A local, unprivileged user could use
these flaws to cause a denial-of-service or potentially escalate
privileges.


* CVE-2014-0155: Denial-of-service on KVM host when handling end of interrupts.

A lack of input validation in KVM hosts when handling the redirection table
of an emulated interrupt controller could lead to a crash of the host. A
local, privileged user of a guest could use this flaw to cause a
denial-of-service via a specifically crafted redirection table entry.


* CVE-2014-2851: Integer overflow when initializing a ping socket.

Incorrect reference counting in the error path of ping_init_sock() leads to
a memory leak and could result in a reference-count integer overflow and
use-after-free. A local, unprivileged user could use this flaw to cause a
denial-of-service or potentially to escalate privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
