[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-9466)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Aug 18 09:20:48 PDT 2014


Synopsis: FEDORA-2014-9466 can now be patched using Ksplice
CVEs: CVE-2014-5206 CVE-2014-5207

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-9466.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Remote information leak in Broadcom genet driver.

The padding of short packets was not filled with zero, leading to leaking
information about the running kernel in short packets sent over ethernet. A
remote attacker could use this flaw to gain information that can be used in
an attack.


* Use-after-free in Transformation user configuration interface (xfrm).

The function xfrm_lookup() did not take a reference on the destination
entry on lookup, potentially leading to the destination entry being
released while still in use. This could cause a use-after-free and kernel
panic.


* NULL pointer dereference in sendmsg() syscall.

A flaw in the sendmsg() syscall could lead to a NULL pointer dereference
when using sendmsg() with a message length of zero. A local, unprivileged
user could use this flaw to cause a denial-of-service.


* Denial-of-service in networking stack when copying io vectors.

A missing check on the size of the io vector when copying it could result in
dereferencing invalid memory and a kernel panic. A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Deadlock in SCTP protocol stack when transmitting a packet.

Improper use of the macro IP_INC_STATS_BH() to update the network
statistics when transmitting a packet in the SCTP stack in user context
could lead to a deadlock. A local, unprivileged user could use this flaw to
cause a denial-of-service.


* CVE-2014-5206, CVE-2014-5207: Privilege escalation on remount with user namespaces.

Incorrect handling of bind-mounts in a user-namespace could allow an
unprivileged local user to remount a filesystem to make a read-only
filesystem writable or to allow creation of setuid binaries or device
nodes.  This could be used to escalate privileges.

Existing bind mounts in running namespaces with the noatime, noexec, nodev
or ro options should be restarted to apply the new protections.
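
To find the bind mounts this applies to, the following added example (not part of the original advisory and not Oracle or Ksplice tooling) parses the kernel's mountinfo table and lists likely bind mounts that carry any of the options named above. The function names, the bind-mount heuristic and the sample table are assumptions made for illustration; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: list likely bind mounts carrying the options named above.
FLAGS="ro nodev noexec noatime"   # per-mount options listed in the advisory

# Constructed sample in /proc/<pid>/mountinfo format (not real system data).
sample_mountinfo() {
    cat <<'EOF'
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
40 22 8:1 /srv/data /var/chroot/data ro,nodev,relatime - ext4 /dev/sda1 rw
41 22 8:2 / /home rw,noatime - ext4 /dev/sda2 rw
42 22 8:1 /opt/tools /jail/tools rw,noexec,nosuid,relatime - ext4 /dev/sda1 rw
43 22 0:35 / /tmp rw,nodev - tmpfs tmpfs rw
EOF
}

# list_flagged_bind_mounts [FILE]
# Prints "mountpoint<TAB>matched-options"; FILE defaults to this process's view.
list_flagged_bind_mounts() {
    mi=${1:-/proc/self/mountinfo}
    awk -v flags="$FLAGS" '
    BEGIN { n = split(flags, want, " ") }
    # Pass 1: count how often each device (field 3, major:minor) is mounted.
    NR == FNR { seen[$3]++; next }
    {
        # Assumed heuristic: a mount is treated as a bind mount when its root
        # within the filesystem (field 4) is not "/" or when the same device
        # is mounted more than once. The original mount of a shared device
        # is therefore also inspected.
        if ($4 == "/" && seen[$3] < 2) next
        # Field 6 holds the per-mount options; super-block options come later.
        m = split($6, opts, ","); hit = ""
        for (i = 1; i <= m; i++)
            for (j = 1; j <= n; j++)
                if (opts[i] == want[j]) hit = hit (hit == "" ? "" : ",") opts[i]
        if (hit != "") printf "%s\t%s\n", $5, hit
    }' "$mi" "$mi"
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp) && sample_mountinfo > "$tmp" && list_flagged_bind_mounts "$tmp"
rm -f "$tmp"
```

Pass /proc/PID/mountinfo as FILE to inspect the mount namespace of another running process.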


* Kernel crash in Broadcom BNX2X driver during TCP offload.

Incorrect unmapping of transmitted packets could result in a kernel
crash when a TCP packet was tunneled using TCP segment offloading.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


