[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2014-15721)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Dec 4 15:46:23 PST 2014


Synopsis: FEDORA-2014-15721 can now be patched using Ksplice

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2014-15721.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* NULL pointer dereference in Virtual eXtensible LAN over IPv6.

A flaw in the Virtual eXtensible LAN kernel driver could lead to a NULL
pointer dereference when creating a VXLAN over IPv6 if another VXLAN has
the same source port in use over IPv4. A local, privileged user could use
this flaw to crash the kernel and cause a denial-of-service.


* Kernel BUG in point-to-point stack when setting pass/active filters.

Incorrect locking in the point-to-point stack when doing an ioctl() to set
the pass or active filters could lead to sleeping in atomic context, causing
a kernel BUG(). A local, privileged user could use this flaw to cause a
denial-of-service.


* Memory leak in SCTP authentication key management.

Incorrect reference counting when setting the SCTP_AUTH_KEY socket option
on an SCTP socket leads to a memory leak of sensitive keying material.

A local, unprivileged user could use this flaw to exhaust the memory on the
system and cause a denial-of-service. An attacker with memory read access
could also later gain sensitive information about the keys.


* Kernel panic in zram sub-system when unmapping a page.

A flaw in the zram sub-system could lead to trying to unmap a NULL pointer,
leading to a kernel panic. An attacker could use this flaw to cause a
denial-of-service under specific conditions.


* Memory leak in Cryptographic Accelerator and Assurance Module on key generation.

A flaw in the crypto CAAM driver leaves the input DMA area mapped when
mapping the output DMA area fails during key generation, leading to a
memory leak. A local user could use this flaw to exhaust the DMA memory
pool and cause a denial-of-service.
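The error-path pattern behind this leak (the first of two resources stays
acquired when acquiring the second fails) is easy to see in a small
stand-alone program. The following is an added illustration, not the Linux
CAAM driver's code: fake_dma_map()/fake_dma_unmap() are constructed stand-ins
that only count outstanding mappings, and the fault injection flag is a
constructed way to make the second mapping fail.

```c
/* Added illustration of the "input left mapped when output mapping fails"
 * leak pattern. Not the CAAM driver's code: the map/unmap calls below are
 * constructed stand-ins that track outstanding mappings so the leak can be
 * measured, and fail_next_map is constructed fault injection. */
#include <stdio.h>
#include <stdbool.h>

static int outstanding_mappings;   /* number of buffers currently mapped */
static bool fail_next_map;         /* constructed: make the next map call fail */

/* Stand-in for a DMA map call: non-zero handle on success, 0 on failure. */
static unsigned long fake_dma_map(const void *buf)
{
    if (fail_next_map) {
        fail_next_map = false;
        return 0;
    }
    outstanding_mappings++;
    return (unsigned long)buf;
}

/* Stand-in for a DMA unmap call. */
static void fake_dma_unmap(unsigned long handle)
{
    (void)handle;
    outstanding_mappings--;
}

/* Leaky shape: if the output mapping fails, the input mapping is never
 * released, so every failing call leaks one mapping. */
static int keygen_leaky(const void *in, void *out, bool inject_fault)
{
    unsigned long in_dma = fake_dma_map(in);
    if (!in_dma)
        return -1;
    fail_next_map = inject_fault;
    unsigned long out_dma = fake_dma_map(out);
    if (!out_dma)
        return -1;                 /* BUG: in_dma is still mapped */
    /* ... the key generation operation would run here ... */
    fake_dma_unmap(out_dma);
    fake_dma_unmap(in_dma);
    return 0;
}

/* Fixed shape: each failure path releases everything acquired before it. */
static int keygen_fixed(const void *in, void *out, bool inject_fault)
{
    unsigned long in_dma = fake_dma_map(in);
    if (!in_dma)
        return -1;
    fail_next_map = inject_fault;
    unsigned long out_dma = fake_dma_map(out);
    if (!out_dma) {
        fake_dma_unmap(in_dma);    /* undo the earlier mapping */
        return -1;
    }
    fake_dma_unmap(out_dma);
    fake_dma_unmap(in_dma);
    return 0;
}

/* Runs one call of fn and returns how many mappings it left outstanding. */
static int leaked_after(int (*fn)(const void *, void *, bool), bool inject_fault)
{
    static char in[16], out[16];   /* constructed sample buffers */
    int before = outstanding_mappings;
    fn(in, out, inject_fault);
    return outstanding_mappings - before;
}

int main(void)
{
    printf("leaky, fault injected: %d mapping(s) leaked\n", leaked_after(keygen_leaky, true));
    printf("fixed, fault injected: %d mapping(s) leaked\n", leaked_after(keygen_fixed, true));
    printf("fixed, no fault:       %d mapping(s) leaked\n", leaked_after(keygen_fixed, false));
    return 0;
}
```

Counting outstanding mappings around a call with injected failure is the same
check a driver regression test would do; with a real DMA pool the leak would
show up as map failures for unrelated callers once the pool is exhausted.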


* NULL pointer dereference in Cryptographic Accelerator and Assurance Module.

Incorrect use of scatter-gather functions for DMA operations in the crypto
CAAM module could lead to dereferencing a NULL pointer when updating the
crypto hash multiple times. A local user could use this flaw to cause a
denial-of-service.


* Invalid memory access in KVM x86 emulator.

The KVM x86 emulator fails to initialize the operand type to immediate for
specific instructions, so the previous operand type may be reused, causing
invalid read/write access to memory. A local attacker could use this flaw
to crash the guest kernel or potentially elevate privileges.


* Denial-of-service in audit watch sub-system on inode cache eviction.

The audit sub-system does not pin the inode being watched, so the watch rule
is ignored if that inode is evicted from the cache. A local user could use
this flaw to bypass audit watch rules.


* Use-after-free in MAC80211 when registering a new radio.

Lack of unregistering IEEE80211 hardware in the error path of
mac80211_hwsim_create_radio() leads to a use-after-free and possible kernel
panic. A local, privileged user could use this flaw to cause a
denial-of-service.


* Divide by zero in Intel 915 when computing minimum brightness.

Input data read from the VBT information is not validated, which could lead
to a division by zero in the kernel if the retrieved data is bogus. This
could cause a kernel panic and denial-of-service.


* Invalid memory access when updating bandwidth in Radeon graphics drivers.

Radeon graphics drivers lack a check that the device has been fully
initialized before updating its bandwidth, potentially leading to the use of
uninitialized memory and a kernel panic on the suspend path. An attacker
could use this flaw to cause a denial-of-service.


* Information leak in Firewire stack when doing an ioctl.

An uninitialized variable on the stack could be leaked to userspace when
doing an ioctl() on a Firewire char device. An attacker could use this flaw
to gain knowledge about the running kernel in order to facilitate an
attack.


* Memory leak in NFS stack when releasing a direct request.

The routine that releases a direct request in the NFS stack did not release
an internal cinfo structure, leading to a memory leak. A local user could
use this flaw to exhaust the memory on the system and cause a
denial-of-service.


* Use-after-free in IEEE80211 stack when defragmenting a packet.

A flaw in the IEEE80211 stack upon receiving a fragmented packet leads to a
use-after-free and kernel panic when updating the network statistics. An
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference in CPUfreq sub-system on resume path.

A missing check that the CPUfreq policy isn't NULL when restoring the
policy during a system resume could lead to a NULL pointer dereference. A
local user could use this flaw to cause a denial-of-service.


* Kernel BUG in SunRPC stack when stringifying an acceptor.

Incorrect locking in the SunRPC gss_stringify_acceptor() function could
lead to sleeping in atomic context, causing a kernel BUG. An attacker
could use this flaw to cause a denial-of-service.


* Buffer overflow in DEC2000 and DEC3000 USB adapters.

A lack of input validation when copying an ioctl command could lead to a
stack buffer overflow, causing a kernel panic. A local user could use this
flaw to cause a denial-of-service or potentially escalate privileges.


* Information leak in InfiniBand core stack when creating an address handle.

A missing structure initialization leads to leaking kernel memory to user
space. A local user could use this flaw to gain sensitive information about
the running kernel in order to facilitate an attack.


* Out of bounds memory read access in Netfilter stack.

A logic error in the Netfilter stack when getting a reference to a netlink
socket leads to reading memory past an array boundary, potentially
causing a kernel panic. A local user could use this flaw to cause a
denial-of-service.


* NULL pointer dereference when creating a new netfilter chain.

A logic error when testing the result of a per-CPU allocation could lead
to a NULL pointer dereference. A local, privileged user could use this flaw
to cause a denial-of-service.


* Memory leak in netfilter stack when sending a packet on the netlink socket.

In case of error when appending a DONE message to a netfilter netlink
socket buffer, the socket buffer is never released, causing a memory leak
and blocking further communication on the netlink socket. A local,
privileged user could use this flaw to cause a denial-of-service.


* Out of bounds memory access in Dell WMI hotkeys driver.

A flaw in the Dell WMI driver when notifying of a hotkey event could lead
to dereferencing memory beyond the bounds of a dynamically allocated
array, potentially causing a kernel panic and/or leaking information about
the running kernel. A local user could use this flaw to cause a
denial-of-service or obtain sensitive information about the allocator.


* Kernel panic in libceph AES encryption engine on large authentication packets.

A flaw in the libceph AES encryption engine leads to a kernel panic on
large authentication packets. An attacker could use this flaw to cause a
denial-of-service.


* Integer overflow in netfilter userspace logging with large payloads.

A flaw in the netlink code when sending large payloads to userspace could
lead to an integer overflow and data corruption.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
