[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2015-3594)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Mar 17 08:36:33 PDT 2015


Synopsis: FEDORA-2015-3594 can now be patched using Ksplice
CVEs: CVE-2015-1421 CVE-2015-1593

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-3594.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Information leak when reading IPv4 and IPv6 error queue.

The error queue mechanism (MSG_ERRQUEUE) in IPv4 and IPv6 sockets does
not correctly initialise the kernel data structures it returns, which
causes the contents of kernel memory to be leaked to userspace.
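The flaw above belongs to a common class: the kernel fills in only the
fields it needs, then copies the whole structure to userspace, so any
untouched bytes carry stale kernel memory out with them. The following
added example (illustration only, not the kernel code or the fix that
this update ships) models that pattern on a struct sockaddr_in, whose
sin_zero bytes are a realistic place for such a leak, and contrasts it
with the hardened form that zeroes the structure first. The 0xAA marker,
the copy_to_user() stand-in and the loopback/8080 input are constructed
for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Marker byte standing in for whatever the kernel stack last held. */
#define STALE_BYTE 0xAA

/* Stand-in for copy_to_user(): the point is which bytes cross the boundary. */
static void copy_to_user_sim(void *user, const void *kernel, size_t n)
{
    memcpy(user, kernel, n);
}

/* The struct shares storage with a byte view so the simulated stack can be
   pre-filled with stale data without aliasing tricks. */
union addr_slot {
    unsigned char raw[sizeof(struct sockaddr_in)];
    struct sockaddr_in sin;
};

/* Leaky pattern: fill only the fields the caller needs, then copy out the
   whole struct. sin_zero (8 bytes) is never written and carries stale
   kernel memory to userspace. */
static void recv_error_addr_leaky(struct sockaddr_in *user_out,
                                  uint32_t src_be, uint16_t port_be)
{
    union addr_slot slot;
    memset(slot.raw, STALE_BYTE, sizeof slot.raw);  /* simulate stale stack */
    slot.sin.sin_family = AF_INET;
    slot.sin.sin_port = port_be;
    slot.sin.sin_addr.s_addr = src_be;
    copy_to_user_sim(user_out, &slot.sin, sizeof slot.sin);
}

/* Hardened pattern: zero the entire struct before filling the fields. */
static void recv_error_addr_fixed(struct sockaddr_in *user_out,
                                  uint32_t src_be, uint16_t port_be)
{
    union addr_slot slot;
    memset(slot.raw, STALE_BYTE, sizeof slot.raw);  /* same stale stack */
    memset(&slot.sin, 0, sizeof slot.sin);          /* the one-line fix */
    slot.sin.sin_family = AF_INET;
    slot.sin.sin_port = port_be;
    slot.sin.sin_addr.s_addr = src_be;
    copy_to_user_sim(user_out, &slot.sin, sizeof slot.sin);
}

/* Count how many bytes of the userspace copy still hold the stale marker. */
size_t stale_bytes(const struct sockaddr_in *a)
{
    const unsigned char *p = (const unsigned char *)a;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *a; i++)
        if (p[i] == STALE_BYTE)
            n++;
    return n;
}

/* Constructed input: loopback source, port 8080 (neither encodes a 0xAA byte). */
size_t leaky_stale_count(void)
{
    struct sockaddr_in out;
    recv_error_addr_leaky(&out, htonl(INADDR_LOOPBACK), htons(8080));
    return stale_bytes(&out);
}

size_t fixed_stale_count(void)
{
    struct sockaddr_in out;
    recv_error_addr_fixed(&out, htonl(INADDR_LOOPBACK), htons(8080));
    return stale_bytes(&out);
}

int main(void)
{
    printf("leaky copy: %zu stale bytes, fixed copy: %zu stale bytes\n",
           leaky_stale_count(), fixed_stale_count());
    return 0;
}
```

On Linux struct sockaddr_in is exactly 16 bytes with no padding, so the
leaky copy exports precisely the 8 untouched sin_zero bytes. Zeroing the
whole object before the field writes, rather than zeroing fields one by
one, is the durable fix because it also covers compiler-inserted padding.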


* Denial of service when routing IPv6 atomic fragments.

The kernel IPv6 implementation processes atomic fragments according to
the IPv6 RFC. However, a remote attacker can abuse a property of atomic
fragments to stop IPv6 traffic from being routed, causing a denial of
service.


* CVE-2015-1421: Privilege escalation in SCTP INIT collisions.

Missing reference counting could result in a use-after-free during an
INIT collision when establishing an SCTP association. A remote attacker
could use this flaw to trigger a denial of service or potentially gain
privileges.


* Use-after-free when receiving IPv4 and IPv6 ICMP echo replies.

The kernel IPv4 and IPv6 subsystems incorrectly free memory when
receiving ICMP echo replies which can trigger a use-after-free condition
and kernel panic.


* Kernel panic when receiving compressed PPP data.

The kernel Point-to-Point Protocol (PPP) implementation does not correctly
handle decompressing large PPP packets, which can trigger an assertion
failure and kernel panic.


* Use-after-free when sending large frames via Hyper-V network driver.

The Hyper-V virtual network driver does not correctly handle errors when
sending large frames which allows a guest VM to trigger a use-after-free
condition and kernel panic in the host.


* CVE-2015-1593: Stack layout randomization entropy reduction.

A flaw in the stack base randomization code could result in a reduction
of entropy by a factor of four. An attacker could use this flaw to reduce
the amount of work needed to bypass ASLR.
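A factor of four is two bits of randomness, and the publicly reported
cause of this CVE is an integer-width bug of exactly that size: the
random page count was masked and then shifted by PAGE_SHIFT inside a
32-bit variable, so the top two bits of the 34-bit result were discarded
before the offset was applied. The following added example (not the
kernel's code; STACK_RND_MASK = 0x3fffff and PAGE_SHIFT = 12 are assumed
x86_64 values) reproduces the loss in userspace by measuring how many
output bit positions each variant can actually vary.

```c
#include <stdio.h>

/* Assumed x86_64 values: 22 bits of mask, 4 KiB pages. */
#define STACK_RND_MASK 0x3fffffULL
#define PAGE_SHIFT     12

/* Buggy shape: the shifted offset is held in a 32-bit unsigned int, so the
   top two of the (22 + 12) = 34 significant bits are discarded. */
unsigned long long stack_offset_narrow(unsigned int rnd)
{
    unsigned int random_variable = rnd & STACK_RND_MASK;
    random_variable <<= PAGE_SHIFT;          /* wraps at 32 bits */
    return random_variable;
}

/* Fixed shape: a 64-bit variable holds all 34 bits, keeping the full
   22 bits of entropy (the kernel fix widened the variable to unsigned long,
   which is 64 bits on x86_64). */
unsigned long long stack_offset_wide(unsigned int rnd)
{
    unsigned long long random_variable = rnd & STACK_RND_MASK;
    random_variable <<= PAGE_SHIFT;
    return random_variable;
}

/* Number of output bit positions that a change in the input can affect:
   each single-bit input is compared against the all-zero input, the
   differences are OR-ed together, and the set bits are counted. */
int entropy_bits(unsigned long long (*offset)(unsigned int))
{
    unsigned long long varying = 0;
    for (int b = 0; b < 32; b++)
        varying |= offset(1u << b) ^ offset(0);
    return __builtin_popcountll(varying);
}

int main(void)
{
    int narrow = entropy_bits(stack_offset_narrow);
    int wide = entropy_bits(stack_offset_wide);
    printf("narrow: %d bits, wide: %d bits, work factor lost: %llu\n",
           narrow, wide, 1ULL << (wide - narrow));
    return 0;
}
```

The narrow variant yields 20 varying bits against 22 for the wide one,
which is the factor of four in the advisory text: an attacker
brute-forcing the stack base has a quarter of the candidate positions to
try. The same measurement is a cheap regression check for any
randomization helper: feed it single-bit inputs and confirm every input
bit still reaches the output.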


* Information leak in ext4 zero range allocation.

The ext4 filesystem driver does not correctly zero data when attempting
to create a new zero range in a file. This potentially allows locally
unprivileged users to view the contents of other files.


* Insufficient randomness in random device mixing function.

The mixing function in the kernel random number generator incorrectly
mixes random data sourced from timer interrupts, which reduces the
entropy of the kernel random number generator.


* Consistency check bypass in Xen SCSI backend driver.

A race condition in the Xen SCSI backend driver can allow guests to
bypass certain consistency checks which could trigger a crash in the
host.


* Kernel panic when reading pagemap procfs file.

Incorrect locking when reading the /proc/pid/pagemap procfs file can
trigger a kernel assertion and kernel panic. An unprivileged local user
can use this flaw to trigger a denial of service.


* Denial of service when decoding NFSv4.1 sequence operations.

The kernel NFSv4.1 client tries to free invalid memory when decoding NFS
sequence operations which can trigger a kernel panic. This flaw can be
triggered by remote users.


* Security bypass in kernel pseudo terminal subsystem.

The kernel pseudo-terminal (PTY) subsystem does not enforce restrictions
on which users can signal processes, which allows local unprivileged
users to send arbitrary signals to privileged processes.


* Use-after-free in USB Host Controller Device driver.

Incorrect memory management in the USB Host Controller Driver (HCD) can
trigger a use-after-free condition and kernel panic.


* Memory corruption when mounting malformed UDF disk images.

The kernel UDF filesystem driver, used by some CD-ROMs and DVDs, does
not validate overly long extended attributes which can trigger kernel
memory corruption and a kernel panic.


* Denial of service in XFS quota management.

The kernel XFS filesystem driver does not reset quota metadata when
removing and creating files which can trigger an assertion failure and
kernel panic. A local user able to write to an XFS filesystem could use
this flaw to trigger a denial of service.


* Memory corruption when mounting malformed JFFS2 disk images.

The kernel JFFS2 filesystem driver does not validate the eraseblock, which
can trigger an assertion and kernel panic.


* Use-after-free when disconnecting CephFS client.

A race condition when closing a connection to a CephFS service can
trigger a use-after-free condition and kernel panic.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

