From ksplice-support_ww at oracle.com Tue May 26 02:04:38 2015
From: ksplice-support_ww at oracle.com (Oracle Ksplice)
Date: Tue, 26 May 2015 09:04:38 GMT
Subject: [Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2015-8518)
Message-ID: <201505260904.t4Q94cFJ008971@aserv0021.oracle.com>

Synopsis: FEDORA-2015-8518 can now be patched using Ksplice
CVEs: CVE-2015-3339 CVE-2015-3636

Systems running Fedora 20 can now use Ksplice to patch against the latest
Fedora kernel update, FEDORA-2015-8518.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install these
updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these
updates will be installed automatically and you do not need to take any
action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2015-3636: Memory corruption when unhashing IPv4 ping sockets.

The kernel IPv4 subsystem does not correctly handle unhashing a ping socket,
which can trigger kernel memory corruption. A local user can use this flaw
to gain elevated privileges.

* Use-after-free in Open vSwitch when removing a virtual port.

The Open vSwitch network driver does not correctly decrement a reference
count when removing a virtual port, which can trigger a use-after-free and
kernel panic.

* Denial-of-service in Berkeley Packet Filter program loading.

Missing bounds checks could result in memory corruption and a kernel crash
when loading a BPF program. A local, privileged user could use this flaw to
trigger a denial-of-service or potentially escalate privileges.

* CVE-2015-3339: Privilege escalation due to race condition between execve
  and chown.

The execve() syscall can race with inode attribute changes made by chown().
This race condition could result in execve() setting the uid/gid to the new
owner, leading to privilege escalation.

* Kernel panic in IPv4 forwarding of timewait sockets.

The kernel IPv4 stack does not correctly handle forwarding data from
timewait sockets, which can trigger an assertion failure and kernel panic.

* Deadlock when sending IPv4 FIN packets.

The kernel IPv4 stack can deadlock, causing a kernel panic, when
transmitting IPv4 FIN packets under high memory pressure.

* Data loss when mounting a btrfs volume with the 'discard' option.

When mounting a btrfs volume with '-o discard', the btrfs driver can
overwrite filesystem metadata, causing data loss.

* Denial of service in btrfs IOC_CLONE ioctl.

Attempting to clone a zero-length region from one file to another on a
btrfs volume can trigger an infinite loop and kernel panic. A local user
could use this flaw to cause a denial of service.

* Denial of service in btrfs IOC_FILE_EXTENT_SAME ioctl.

Attempting to query the extents of a file on a btrfs volume can trigger an
infinite loop and kernel panic. A local user could use this flaw to cause a
denial of service.

* Memory corruption in SPI device ioctl.

An integer overflow in the kernel SPI driver can allow malformed ioctls to
trigger kernel memory corruption and allow a local user to gain elevated
privileges.

* Kernel panic when chowning files on an NFS mount.

Under specific circumstances, chowning a file on an NFS mount can trigger an
assertion failure and cause a kernel panic.

* Memory leak in HyperV virtual storage driver.

The HyperV virtual storage driver does not correctly unmap memory when
handling I/O commands from a guest, causing a kernel memory leak in the
host.

* Data loss when handling iSER commands.

The iSCSI Extensions for RDMA (iSER) driver incorrectly calculates the
length of DIX data, which can lead to silent data corruption.

* Memory corruption when resolving a symlink target.

A reference counting error when opening a symlink which crosses a mountpoint
can trigger a use-after-free condition and kernel panic.

* NULL pointer dereference in NFSv4 server SEEK and ALLOCATE commands.

A logic error in the kernel NFSv4 server can trigger a NULL pointer
dereference and kernel panic when handling SEEK and ALLOCATE commands with
particular stateids.

* Missing permission checks in NFSv4 server READ command.

The kernel NFSv4 server does not validate permissions when handling READ
commands with particular stateids, which can allow remote attackers to read
the contents of arbitrary files.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
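Two local checks an administrator might run around this update, written here as an added example that is not part of the Ksplice advisory or of the Uptrack tooling. The first reads the "autoinstall = yes" setting the advisory refers to out of uptrack.conf text. The second tests whether a given GID falls inside net.ipv4.ping_group_range: IPv4 ping sockets, the path CVE-2015-3636 is reached through, can only be created by processes whose group lies in that range, and the kernel default "1 0" is an empty range that disables them. The sample configuration and range values below are constructed, and the "--live" mode that reads the real /etc/uptrack/uptrack.conf and /proc/sys/net/ipv4/ping_group_range is an assumption about where those files live on a Fedora 20 host with Uptrack installed.

```shell
#!/bin/sh
# Added example: pre-/post-patch checks for the FEDORA-2015-8518 Ksplice update.
# Not part of the advisory or of Ksplice Uptrack itself.

# autoinstall_enabled CONFIG_TEXT
# Returns 0 when the Uptrack config text contains "autoinstall = yes"
# (ignoring case, comments and whitespace around '=').
autoinstall_enabled() {
    printf '%s\n' "$1" \
      | sed -e 's/#.*//' \
            -e 's/[[:space:]]*=[[:space:]]*/=/' \
            -e 's/^[[:space:]]*//' \
            -e 's/[[:space:]]*$//' \
      | grep -qix 'autoinstall=yes'
}

# ping_sockets_reachable RANGE GID
# RANGE is the content of /proc/sys/net/ipv4/ping_group_range ("low high",
# tab-separated when read from the kernel). Returns 0 when GID lies in the
# range, i.e. a process in that group may open an IPv4 ping socket; returns 1
# when it may not; returns 2 for malformed input rather than guessing.
ping_sockets_reachable() {
    gid=$2
    # Word-split the range on whitespace so both tabs and spaces work.
    set -- $1
    [ $# -eq 2 ] || return 2
    low=$1
    high=$2
    case "$low$high$gid" in ''|*[!0-9]*) return 2 ;; esac
    # The default "1 0" has low > high, so no gid can satisfy both tests.
    [ "$low" -le "$gid" ] && [ "$gid" -le "$high" ]
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_CONF='[Settings]
# Ksplice Uptrack configuration
autoinstall = yes
install_on_reboot = yes'
SAMPLE_RANGE_DEFAULT=$(printf '1\t0')          # kernel default: empty range
SAMPLE_RANGE_OPEN=$(printf '0\t2147483647')    # every group may open ping sockets

# Live check of the running host; only runs when invoked with --live.
live_check() {
    conf=$(cat /etc/uptrack/uptrack.conf 2>/dev/null) || conf=''
    if autoinstall_enabled "$conf"; then
        echo "uptrack autoinstall: yes (updates apply automatically)"
    else
        echo "uptrack autoinstall: no (run: /usr/sbin/uptrack-upgrade -y)"
    fi
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null) || range=''
    mygid=$(id -g)
    if ping_sockets_reachable "$range" "$mygid"; then
        echo "ping_group_range '$range' includes gid $mygid: CVE-2015-3636 path reachable until patched"
    else
        echo "ping_group_range '$range' excludes gid $mygid: this user cannot create ping sockets"
    fi
}

if [ "${1-}" = "--live" ]; then
    live_check
fi
```

Run it with `--live` on the host being checked; without the flag it only defines the functions, so it can be sourced from other scripts. A host whose ping_group_range excludes all unprivileged groups still needs the update, since the range is a reachability condition for one bug, not a fix.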