[Ksplice-Fedora-20-updates] New updates available via Ksplice (FEDORA-2015-8518)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue May 26 02:04:38 PDT 2015


Synopsis: FEDORA-2015-8518 can now be patched using Ksplice
CVEs: CVE-2015-3339 CVE-2015-3636

Systems running Fedora 20 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-8518.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 20 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
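
Where it is not obvious which of the two cases above applies to a host, the following shell check reads an uptrack.conf and reports whether the updates install automatically or need the manual command. It is an added example, not Oracle's or Ksplice's code; the function names are hypothetical, the sample configs are constructed, and it assumes the file is INI-style with only the literal value "yes" counting as enabled.

```shell
#!/bin/sh
# Added example: decide whether a host needs a manual uptrack-upgrade run.
# Assumption: uptrack.conf is INI-style ("key = value" lines, "#" or ";"
# comments, "[Section]" headers), as the quoted "autoinstall = yes" implies.

# Print the effective value of "autoinstall" (last assignment wins),
# or "unset" if the key never appears uncommented or has no value.
autoinstall_value() {
    awk '
        /^[ \t]*[#;]/ { next }                   # skip comment lines
        /^[ \t]*autoinstall[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)          # drop "autoinstall ="
            sub(/[ \t\r]+$/, "", v)              # drop trailing blanks / CR
            val = v
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Print "automatic" when updates install without operator action,
# otherwise the command from the advisory that must be run by hand.
# Assumption: only the literal "yes" quoted in the advisory counts as enabled.
ksplice_action() {
    if [ ! -r "$1" ]; then
        echo "unknown: cannot read $1"
        return 0
    fi
    case "$(autoinstall_value "$1")" in
        yes) echo "automatic" ;;
        *)   echo "manual: /usr/sbin/uptrack-upgrade -y" ;;
    esac
}

# Demo on constructed sample configs (not taken from a real host).
demo() {
    d=$(mktemp -d)
    printf '[Settings]\nautoinstall = yes\n' > "$d/auto.conf"
    printf '[Settings]\n# autoinstall = yes\nautoinstall = no\n' > "$d/manual.conf"
    for f in "$d/auto.conf" "$d/manual.conf" "$d/missing.conf"; do
        printf '%s -> %s\n' "${f##*/}" "$(ksplice_action "$f")"
    done
    rm -rf "$d"
}
demo
```

On a real system, pass /etc/uptrack/uptrack.conf to ksplice_action instead of calling demo.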


DESCRIPTION

* CVE-2015-3636: Memory corruption when unhashing IPv4 ping sockets.

The kernel IPv4 subsystem does not correctly handle unhashing a ping
socket which can trigger kernel memory corruption. A local user can use
this flaw to gain elevated privileges.


* Use-after-free in Open vSwitch when removing a virtual port.

The Open vSwitch network driver does not correctly decrement a reference
count when removing a virtual port which can trigger a use-after-free
and kernel panic.


* Denial-of-service in Berkeley Packet Filter program loading.

Missing bounds checks could result in memory corruption and a kernel
crash when loading a BPF program. A local, privileged user could use
this flaw to trigger a denial-of-service or potentially escalate
privileges.


* CVE-2015-3339: Privilege escalation due to race condition between execve and chown.

The execve() syscall can race with inode attribute changes made by chown().
This race condition could result in execve() setting uid/gid to the new
owner, leading to privilege escalation.


* Kernel panic in IPv4 forwarding of timewait sockets.

The kernel IPv4 stack does not correctly handle forwarding data from
timewait sockets which can trigger an assertion failure and kernel
panic.


* Deadlock when sending IPv4 FIN packets.

The kernel IPv4 stack can deadlock causing a kernel panic when
transmitting IPv4 FIN packets under high memory pressure.


* Data loss when mounting btrfs volume with the 'discard' option.

When mounting a btrfs volume with '-o discard' the btrfs driver can
possibly overwrite filesystem metadata causing data loss.


* Denial of service in btrfs IOC_CLONE ioctl.

Attempting to clone a zero-length region from one file to another on a
btrfs volume can trigger an infinite loop and kernel panic. A local
user could use this flaw to cause a denial of service.


* Denial of service in btrfs IOC_FILE_EXTENT_SAME ioctl.

Attempting to query the extents of a file on a btrfs volume can trigger
an infinite loop and kernel panic. A local user could use this flaw to
cause a denial of service.


* Memory corruption in SPI device ioctl.

An integer overflow in the kernel SPI driver can allow malformed ioctls
to trigger kernel memory corruption and allow a local user to gain
elevated privileges.


* Kernel panic when chowning files on NFS mount.

Under specific circumstances chowning a file on an NFS mount can trigger
an assertion failure and cause a kernel panic.


* Memory leak in HyperV virtual storage driver.

The HyperV virtual storage driver does not correctly unmap memory when
handling I/O commands from a guest causing a kernel memory leak in the
host.


* Data loss when handling iSER commands.

The iSCSI Extensions for RDMA (iSER) driver incorrectly calculates the
length of DIX data, which can lead to silent data corruption.


* Memory corruption when resolving symlink target.

A reference counting error when opening a symlink which crosses a
mountpoint can trigger a use-after-free condition and kernel panic.


* NULL pointer dereference in NFSv4 server SEEK and ALLOCATE commands.

A logic error in the kernel NFSv4 server can trigger a NULL pointer
dereference and kernel panic when handling SEEK and ALLOCATE commands
with particular stateids.


* Missing permission checks in NFSv4 server READ command.

The kernel NFSv4 server does not validate permissions when handling READ
commands with particular stateids which can allow remote attackers to
read the contents of arbitrary files.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


