[Ksplice-Fedora-21-updates] New updates available via Ksplice (4.0.6-200.fc21)

Samson Yeung samson.yeung at oracle.com
Wed Jul 1 12:05:33 PDT 2015


Synopsis: 4.0.6-200.fc21 can now be patched using Ksplice
CVEs: CVE-2015-4001 CVE-2015-4002 CVE-2015-4003

Systems running Fedora 21 can now use Ksplice to patch against the
latest Fedora kernel update, 4.0.6-200.fc21.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Fedora 21 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
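As an added example (not part of the announcement and not Ksplice's own tooling), the following POSIX shell script decides whether a host will pick up these updates on its own or still needs the manual command above, by reading the autoinstall setting from an uptrack.conf-style file. The config contents are constructed for the demo; the real file lives at /etc/uptrack/uptrack.conf as the announcement states.

```shell
#!/bin/sh
# Added example: read the effective "autoinstall" value from an uptrack.conf-
# style file (INI-like, '#' or ';' comments, whitespace around '=') and report
# whether a manual "uptrack-upgrade -y" is still required.

# Print "yes" or "no". Case-insensitive, last occurrence wins (as INI parsers
# usually behave); an unreadable file or missing key counts as "no".
autoinstall_enabled() {
    conf="$1"
    value=no
    [ -r "$conf" ] || { echo no; return; }
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            \#*|\;*|'') continue ;;                 # comment or blank line
        esac
        # Key is everything before '=' with surrounding whitespace removed.
        key=$(printf '%s' "$trimmed" | sed -n 's/^\([A-Za-z_]*\)[[:space:]]*=.*/\1/p')
        [ "$key" = autoinstall ] || continue
        val=$(printf '%s' "$trimmed" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
              | tr 'A-Z' 'a-z')
        case "$val" in
            yes|true|1) value=yes ;;
            *)          value=no  ;;
        esac
    done < "$conf"
    echo "$value"
}

# Print "auto" when Uptrack installs updates by itself, otherwise the manual
# command from the announcement.
required_action() {
    if [ "$(autoinstall_enabled "$1")" = yes ]; then
        echo auto
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs, written to temp files so the demo runs offline.
SAMPLE_ON=$(mktemp)
printf '[Uptrack]\n  # comment line\nautoinstall = Yes\n' > "$SAMPLE_ON"
SAMPLE_OFF=$(mktemp)
printf 'autoinstall = yes\n; overridden below\nautoinstall=no\n' > "$SAMPLE_OFF"

required_action "$SAMPLE_ON"    # prints: auto
required_action "$SAMPLE_OFF"   # prints: /usr/sbin/uptrack-upgrade -y
```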


DESCRIPTION

* Memory corruption in Ceph crush mapper.

A flaw in the Ceph crush mapper could cause temporary buffers to overlap
when there are more OSDs than replicas.  A local, privileged user could
use this flaw to cause memory corruption.


* Denial-of-service in the BSD Packet Filter just-in-time compiler.

A logic error in the BSD Packet Filter (BPF) just-in-time (JIT) compiler
could cause the JIT-compiled program to contain only software breakpoints
instead of the intended opcodes.  A local, privileged user could use
this flaw to cause a denial-of-service by loading a specially crafted BPF
program.


* Kernel panic in the network scheduler on classifier module unload.

A missing RCU barrier when removing a queue discipline on concurrent
module unload could lead to the kernel calling unloaded code.  A local,
privileged user could use this flaw to cause a denial-of-service or
potentially escalate privileges.


* NULL pointer dereference when handling IPv4 errors.

A missing check for NULL could lead to a NULL pointer dereference when
handling IP errors when the network device is being removed.  An
attacker could use this flaw to cause a denial-of-service.


* NULL pointer dereference in CAIF and Unix sockets when receiving.

Lack of checking that the socket has been destroyed in the recvmsg()
handlers for CAIF and Unix sockets could lead to a NULL pointer
dereference.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Kernel crash when attaching a new queue discipline in the network
scheduler.

A flaw in the networking scheduler could lead to a use-after-free when
attaching a new queue discipline to a network device.  A local,
privileged user could use this flaw to cause a denial-of-service.


* NULL pointer dereference in the bridge driver when a query expires.

A logic error in the bridge driver when a query expires causes the wrong
field of a structure to be set to NULL.  A local, unprivileged user
could use this flaw to cause a denial-of-service.


* Kernel hang on UDP flood with wrong checksums.

A flaw in the UDP handling of wrong checksums could lead to a kernel
hang under a UDP flood attack.  A remote attacker could use this flaw to
cause a denial-of-service.


* Memory corruption on concurrent netlink insertion or removal.

Incorrect locking in the netlink driver could lead to memory corruptions
and kernel panic on concurrent netlink insertion or removal.  A local,
privileged user could use this flaw to cause a denial-of-service.


* Kernel panic on Intel VT-d IOMMU in passthrough mode.

A flaw in the Intel VT-d IOMMU driver when configured in passthrough
mode could lead to an invalid pointer dereference on translation-disabled
devices.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Kernel hang in generic block driver.

The generic block driver was calling a function not intended to run in
both interrupt and process context. In certain cases, this could lead to
the kernel hanging.


* CVE-2015-4003: Remote divide-by-zero in the ozwpan driver.

The oz_usb_handle_ep_data() function in the ozwpan driver could allow
remote attackers to cause a divide-by-zero via a crafted packet.


* CVE-2015-4001, CVE-2015-4002: Remote denial-of-service in ozwpan driver.

Lack of input validation and incorrect use of signed types in the
ozwpan driver could lead to a heap overflow.  A remote attacker could use
these flaws via a crafted packet to cause a denial-of-service or
potentially gain code execution.


* Use-after-free in the memory hotplug code when re-adding a node.

Failure to reset a pointer to NULL in the memory hotplug code when
re-adding a node could lead to a use-after-free and kernel panic.
A local, privileged user could use this flaw to cause a denial-of-service.


* Kernel BUG when migrating compound pages on NUMA.

A flaw in the memory migrating code could result in compound pages being
marked for migration which later causes a kernel assertion to trigger,
resulting in a denial-of-service.


* Use-after-free in the multiqueue block core code.

Incorrect ordering when releasing internal structures when destroying a
queue leads to a use-after-free and kernel panic.  A local, privileged
user could use this flaw to cause a denial-of-service.


* Information leak in CFG80211 WiFi extension.

Failure to zero a stack-allocated structure used for statistics in the
CFG80211 WiFi extension could result in information leaking from one
device to another.  A local, unprivileged user could use this flaw to
gain knowledge about network traffic on other devices.


* NULL pointer dereference in Btrfs when sending a snapshot.

A logic error in the Btrfs code when sending a snapshot could lead to a
NULL pointer dereference on concurrent snapshot deletion.  A local,
privileged user could use this flaw to cause a denial-of-service.


* CVE-2015-4692: Denial-of-service when checking for events in the
emulated KVM APIC.

A missing check for NULL in the KVM code when checking if there are any
pending events on the emulated interrupt controller could lead to NULL
pointer dereference.  A local user with access to /dev/kvm could use
this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
