[Ksplice-Fedora-21-updates] New updates available via Ksplice (FEDORA-2015-d7e074ba30)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Nov 2 09:28:10 PST 2015
Synopsis: FEDORA-2015-d7e074ba30 can now be patched using Ksplice
CVEs: CVE-2015-2925 CVE-2015-5257 CVE-2015-7613
Systems running Fedora 21 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-d7e074ba30.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Fedora 21 install
these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
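The two installation paths above depend on the "autoinstall" setting in /etc/uptrack/uptrack.conf. The following shell script is an added example, not part of the Ksplice announcement or Oracle's tooling: it reads that setting (tolerating leading whitespace, spaces around "=", mixed case, and "#"-style comments, which is an assumption about the file's format) and reports whether the updates will be applied automatically or whether an administrator must run uptrack-upgrade by hand. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Ksplice announcement): decide whether a host
# needs a manual "uptrack-upgrade -y" based on the "autoinstall" setting in
# /etc/uptrack/uptrack.conf.

# Return 0 when the given uptrack.conf enables autoinstall, 1 otherwise.
# Assumes comments start with "#" (or ";"); if the key appears more than
# once, the last occurrence is treated as authoritative. A missing or
# unreadable file is treated as "not enabled" so the caller errs on the
# side of a manual check.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || return 1
    # Strip comments, keep only autoinstall lines, take the last one,
    # then isolate the value and normalise its case.
    value=$(sed -e 's/[#;].*$//' "$conf" \
        | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr 'A-Z' 'a-z')
    [ "$value" = "yes" ]
}

# Print the action the administrator should take for this host.
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall enabled: Ksplice will apply the updates automatically"
    else
        echo "autoinstall disabled: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Apply the updates only when autoinstall is off. Set UPTRACK_DRY_RUN=1 to
# print the command instead of executing it (useful in fleet audits).
uptrack_apply_if_needed() {
    if uptrack_autoinstall_enabled "$1"; then
        return 0
    fi
    if [ "${UPTRACK_DRY_RUN:-0}" = "1" ]; then
        echo "/usr/sbin/uptrack-upgrade -y"
    else
        /usr/sbin/uptrack-upgrade -y
    fi
}

# Usage on a real host (uncomment to run):
# uptrack_plan
# UPTRACK_DRY_RUN=1 uptrack_apply_if_needed
```

On a host where autoinstall is enabled the script does nothing, which matches the announcement's guidance; elsewhere it reports (or, without UPTRACK_DRY_RUN, performs) the manual upgrade.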
DESCRIPTION
* Kernel crash in STMicroelectronics ST21NFCA NFC session loading.
Incorrect error handling could result in trying to free an uninitialized
buffer, triggering a kernel crash.
* NULL pointer dereference in NFC command transmission.
A missing NULL pointer check could result in a kernel crash when sending
an NFC command over a HCI device.
* Denial-of-service in multiqueue block pending request list sysfs attribute.
Missing bounds checking could result in overfilling a sysfs buffer when
displaying the pending requests for a multiqueue block device. A local
user with access to the sysfs attributes could use this flaw to trigger
a denial-of-service under specific conditions.
* Denial-of-service in unshare() with CLONE_VM.
A logic error in unshare() could allow a local user with access to
/proc/PID/maps to prevent unshare() calls from succeeding, resulting in
a denial-of-service.
* Kernel crash in 802.11 mesh network transmission.
Incorrect handling of peering state could result in a kernel crash when
transmitting frames on a network with fixed mesh paths and all stations
had not yet completed peering.
* Denial-of-service in ext4 filesystems during hot unplug.
Under specific conditions, unplugging a block device with a mounted ext4
filesystem could trigger a kernel crash. A user with physical access to
the system could use this flaw to trigger a denial-of-service.
* Privilege escalation in CIFS copy offload ioctl.
Under specific conditions, an attacker with access to a CIFS filesystem
mounted with version >= 2.0 could use this flaw to gain code execution
inside the kernel and escalate privileges.
* Filesystem corruption in BTRFS transaction completion.
Incorrect handling of aborted transactions could result in filesystem
corruption under specific conditions.
* Multiple use-after-frees in NFS server delegations.
Under specific conditions, incorrect delegation handling could result in
decrementing reference counts too many times and triggering a
use-after-free and kernel crash.
* Remote denial-of-service in NFS migration recovery for NFS v4.2.
Missing migration recovery operations for NFS v4.2 mounts could result
in a NULL pointer dereference when accessing a mount that was exported
with a "refer=" export option. An attacker with access to the NFS
server could use this flaw to remotely crash the client.
* Sensitive information leak in process coredumps.
Filesystem handling code in coredump writing had a number of flaws that
could allow a local attacker to read the contents of a coredump for a
process that they did not own. This could leak potentially sensitive
information to a user that should not have access.
* NULL pointer dereference in MMC request completions.
A race condition in MMC request completion could result in a NULL
pointer dereference and kernel crash under specific conditions.
* Data loss when reshaping a RAID10 volume.
A logic error when calculating metadata can trigger data loss when
resizing a RAID10 volume.
* Use-after-free in MD block driver array stopping.
Failure to flush a workqueue during array stop could result in a
use-after-free and kernel crash.
* Kernel crash in HFS B-tree insertion.
Inserting a new record in an HFS B-tree at position 0 could corrupt the
tree resulting in either filesystem corruption or a kernel crash.
* NULL pointer dereference in Mellanox Connect-IB user memory region error handling.
Incorrect error handling when registering a user memory region could
result in a NULL pointer dereference and kernel crash.
* Use-after-free in HFS B-tree node handling.
Incorrect releasing of pages for HFS B-tree nodes could result in a
use-after-free and kernel crash. On a heavily loaded system, a local
attacker could use this flaw to crash the system.
* Denial-of-service in network device queue allocation.
A kernel assertion could be triggered from user-space when adding a
network device. A local, privileged user could use this flaw to crash
the system.
* Kernel crash in bridge device transmission.
Under specific conditions, forwarding a packet that had been received by
a driver that supported low latency socket polling could result in an
invalid memory access and kernel crash.
* Denial of service when freeing Xen netback driver grants.
A logic error in the Xen netback driver can trigger an assertion failure
and kernel panic when freeing grants used in zerocopy transfers.
* Memory corruption when receiving datagram packets.
Incorrect reference counting can cause a double-free and kernel panic
when peeking received datagram packets, such as the UDP and netlink
protocols.
* Use-after-free in Controlled Delay (CODEL) packet scheduler.
Incorrect memory management in the Controlled Delay (CODEL) packet
scheduler can trigger a use-after-free condition and kernel panic when
dropping packets.
* Denial-of-service in IP datagram socket connection.
Missing locking when creating an IP datagram socket could result in list
corruption. A local, unprivileged user could use this flaw to trigger a
denial-of-service.
* NULL pointer dereference when replacing BPF-based traffic classifier.
A logic error in the kernel traffic classification system can trigger
a NULL pointer dereference when replacing an existing BPF traffic
classifier.
* NULL pointer dereference when replacing flow-based traffic classifier.
A logic error in the kernel traffic classification system can trigger
a NULL pointer dereference when replacing an existing flow-based traffic
classifier.
* Denial-of-service in Netlink mmapped socket release.
Incorrect locking could result in deadlock when releasing a netlink
socket that was mmapped. A local, unprivileged user could use this flaw
to crash the system.
* Memory leak when attaching hook to AF_PACKET sockets.
Incorrect reference counting in the AF_PACKET socket implementation can
cause a memory leak when attaching a packet hook to an AF_PACKET socket.
This flaw can be triggered by a local user with the CAP_NET_RAW capability.
* Denial-of-service in BPF program replacement.
A memory leak when replacing BPF programs could result in a
denial-of-service, triggerable by a local user.
* NULL pointer dereference in socket BPF program dumping.
A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when dumping a diagnostic filter eBPF program for a
socket.
* Kernel hang in IPv6 multicast router addition.
Incorrect handling of IPv6 multicast router iteration could result in
failure to acquire a lock and a kernel deadlock.
* Kernel crash in memory mapped netlink sockets with TAP devices.
Incorrect handling of packets for a memory mapped netlink socket could
result in a kernel crash. A local, privileged user could use this flaw
to crash the system.
* Use-after-free in ZRAM compressor creation.
Incorrect error handling when creating a ZRAM compressor could result in
a use-after-free and kernel crash.
* CVE-2015-5257: Denial-of-service in Whiteheat device probing.
Missing validation of USB endpoints could result in a NULL pointer
dereference when probing a Whiteheat USB device. An attacker with a
malicious USB device and physical access to the system could use this
flaw to crash the system.
* CVE-2015-2925: Privilege escalation in bind mounts inside namespaces.
Incorrect handling of renames inside container bind mounts could allow a
local user to escape a container and escalate privileges under specific
conditions.
* CVE-2015-7613: Privilege escalation in IPC object initialization.
Incorrect initialization of IPC objects could result in memory
corruption when creating message queues or shared memory. A local,
unprivileged user could use this flaw to escalate privileges.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.