[Ksplice-Fedora-21-updates] New updates available via Ksplice (FEDORA-2015-0253d1f070)
Oracle Ksplice
ksplice-support_ww at oracle.com
Sat Nov 14 01:26:33 PST 2015
Synopsis: FEDORA-2015-0253d1f070 can now be patched using Ksplice
CVEs: CVE-2015-5156 CVE-2015-7872
Systems running Fedora 21 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2015-0253d1f070.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Fedora 21 install
these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
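The two installation paths above depend on one setting in /etc/uptrack/uptrack.conf. The following POSIX shell script is an added example, not part of the Ksplice announcement: it reads that setting from a config file path and reports whether the host will pick up the updates on its own or needs the manual uptrack-upgrade run. It assumes the INI-style "key = value" layout the announcement quotes; the [Settings] section name and the sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Ksplice announcement). Assumes an INI-style
# uptrack.conf with a line "autoinstall = yes"; sample files are constructed.

# Print "yes" or "no" for the autoinstall setting in the given file.
# Comments (# or ;), surrounding whitespace and key/value case are
# tolerated; a missing key or unreadable file counts as "no", i.e. the
# host needs manual action.
uptrack_autoinstall() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return 0; }
    val=$(sed -e 's/[#;].*$//' "$conf" \
          | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
          | tail -n 1 \
          | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
          | tr '[:upper:]' '[:lower:]')
    if [ "$val" = "yes" ]; then echo yes; else echo no; fi
}

# Print what the operator has to do on this host, per the announcement.
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = "yes" ]; then
        echo "updates will be installed automatically"
    else
        echo "/usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs so the script runs stand-alone.
tmp_on=$(mktemp); tmp_off=$(mktemp)
printf '[Settings]\n# auto-apply updates\nAutoinstall = YES  ; enabled\n' > "$tmp_on"
printf '[Settings]\nautoinstall = no\n' > "$tmp_off"
uptrack_action "$tmp_on"
uptrack_action "$tmp_off"
rm -f "$tmp_on" "$tmp_off"
```

On a real host, pass /etc/uptrack/uptrack.conf instead of the constructed samples.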
DESCRIPTION
* Out of bounds memory access when accessing perf constraints on Intel CPUs.
A missing bounds check for an index variable when accessing perf
constraints on Intel CPUs could lead to memory corruption and a kernel panic.
A local, unprivileged user could use this flaw to cause a denial of
service.
* Kernel crash when applying alternative instructions.
The kernel did not disable interrupts whilst applying alternative
instructions, which could cause half-written opcodes to be executed and a
kernel panic. A local, unprivileged user could use this flaw to cause a
denial-of-service.
* Out of bounds memory access in get_wchan().
A logic error when checking the bounds of the current stack pointer in
get_wchan() could lead to out of bounds memory accesses. A local,
unprivileged user could use this flaw to cause a kernel panic.
* Memory leak when iterating LED devices.
Incorrect reference counting when looking up LED devices by name leads to a
memory leak. A local, privileged user could use this flaw to exhaust the
memory on the system.
* Use-after-free when finishing a context switch.
Lack of proper memory barriers in the finish_task_switch() code could lead
to use-after-free and kernel panic under certain circumstances. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* NULL pointer dereference in the SPI subsystem on device close.
A missing NULL pointer check when freeing an SPI device could result in a
NULL pointer dereference and kernel panic. A local, unprivileged user
could use this flaw to cause a denial-of-service.
* NULL pointer dereference in IOMMU library on flush.
A lack of NULL pointer check in the IOMMU library on lazy flush could lead
to a NULL pointer dereference and kernel panic in certain circumstances.
* Kernel BUG when unmapping a hugetlbfs page.
A logic error in hugetlbfs when unmapping a page that is mapped both
with MAP_SHARED and MAP_PRIVATE could trigger a BUG() assertion. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* Denial-of-service in BTRFS special file writing.
Incorrect handling of special files including device nodes could result
in a kernel panic when evicting inodes. A local, privileged user with
permission to create device nodes could use this flaw to crash the
system.
* Remote information leak in the RPC over RDMA sub-system.
The Linux NFS server could return garbage data in the payload of inline
RDMA read replies if the client didn't provide a reply chunk or a write
list. A remote attacker could use this flaw to gain information about the
running kernel.
* Kernel panic when reshaping a RAID5 to RAID0.
A flaw in the RAID sub-system could lead to device errors and trigger a
kernel BUG() assertion when reshaping a RAID5 to a RAID0 in certain
circumstances. A local, privileged user could use this flaw to cause a
denial-of-service.
* Use-after-free when removing the netfilter logging module.
A failure to wait for pending RCUs when releasing internal objects on
netfilter logging module removal could lead to use-after-free and kernel
panic. A local, privileged user could use this flaw to cause a
denial-of-service.
* Memory leak in the NFS filesystem when resetting the metadata server.
Failure to clean up the page IO descriptor when resetting the metadata
server in the NFS filesystem leads to a memory leak. A local, privileged
user could use this flaw to exhaust the memory on the system and cause a
denial-of-service.
* Memory corruption in the XHCI driver on init command timeout.
A flaw in the XHCI driver causes an uninitialized timer to be deleted on
init command timeout, leading to memory corruption. A local, privileged
user could use this flaw to cause a denial-of-service.
* Kernel panic in IP virtual server syncing.
A logic error in the kernel IP virtual server support can trigger a
kernel panic when synchronizing a connection using version 0 of the sync
protocol.
* NULL pointer dereference in Batman address translation.
Multiple missing NULL pointer checks could result in a kernel crash when
manipulating the address translation table.
* Kernel crash in Batman translation table removal.
Missing locking could result in memory corruption when removing entries
from the translation table. Under specific conditions, this could
result in a kernel crash.
* Invalid memory access in B.A.T.M.A.N. Advanced Meshing protocol when transmitting.
A flaw in the B.A.T.M.A.N. Advanced Meshing driver when transmitting a
socket buffer without a properly set header could lead to out of bounds
memory accesses in the socket buffer. A local, unprivileged user could use
this flaw to cause a denial-of-service.
* Memory leak in the RSI WiFi driver when loading the firmware.
A flaw in the RSI WiFi driver leads to a memory leak when trying to load
the firmware under memory pressure. A local, privileged user could use
this flaw to increase memory pressure further and exhaust the memory on
the system.
* Out of bounds memory access in the UBI driver.
A lack of input validation when parsing a UBI image could cause out of
bounds memory accesses and lead to a kernel crash. A local user able to
mount a specially crafted image could use this flaw to cause a
denial-of-service.
* Kernel hang when disconnecting from the backend in Xen netfront driver.
Failure to check that an interface is running before calling
napi_synchronize() in the Xen netfront driver could lead to a kernel hang.
* Out of bounds memory access in Multiple devices driver when allocating a bitmap.
A logic error when passing the slot number to the function allocating a
bitmap in the Multiple devices driver could lead to out of bounds memory
access and kernel panic when the bitmap isn't clustered. An attacker could
use this flaw to cause a denial-of-service.
* Use-after-free and NULL pointer dereference in NFS when decoding a layout.
A flaw in the NFS file layout subsystem could lead to use-after-free and
NULL pointer dereference in certain circumstances.
* Kernel hang in Multiple devices driver when destroying a device.
Incorrect lock ordering when destroying a RAID device could lead to a
deadlock and kernel hang.
* NULL pointer dereference in the Multiple devices driver when switching from cleaner policy.
A flaw in the Multiple devices driver could lead to a NULL pointer
dereference in certain circumstances. A local attacker could use this flaw
to cause a denial-of-service.
* Permission bypass in the tty driver.
A flaw in the tty code would allow someone holding a file descriptor opened
write-only to re-open the tty with different flags, allowing them to control
the terminal when this should require both read and write access to the
tty.
* Remote denial-of-service when receiving socket buffers with partial checksums.
A flaw in the socket buffer code dealing with partial checksums causes out
of bounds memory accesses on the socket buffer and kernel panic. A remote
attacker could use this flaw to cause a denial-of-service.
* Kernel BUG when passing a socket buffer allocated from pfmemalloc on a user socket.
A flaw in the socket buffer management when dealing with socket buffers
allocated from pfmemalloc could cause a kernel BUG() assertion to trigger
under certain circumstances. A local, unprivileged user could use this
flaw to cause a denial-of-service.
* NULL pointer dereference in the Point-to-Point over Ethernet protocol.
A flaw in the Point-to-Point over Ethernet driver could lead to a NULL
pointer dereference and kernel panic when flushing the device. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* Kernel panic when dumping eBPF filter via SO_GET_FILTER.
A logic error in the BPF subsystem can trigger a NULL pointer
dereference and kernel panic when dumping an eBPF filter via the
SO_GET_FILTER sockopt.
* Denial-of-service when allocating from offline NUMA node in Openvswitch driver.
A flaw in the Openvswitch driver when allocating from the cache for an
offline NUMA node causes a VM_BUG_ON() assertion to trigger and a kernel
panic. An attacker could use this flaw to cause a denial-of-service.
* Kernel panic in the Redirecting and Mirroring network scheduler.
A flaw in the network scheduler for redirecting and mirroring packets could
cause a kernel panic when moving a socket buffer from a receive to a transmit
queue. An attacker could use this flaw to cause a denial-of-service.
* Information leak when getting strings from the ethtool device.
Failure to clear an allocated buffer before it is copied to user space on
ETHTOOL_GSTRINGS requests could leak information about the running kernel.
This could help an attacker to elevate privileges.
* Kernel crash when using ahash driver without import/export callback.
Ahash drivers are required to provide import/export callbacks to be
registered with the ahash crypto sub-system; otherwise they could lead to a
kernel crash under certain circumstances. A local, unprivileged user
could use this flaw to cause a denial-of-service.
* Use-after-free in Btrfs filesystem when iterating extended refs.
A flaw in the Btrfs filesystem code when iterating over extended refs leads
to a use-after-free and kernel panic. A local, unprivileged user could
use this flaw to cause a denial-of-service.
* Use-after-free in Rados block device driver on failure to probe.
A flaw in the Rados block device driver leads to a double free if there is an
error when probing the parent device. A local, privileged user could use
this flaw to cause a denial-of-service.
* Stack corruption in Silicon Labs demodulator driver.
A possible stack corruption leading to a kernel crash may
occur when initializing certain TV demodulators.
* CVE-2015-5156: Denial-of-service in Virtio network device.
Incorrect handling of fragmented socket buffers could result in a buffer
overflow when performing receive offload under specific conditions. A
local, unprivileged user could use this flaw to crash the system.
* CVE-2015-7872: Denial-of-service when garbage collecting uninstantiated keyring.
A logic error in the security keyring subsystem leads to a kernel crash
when garbage collecting an uninstantiated keyring. A local, unprivileged
user can use this flaw to cause a denial-of-service.
* Multiple NULL pointer dereferences in Target Core driver.
Multiple missing pointer checks in the Target Core driver could lead to a
NULL pointer dereference and kernel panic. An attacker could use this flaw
to cause a denial-of-service.
* Remote memory corruption in B.A.T.M.A.N. Advanced Meshing protocol.
A lack of synchronization in the B.A.T.M.A.N. Advanced Meshing protocol
when processing multiple incoming originator messages from the same
originator could lead to memory corruption. A remote attacker could use
this flaw to cause a denial-of-service.
* Denial-of-service in netfilter chains handling.
A logic error causes the netfilter nf_tables chains from one network
namespace to be used in all network namespaces. A local, privileged user
jailed in a network namespace could snoop traffic from other network
namespaces or drop all of their traffic.
* Divide by zero in Intel power state driver when scaling the frequency.
A logic error in the Intel power state driver could lead to a divide by
zero when timers are delayed for too long. A local, unprivileged
user could use this flaw to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.