[Ksplice-Fedora-26-updates] New Ksplice updates for Fedora 26 (FEDORA-2018-4ca01704a2)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Apr 26 03:02:23 PDT 2018


Synopsis: FEDORA-2018-4ca01704a2 can now be patched using Ksplice
CVEs: CVE-2018-10021

Systems running Fedora 26 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2018-4ca01704a2.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 26
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Denial-of-service when shutting down the iSCSI transport interface.

Logic errors when shutting down the iSCSI transport interface without
logging out could cause a deadlock. A local attacker could use this flaw
to cause a denial-of-service.


* Denial-of-service in network device tunnel name setting.

Missing validation of user-supplied tunnel names could result in kernel
stack corruption and a denial of service, or potentially privilege
escalation.


* Denial-of-service in network scheduler initialization.

Multiple NULL pointer dereferences in the network scheduler code could
result in a kernel crash.  A local, privileged user could use this flaw
to crash the system.


* IPv6 IPSEC bypass with source address NAT.

Missing handling of source address Network Address Translation (NAT)
could result in failing to match a transformation policy and bypassing
an IPSEC tunnel.


* Denial-of-service in thermal power allocator.

Missing locking in the thermal power allocator could result in a
use-after-free and kernel crash during thermal zone updates.


* Use-after-free in Microchip LAN7800 USB network adapter.

Failure to clean up asynchronous work during initialization and removal
could cause a use-after-free and kernel crash.  A physically present
user could use this flaw to crash the system.


* Denial-of-service in device frequency scaling governors.

A missing NULL pointer check when setting the device frequency scaling
governor could trigger a kernel crash.  A local, privileged user could
use this flaw to crash the system.


* NULL pointer dereference in GPIO descriptor validation.

Incorrect assignment before checking of a GPIO descriptor could result
in dereferencing an invalid pointer and a kernel crash.


* Denial-of-service in F2FS filesystem ranges.

Missing locking could result in deadlock and a kernel hang when
inserting or collapsing ranges.  A local, unprivileged user could use
this flaw to trigger a denial of service.


* Denial-of-service in Videobuf2 queue allocation.

Missing validation of the user-supplied buffer count could result in an
out-of-bounds memory access and kernel crash.  A local user with access
to the video device could use this flaw to crash the system or,
potentially, escalate privileges.


* Use-after-free in block device queue mapping.

Missing reinitialization of the queue map when updating block multiqueue
queues could result in the dereference of an invalid pointer and kernel
crash.


* Use-after-free in block IO scheduler update.

Missing synchronization could result in a use-after-free when updating
the IO scheduler.  A local, privileged user could use this flaw to crash
the system.


* Use-after-free in Mellanox MLX5 RoCE enable.

A race condition in enabling and disabling RoCE support on an MLX5
adapter could result in a use-after-free and kernel crash.


* NULL pointer dereference in block multiqueue cleanup.

A missing check for a mapped queue could result in a NULL pointer
dereference and kernel crash when removing a block device from the
system.


* Use-after-free in Intel 10GbE PCIE Virtual Function disable.

Missing synchronization when disabling or resetting a Virtual Function
could result in a use-after-free and kernel crash.  A local, privileged
user could use this flaw to crash the system.


* Kernel hang in target core command queuing.

Incorrect handling of insufficient resources could result in deadlock
and a kernel hang under IO pressure.


* Use-after-free in Intel INT340X thermal driver.

Missing resource deallocation on probe failure could leave dangling
sysfs files and an ACPI device behind, which would trigger a kernel
crash on access.


* Denial-of-service in IPv6 header chain fragmentation.

Excessive extension headers in an IPv6 datagram beyond the PMTU size
could result in a kernel crash.  A local, unprivileged user could use
this flaw to crash the system.


* Kernel crash in Microchip LAN78XX USB Ethernet bind failure.

Missing resource cleanup on bind failure could result in a
use-after-free and kernel crash.


* Kernel crash in Distributed Switch Architecture (DSA) with incorrect port.

Incorrect handling of a frame with an unexpected CPU port would result
in a kernel crash when incrementing receive statistics.


* Kernel information leak in network receive.

Incorrect accesses for the frame Ethernet header could result in an
out-of-bounds access and kernel information leak under specific
conditions when receiving a frame.


* Kernel information leak in netlink socket connect().

Missing validation of the socket address when performing connect() on a
netlink socket could result in leaking information from the kernel
stack.  A local user could use this flaw to leak kernel addresses.


* NULL pointer dereference in network BPF cleanup.

Incorrect error handling when validating a BPF program could result in a
NULL pointer dereference and kernel crash.  A local, privileged user
could use this flaw to crash the system.


* Use-after-free in PPTP connect().

Invalid reference counting could result in a use-after-free and kernel
crash in the PPTP connect() function.


* NULL pointer dereference in Realtek R8169 device probing.

A race condition between device registration and initialization could
result in a NULL pointer dereference and kernel crash.


* Information leak in SCTP recvmmsg().

Missing initialization of the address field could result in leaking up
to 8 bytes of kernel memory to user-space.  A local, unprivileged user
could use this flaw to leak privileged memory contents.


* Uninitialized memory use in SCTP socket bind.

Missing validation could result in using uninitialized memory when
binding an SCTP socket, resulting in incorrect address decoding.


* Denial-of-service in vhost virtio net accelerator polling.

Missing error handling in the vhost polling could result in a
use-after-free and kernel crash.


* Use-after-free in Virtual Routing and Forwarding (VRF) driver.

Missing error handling on VRF output could result in a use-after-free or
double-free and kernel crash.


* Denial-of-service in bonding enslave.

Incorrect error handling when enslaving a bonding device could result in
a deadlock and kernel hang.  A local, privileged user could use this
flaw to hang the system.


* Use-after-free in network scheduler key deletion.

Failure to remove a key from internal kernel data structures could
result in a use-after-free or memory leak.


* Kernel crash in Mellanox MLX5e device with IPv6 stub.

Incorrect handling of the IPv6 stub when IPv6 is disabled could result
in dereferencing an invalid pointer and, subsequently, a kernel crash.


* Use-after-free in Mellanox MLX5 eswitch flow failure.

Missing error handling when configuring flows could result in a memory
leak or double-free followed by a kernel crash.


* Denial-of-service in network stream parser.

Incorrect error reporting in the network stream parser could result in
infinite loops or invalid data reporting.


* Kernel crash in vhost log bitmap.

Missing validation of a user-supplied bitmap could result in triggering
a kernel assertion and crash.  A local, privileged user could use this
flaw to crash the system.


* Denial-of-service in teaming port addition.

Incorrect error handling when adding a port to a teamed network device
could result in a deadlock and kernel hang.  A local, privileged user
could use this flaw to hang the system.


* CVE-2018-10021: Denial-of-service in SAS device abort and failover.

Incorrect error handling when aborting or failing over a SAS device
could result in resource starvation and IO hangs.  A physically present
malicious user could use this flaw to cause a denial of service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
