[Ksplice-Fedora-28-updates] New Ksplice updates for Fedora 28 (FEDORA-2019-337484d88b)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed Feb 6 20:54:19 PST 2019
Synopsis: FEDORA-2019-337484d88b can now be patched using Ksplice
CVEs: CVE-2019-3701
Systems running Fedora 28 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2019-337484d88b.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Fedora 28
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
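The following is an added example, not part of Oracle's announcement: a shell check that reads the "autoinstall" setting from /etc/uptrack/uptrack.conf and reports whether the manual uptrack-upgrade step above is still needed. The function names, the parsing rules (commented lines ignored, last assignment wins) and the treatment of a missing key as "no" are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: decide whether Ksplice Uptrack will install updates on its own.
# Path and the "autoinstall = yes" setting come from the announcement; function
# names and parsing rules are assumptions made for this illustration.

CONF_DEFAULT=/etc/uptrack/uptrack.conf

# Print the effective autoinstall value from a config file.
# Commented-out lines are skipped, the last assignment wins, and a missing
# key is reported as "no" (assumed default). Unreadable file -> "unreadable".
uptrack_autoinstall_value() {
    conf=${1:-$CONF_DEFAULT}
    [ -r "$conf" ] || { echo "unreadable"; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (tolower(key) == "autoinstall") {
                val = $2; gsub(/[ \t\r]/, "", val)
                found = tolower(val)
            }
        }
        END { print (found == "" ? "no" : found) }
    ' "$conf"
}

# Return 0 when the host will NOT auto-install and needs a manual upgrade run.
uptrack_needs_manual_upgrade() {
    [ "$(uptrack_autoinstall_value "$1")" != "yes" ]
}

# Print a one-line status for fleet audits; never runs the upgrade itself.
uptrack_report() {
    if uptrack_needs_manual_upgrade "$1"; then
        echo "autoinstall off: run /usr/sbin/uptrack-upgrade -y as root"
    else
        echo "autoinstall on: updates are installed automatically"
    fi
}

# Only report when asked explicitly, so sourcing the file has no side effects.
if [ "${1:-}" = "--check" ]; then
    uptrack_report "${2:-$CONF_DEFAULT}"
fi
```
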
DESCRIPTION
* Use-after-free in AX.25 radio device driver.
Logic errors in the AX.25 amateur radio device driver can result in
use-after-free in several error paths, potentially resulting in a
denial-of-service.
* NULL-pointer dereference when removing vxlan interface with GRO enabled.
When receiving data with Generic Receive Offload enabled on a vxlan
tunnel interface, a race condition can result in a NULL-pointer
dereference and denial-of-service.
* NULL-pointer dereference when transmitting IEEE 802.15.4 packets.
When transmitting packets over an IEEE 802.15.4 device, a missing daddr
field might result in a NULL-pointer dereference and denial-of-service.
* Improved fix for Spectre v1: Bounds-check bypass in multicast ioctls.
The ioctl handlers for the ip6mr and ipmr multicast routing systems are
potentially vulnerable to Spectre variant 1 speculative execution
attacks.
* Race conditions in IPv6 tunnel code cause memory corruption.
Several rare race conditions in the IPv6 tunnel code could lead to
use-after-free of memory, potentially resulting in memory corruption or
a denial-of-service.
* Information leak in CAPI ISDN ioctl.
When reading device information via sysctl for a CAPI ISDN device, the
device manufacturer field might contain unsanitized kernel data,
potentially leaking information to a malicious user.
* Race condition in 6pack radio device driver causes denial-of-service.
Incorrect usage of the kernel timer APIs in the 6pack radio device
driver could result in a kernel assertion failure and denial-of-service.
* Potential deadlock or DoS in TLS context allocation.
When allocating a Transport Layer Security context, memory allocation is
performed with incorrect CPU context flags, potentially resulting in a
system deadlock or kernel BUG.
* Missing validation of packet socket fields causes denial-of-service.
Missing validation of raw PF_PACKET socket parameters could allow
invalid socket structures to be created, resulting in memory corruption
or a denial-of-service.
* Information leak via IPv6 getsockopt syscall.
When requesting information about an IPv6 socket via the getsockopt
syscall, the sin6_flowinfo field is not properly cleared, potentially
exposing sensitive kernel information to a malicious user.
* Logic errors in TIPC protocol implementation cause memory corruption.
Missing synchronization and incorrect error handling in the Transport
Inter Process Communication protocol can result in memory corruption,
potentially causing a denial-of-service.
* NULL-pointer dereference in IPv6 routing in degenerate cases.
In cases where the IPv6 neighbor table is full or near-to-full,
attempting to compute routes could, in rare cases, dereference a NULL
pointer, resulting in a denial-of-service.
* NULL-pointer dereference when writing to HFI device in PIO mode.
When writing to a file across an HFI virtual network interface in PIO
mode, invalid socket configuration could result in a NULL-pointer
dereference and denial-of-service.
* Improved fix for Spectre v1: Bounds-check bypass in ALSA sound drivers.
Several ALSA sound device drivers contain array accesses whose values
are controlled by userspace input, and might therefore be vulnerable to
a Spectre variant 1 speculative bounds-check bypass attack.
* Use-after-free when truncating on F2FS object.
When truncating a node on a Flash-Friendly File System, a race condition
can result in the use-after-free of a page structure, resulting in
potential memory corruption or a denial-of-service.
* Information leak in F2FS via extended attribute entry_size.
When reading extended attributes on a Flash-Friendly File System, a
specially crafted attribute request could potentially expose kernel
memory to userspace.
* NULL-pointer dereference when connecting CEC-capable capture device.
When connecting a remote controller that supports the Consumer
Electronics Control protocol, incorrect logic could cause a NULL-pointer
dereference and denial-of-service.
* CVE-2019-3701: Denial-of-service in CAN controller.
Missing sanity checking in the Controller Area Network driver can allow
a malicious user to write arbitrary bits into the CAN device's I/O
memory, resulting in a system crash and denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.