[Ksplice-Fedora-30-updates] New Ksplice updates for Fedora 30 (FEDORA-2019-057d691fd4)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Nov 13 11:56:41 PST 2019


Synopsis: FEDORA-2019-057d691fd4 can now be patched using Ksplice
CVEs: CVE-2019-16746

Systems running Fedora 30 can now use Ksplice to patch against the
latest Fedora kernel update, FEDORA-2019-057d691fd4.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Fedora 30
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Use-after-free during ATUSB device disconnect.

The ATUSB driver attempts to access a previously freed structure in its
device disconnect path.  The flaw could potentially be exploited using
a specially crafted USB device to cause a system to exhibit unexpected
behavior, including a potential denial-of-service.


* CVE-2019-16746: Potential buffer overflow when processing IEEE80211 beacon head.

A failure to validate the beacon frame header along with other beacon
frame attributes can lead to malformed data eventually being processed.
This can potentially be exploited by a remote attacker to cause a buffer
overflow, which can be leveraged to perform other types of attacks.


* NULL dereference in NFSv4 attribute encoding path.

In certain cases the encode_attrs function can attempt to dereference
a NULL pointer, even after checking that the pointer is not NULL.  This
flaw could potentially be exploited by a local or remote attacker to
cause a denial-of-service.


* Memory leak in Character Device in Userspace init path.

If certain operations fail when attempting to initialize a CUSE device,
small amounts of memory will be leaked.  This flaw could be exploited
by a local attacker to waste system resources and degrade performance.
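
To illustrate the kind of validation whose absence the CVE-2019-16746
entry above describes, here is an added example (not code from this
advisory, from Ksplice, or from the kernel) of a bounds check over a
beacon head buffer.  The function names and sample frames are constructed
for illustration, and the code assumes the standard IEEE 802.11 beacon
layout noted in its comments.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed beacon "head" layout (IEEE 802.11): a 24-byte management
 * header, 12 bytes of fixed fields (timestamp 8, beacon interval 2,
 * capability 2), then information elements: id(1) len(1) data(len). */
#define MGMT_HDR_LEN     24
#define BEACON_FIXED_LEN 12

/* Returns 1 only if the fixed part is present and every element lies
 * fully inside the buffer, with no trailing partial element. */
int beacon_head_is_valid(const uint8_t *head, size_t len)
{
    size_t off = MGMT_HDR_LEN + BEACON_FIXED_LEN;

    if (head == NULL || len < off)
        return 0;                     /* too short for the fixed fields */
    while (off < len) {
        if (len - off < 2)
            return 0;                 /* element header truncated */
        size_t elen = head[off + 1];
        if (elen > len - off - 2)
            return 0;                 /* element data runs past the end */
        off += 2 + elen;
    }
    return 1;                         /* buffer consumed exactly */
}

/* Constructed sample: zeroed fixed part plus one SSID element (id 0)
 * whose declared length may differ from the bytes actually present.
 * buf must hold at least 38 + present bytes. */
size_t build_sample(uint8_t *buf, uint8_t declared, size_t present)
{
    size_t off = MGMT_HDR_LEN + BEACON_FIXED_LEN;

    memset(buf, 0, off);
    buf[off++] = 0;                   /* element id: SSID */
    buf[off++] = declared;            /* declared data length */
    memset(buf + off, 'A', present);
    return off + present;
}

int main(void)
{
    uint8_t buf[64];
    printf("well-formed: %d\n", beacon_head_is_valid(buf, build_sample(buf, 4, 4)));
    printf("overlong element: %d\n", beacon_head_is_valid(buf, build_sample(buf, 32, 4)));
    printf("short fixed part: %d\n", beacon_head_is_valid(buf, 30));
    return 0;
}
```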

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




