[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (Ubuntu-2.6.32-31.61)

Keegan McAllister keegan at ksplice.com
Thu Apr 21 11:47:24 PDT 2011


Synopsis: Ubuntu-2.6.32-31.61 can now be patched using Ksplice
CVEs: CVE-2010-2943 CVE-2010-4165 CVE-2010-4656 CVE-2011-0521
CVE-2011-0712 CVE-2011-1010 CVE-2011-1082

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch against
the latest Ubuntu kernel update, Ubuntu-2.6.32-31.61.


INSTALLING THE UPDATES

We recommend that all Ksplice Uptrack Ubuntu 10.04 Lucid users install
these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* Improved fix for CVE-2010-2943.

Ubuntu provided an improved patch for CVE-2010-2943,
fixing an xfsdump failure.


* CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.

Dan Carpenter reported an issue in the DVB driver for AV7110
cards. Local users can pass a negative info->num value, corrupting
kernel memory and causing a denial of service.


* CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.

A missing validation check was found in the Linux kernel's
mac_partition() implementation, used for supporting file systems created
on Mac OS operating systems. A local attacker could use this flaw to cause
a denial of service by mounting a disk that contains specially-crafted
partitions.


* CVE-2011-1082: Denial of service in epoll.

The epoll subsystem did not prevent an unprivileged local user from
creating a cycle of epoll file descriptors, which would lead to a
denial of service.


* Denial of service parsing corrupted LDM partition tables.

Insufficient checks in parsing a corrupted LDM partition table could result in a
kernel denial of service (crash) or potentially other consequences.


* Remote denial of service in DCCP.

A logic error in DCCP could result in a denial of service (NULL pointer
dereference) if a remote peer sends a Reset packet after closing a socket.


* Incorrect reference counting of task credentials.

Under some circumstances, a credentials struct's refcount could be incremented
while the struct is being freed, leading to a kernel panic or other kernel
misbehavior.


* Incorrect error handling in credential allocation.

Several pieces of the kernel credential management subsystem did not properly
handle memory allocation failures, resulting in various potential
denial-of-service conditions.


* CVE-2011-0712: Buffer overflows in caiaq driver.

An attacker with physical access could gain elevated privileges via
pathways relating to buffer overflows in the caiaq audio driver.


* CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.

Kees Cook reported an issue in the driver for I/O-Warrior USB devices.
Local users with access to these devices may be able to overrun kernel
buffers, resulting in a denial of service or privilege escalation.


* Improved fix for CVE-2010-4165.

Ubuntu provided an improved fix for CVE-2010-4165 that uses a more correct
lower bound on requests to set the TCP maximum segment size.


* Kernel panic on loading malformed AppArmor profile.

Loading a malformed AppArmor profile could cause the kernel to attempt to free
an invalid pointer, resulting in a kernel panic.


* Memory corruption in nfsd statistics update.

When the in-kernel NFS server fails to find an exported file in the readahead
cache, it can write past the end of the nfsd statistics array, corrupting the
following region in memory.


* Invalid memory access in OCFS2 connection tracking.

Under some circumstances, the function ocfs2_connection_find() can return an
invalid pointer rather than correctly reporting a NULL result.  When this
pointer is used by other code, a kernel oops or other misbehavior can result.


* Missing writeback in OCFS2 refcount tree.

In some situations the OCFS2 filesystem refcount tree code would fail to write
new pages to disk.
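
The CVE-2011-1082 entry above says the epoll subsystem did not prevent a cycle of epoll file descriptors. As an added illustration (not code from Ksplice, Ubuntu or the kernel), this user-space C model shows a reachability check that rejects such a cycle at the moment one instance is added to another; struct ep_graph, MAX_EP and model_ep_add() are hypothetical names.

```c
/* Added illustration: user-space model of a cycle check, not kernel code. */
#include <stdio.h>
#include <string.h>

#define MAX_EP 8   /* constructed limit for the model */

struct ep_graph {
    /* watches[a][b] != 0: modeled epoll instance a monitors instance b */
    unsigned char watches[MAX_EP][MAX_EP];
};

/* Depth-first search: can `target` be reached from `from` via watch edges? */
static int reaches(const struct ep_graph *g, int from, int target,
                   unsigned char *seen)
{
    if (from == target)
        return 1;
    if (seen[from])
        return 0;
    seen[from] = 1;
    for (int next = 0; next < MAX_EP; next++)
        if (g->watches[from][next] && reaches(g, next, target, seen))
            return 1;
    return 0;
}

/* Model of adding `child` to `parent`'s interest set.
 * Returns 0 on success, -1 if ids are invalid or the edge would close a cycle. */
int model_ep_add(struct ep_graph *g, int parent, int child)
{
    unsigned char seen[MAX_EP] = {0};

    if (parent < 0 || parent >= MAX_EP || child < 0 || child >= MAX_EP)
        return -1;
    /* Cycle iff parent is already reachable from child (covers parent == child). */
    if (reaches(g, child, parent, seen))
        return -1;
    g->watches[parent][child] = 1;
    return 0;
}

int main(void)
{
    struct ep_graph g;
    memset(&g, 0, sizeof g);
    printf("0 watches 1: %d\n", model_ep_add(&g, 0, 1));
    printf("1 watches 2: %d\n", model_ep_add(&g, 1, 2));
    printf("2 watches 0: %d\n", model_ep_add(&g, 2, 0)); /* rejected */
    return 0;
}
```

Nesting that does not loop back, such as instance 0 also watching instance 2, is still accepted by the model; only an edge that makes an instance reachable from itself is refused.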


SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.


