[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (USN-1253-1)

Tim Abbott tim.abbott at oracle.com
Thu Nov 10 16:51:48 PST 2011


Synopsis: USN-1253-1 can now be patched using Ksplice
CVEs: CVE-2011-1576 CVE-2011-1768 CVE-2011-1833 CVE-2011-2494 
CVE-2011-2495 CVE-2011-2497 CVE-2011-2695 CVE-2011-2699 CVE-2011-2928 
CVE-2011-3188 CVE-2011-3191 CVE-2011-3353

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1253-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.04 Lucid
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.
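As an added example, not part of the announcement or of the Ksplice tooling: a POSIX shell script that reads an uptrack.conf on stdin to report whether autoinstall is on, and compares the CVE list above against installed-update text (for instance the output of uptrack-show, whose exact format is not assumed here). The sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the Ksplice announcement): two checks an admin can
# run after reading this notice. autoinstall_enabled reads an uptrack.conf
# on stdin; missing_cves reads installed-update text (e.g. uptrack-show
# output) on stdin and reports which USN-1253-1 CVEs it does not mention.

# CVE list exactly as published in the announcement.
USN_1253_1_CVES="CVE-2011-1576 CVE-2011-1768 CVE-2011-1833 CVE-2011-2494
CVE-2011-2495 CVE-2011-2497 CVE-2011-2695 CVE-2011-2699 CVE-2011-2928
CVE-2011-3188 CVE-2011-3191 CVE-2011-3353"

# Print "yes" if the config on stdin has autoinstall = yes, else "no".
# Tolerates spaces around '=', mixed case, CRLF and '#' comment lines.
autoinstall_enabled() {
    awk -F= '
        /^[ \t]*#/ { next }                       # skip comment lines
        { key = $1; gsub(/[ \t]/, "", key) }
        tolower(key) == "autoinstall" {
            val = $2; sub(/#.*/, "", val); gsub(/[ \t\r]/, "", val)
            if (tolower(val) == "yes") print "yes"; else print "no"
            found = 1; exit                       # first match wins; END still runs
        }
        END { if (!found) print "no" }            # key absent: default off
    '
}

# Print, one per line, each advisory CVE absent from the text on stdin.
missing_cves() {
    installed=$(cat)
    for cve in $USN_1253_1_CVES; do
        case "$installed" in
            *"$cve"*) ;;
            *) echo "$cve" ;;
        esac
    done
}

# Constructed sample inputs for a stand-alone run (not real uptrack output).
SAMPLE_CONF='# constructed uptrack.conf
autoinstall = yes'
SAMPLE_SHOW='[constructed] CVE-2011-3188: Weak TCP sequence number generation.
[constructed] CVE-2011-2699: Predictable IPv6 fragment identification numbers.'

echo "autoinstall enabled: $(printf '%s\n' "$SAMPLE_CONF" | autoinstall_enabled)"
echo "advisory CVEs not yet listed as installed:"
printf '%s\n' "$SAMPLE_SHOW" | missing_cves
```

Run it against the real files with `autoinstall_enabled < /etc/uptrack/uptrack.conf` and `uptrack-show | missing_cves`; an empty list from the second call means every CVE in this notice is mentioned in the installed updates.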


DESCRIPTION

* CVE-2011-1833: Information disclosure in eCryptfs.

Vasiliy Kulikov of Openwall and Dan Rosenberg discovered that eCryptfs
incorrectly validated permissions on the requested source directory. A
local attacker could use this flaw to mount an arbitrary directory,
possibly leading to information disclosure.


* CVE-2011-3188: Weak TCP sequence number generation.

Dan Kaminsky reported a weakness of the sequence number generation in
the TCP protocol implementation. This can be used by remote attackers
to inject packets into an active session.


* CVE-2011-2699: Predictable IPv6 fragment identification numbers.

The generator for IPv6 fragment identification numbers used a single
generator, so the identifiers were highly predictable, leaving the
system vulnerable to a denial of service attack.


* CVE-2011-1768: Incorrect initialization order in IP tunnel protocols.

Multiple IP tunnel protocols initialized data structures out of order,
resulting in a possible denial of service (kernel oops) if a packet
arrives during certain intervals while the module is being
loaded.


* CVE-2011-2928: Denial of service with too-long symlinks in BeFS.

The befs_follow_link function in the Linux kernel's implementation of
the Be filesystem did not validate the length attribute of long
symlinks, which allowed local users to cause a denial of service
(incorrect pointer dereference and OOPS) by accessing a long symlink
on a malformed Be filesystem.


* CVE-2011-3353: Buffer overrun in fuse_notify_inval_entry.

The fuse_notify_inval_entry function failed to validate the length of a
requested write, potentially resulting in a denial of service (kernel BUG).


* CVE-2011-3191: Memory corruption in CIFSFindNext.

Darren Lavender reported an issue in the Common Internet File System
(CIFS). A malicious file server could cause memory corruption leading
to a denial of service.


* CVE-2011-2497: Buffer overflow in the Bluetooth subsystem.

A small user-provided value for the command size field in the command
header of an l2cap configuration request can cause a buffer overflow.


* CVE-2011-1576: Denial of service with VLAN packets and GRO.

A flaw allowed napi_reuse_skb() to be called on VLAN (virtual LAN)
packets. An attacker on the local network could trigger this flaw by
sending specially-crafted packets to a target system, possibly causing
a denial of service.


* CVE-2011-2695: Off-by-one errors in the ext4 filesystem.

Multiple off-by-one errors in the ext4 subsystem in the Linux kernel
before 3.0-rc5 allow local users to cause a denial of service (BUG_ON
and system crash) by accessing a sparse file in extent format with a
write operation involving a block number corresponding to the largest
possible 32-bit unsigned integer.


* CVE-2011-2494: Information leak in taskstats.

Taskstats information could be used to gather private information, such
as precise password lengths from openssh. This update restricts
taskstats information to the root user, which has the side effect
of making the "iotop" program require root.


* Improved fix to CVE-2011-2495: Information leak in /proc/PID/io.

Ubuntu's original patch for CVE-2011-2495, which added missing access
checks in /proc/PID/io, contained a race condition.  This race
condition could be used to obtain io statistics for a privileged
process, which could in turn be used to gather sensitive information
(e.g. ssh/ftp password length).

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.



