[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (USN-1344-1)

Christine Spang christine.spang at oracle.com
Tue Jan 24 13:00:56 PST 2012


Synopsis: USN-1344-1 can now be patched using Ksplice
CVEs: CVE-2011-2203 CVE-2011-4110

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1344-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.04 Lucid
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2011-4110: Null pointer dereference in key subsystem.

A NULL pointer dereference flaw was found in the way the Linux
kernel's key management facility handled user-defined key types. A
local, unprivileged user could use the keyctl utility to cause a
denial of service. (CVE-2011-4110, Moderate)


* Information leak in ecryptfs_decode_from_filename().

An attacker could read a small amount of kernel memory beyond the end of
the filename_rev_map[] array by creating a file with a filename
containing characters with ASCII values greater than the size of the
array.


* Potential NULL pointer dereference in scsi_kill_request().

The scsi_kill_request function attempts to dereference the cmd member of
the request argument before checking whether it is NULL; that check
would BUG() if cmd were NULL.


* CVE-2011-2203: Null pointer dereference mounting HFS filesystems.

A NULL pointer dereference flaw was found in the Linux kernel's HFS
file system implementation. A local attacker could use this flaw to
cause a denial of service by mounting a disk that contains a
specially-crafted HFS file system with a corrupted MDB extent
record. (CVE-2011-2203, Low)
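
The out-of-range table index described in the ecryptfs_decode_from_filename()
item above, shown as a simplified illustration added here (not the kernel's
code and not part of the original advisory). The table size, alphabet and
function names are constructed assumptions; the point is the range check on
each filename byte before it is used as an array index.

```c
#include <stddef.h>
#include <string.h>

#define REV_MAP_SIZE 0x7B   /* constructed: covers bytes 0x00..0x7A ('z') */
#define NOT_MAPPED   0xFF   /* marks bytes that are not in the alphabet */

static const char alphabet[] =
    "-.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static unsigned char rev_map[REV_MAP_SIZE];
static int rev_map_ready;

static void rev_map_init(void)
{
    memset(rev_map, NOT_MAPPED, sizeof(rev_map));
    for (size_t i = 0; alphabet[i] != '\0'; i++)
        rev_map[(unsigned char)alphabet[i]] = (unsigned char)i;
    rev_map_ready = 1;
}

/* "Before" form: the input byte is used as an index with no range check,
 * so any byte >= REV_MAP_SIZE reads memory past the end of rev_map[]. */
unsigned char lookup_unchecked(unsigned char c)
{
    return rev_map[c];
}

/* Hardened form: reject bytes outside the table or outside the alphabet. */
int lookup_checked(unsigned char c)
{
    if (!rev_map_ready)
        rev_map_init();
    if (c >= REV_MAP_SIZE || rev_map[c] == NOT_MAPPED)
        return -1;
    return rev_map[c];
}

/* Decode a whole name into 6-bit values; returns count, or -1 on a bad byte. */
int decode_name(const char *name, unsigned char *out, size_t out_len)
{
    size_t n = 0;
    for (; name[n] != '\0'; n++) {
        int v = lookup_checked((unsigned char)name[n]);
        if (v < 0 || n >= out_len)
            return -1;
        out[n] = (unsigned char)v;
    }
    return (int)n;
}
```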

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.



