[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (2.6.32-50.112)

Jamie Iles jamie.iles at oracle.com
Mon Jul 29 09:26:21 PDT 2013


Synopsis: 2.6.32-50.112 can now be patched using Ksplice
CVEs: CVE-2013-2164 CVE-2013-2232 CVE-2013-2234 CVE-2013-2237 CVE-2013-2851

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch
against the latest Ubuntu kernel update, 2.6.32-50.112.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.04 Lucid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2013-2851: Format string vulnerability in software RAID device names.

A format string vulnerability in partition registration allows local
users to execute kernel mode code by writing format string specifiers to
/sys/module/md_mod/parameters/new_array in order to create an invalid
/dev/md device name.
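
The bug class behind this CVE, shown as an added illustration that is not part of the original advisory and is not kernel code: a name used as a printf-style format is interpreted, while the same name passed as data under a constant "%s" format is copied verbatim. All function names here are hypothetical and the sample name is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32

/* Hypothetical stand-in for a naming helper that takes a printf-style
 * format, as many naming APIs do. Returns 0 on success, -1 on truncation. */
static int set_name(char *dst, size_t n, const char *fmt, ...)
{
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(dst, n, fmt, ap);
    va_end(ap);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Bug pattern: the caller-supplied name is the format string itself, so any
 * '%' sequence in it is interpreted instead of copied. */
static int register_name_unsafe(char *dst, size_t n, const char *name)
{
    return set_name(dst, n, name);
}

/* Fix pattern: constant format, name passed only as data. */
static int register_name_safe(char *dst, size_t n, const char *name)
{
    return set_name(dst, n, "%s", name);
}

/* Defence in depth (an assumption of this example): refuse names containing
 * '%' before they reach any formatting code. Returns 1 if acceptable. */
static int name_is_valid(const char *name)
{
    size_t len = strlen(name);
    return len > 0 && len < NAME_MAX_LEN && strchr(name, '%') == NULL;
}

int main(void)
{
    char a[NAME_MAX_LEN], b[NAME_MAX_LEN];
    const char *name = "md%%0"; /* constructed; "%%" consumes no arguments */
    register_name_unsafe(a, sizeof a, name);
    register_name_safe(b, sizeof b, name);
    printf("unsafe: %s\nsafe:   %s\nvalid:  %d\n", a, b, name_is_valid(name));
    return 0;
}
```

The two outputs differ because only the unsafe path collapses "%%" to "%", which is the visible sign that the name was parsed as a format.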


* CVE-2013-2164: Kernel information leak in the CDROM driver.

Incorrect allocation in the generic CDROM driver could result in leaking
heap memory to userspace.


* CVE-2013-2232: Memory corruption in IPv6 routing cache.

Connecting an IPv6 socket to an IPv4 destination can cause IPv4 routing
information to be placed in the IPv6 routing cache, causing memory
corruption and a kernel panic.


* CVE-2013-2234: Information leak in IPsec key management.

An error in the AF_KEY implementation allows privileged users to leak contents of
the kernel stack to userspace.


* CVE-2013-2237: Information leak on IPsec key socket.

Incorrect initialization on policy flushing could leak kernel stack
bytes to userspace.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.



