[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (USN-1939-1)

[Oracle Ksplice]

Synopsis: USN-1939-1 can now be patched using Ksplice
CVEs: CVE-2013-1943 CVE-2013-2206 CVE-2013-4162

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1939-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.04 Lucid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.

A flaw was found in the way the Linux kernel's Stream Control
Transmission Protocol (SCTP) implementation handled duplicate cookies.
If a local user queried SCTP connection information at the same time a
remote attacker has initialized a crafted SCTP connection to the system,
it could trigger a NULL pointer dereference, causing the system to
crash.


* CVE-2013-1943: Local privilege escalation in KVM memory mappings.

A missing sanity check was found in KVM's memory mapping subsystem,
allowing a user-space process to register memory regions pointing
to the kernel address space. A local, unprivileged user could use this flaw
to escalate their privileges.


* CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.

When pushing pending frames in IPv6 udp code, an incorrect function call can
be made. This allows local users to cause a denial of service (BUG and system
crash) via a crafted application that uses the UDP_CORK option in a
setsockopt system call.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.