[Ksplice][Ubuntu 10.04 Updates] New updates available via Ksplice (USN-2282-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Fri Jul 18 16:08:44 PDT 2014


Synopsis: USN-2282-1 can now be patched using Ksplice
CVEs: CVE-2014-3153 CVE-2014-3917 CVE-2014-4608 CVE-2014-4943

Systems running Ubuntu 10.04 Lucid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2282-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.04 Lucid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
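
To tell which of the two cases above applies to a host, the check below reads the autoinstall setting. It is an added example, not part of the original advisory and not Oracle's code; it assumes uptrack.conf is INI-style ("key = value", with "#" or ";" starting a comment), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Oracle's code). Assumes uptrack.conf is INI-style:
# "key = value" lines, with "#" or ";" starting a comment.

# autoinstall_enabled FILE
# Exit 0 if the last uncommented autoinstall key is "yes", 1 if it is
# anything else or absent, 2 if FILE cannot be read.
autoinstall_enabled() {
    conf=$1
    [ -r "$conf" ] || return 2
    value=$(sed -n \
        -e 's/[#;].*$//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([A-Za-z]*\)[[:space:]]*$/\1/p' \
        "$conf" | tail -n 1 | tr '[:upper:]' '[:lower:]')
    [ "$value" = "yes" ]
}

# patch_plan FILE
# Print how this host receives the updates: autoinstall, manual, or unknown.
patch_plan() {
    rc=0
    autoinstall_enabled "$1" || rc=$?
    case $rc in
        0) echo "autoinstall" ;;   # nothing to do
        2) echo "unknown" ;;       # config missing or unreadable
        *) echo "manual" ;;        # run /usr/sbin/uptrack-upgrade -y
    esac
}

# Constructed sample configuration: the commented-out "yes" must not count.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Settings]
# autoinstall = yes
autoinstall = no   ; constructed sample value
EOF

echo "sample config: $(patch_plan "$sample")"
echo "live config:   $(patch_plan /etc/uptrack/uptrack.conf)"
rm -f "$sample"
```

A result of "manual" or "unknown" means the host will not pick up these updates until uptrack-upgrade is run on it.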


DESCRIPTION

* CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.

PPP over L2TP sockets incorrectly used UDP's getsockopt and setsockopt
as a fallback handler. Since UDP's implementation expects different
data structures, a local attacker could corrupt kernel memory and gain
root privileges.


* CVE-2014-4608: Memory corruption in kernel lzo decompressor.

Missing bounds checking in the kernel lzo decompressor can allow malformed
data to trigger kernel memory corruption. A local attacker could use
this flaw to gain elevated privileges.


* CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.

A Linux kernel built with system-call auditing support is vulnerable to a
kernel crash or information disclosure caused by an out-of-bounds memory
access. When system call audit rules are present on a system, an
unprivileged user could use this flaw to leak kernel memory or cause a
denial-of-service.


* Improvement for CVE-2014-3153: Local privilege escalation in futex requeueing.

Invalid parameters to the futex() syscall may break assumptions made in
the kernel and leave dangling pointers that could be exploited to gain
root privileges.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

