[Ksplice][Ubuntu-10.10-Updates] New updates available via Ksplice (2.6.35-24.42)
nelhage at ksplice.com
Tue Dec 21 08:34:31 PST 2010
Synopsis: 2.6.35-24.42 can now be patched using Ksplice
CVEs: CVE-2010-3442 CVE-2010-3861 CVE-2010-4072
Systems running Ubuntu 10.10 Maverick can now use Ksplice to patch
against the latest Ubuntu Security Notice, 2.6.35-24.42.
INSTALLING THE UPDATES
We recommend that all Ksplice Uptrack Ubuntu 10.10 Maverick users
install these updates. You can install these updates by running:
# uptrack-upgrade -y
* CVE-2010-3442: Heap corruption vulnerability in ALSA core.
The snd_ctl_new() function allocates space for a snd_kcontrol struct
by performing arithmetic operations on a user-provided size without
checking for integer overflow. This allows an unprivileged user to
write an arbitrary value repeatedly past the bounds of this chunk,
resulting in heap corruption.
* Mitigate denial of service attacks with large argument lists.
This update corrects a series of issues where an attacker could crash
a system or make it unresponsive through attacks involving processes
with very large argument lists.
* CVE-2010-3861: Kernel buffer overflow in ETHTOOL_GRXCLSRLALL ioctl.
An integer overflow error in the ETHTOOL_GRXCLSRLALL ioctl could result in a
denial of service or potential privilege escalation by a local user.
* CVE-2010-4072: Information leak in System V IPC
System V IPC leaks uninitialized kernel stack memory to user programs
in unused fields of the shmid_ds structure.
Ksplice support is available at support at ksplice.com or +1 765-577-5423.
More information about the Ubuntu-10.10-Updates