[Ksplice][Ubuntu-10.10-Updates] New updates available via Ksplice (USN-1201-1)

Tim Abbott tim.abbott at oracle.com
Tue Sep 13 21:21:13 PDT 2011


Synopsis: USN-1201-1 can now be patched using Ksplice
CVEs: CVE-2011-1020 CVE-2011-1493 CVE-2011-1770 CVE-2011-2484 CVE-2011-2492

Systems running Ubuntu 10.10 Maverick can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1201-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 10.10
Maverick install these updates.  You can install these updates by
running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2011-2484: Denial of service in taskstats kernel reporting utility.

The add_del_listener function in kernel/taskstats.c did not prevent
multiple registrations of exit handlers, allowing a local denial of
service attack via a crafted application.


* CVE-2011-1770: Remote denial of service in DCCP options parsing.

Dan Rosenberg reported an issue in the Datagram Congestion Control
Protocol (DCCP).  Remote users can cause a denial of service or
potentially obtain access to sensitive kernel memory.


* CVE-2011-1020: Missing access restrictions in /proc subsystem.

The proc filesystem implementation did not restrict access to the
/proc directory tree of a process after this process performs an exec
of a setuid program, which allowed local users to obtain sensitive
information or potentially cause other integrity issues.


* CVE-2011-2492: Information leak in bluetooth implementation.

Structure padding in two structures in the Bluetooth implementation was
not initialized properly before being copied to user-space, possibly
allowing local, unprivileged users to leak kernel stack memory to
user-space. (CVE-2011-2492, Low)
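
The padding leak described for CVE-2011-2492, as an added illustration (not code from the kernel, the Ksplice update, or this advisory), with the unsafe pattern beside a hardened form that zeroes the whole object first. The struct, its field names and the 0xAA marker that simulates stale stack contents are hypothetical, and memcpy stands in for the copy to user-space.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical reply layout, not a kernel structure. On common ABIs the
 * compiler adds 3 padding bytes after `mode` to align `handle` to 4 bytes. */
struct demo_reply {
    uint8_t  mode;
    uint32_t handle;
};
#define PAD_OFF (offsetof(struct demo_reply, mode) + sizeof(uint8_t))
#define PAD_LEN (offsetof(struct demo_reply, handle) - PAD_OFF)

/* Unsafe pattern: named fields are set, padding is never written.
 * memcpy stands in for copy_to_user() and copies padding too. */
void build_reply_unsafe(unsigned char *out)
{
    struct demo_reply r;
    memset(&r, 0xAA, sizeof(r));  /* constructed marker: simulates stale stack data */
    r.mode = 1;
    r.handle = 0x1234;
    memcpy(out, &r, sizeof(r));
}

/* Hardened form: zero the whole object before filling in the fields. */
void build_reply_safe(unsigned char *out)
{
    struct demo_reply r;
    memset(&r, 0, sizeof(r));
    r.mode = 1;
    r.handle = 0x1234;
    memcpy(out, &r, sizeof(r));
}

/* Number of padding bytes in a copied-out reply that are not zero. */
size_t nonzero_padding(const unsigned char *buf)
{
    size_t n = 0;
    for (size_t i = 0; i < PAD_LEN; i++) n += (buf[PAD_OFF + i] != 0);
    return n;
}

int main(void)
{
    unsigned char a[sizeof(struct demo_reply)], b[sizeof a];
    build_reply_unsafe(a);
    build_reply_safe(b);
    printf("stale padding bytes: unsafe=%zu safe=%zu\n", nonzero_padding(a), nonzero_padding(b));
    return 0;
}
```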


* Additional fix for CVE-2011-1493.

The ROSE protocol did not ensure that socket data being parsed was not
read from beyond the boundaries of the incoming socket buffer, which
could result in information disclosure or, in a very unlikely case, a
local denial of service.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.



