[Ksplice][Ubuntu-11.04-Updates] New updates available via Ksplice (2.6.38-13.52)

Jessica McKellar jessica.mckellar at oracle.com
Mon Nov 28 13:10:43 PST 2011


Synopsis: 2.6.38-13.52 can now be patched using Ksplice
CVEs: CVE-2011-2183 CVE-2011-2491 CVE-2011-2494 CVE-2011-2495 
CVE-2011-2517 CVE-2011-2909

Systems running Ubuntu 11.04 Natty can now use Ksplice to patch
against the latest Ubuntu kernel, 2.6.38-13.52.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.04 Natty
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2011-2494: Information leak in taskstats.

Taskstats information could be used to gather private information, such
as precise password lengths from openssh. This update restricts
taskstats information to the root user, which has the side effect
of making the "iotop" program require root.


* CVE-2011-2495: Information leak in /proc/PID/io.

/proc/PID/io could be used for gathering private information and did
not have access restrictions.


* CVE-2011-2909: Information leak in comedi driver.

The do_devinfo_ioctl function in the comedi driver incorrectly copied
uninitialized memory beyond the end of a string to user space.


* CVE-2011-2517: Buffer overflow in 802.11 netlink interface.

The nl80211_trigger_scan function failed to check for a valid SSID
length, leading to denial of service via buffer overflow.


* CVE-2011-2183: NULL pointer dereference in ksmd.

Andrea Righi reported a case where an exiting task can race against
ksmd::scan_get_next_rmap_item and trigger a NULL pointer dereference
in ksmd.


* CVE-2011-2491: Local denial of service in NLM subsystem.

A flaw in the client-side NLM implementation could allow a local,
unprivileged user to cause a denial of service.
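
The general pattern behind a leak like the one described for CVE-2011-2909 above, shown as an added user-space sketch (not code from the kernel, the comedi driver, or Ksplice). The field size, function names and sample bytes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 20 /* assumed size of the fixed name field in the reply */

/* Constructed sample: a short driver name followed in memory by unrelated
 * data, all inside one array so the over-read below is well defined. */
static const char REGION[NAME_LEN] = "dummy\0" "key=1234";

/* Flawed pattern: copies the whole field width from a pointer to a shorter
 * string, so bytes after the terminator go along with it. */
static void copy_name_flawed(char out[NAME_LEN], const char *name)
{
    memcpy(out, name, NAME_LEN);
}

/* Hardened pattern: zero the destination, then copy at most NAME_LEN - 1
 * bytes and stop at the terminator. */
static void copy_name_fixed(char out[NAME_LEN], const char *name)
{
    size_t i;
    memset(out, 0, NAME_LEN);
    for (i = 0; i < NAME_LEN - 1 && name[i] != '\0'; i++)
        out[i] = name[i];
}

/* Count non-zero bytes after the first NUL: data a reader of the full
 * fixed-size field would see beyond the intended string. */
static size_t bytes_past_nul(const char out[NAME_LEN])
{
    size_t i = 0, n = 0;
    while (i < NAME_LEN && out[i] != '\0')
        i++;
    for (i++; i < NAME_LEN; i++)
        n += (out[i] != '\0');
    return n;
}

size_t leak_flawed(void) { char o[NAME_LEN]; copy_name_flawed(o, REGION); return bytes_past_nul(o); }
size_t leak_fixed(void)  { char o[NAME_LEN]; copy_name_fixed(o, REGION);  return bytes_past_nul(o); }

int main(void)
{
    printf("flawed copy leaks %zu bytes, fixed copy leaks %zu\n",
           leak_flawed(), leak_fixed());
    return 0;
}
```
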

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.



