[Ksplice][Ubuntu-11.10-Updates] New updates available via Ksplice (3.0.0-14.23)

Jessica McKellar jessica.mckellar at oracle.com
Sat Dec 10 17:23:59 PST 2011


Synopsis: 3.0.0-14.23 can now be patched using Ksplice
CVEs: CVE-2011-2699 CVE-2011-4081

Systems running Ubuntu 11.10 Oneiric can now use Ksplice to patch
against the latest Ubuntu kernel, 3.0.0-14.23.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.10 Oneiric
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* Kernel OOPS in fork() under heavy load.

Because MMU updates weren't being flushed when doing kmap_atomic (or
kunmap_atomic), we could hit a dereference bug when processing a
"fork()" on a heavily loaded machine.


* Local denial of service in search_binary_handler().

If a user tried to execute a binary for which the kernel has no handler,
it could cause the system to hang for a non-trivial amount of time.


* Improved fix for CVE-2011-2699.

Fedora's original fix for CVE-2011-2699 introduced a NULL dereference
in udp6_ufo_fragment.


* Use-after-free in DRM Translation Table Maps.

Due to a bug in DRM/TTM, some graphics drivers could use freed
memory.


* Buffer overread in x25.

Insufficient data size checking in x25_find_listener could result in
buffer overreads.


* CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.

Nick Bowler reported an issue in the GHASH message digest
algorithm. ghash_update can pass a NULL pointer to gf128mul_4k_lle in some
cases, leading to a NULL pointer dereference (kernel OOPS).


* Buffer overwrite in target driver.

A bug with the handling of REPORT TARGET PORT GROUPS containing a
smaller allocation length than the payload requires caused memory
writes beyond the end of the buffer.


* Race between mremap and removing migration entries.

The remove_migration_pte function incorrectly checked whether the pte
was a swap pte without holding the appropriate lock, resulting in a
race against mremap which could lead to a kernel crash.
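
Added example (not Ksplice or kernel code): a simplified C model of the
allocation-length check described in the "Buffer overwrite in target
driver" item above. The struct, the function name build_rtpg and the
descriptor layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified port-group record; not the kernel's structures. */
struct tpg { uint16_t id; uint8_t state, nports; uint16_t port_ids[4]; };

static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Serialise the groups into buf without writing past alloc_len (the length the
 * initiator allocated). Returns the size the complete response would need. */
size_t build_rtpg(uint8_t *buf, size_t alloc_len, const struct tpg *g, size_t n)
{
    size_t off = 4, total = 4;          /* 4-byte RETURN DATA LENGTH header */
    int truncated = 0;

    for (size_t i = 0; i < n; i++) {
        size_t np = g[i].nports > 4 ? 4 : g[i].nports;
        size_t need = 8 + 4 * np;       /* descriptor plus one entry per port */

        /* The size check: write a descriptor only if all of it fits. */
        if (!truncated && off + need <= alloc_len) {
            uint8_t *d = buf + off;
            memset(d, 0, need);
            d[0] = g[i].state & 0x0f;
            put_be16(d + 2, g[i].id);
            d[7] = (uint8_t)np;
            for (size_t p = 0; p < np; p++)
                put_be16(d + 8 + 4 * p + 2, g[i].port_ids[p]);
            off += need;
        } else {
            truncated = 1;              /* stop writing, keep counting */
        }
        total += need;
    }
    if (alloc_len >= 4) {               /* the header must fit as well */
        uint32_t rd = (uint32_t)(total - 4);
        buf[0] = (uint8_t)(rd >> 24); buf[1] = (uint8_t)(rd >> 16);
        buf[2] = (uint8_t)(rd >> 8);  buf[3] = (uint8_t)rd;
    }
    return total;
}

int main(void)
{
    /* Constructed sample: two groups, 24-byte allocation length. */
    struct tpg g[2] = { { 1, 0, 2, { 1, 2 } }, { 2, 1, 1, { 3 } } };
    uint8_t buf[24];
    printf("needed %zu, allocated %zu\n", build_rtpg(buf, sizeof buf, g, 2), sizeof buf);
    return 0;
}
```

A return value larger than the allocation length tells the caller the
response was truncated rather than written past the end of the buffer.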

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com or
+1 765-577-5423.



