[Ksplice][Ubuntu-11.10-Updates] New updates available via Ksplice (USN-1275-1)

[Jessica McKellar]

Synopsis: USN-1275-1 can now be patched using Ksplice
CVEs: CVE-2011-1161 CVE-2011-1162 CVE-2011-2494

Systems running Ubuntu 11.10 Oneiric can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-1275-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.10 Oneiric
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* CVE-2011-2494: Information leak in taskstats.

Taskstats information could be used to gather private information,
such as precise password lengths from openssh. This update restricts
taskstats information to the root user, which has the side effect of
making the "iotop" program require root.


* Fix unsafe user pointer access in sendmsg.

The sendmsg and sendmmsg system calls did not correctly validate user
pointers before accessing them, resulting in a potential denial of
service (kernel oops).


* CVE-2011-1161: Information leak in transmission logic of TPM driver.

A missing buffer size check in tpm_transmit could allow leaking of
potentially sensitive kernel memory.


* CVE-2011-1162: Information leak in TPM driver.

A buffer in tpm_read was not initialized before being returned to
userspace, leading to a leak of potentially sensitive kernel memory.


* NULL pointer dereference in kernel alarm timer.

A NULL pointer dereference in alarm_timer_set could allow a local,
unprivileged user to cause a denial of service.

SUPPORT

Ksplice support is available at support at ksplice.com or +1 765-577-5423.