[Ksplice][Ubuntu-11.10-Updates] New updates available via Ksplice (3.0.0-16.29)

Anders Kaseorg anders.kaseorg at oracle.com
Fri Mar 9 21:26:31 PST 2012


Synopsis: 3.0.0-16.29 can now be patched using Ksplice
CVEs: CVE-2009-4307 CVE-2011-4127

Systems running Ubuntu 11.10 Oneiric can now use Ksplice to patch
against the latest Ubuntu kernel update, Ubuntu-3.0.0-16.29.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.10 Oneiric
install these updates.  You can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any additional action.


DESCRIPTION

* Improved fix for CVE-2009-4307.

The original vendor fix to CVE-2009-4307 did not cover all cases,
especially on x86.


* Denial of service in NFS callback sequence numbers.

An off-by-one error in validate_seqid may allow a malformed NFS
callback sequence number to cause access of an invalid NFS slot.
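
The bounds-check pattern behind this class of bug, as an added illustration that is not the kernel's validate_seqid code: a constructed slot table of NR_SLOTS entries, a check that wrongly accepts an index equal to the table size (one past the last entry), and the corrected check that a lookup should rely on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a slot table: valid slot ids are 0..NR_SLOTS-1. */
#define NR_SLOTS 16

struct slot {
    uint32_t seq_nr;
    bool in_use;
};

struct slot_table {
    struct slot slots[NR_SLOTS];
    uint32_t max_slots; /* number of entries in slots[], here NR_SLOTS */
};

/* Hypothetical table used by the examples below (not kernel data). */
struct slot_table demo_table = { .max_slots = NR_SLOTS };

/* Off-by-one form: '<=' lets slotid == max_slots through, which indexes
 * one element past the end of slots[] (an invalid slot). */
bool validate_slot_buggy(const struct slot_table *tbl, uint32_t slotid)
{
    return slotid <= tbl->max_slots;
}

/* Corrected form: only ids strictly below the table size are valid. */
bool validate_slot_fixed(const struct slot_table *tbl, uint32_t slotid)
{
    return slotid < tbl->max_slots;
}

/* Lookup that dereferences only after the corrected check passes;
 * returns NULL for any out-of-range id instead of touching bad memory. */
const struct slot *lookup_slot(struct slot_table *tbl, uint32_t slotid)
{
    if (!validate_slot_fixed(tbl, slotid))
        return NULL;
    return &tbl->slots[slotid];
}
```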


* Use after free in UBI driver.

The error path in erase_worker in the UBI (unsorted block images)
driver may allow an erase entry object to be used after it is freed.


* Denial of service in Video4Linux2 ioctls.

An integer overflow in video_usercopy in the Video4Linux2 subsystem
may cause access to invalid memory.


* Double free on NFS server shutdown.

Shutting down an NFS server after changing its pool mode may lead to a
double free.


* CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.

Using the SG_IO IOCTL to issue SCSI requests to partitions or LVM
volumes resulted in the requests being passed to the underlying block
device. If a privileged user only had access to a single partition or
LVM volume, they could use this flaw to bypass those restrictions and
gain read and write access (and be able to issue other SCSI commands)
to the entire block device.

In KVM (Kernel-based Virtual Machine) environments using raw format
virtio disks backed by a partition or LVM volume, a privileged guest
user could bypass intended restrictions and issue read and write
requests (and other SCSI commands) on the host, and possibly access
the data of other guests that reside on the same underlying block
device.


* NULL dereference in the NCR53C8XX/SYM53C8XX SCSI controller drivers.

During the destruction of a driver instance, a NULL pointer dereference
occurs if the driver was not successfully allocated in its initialization
function.


* Denial of service in eCryptfs.

A user may trigger heavy memory reclaim or even the OOM killer by writing
a large amount of data to an eCryptfs filesystem.


* Memory corruption in the Direct Rendering Manager.

A race condition in the Direct Rendering Manager may allow an
unprivileged user to corrupt kernel memory.


* Bad SHA512 calculation under heavy load.

If the SHA512 hash function is being used under heavy load it may silently
calculate a wrong hash for the given data.

This may allow an attacker to cause invalid hash calculations by
repeatedly calling the hash function.


* NULL dereference in the L2TP subsystem.

A NULL pointer dereference may occur when receiving L2TP packets while
using IP link encapsulation.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
