[Ksplice][Ubuntu-11.10-Updates] New updates available via Ksplice (3.0.0-27.44)

Sonja Tideman sonja.tideman at oracle.com
Thu Nov 15 10:28:30 PST 2012 

Synopsis: 3.0.0-27.44 can now be patched using Ksplice

Systems running Ubuntu 11.10 Oneiric can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.0.0-27.44.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 11.10 Oneiric
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Prepare Ksplice options for entry.S.




* Clear garbage data on the kernel stack when handling signals.




* IRQ stack overflow in apparmor.

A profile replacement can lead to an IRQ stack overflow in apparmor.  This
can result in memory corruption and a kernel crash.


* Kernel panic in packet scheduler.

A missing bounds check in the network packet scheduler can lead to
a kernel panic.


* Stack overflow in ISDN loop device initialisation.

Incorrect string handling could result in a kernel stack overflow and
kernel crash when reporting the driver revision.


* Kernel panic in packet ring-buffer.

An invalid assumption between the kernel and a userspace process can lead
to a kernel panic when destroying packets in a ring-buffer.


* Information leak in ATM socket options.

The SO_ATMPCV socket option allows malicious users to disclose the
contents of kernel memory.


* Information leak in ATM socket name.

An malicious user can disclose the contents of kernel memory by calling
getsockname() on an ATM socket.


* Information leak in Bluetooth socket name.

A malicious user can disclose the contents of kernel memory by calling
getsockname() on a Bluetooth socket.


* Information leak in Bluetooth RFCOMM ioctl.

The RFCOMMGETDEVLIST ioctl allows malicious users to disclose the
contents of kernel memory.


* Information leak in Bluetooth RFCOMM socket name.

A malicious user can disclose the contents of kernel memory by calling
getsockname() on an Bluetooth RFCOMM socket.


* Information leak in Bluetooth L2CAP socket name.

A malicious user can disclose the contents of kernel memory by calling
getsockname() on an Bluetooth L2CAP socket.


* Information leak in LLC socket name.

A malicious user can disclose the contents of kernel memory by calling
getsockname() on an LLC socket.


* Information leak in DCCP socket options.

The DCCP_SOCKOPT_CCID_TX_INFO socket option allows malicious users to
disclose the contents of kernel memory.


* Information leak in IP Virtual Server socket options.

A malicious user can disclose the contents of kernel memory by calling
getsockopt() on an IP virtual server socket.


* Information leak in socket compatibility ioctl.

The SIOCGIFCONF socket option allows malicious users to disclose the
contents of kernel memory.


* Netlink spoofing allows privilege elevation.

A local user may be able to elevate privileges by spoofing the source
of a netlink message.


* Kernel crash when removing net namespace.

Invalid ordering of operations can lead to a kernel crash in ipv4
ipmr when removing net namespace.


* Kernel panic in netconsole bridge device.

A reference-counting error can cause a kernel panic when removing a
bridge device which has a netconsole running on it.


* Kernel panic in Broadcom 5709 driver.

A kernel panic can be triggered when a Broadcom 5709 device is under
heavy load.


* Data corruption in HP Smart Array SCSI driver.

An unhandled protocol error could result in data corruption when
configured in a multipath system.


* Use-after-free in TI High End CAN controller.

The TI High End CAN controller driver freed I/O memory before it was
finished with on module unload resulting in a use-after-free condition
and kernel crash.


* Deadlock in cfg80211 wireless subsystem.

Incorrect locking could result in circular locking leading to deadlock
and a system hang.


* Logic error in NFSv4 server.

A logic error in the NFSv4 server implementation can cause malformed NFS
open requests to be considered valid.


* Invalid memory access in xHCI ring queue handling.

An incorrect dequeuing of items from the xHCI ring queue can
cause general protection faults by accessing invalid memory regions.


* Possible denial of service in drop_monitor.

drop_monitor may sleep while holding a spinlock, which could lead
to a possible deadlock situation.


* Invalid resource freeing in UBI layer.

The UBI layer incorrectly freed resources when handling eraseblocks
resulting in memory corruption and memory leaks.


* Deadlock in VFS file renaming.

A deadlock can be triggered in the VFS subsystem when multiple processes
attempt to rename the same file.


* Kernel panic in TTY driver.

An invalid assumption in the TTY driver can lead to a kernel
panic (BUG_ON) when reading data from a TTY using the normal
line discipline.


* Kernel panic in Broadcom 43xx wireless driver.

A kernel panic can be triggered when unloading the legacy
Broadcom wireless driver when no firmware is present.


* Kernel panic in coredumping.

An unprivileged user can cause a double-free when constructing a
coredump under low-memory conditions.


* Use-after-free in IP over Infiniband.

A use-after-condition condition can be triggered when processing
multicast IP packets over an Infiniband device.


* Use-after-free in Infiniband RDMA driver.

A use-after-free condition triggered in the Infiniband RDMA driver
when resetting an Infiniband device.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the Ksplice-Ubuntu-11.10-Updates mailing list