[Ksplice][Ubuntu-13.10-Updates] New updates available via Ksplice (3.11.0-14.21)

Jamie Iles jamie.iles at oracle.com
Fri Dec 6 01:17:18 PST 2013


Synopsis: 3.11.0-14.21 can now be patched using Ksplice
CVEs: CVE-2013-4299

Systems running Ubuntu 13.10 Saucy can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.11.0-14.21.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 13.10 Saucy
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Data loss in ecryptfs on 32-bit systems.

An integer overflow in the ecryptfs driver can lead to data loss when writing to
files that are over 4GB in size.


* Kernel crash in TCP stack with cloned socket buffers.

Incorrect management of cloned socket buffers could result in a kernel
crash when retransmitting TCP packets.


* Use-after-free in IP TIME_WAIT sockets.

Incorrect reference counting in the kernel IP stack when handling data received
on TIME_WAIT sockets can trigger a use-after-free condition and cause a kernel
panic.


* Information leak in netlink connector.

When sending messages through the netlink connector, some elements of the message
are not initialised, causing the contents of kernel memory to be exposed to
userspace.


* Soft lockup in L2TP during packet transmission.

Incorrect locking could result in a kernel hang when transmitting
packets over a layer 2 tunnel under specific conditions.


* Memory leak in Network Emulator scheduler during queue reset.

The Network Emulator scheduler does not free memory when a network queue is reset,
leading to a kernel memory leak.


* Information leak in FarSync network driver ioctl.

The SIOCWANDEV ioctl in the FarSync T-Series network driver does not initialise
memory before returning data to userspace, causing the contents of kernel memory
to be leaked to userspace.


* Information leak in Unix socket monitoring interface.

The Unix socket monitoring interface does not initialise memory when sending
information over a netlink socket, causing the contents of kernel memory to be
leaked to userspace.


* Kernel panic in netlink kernel/userspace connector.

An incorrect length check when processing netlink messages in the kernel/
userspace connector can cause an out-of-bounds access and kernel panic.


* Information leak in wanXL IF_GET_IFACE ioctl.

The SBE wanXL network driver does not initialise memory when handling the
IF_GET_IFACE ioctl, causing the contents of kernel memory to be leaked to
userspace.


* Denial-of-service in IPv4 CIPSO header validation.

The kernel IPv4 stack does not correctly handle malformed CIPSO headers in IPv4
packets, leading to an infinite loop and kernel panic.


* Memory corruption in socket buffer.

When writing three frames to a corked UDP socket, if the first and third frames
are smaller than the MTU and the second one is bigger, memory corruption
results.


* Use-after-free in temporary files on ext3 and ext4 filesystems.

When opening a file on an ext3 or ext4 filesystem using the __O_TMPFILE flag, the
kernel does not correctly manage reference counts, leading to a use-after-free
condition and kernel panic.


* CVE-2013-4299: Information leak in device mapper persistent snapshots.

An information leak flaw was found in the way the Linux kernel's device
mapper subsystem, under certain conditions, interpreted data written to
snapshot block devices. An attacker could use this flaw to read data
from disk blocks in free space, which are normally inaccessible.


* Denial-of-service in transparent huge pages with MADV_DONTNEED madvise().

Incorrect handling of copy-on-write huge pages could lead to a kernel
BUG_ON() and kernel crash triggerable by an unprivileged user.


* Denial-of-service in 802.11 radiotap packet parsing.

The kernel 802.11 radiotap interface does not correctly handle malformed packets,
allowing a remote attacker to trigger an out-of-bounds read leading to a kernel
panic.
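
Four of the entries above (netlink connector, FarSync SIOCWANDEV, Unix socket
monitoring, wanXL IF_GET_IFACE) describe one bug class: an object is filled
field by field and then copied to userspace in full. The userspace C simulation
below is an added example, not kernel or Ksplice code; struct reply, the 0xA5
stale pattern and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reply object (not a real kernel struct): the compiler
 * typically pads after `type`, and `name` is rarely filled completely. */
struct reply {
    uint8_t  type;
    uint32_t id;
    char     name[16];
};

/* Stand-in for stack/heap memory that still holds earlier data. */
static void stale_region(unsigned char *buf, size_t len) {
    memset(buf, 0xA5, len);      /* constructed "leftover" pattern */
}

/* Vulnerable pattern: assign the fields, then hand out the whole object. */
static void fill_unsafe(struct reply *r) {
    r->type = 1;
    r->id = 42;
    strcpy(r->name, "eth0");     /* bytes after the NUL keep old contents */
}

/* Hardened pattern: zero the whole object before filling it. */
static void fill_safe(struct reply *r) {
    memset(r, 0, sizeof(*r));
    fill_unsafe(r);
}

/* Count stale bytes a copy of sizeof(struct reply) would hand to the caller. */
static size_t leaked_bytes(void (*fill)(struct reply *)) {
    union { struct reply r; unsigned char raw[sizeof(struct reply)]; } u;
    size_t i, n = 0;
    stale_region(u.raw, sizeof(u.raw));
    fill(&u.r);
    for (i = 0; i < sizeof(u.raw); i++)   /* what the receiver sees */
        if (u.raw[i] == 0xA5)
            n++;
    return n;
}

int main(void) {
    printf("unsafe: %zu stale bytes, safe: %zu stale bytes\n",
           leaked_bytes(fill_unsafe), leaked_bytes(fill_safe));
    return 0;
}
```

The unused tail of name is always exposed by the unsafe variant; padding bytes
usually are as well, which is why zeroing the whole object is more reliable
than initialising each named field.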

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.



