[Ksplice][Ubuntu-13.10-Updates] New updates available via Ksplice (3.11.0-13.20)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Nov 7 22:23:27 PST 2013
Synopsis: 3.11.0-13.20 can now be patched using Ksplice
CVEs: CVE-2013-4343 CVE-2013-4350 CVE-2013-4387
Systems running Ubuntu 13.10 Saucy can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.11.0-13.20.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 13.10 Saucy
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Memory corruption in filesystem buffer management.
The kernel does not correctly map memory when copying large filesystem buffers,
leading to memory corruption and a kernel panic.
* Data loss in block device writeback flushing.
The block device driver uses incorrect options when flushing data on a block
device with writeback enabled, leading to data corruption on the backing device.
* Use-after-free in kernel device management.
The kernel does not correctly manage reference counts when removing devices from
the system, leading to a use-after-free condition and a kernel panic.
* Kernel crash in Bluetooth HID reporting.
Out of bounds memory accesses could trigger a page fault and kernel
crash when reading data that was not naturally aligned.
* NULL pointer dereference in IPv6 FIB rule addition failure.
Incorrect error handling could trigger a NULL pointer dereference when
adding an IPv6 FIB rule fails, resulting in a kernel crash.
* NULL pointer dereference in netpoll driver cleanup.
Incorrect locking could result in a NULL pointer dereference when
cleaning up a netpoll device (as used by netconsole), resulting in a kernel
crash.
* CVE-2013-4343: Use-after-free in tun driver.
A use-after-free vulnerability in the tun driver allowed local users to
gain privileges by leveraging the CAP_NET_ADMIN capability and providing
an invalid tuntap interface name in a TUNSETIFF ioctl call.
* CVE-2013-4350: SCTP over IPv6 bypasses IPsec encryption.
When transporting SCTP data over an IPv6 link, an incorrect assumption in the
kernel IPv6 stack bypasses the configured IPsec processing, so the SCTP data is
sent unencrypted and is visible to malicious users on the network.
* Kernel crash in Xen netback frontend slot packing.
Under specific conditions the number of slots required to send packets
was incorrectly counted in the backend. This could cause the frontend
to lose synchronization and later crash the guest kernel.
* NULL pointer dereference in bridge link handling.
Incorrect locking could result in a race condition and subsequent NULL
pointer dereference and kernel crash.
* NULL pointer dereference in bridge port removal.
Incorrect synchronization could cause a NULL pointer dereference and kernel
crash when a frame is received at the same time as the port is removed.
* CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.
The kernel IPv6 stack does not correctly handle queuing multiple UDP fragments
when using UDP Fragmentation Offload, allowing a local unprivileged user to
cause kernel memory corruption and potentially gain privileged code execution.
* Predictable sequence numbers in network packets.
On a server that never opened a TCP socket, the networking secret used
to derive sequence numbers would never be initialized and could result
in predictable sequence numbers for other protocols.
* Use-after-free in IP tunnel transmission.
A use-after-free in packet transmission in an IP tunnel could result in
a kernel crash or memory corruption.
* Memory corruption in IP tunnel packet transmission.
Incorrect handling of the IP in IP header could result in heap memory
corruption when transmitting packets under specific conditions.
* Kernel panic in ELF core dumping with a large number of mmapped files.
On a system where a large number of mappings are permitted, a local,
unprivileged user could trigger a NULL pointer dereference when the kernel
writes a core file and stores the filenames of the mapped files.
* Kernel crash in max98095 audio codec driver.
Incorrect validation of user supplied data could allow a local user with
access to the codec device to trigger an out-of-bounds memory access and
kernel panic.
* Kernel crash in 88pm860x audio codec driver.
Missing validation of user supplied data could allow a local user with
access to the codec device to trigger an out of bounds memory access and
kernel panic.
* Kernel crash and information leak in ab8500 audio codec driver.
Missing validation of user supplied input could result in an
out-of-bounds memory access and kernel panic or stack information leak
if a local user has access to the audio codec device.
* Use-after-free in Linux Security Modules.
Incorrect synchronization could cause a race condition between security
and auditing checks. This race could result in a use-after-free
triggering memory corruption or a kernel crash.
* NULL pointer dereference with invalid /proc/sys/kernel/core_pattern.
If /proc/sys/kernel/core_pattern contained only a single '|' character
then a NULL pointer dereference could crash the kernel. This could only
be triggered by a local, privileged user.
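To make the core_pattern edge case concrete, here is an added userspace model of how a core_pattern string is interpreted (a leading '|' means "pipe the dump to this helper", the remainder is expanded and split into the helper's argv, otherwise the expanded string is the core file name). It is illustration code written for this page, not the kernel's fs/coredump.c: the dump_info structure, the handful of %-specifiers it expands (%p, %s, %e, %%), and the sample process facts are assumptions. The point it shows is that a pattern consisting only of '|' (or '|' followed by whitespace) expands to an empty argv, which must be rejected up front rather than handed to code that dereferences argv[0].

```c
/* Added example: a simplified core_pattern parser, not kernel code. */
#include <stdio.h>
#include <string.h>

#define CORENAME_MAX 128
#define ARGV_MAX 16

/* Facts about the dumping process used for %-expansion (assumption). */
struct dump_info {
    int pid;            /* expanded by %p */
    int sig;            /* expanded by %s */
    const char *comm;   /* expanded by %e */
};

/* Constructed sample process for the checks below. */
const struct dump_info sample_dump = { 1234, 11, "sshd" };

struct core_target {
    int ispipe;                 /* 1 if the pattern started with '|' */
    char name[CORENAME_MAX];    /* expanded pattern with the '|' removed */
    char *argv[ARGV_MAX + 1];   /* helper argv when ispipe, NULL-terminated */
    int argc;
};

/* Expand %-specifiers into out; unknown specifiers are dropped silently
 * (as the kernel does) and a trailing '%' ends the pattern. -1 on overflow. */
static int expand_pattern(const char *pat, const struct dump_info *di,
                          char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = pat; *p; p++) {
        char buf[32];
        const char *s = buf;
        if (*p == '%') {
            p++;
            switch (*p) {
            case 'p': snprintf(buf, sizeof buf, "%d", di->pid); break;
            case 's': snprintf(buf, sizeof buf, "%d", di->sig); break;
            case 'e': s = di->comm; break;
            case '%': s = "%"; break;
            case '\0': goto done;       /* dangling '%': stop here */
            default:  continue;         /* unsupported specifier: drop it */
            }
        } else {
            buf[0] = *p; buf[1] = '\0';
        }
        size_t l = strlen(s);
        if (n + l >= outsz)
            return -1;
        memcpy(out + n, s, l);
        n += l;
    }
done:
    out[n] = '\0';
    return 0;
}

/* Parse a core_pattern into t. Returns 0 on success, -1 if the pattern is
 * unusable. The lone "|" case yields argc == 0 and is rejected explicitly
 * instead of leaving argv[0] == NULL for a caller to dereference. */
int parse_core_pattern(const char *pattern, const struct dump_info *di,
                       struct core_target *t)
{
    memset(t, 0, sizeof *t);
    if (pattern[0] == '|') {
        t->ispipe = 1;
        pattern++;
    }
    if (expand_pattern(pattern, di, t->name, sizeof t->name) < 0)
        return -1;
    if (!t->ispipe)
        return t->name[0] ? 0 : -1;     /* a plain file needs a name */

    /* Split the expanded string on blanks into the helper's argv. */
    for (char *p = t->name; *p; ) {
        while (*p == ' ' || *p == '\t')
            *p++ = '\0';
        if (!*p)
            break;
        if (t->argc >= ARGV_MAX)
            return -1;
        t->argv[t->argc++] = p;
        while (*p && *p != ' ' && *p != '\t')
            p++;
    }
    t->argv[t->argc] = NULL;
    return t->argc ? 0 : -1;            /* "|" with no helper: reject */
}

/* Quick-check helpers: argc for a pipe pattern, 0 for a file, -1 if rejected. */
int core_pattern_classify(const char *pattern)
{
    static struct core_target t;
    if (parse_core_pattern(pattern, &sample_dump, &t) < 0)
        return -1;
    return t.ispipe ? t.argc : 0;
}

/* Expanded name (file patterns) or helper path (pipe patterns); NULL if rejected. */
const char *core_pattern_target(const char *pattern)
{
    static struct core_target t;
    if (parse_core_pattern(pattern, &sample_dump, &t) < 0)
        return NULL;
    return t.ispipe ? t.argv[0] : t.name;
}

int main(void)
{
    const char *samples[] = { "core.%p", "|/usr/share/apport/apport %p %s", "|", "|   " };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *tgt = core_pattern_target(samples[i]);
        printf("%-36s -> %s\n", samples[i], tgt ? tgt : "REJECTED (no helper/name)");
    }
    return 0;
}
```

A userspace check of the live setting is simply `cat /proc/sys/kernel/core_pattern`; the value is root-writable, which is why the original advisory rates this as triggerable only by a privileged local user.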
* NULL pointer dereference in NFSv4.1 data server connection failure.
Failure to connect to an NFS data server could trigger a NULL pointer
dereference and kernel crash.
* Incorrect permission checks on networking sysctls.
Permission checks in the networking sysctl interface incorrectly use the
caller's real (current) uid/gid rather than the effective uid/gid, which
could allow an unprivileged user to manipulate network settings via a
setuid binary.
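The real-versus-effective distinction above is easy to get wrong, so here is an added userspace model of the check (written for this page; it is not the kernel's net_ctl_permissions). It assumes a credential made of a real and effective uid and gid, a single "namespace root" id of 0, and a 0644-style table mode. The handler grants the namespace root the owner bits (folded down over all three classes) and the root group the group bits; the generic sysctl check that follows always classifies the caller by its effective ids. Comparing the real ids in the first step lets a process whose real uid is 0 but whose effective uid has been dropped keep write access that the effective-id comparison correctly denies.

```c
/* Added example: model of the net sysctl permission handler, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

#define ROOT_UID 0u   /* assumption: namespace root uid */
#define ROOT_GID 0u   /* assumption: namespace root gid */

/* Hypothetical credential record: real and effective ids only. */
struct cred {
    unsigned uid, euid;
    unsigned gid, egid;
};

/* Copy one rwx triple into the owner, group and other positions, so a
 * later class-based check sees the same bits whichever class it picks. */
static unsigned fold_owner(unsigned table_mode)
{
    unsigned t = (table_mode >> 6) & 7;
    return (t << 6) | (t << 3) | t;
}

static unsigned fold_group(unsigned table_mode)
{
    unsigned t = (table_mode >> 3) & 7;
    return (t << 3) | t;
}

/* Pre-fix behaviour: compares the REAL uid/gid with the namespace root. */
static unsigned net_ctl_perm_real_ids(const struct cred *c, unsigned table_mode)
{
    if (c->uid == ROOT_UID)
        return fold_owner(table_mode);
    if (c->gid == ROOT_GID)
        return fold_group(table_mode);
    return table_mode;
}

/* Post-fix behaviour: compares the EFFECTIVE uid/gid, like the generic
 * proc sysctl permission test does. */
static unsigned net_ctl_perm_effective_ids(const struct cred *c, unsigned table_mode)
{
    if (c->euid == ROOT_UID)
        return fold_owner(table_mode);
    if (c->egid == ROOT_GID)
        return fold_group(table_mode);
    return table_mode;
}

/* Generic step applied afterwards: select the triple for the caller's
 * effective class and test its write bit (value 2). */
static bool class_may_write(const struct cred *c, unsigned mode)
{
    if (c->euid == ROOT_UID)
        mode >>= 6;
    else if (c->egid == ROOT_GID)
        mode >>= 3;
    return (mode & 2) != 0;
}

/* Would this caller be allowed to write the sysctl? use_effective_ids
 * selects the fixed handler (true) or the pre-fix one (false). */
bool write_allowed(unsigned uid, unsigned euid, unsigned gid, unsigned egid,
                   unsigned table_mode, bool use_effective_ids)
{
    struct cred c = { uid, euid, gid, egid };
    unsigned mode = use_effective_ids ? net_ctl_perm_effective_ids(&c, table_mode)
                                      : net_ctl_perm_real_ids(&c, table_mode);
    return class_may_write(&c, mode);
}

int main(void)
{
    /* Constructed callers: {uid, euid, gid, egid}. */
    unsigned callers[][4] = {
        { 0, 0, 0, 0 },             /* plain root */
        { 1000, 1000, 1000, 1000 }, /* unprivileged user */
        { 0, 1000, 0, 1000 },       /* real ids root, effective ids dropped */
    };
    for (size_t i = 0; i < sizeof callers / sizeof callers[0]; i++) {
        unsigned *c = callers[i];
        printf("uid=%u euid=%u gid=%u egid=%u: real-id check %-9s effective-id check %s\n",
               c[0], c[1], c[2], c[3],
               write_allowed(c[0], c[1], c[2], c[3], 0644, false) ? "WRITE" : "read-only",
               write_allowed(c[0], c[1], c[2], c[3], 0644, true)  ? "WRITE" : "read-only");
    }
    return 0;
}
```

Running it shows the third caller gaining write access under the real-id comparison and only read access under the effective-id one; the first two callers get the same answer either way, which is why the bug is easy to miss in casual testing.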
* NULL pointer dereference in MMC card removal.
Incorrect ordering of device removal could result in a NULL pointer
dereference when removing an MMC card from the system.
* Kernel crash in btrfs backref checking.
Incorrect handling of backref checking for blocks could result in
hitting a kernel assertion and kernel crash.
* Use-after-free in btrfs reference handling.
Incorrect locking could lead to a use-after-free when processing btrfs
references. This could result in a kernel crash or memory corruption.
* NULL pointer dereference in bcache write requests.
Missing initialization could cause a NULL pointer dereference when
writing a request from a bcache device, resulting in a kernel crash.
* Denial-of-service in ext4 extended attribute error handling.
Missing memory freeing in the error path of extended attribute handling
could cause a memory leak and denial of service under specific
circumstances.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.