[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (3.13.0-33.58)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Aug 12 07:32:26 PDT 2014


Synopsis: 3.13.0-33.58 can now be patched using Ksplice
CVEs: CVE-2014-3917 CVE-2014-5077

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.13.0-33.58.

Please note that the Ksplice update for CVE-2014-5077 is not part of the
distribution release, but our audit showed that a number of our customers
were affected by the vulnerability so we felt it was important to ship early.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.

A Linux kernel built with support for the Stream Control Transmission
Protocol (SCTP) is vulnerable to a NULL pointer dereference flaw. It could
occur when simultaneous new connections are initiated between the same pair
of hosts. A remote user or program could use this flaw to crash the system
kernel, resulting in a denial-of-service.


* Kernel bug in network stack generic segmentation offload.

A logic error in the network stack when using both generic segmentation
offload (GSO) and generic receive offload could potentially trigger a
BUG_ON() assertion, leading to a denial-of-service.


* CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.

A Linux kernel built with system-call auditing support is vulnerable to a
kernel crash or information disclosure flaw caused by an out-of-bounds
memory access. When system call audit rules are present on a system, an
unprivileged user could use this flaw to leak kernel memory or cause a
denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
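
Added example, not part of Oracle's announcement or the Ksplice tooling: shell
functions that check which preconditions from the DESCRIPTION hold on a host and
whether the autoinstall setting already covers it. Assumptions: uptrack.conf uses
"key = value" lines with '#' comments, the kernel build options are CONFIG_IP_SCTP
and CONFIG_AUDITSYSCALL, and the sample files in demo() are constructed.

```shell
#!/bin/sh
# Added example (not Oracle's tooling): check a host against this advisory.
# File paths are parameters so the functions also work on constructed files.

# Print the effective "autoinstall" value from an uptrack.conf, lowercased.
# Assumption: "key = value" lines with '#' comments; the last assignment wins.
uptrack_autoinstall() {
    [ -r "$1" ] || { echo unknown; return 0; }
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*$/\1/p' "$1" |
          tail -n 1 | tr '[:upper:]' '[:lower:]')
    echo "${val:-unset}"
}

# Succeed if kernel build config $2 enables option $1 built-in (y) or as a module (m).
kernel_has() {
    grep -Eq "^$1=(y|m)\$" "$2" 2>/dev/null
}

# Print which preconditions named in the advisory hold, then the action to take.
triage() {
    kernel_has CONFIG_IP_SCTP "$2" &&
        echo "CVE-2014-5077: kernel has SCTP support"
    kernel_has CONFIG_AUDITSYSCALL "$2" &&
        echo "CVE-2014-3917: syscall auditing built in; exposed if audit rules are loaded"
    case $(uptrack_autoinstall "$1") in
        yes) echo "action: none (autoinstall = yes)" ;;
        *)   echo "action: run /usr/sbin/uptrack-upgrade -y" ;;
    esac
}

# Demo on constructed sample files (not taken from a real host).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[Settings]' '#autoinstall = yes' 'autoinstall = no' > "$d/uptrack.conf"
    printf '%s\n' 'CONFIG_IP_SCTP=m' 'CONFIG_AUDITSYSCALL=y' > "$d/kconfig"
    triage "$d/uptrack.conf" "$d/kconfig"
    rm -rf "$d"
}
demo
```

On a real host, call triage /etc/uptrack/uptrack.conf "/boot/config-$(uname -r)"
instead of demo.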


  


