[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2240-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Mon Jun 9 07:52:06 PDT 2014


Synopsis: USN-2240-1 can now be patched using Ksplice
CVEs: CVE-2014-2568 CVE-2014-3122 CVE-2014-3153

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2240-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
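
The check described above can be scripted across hosts. The following is
an added example, not part of the original announcement or of Oracle's
tooling. It assumes uptrack.conf uses ini-style "key = value" lines with
"#" or ";" comment lines and matches the key case-insensitively; the
function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Oracle's tooling): decide whether a host still needs a
# manual "uptrack-upgrade -y" by reading the autoinstall key in uptrack.conf.
# Assumption: ini-style "key = value" lines; "#" or ";" start a comment line.

# Print the effective autoinstall value in lower case, or "unset" when the
# key is absent, commented out, or the file is unreadable. Last one wins.
uptrack_autoinstall_value() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo unset; return 0; }
    awk '
        /^[ \t]*[#;]/ { next }              # ignore commented-out settings
        {
            eq = index($0, "=")
            if (eq == 0) next               # section headers, blank lines
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "autoinstall") found = val
        }
        END { print (found == "" ? "unset" : found) }
    ' "$conf"
}

# Succeed (exit 0) when the updates will NOT be installed automatically,
# i.e. anything other than an explicit "yes" is treated as manual.
uptrack_needs_manual_upgrade() {
    [ "$(uptrack_autoinstall_value "$1")" != "yes" ]
}

if uptrack_needs_manual_upgrade; then
    echo "autoinstall is not enabled: run /usr/sbin/uptrack-upgrade -y as root"
else
    echo "autoinstall = yes: updates are installed automatically"
fi
```

Treating a missing or unreadable file as "manual" keeps hosts without a
readable configuration on the list of machines to check by hand.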


DESCRIPTION

* CVE-2014-3153: Local privilege escalation in futex requeueing.

Invalid parameters to the futex() syscall can break assumptions made in
the kernel and leave dangling pointers that could be exploited
to gain root privileges.


* Memory corruption when sending Infiniband QLogic HTX diagnostic packets.

An integer overflow when sending diagnostic packets over an Infiniband QLogic
HTX device can trigger memory corruption and a kernel panic.


* NULL pointer dereference when creating Infiniband NetEffect queue pairs.

A NULL pointer is dereferenced when creating a queue pair for an Infiniband
NetEffect RNIC device, causing a kernel panic.


* Use-after-free in mac80211 BSS.

The mac80211 code was incorrectly using the bss struct after
it may have been freed in ieee80211_rx_bss_put, leading to a
kernel panic.


* Memory corruption in NFSv4.1 extended attributes.

Missing bounds checking in the NFSv4.1 server when encoding extended file
attributes could lead to memory corruption and kernel panic.


* Kernel BUG in NFS lockd socket creation.

When socket creation failed during lockd_up, all live sockets
were not getting properly cleaned up, causing a kernel BUG.


* Memory corruption in OCFS2 file and directory creation.

The kernel OCFS2 filesystem driver incorrectly frees memory when creating
files, directories, symlinks and devices on an OCFS2 volume, leading to a
kernel panic.


* Kernel panic when recovering iSCSI target connections.

An invalid pointer is dereferenced when recovering a dropped iSCSI connection,
triggering a kernel panic.


* Kernel panic in SCSI Block Command parsing.

The kernel does not correctly initialise data structures when parsing a SCSI
COMPARE_AND_WRITE command, leading to a kernel panic.


* CVE-2014-3122: Denial-of-service in non-linear memory mappings.

An assertion failure and kernel panic can be triggered when unmapping a
non-linear memory mapping.  This could be exploited by a local,
unprivileged user to crash the system.


* Machine check exception in b43 wireless driver.

An improper access to a register in the b43 wireless driver can
lead to a CPU exception and kernel panic.


* Kernel panic in Infiniband SRP DMA.

A kernel panic can be triggered when transferring data over DMA to a device
supporting Infiniband SCSI RDMA.


* Audit bypass with process namespaces with PPID-based filters.

The audit logging used the PPID from inside the namespace rather than
the ID from the initial namespace.  This could allow malicious processes
to bypass audit rules.


* Memory leak in RAID1 buffer allocation failure.

Incorrect handling of memory allocation failure could result in failure
to free existing allocations.  This memory leak could result in an
eventual out-of-memory condition and kernel crash.


* Double-free in OCFS2 block writing.

Under specific conditions, the OCFS2 filesystem could perform a
double-free on a buffer head resulting in a kernel crash.


* Kernel crash in QXL virtual graphics adapter object reference counting.

Incorrect handling of unreferenced objects could result in hitting a
kernel assertion and crashing the system.


* CVE-2014-2568: Information leak in netlink packet copying.

A reference counting error in the netlink netfilter subsystem can cause the
contents of kernel memory to be leaked to unprivileged users in netlink packets.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


