[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (USN-2588-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Apr 30 05:32:56 PDT 2015


Synopsis: USN-2588-1 can now be patched using Ksplice
CVEs: CVE-2015-2666 CVE-2015-2922

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2588-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
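
The two options above (autoinstall via /etc/uptrack/uptrack.conf, or a manual uptrack-upgrade run) can be turned into a quick fleet check. The script below is an added example, not part of the Ksplice notice or Oracle's tooling: it reads the autoinstall setting from a config file whose path is passed in, so it can be exercised against a constructed file; the "[Uptrack]" section header in the demo config is assumed for illustration only.

```shell
#!/bin/sh
# Added example (not part of the Ksplice notice): decide whether a Trusty
# host will pick up USN-2588-1 on its own or needs a manual
# /usr/sbin/uptrack-upgrade -y run, by reading the autoinstall setting
# from uptrack.conf. The config path is a parameter so the logic can be
# exercised against a constructed file rather than the live
# /etc/uptrack/uptrack.conf.

# uptrack_autoinstall_enabled CONF_FILE
# Returns 0 when CONF_FILE holds an uncommented "autoinstall = yes" line
# (case-insensitive, whitespace around "=" tolerated), 1 otherwise.
# An unreadable or missing file counts as "not enabled".
uptrack_autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$conf"
}

# ksplice_action CONF_FILE
# Prints "autoinstall" when no operator action is needed, "manual" when
# uptrack-upgrade must be run by hand.
ksplice_action() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "autoinstall"
    else
        echo "manual"
    fi
}

# Demo on a constructed config (the [Uptrack] section name is assumed
# for illustration) so the block runs even where Ksplice is not installed.
demo_conf="$(mktemp)"
printf '[Uptrack]\n# autoinstall = yes\nautoinstall = no\n' > "$demo_conf"
echo "constructed config -> $(ksplice_action "$demo_conf")"
rm -f "$demo_conf"

# On a real host:
#   ksplice_action /etc/uptrack/uptrack.conf
# and, when it prints "manual":
#   /usr/sbin/uptrack-upgrade -y
```

The commented-out "# autoinstall = yes" line in the demo is deliberate: a naive grep without the leading-anchor would match it and report a host as auto-updating when it is not.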


DESCRIPTION

* Memory leak when reading parameters in BladeEngine 2 iSCSI driver.

Due to incorrect error handling in the be2iscsi driver, it is possible
to leak memory in error situations. In extreme situations, this could
force a reboot when all memory has been exhausted.


* Memory leak in BladeEngine 2 iSCSI driver when losing link.

In certain situations where there was outstanding IO while the link was
closed, the be2iscsi driver would not clean up SCSI commands properly,
leading to a memory leak.


* I/O errors and spurious warning in BladeEngine 2 iSCSI driver.

Due to a missing mailbox availability check in the BladeEngine 2
iSCSI driver, the driver could in certain high-pressure situations
attempt to request a non-existent mailbox and trigger a spurious
warning and potential I/O errors.


* Kernel panic during BladeEngine 2 iSCSI adapter initialization.

Due to premature exposure of BladeEngine 2 iSCSI adapter sysfs
files, it was possible to access these files before the adapter had
finished initializing. This would lead to a kernel panic.


* Device hang during cleanup in BladeEngine 2 iSCSI driver.

With certain firmware configurations, an incorrect cleanup sequence
could lead to the whole device entering a hung state.


* Memory leak when initialising ports in BladeEngine 2 iSCSI driver.

Incorrect error handling during port initialisation in the BladeEngine 2
iSCSI driver could lead to memory leaks when there is little free memory
available.


* Invalid memory free when setting management address in BladeEngine 2 iSCSI driver.

Incorrect error handling when changing the management IP address in the
BladeEngine 2 iSCSI driver could lead to freeing an invalid pointer. In
certain situations, this could lead to memory corruption and kernel crashes.


* Kernel panic during shutdown in Emulex BladeEngine 2 driver.

Due to an incorrect deinitialization sequence in the Emulex
BladeEngine 2 driver, a workqueue was being destroyed after
the adapter resources had already been freed. This could lead
to a kernel panic when rebooting or shutting down the machine.


* Kernel panic when probing iSCSI BladeEngine devices.

An invalid DMA configuration can trigger an assertion and kernel panic
when probing an iSCSI BladeEngine device.


* Information leak when reading IPv4 and IPv6 error queue.

The error queue mechanism (MSG_ERRQUEUE) in IPv4 and IPv6 sockets does
not correctly initialise kernel data-structures which causes the
contents of kernel memory to be leaked to userspace.


* Use-after-free when receiving IPv4 and IPv6 ICMP echo replies.

The kernel IPv4 and IPv6 subsystems incorrectly free memory when
receiving ICMP echo replies which can trigger a use-after-free condition
and kernel panic.


* Kernel panic when receiving compressed PPP data.

The kernel Point-to-Point networking implementation does not correctly
handle decompressing large PPP packets which can trigger an assertion
failure and kernel panic.


* Use-after-free in SMACK security module.

Incorrect locking in the SMACK security module can trigger a
use-after-free and kernel panic when looking up the credentials of a
userspace process. This flaw can be used by a local unprivileged user to
trigger a kernel panic or elevate privileges.


* Use-after-free in USB Host Controller Device driver.

Incorrect memory management in the USB Host Controller Driver (HCD) can
trigger a use-after-free condition and kernel panic.


* Security bypass in kernel pseudo terminal subsystem.

The kernel pseudo-terminal (PTY) subsystem does not enforce restrictions
on which users can signal processes, which allows local unprivileged
users to send arbitrary signals to privileged processes.


* Denial of service when decoding NFSv4.1 sequence operations.

The kernel NFSv4.1 client tries to free invalid memory when decoding NFS
sequence operations which can trigger a kernel panic. This flaw can be
triggered by remote users.


* Kernel bug when handling a huge page fault.

A race condition in the huge page fault handler could cause a BUG()
assertion to be hit, causing a denial-of-service.


* Denial-of-service in the mmap() system call.

An integer overflow in the routine checking if there is enough memory to
satisfy an allocation request leads all future allocations to fail.  A
local, unprivileged user could use this flaw to cause a denial-of-service.


* Denial-of-service when reading physical memory from user-space.

The routine generic_access_phys(), used by the /dev/mem and userspace IO
drivers, was only re-mapping one page of IO memory when the request could
span a bigger range, causing out of bounds memory accesses and kernel
panic.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Denial-of-service when soft-offlining a page on concurrent migration.

A race condition in the memory subsystem when soft-offlining a page being
migrated could cause a BUG_ON() assertion to be triggered.  An attacker
could use this flaw to cause a denial-of-service.


* Memory corruption when mounting malformed JFFS2 disk images.

The kernel JFFS2 filesystem driver does not validate the eraseblock, which
can trigger an assertion and kernel panic.


* Multiple data losses on TCM Storage Engine.

Lack of input validation and range checks in the TCM Storage Engine (Target
Core) driver could lead to data loss or data corruption under certain
circumstances.


* Use-after-free in the Multiple devices driver when taking a reference count.

Incorrect locking in the Multiple devices driver (RAID and LVM) could lead
to a use-after-free.  A local, privileged user could use this flaw to cause
a denial-of-service.


* Use-after-free in the Multiple devices driver when taking a snapshot.

An internal structure of the Multiple devices (RAID and LVM) driver was
being accessed after it was released.  An attacker could use this flaw to
cause a denial-of-service.


* Use-after-free on removing from procfs on concurrent symlink traversal.

A race condition in the procfs filesystem could lead to a use-after-free
when removing inodes from procfs concurrently with traversing symlinks.  A
local, privileged user could use this flaw to cause a denial-of-service.


* Out of bounds memory access in autofs4 filesystem ioctl.

A time-of-check to time-of-use vulnerability when validating the size of
the ioctl input buffer in the autofs4 filesystem could lead to out of
bounds memory access.  A local, unprivileged user could use this flaw to
cause a denial-of-service or potentially escalate their privileges.


* Denial of service in XFS quota management.

The kernel XFS filesystem driver does not reset quota metadata when
removing and creating files which can trigger an assertion failure and
kernel panic. A local user able to write to an XFS filesystem could use
this flaw to trigger a denial of service.


* CVE-2015-2922: Denial-of-service of IPv6 networks when handling router advertisements.

A flaw in the IPv6 stack allowed a remote attacker on the same network to
set the hop limit to a smaller value than the default one, preventing
devices on that network from sending or receiving.
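
The observable symptom of CVE-2015-2922 on an affected host is a per-interface hop limit that has dropped below the Linux default. The script below is an added example, not part of the Ksplice notice: it walks the net/ipv6/conf/<ifname>/ sysctl tree, reports each interface's hop_limit and accept_ra value, and flags any hop limit below the default. It assumes the Linux default hop limit of 64 and takes the sysctl root as a parameter, so it can run against a constructed directory rather than the live /proc/sys.

```shell
#!/bin/sh
# Added example, not part of the Ksplice notice: report IPv6 interfaces
# whose current hop limit is below the Linux default of 64 (the state an
# abusive router advertisement leaves behind) and show whether each one
# still accepts router advertisements. The sysctl tree root is a
# parameter so the check can be run against a constructed directory
# instead of the live /proc/sys.

# ipv6_hop_limit_report SYSCTL_ROOT [DEFAULT_HOP_LIMIT]
# Prints one line per interface:
#   <ifname> hop_limit=<n> accept_ra=<v> <ok|LOWERED>
# Returns 0 when no interface is below the default, 1 otherwise.
# The synthetic "all" and "default" entries are skipped.
ipv6_hop_limit_report() {
    root="$1"
    default="${2:-64}"
    lowered=0
    for dir in "$root"/net/ipv6/conf/*/; do
        [ -d "$dir" ] || continue
        ifname="$(basename "$dir")"
        case "$ifname" in all|default) continue ;; esac
        hl="$(cat "$dir/hop_limit" 2>/dev/null)" || continue
        ra="$(cat "$dir/accept_ra" 2>/dev/null || echo '?')"
        # A non-numeric hop_limit makes the test fail closed into "ok".
        if [ "$hl" -lt "$default" ] 2>/dev/null; then
            status="LOWERED"
            lowered=1
        else
            status="ok"
        fi
        echo "$ifname hop_limit=$hl accept_ra=$ra $status"
    done
    return $lowered
}

# ipv6_lowered_count SYSCTL_ROOT
# Number of interfaces flagged LOWERED, for use in monitoring scripts.
ipv6_lowered_count() {
    ipv6_hop_limit_report "$1" | grep -c 'LOWERED$' || true
}

# Demo on a constructed sysctl tree so the block runs without IPv6 or
# root privileges: eth0 is healthy, eth1 has had its hop limit lowered.
demo="$(mktemp -d)"
mkdir -p "$demo/net/ipv6/conf/eth0" "$demo/net/ipv6/conf/eth1"
echo 64 > "$demo/net/ipv6/conf/eth0/hop_limit"
echo 1  > "$demo/net/ipv6/conf/eth0/accept_ra"
echo 1  > "$demo/net/ipv6/conf/eth1/hop_limit"
echo 1  > "$demo/net/ipv6/conf/eth1/accept_ra"
ipv6_hop_limit_report "$demo" || echo "at least one interface has a lowered hop limit"
rm -rf "$demo"

# On a live host: ipv6_hop_limit_report /proc/sys
```

A LOWERED line on an interface with accept_ra=1 is the combination to investigate. Hosts that do not rely on SLAAC can set accept_ra to 0 on those interfaces, which removes router advertisement processing altogether; hosts that do need it should be running the patched kernel from this notice.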


* CVE-2015-2666: Privilege escalation in the Intel early microcode loader.

A lack of bounds checking when writing to an on-stack array while parsing
the microcode headers in the Intel early loader could cause a kernel panic
or potentially lead to kernel code execution.  A local, privileged user could
use this flaw to escalate their privileges.


* NULL pointer dereference when closing connection in Emulex BladeEngine 2 driver.

Due to a missing NULL check in the Emulex BladeEngine 2 driver, closing
a connection could attempt to process some events after resources had
already been freed. This would lead to a NULL pointer dereference and
kernel crash.


* Denial-of-service when changing permissions of a huge page.

A race condition when changing the permissions of a huge page on concurrent
migration could lead to a kernel panic.  An attacker could use this flaw to
cause a denial-of-service.


* Use-after-free when disconnecting CephFS client.

A race condition when closing a connection to a CephFS service can
trigger a use-after-free condition and kernel panic.


* Denial of service when routing IPv6 atomic fragments.

The kernel IPv6 implementation processes atomic fragments according to
the IPv6 RFC. However, remote attackers can leverage a feature of
atomic fragments to stop the routing of IPv6 traffic, causing a denial
of service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

