[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (3.13.0-53.87)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed May 20 10:25:29 PDT 2015
Synopsis: 3.13.0-53.87 can now be patched using Ksplice
CVEs: CVE-2014-9715 CVE-2015-2150 CVE-2015-3331
Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.13.0-53.87.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* Information leak in the USB stack when sending signals to userspace.
Failing to clear a struct siginfo before sending it to user-space leaks
kernel stack content to userspace. A local, unprivileged user could use
this flaw to gain information about the running kernel, facilitating an
attack.
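The first item is the classic "partially initialised object copied to userspace" pattern. The C below is an added illustration, not code from the advisory or from the kernel: it uses a simplified stand-in struct (siginfo_like, constructed here) to show how alignment padding and the unused tail of a union carry stale stack bytes unless the whole object is cleared before the fields are filled in.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed, simplified stand-in for struct siginfo (not the kernel's). */
struct siginfo_like {
    int   si_signo;
    short si_code;       /* alignment padding follows on common ABIs */
    union {
        int       pid;   /* the member a sender actually fills in */
        long long band;  /* widest member, so the union is 8 bytes */
    } u;
};

#define STALE 0xAA       /* marker standing in for leftover kernel stack data */

/* Model a reused stack slot: the storage still holds old contents. */
static void simulate_stale_stack(struct siginfo_like *s) { memset(s, STALE, sizeof *s); }

/* Leaky pattern: only the needed members are written; padding and the
 * unused part of the union keep whatever the stack held before. */
void fill_siginfo_leaky(struct siginfo_like *s, int pid) {
    s->si_signo = 10;
    s->si_code  = 2;
    s->u.pid    = pid;
}

/* Fixed pattern: clear the whole object first (the memset/clear-siginfo
 * style of fix), then assign, so no stale bytes reach userspace. */
void fill_siginfo_cleared(struct siginfo_like *s, int pid) {
    memset(s, 0, sizeof *s);
    s->si_signo = 10;
    s->si_code  = 2;
    s->u.pid    = pid;
}

/* Count bytes still carrying the stale marker: what userspace would receive. */
int count_stale_bytes(void (*fill)(struct siginfo_like *, int)) {
    struct siginfo_like s;
    simulate_stale_stack(&s);
    fill(&s, 1234);
    const unsigned char *p = (const unsigned char *)&s;
    int n = 0;
    for (size_t i = 0; i < sizeof s; i++) n += (p[i] == STALE);
    return n;
}

int main(void) {
    printf("leaky:   %d stale bytes reach userspace\n", count_stale_bytes(fill_siginfo_leaky));
    printf("cleared: %d stale bytes reach userspace\n", count_stale_bytes(fill_siginfo_cleared));
    return 0;
}
```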
* Use-after-free in USB serial stack on failure to probe a device.
A logic error in the USB serial stack could lead to a use-after-free and
kernel panic on failure to probe a device. A local, privileged user could
use this flaw to cause a denial-of-service.
* NULL pointer dereference in Radeon DRM_IOCTL_RADEON_CS ioctl().
Incorrect initialization could result in a NULL pointer dereference when
performing a DRM_IOCTL_RADEON_CS ioctl(). A local user with access to
the DRM device could use this flaw to trigger a denial-of-service
attack.
* Denial-of-service in btrfs when reading extended ref.
Improper pointer arithmetic when calculating the address of the extended
ref could lead to an out-of-bounds memory read and kernel panic. A local
attacker could use this flaw to cause a denial-of-service.
* Kernel crash in netfilter socket matching.
Incorrect use of stack-allocated variables could result in accessing
stale data. This could potentially be used by a local, privileged user
to cause a denial-of-service or, potentially, escalate privileges.
* Remote memory leak in SUNRPC stack when accepting a GSSP connection.
A missing clean-up for allocated resources in the error path of
gssp_accept_sec_context_upcall() in the SUNRPC stack leads to a memory leak
of 512 bytes. A remote attacker could use this flaw to exhaust the memory
on the host and cause a denial-of-service.
* NULL pointer dereference in the Team driver on concurrent device unregistering.
A race condition in the network Team driver could lead to a NULL pointer
dereference on concurrent network device unregistering. A local,
privileged user could use this flaw to cause a denial-of-service.
* Use-after-free in the extended matches network classifier.
A logic error in the extended matches (ematch) network classifier could
lead to a use-after-free and kernel panic. A local, privileged user could
use this flaw to cause a denial-of-service.
* Out-of-bounds memory write in macvtap driver with IPv6.
A logic error in the macvtap driver when allocating room in the socket
buffer for the Ethernet header could lead to a two-byte memory
overwrite. A local, unprivileged user could use this flaw to cause a
denial-of-service.
* Denial-of-service when binding an ICMP socket on IPv6.
A logic error in the IPv6 stack could lead to a kernel panic when
user-space binds an IPv4 ICMP socket. A local, privileged user could use
this flaw to cause a denial-of-service.
* Kernel crash in SAS driver during expander discovery.
Incorrect handling of expander device discovery could result in a NULL
pointer dereference and kernel crash.
* Kernel crash in controller area network (CAN) sockets.
Incorrect initialization of CAN sockets could result in a kernel crash
when using AF_PACKET sockets.
* Use-after-free in Kvaser CAN to USB drivers when failing to send a URB.
An extra kfree() call in the error path of kvaser_usb_start_xmit() leads to
a double-free and potentially kernel panic. An attacker could use this
flaw to cause a denial-of-service.
* CVE-2015-2150: Denial-of-service in Xen PCI passthrough devices.
Incorrect restrictions on PCI device configuration could allow a
privileged user in a Xen guest to trigger a fatal NMI in the host. A
privileged, local user could use this flaw to cause a denial-of-service.
* Deadlock during NILFS2 filesystem recovery.
Mounting a NILFS2 filesystem could cause deadlock if roll-forward
recovery was required. This could happen after a crash during a
datasync write.
* Resource leak in IP virtual server backup sync protocol.
Missing resource freeing could result in a memory leak and failure to
remove an IP virtual server instance.
* Memory corruption in Multiple Device driver when destroying a device.
Incorrect locking in the Multiple Device driver when destroying a device
could lead to memory corruption and kernel panic. A local, privileged
user could use this flaw to cause a denial-of-service.
* Frame filtering bypass in mesh forwarding in mac80211 stack.
A flaw in the mac80211 mesh forwarding allows unencrypted frames to pass
through. A remote attacker could use this flaw to inject unencrypted
frames into an otherwise encrypted network.
* Denial-of-service in Intel Memory Protection Extensions.
Incorrect checking for user mode tasks could result in a
denial-of-service when handling bounds faults on a system with MPX
available.
* CVE-2015-3331: Denial-of-service in Intel AES RFC4106 decryption.
Incorrect mapping of buffers in the Intel AES RFC4106 implementation
could result in a kernel crash. A local, unprivileged user with access
to AF_ALG(aead) sockets could use this flaw to trigger a
denial-of-service.
* Information leak in /proc/PID/pagemap.
/proc/PID/pagemap includes the virtual-to-physical mappings and could be
accessed by a local, unprivileged user. This could be used in
conjunction with flaws such as Rowhammer to elevate privileges.
* Use-after-free in iSCSI target connection closing.
A race condition in the iSCSI target connection closing procedure could
result in a use-after-free condition and subsequent kernel crash.
* Denial-of-service in pSCSI backend.
A missing NULL pointer check could result in a denial-of-service,
triggerable by a local, unprivileged user for incomplete configurations.
* NULL pointer dereference during Target device initialization failure.
Failure to create a workqueue when initializing a target device could
result in a NULL pointer dereference and kernel crash under specific
conditions.
* Denial-of-service in network packet transmission and reception.
Missing validation of the net.core.rmem_default and
net.core.wmem_default controls could allow a local, privileged user to
trigger a denial-of-service by setting low values for these parameters
and sending or receiving large packets.
* Kernel crash in IPv4 socket monitoring interface.
Incorrect allocation could result in a heap overflow and subsequent
kernel crash when receiving diagnostics for an IPv4 socket.
* Kernel crash in compat sendmsg/recvmsg calls.
Incorrect validation of user-supplied data could result in memory
corruption when sending or receiving messages on a datagram socket while
the audit subsystem is enabled.
* Memory leak when adding a VLAN device to a shut-down interface.
Failing to unregister stacked devices in the error path of rtnl_newlink()
leads to a memory leak. A local, privileged user could use this flaw to
exhaust the memory on the system and cause a denial-of-service.
* Memory corruption when configuring a virtual interface link through netlink.
A minimum length was mistakenly interpreted as a maximum length when
configuring a virtual interface link through netlink, leading to memory
corruption and potentially a kernel panic. A local, privileged user could
use this flaw to cause a denial-of-service.
* Kernel crash in Network Block Device request completion.
A race condition during completion of NBD image requests could result in
incorrectly hitting a kernel assertion and crashing the system.
* Data loss in btrfs file synchronization.
A race while synchronizing files with the filesystem could result in
data loss under specific conditions.
* CVE-2014-9715: Remote code execution in the netfilter connection tracking subsystem.
The netfilter connection tracking subsystem uses a type that is too small to
store the size and offset of an extension, which could lead to memory
corruption. A remote attacker could potentially use this flaw to cause a
denial-of-service or to gain code execution.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.