[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (3.13.0-53.87)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed May 20 10:25:29 PDT 2015


Synopsis: 3.13.0-53.87 can now be patched using Ksplice
CVEs: CVE-2014-9715 CVE-2015-2150 CVE-2015-3331

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.13.0-53.87.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Information leak in the USB stack when sending signals to userspace.

Failure to clear a struct siginfo before sending it to user-space leaks
kernel stack content to userspace.  A local, unprivileged user could use
this flaw to gain information about the running kernel, facilitating an
attack.


* Use-after-free in USB serial stack on failure to probe a device.

A logic error in the USB serial stack could lead to a use-after-free and
kernel panic on failure to probe a device.  A local, privileged user could
use this flaw to cause a denial-of-service.


* NULL pointer dereference in Radeon DRM_IOCTL_RADEON_CS ioctl().

Incorrect initialization could result in a NULL pointer dereference when
performing a DRM_IOCTL_RADEON_CS ioctl().  A local user with access to
the DRM device could use this flaw to trigger a denial-of-service
attack.


* Denial-of-service in btrfs when reading extended ref.

Improper pointer arithmetic when calculating the address of the extended
ref could lead to an out of bounds memory read and kernel panic.  A local
attacker could use this flaw to cause a denial-of-service.


* Kernel crash in netfilter socket matching.

Incorrect use of stack-allocated variables could result in accessing
stale data.  This could potentially be used by a local, privileged user
to cause a denial-of-service or potentially, escalate privileges.


* Remote memory leak in SUNRPC stack when accepting a GSSP connection.

A missing clean-up for allocated resources in the error path of
gssp_accept_sec_context_upcall() in the SUNRPC stack leads to a memory leak
of 512 bytes.  A remote attacker could use this flaw to exhaust the memory
on the host and cause a denial-of-service.


* NULL pointer dereference in the Team driver on concurrent device un-registering.

A race condition in the network Team driver could lead to NULL pointer
dereference on concurrent network device un-registering.  A local,
privileged user could use this flaw to cause a denial-of-service.


* Use-after-free in the extended matches network classifier.

A logic error in the extended matches (ematch) network classifier could
lead to a use-after-free and kernel panic.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Out of bounds memory write in macvtap driver with IPv6.

A logic error in the macvtap driver when allocating room in the socket
buffer for the ethernet header could lead to a two-byte memory
overwrite.  A local, unprivileged user could use this flaw to cause a
denial-of-service.


* Denial-of-service when binding an ICMP socket on IPv6.

A logic error in the IPv6 stack could lead to a kernel panic when
user-space binds an IPv4 ICMP socket.  A local, privileged user could use
this flaw to cause a denial-of-service.


* Kernel crash in SAS driver during expander discovery.

Incorrect handling of expander device discovery could result in a NULL
pointer dereference and kernel crash.


* Kernel crash in controller area network (CAN) sockets.

Incorrect initialization of CAN sockets could result in a kernel crash
when using AF_PACKET sockets.


* Use-after-free in Kvaser CAN to USB drivers when failing to send a URB.

An extra kfree() call in the error path of kvaser_usb_start_xmit() leads to
a double-free and potentially kernel panic.  An attacker could use this
flaw to cause a denial-of-service.


* CVE-2015-2150: Denial-of-service in Xen PCI passthrough devices.

Incorrect restrictions to PCI device configuration could allow a
privileged user in a Xen guest to trigger a fatal NMI in the host.  A
privileged, local user could use this flaw to cause a denial-of-service.


* Deadlock during NILFS2 filesystem recovery.

Mounting a NILFS2 filesystem could cause deadlock if roll-forward
recovery was required.  This could happen after a crash during a
datasync write.


* Resource leak in IP virtual server backup sync protocol.

Missing resource freeing could result in a memory leak and failure to
remove an IP virtual server instance.


* Memory corruption in Multiple Device driver when destroying a device.

Incorrect locking in the Multiple Device driver when destroying a device
could lead to memory corruptions and kernel panic.  A local, privileged
user could use this flaw to cause a denial-of-service.


* Frame filtering bypass in mesh forwarding in mac80211 stack.

A flaw in the mac80211 mesh forwarding allows un-encrypted frames to pass
through.  A remote attacker could use this flaw to inject un-encrypted
frames to an otherwise encrypted network.


* Denial-of-service in Intel Memory Protection Extensions.

Incorrect checking for user mode tasks could result in a
denial-of-service when handling bounds faults on a system with MPX
available.


* CVE-2015-3331: Denial-of-service in Intel AES RFC4106 decryption.

Incorrect mapping of buffers in the Intel AES RFC4106 implementation
could result in a kernel crash.  A local, unprivileged user with access
to AF_ALG(aead) sockets could use this flaw to trigger a
denial-of-service.


* Information leak in /proc/PID/pagemap.

/proc/PID/pagemap includes the virtual to physical mappings and could be
accessed by a local, unprivileged user.  This could be used in
conjunction with flaws such as ROWHAMMER to elevate privileges.
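As an added check for the pagemap entry above (this is example code written for this note, not part of the Ksplice advisory or the kernel): the decoder below follows the 64-bit entry layout documented in the kernel's Documentation/vm/pagemap.txt and reports whether a process can see non-zero physical frame numbers for its own resident pages. On kernels that hide the mapping from callers without CAP_SYS_ADMIN the PFN field reads as zero, so a non-zero PFN observed by an unprivileged process is the information leak described here. The live read is Linux-only; the sample entries at the bottom are constructed for illustration.

```python
import ctypes
import os
import struct

PAGEMAP_ENTRY_SIZE = 8    # one little-endian 64-bit word per virtual page
PFN_MASK = (1 << 55) - 1  # bits 0-54 hold the page frame number when present


def decode_pagemap_entry(raw):
    """Decode one /proc/PID/pagemap entry.

    Layout (Documentation/vm/pagemap.txt):
      bits 0-54  page frame number if present, swap type/offset if swapped
      bit 55     soft-dirty
      bit 61     file-backed or shared-anonymous page
      bit 62     page is swapped out
      bit 63     page is present in RAM
    """
    (word,) = struct.unpack("<Q", raw)
    present = bool((word >> 63) & 1)
    swapped = bool((word >> 62) & 1)
    return {
        "present": present,
        "swapped": swapped,
        "file_or_shared": bool((word >> 61) & 1),
        "pfn": (word & PFN_MASK) if present and not swapped else 0,
    }


def pfn_exposed(entries):
    """Return True if any resident page reports a non-zero physical frame number.

    Kernels that hide the mapping from callers without CAP_SYS_ADMIN leave the
    PFN field zeroed, so a non-zero PFN seen by an unprivileged process means
    the virtual-to-physical mapping is readable (the leak described above).
    """
    return any(e["present"] and not e["swapped"] and e["pfn"] != 0 for e in entries)


def read_own_pagemap_entries(nr_pages=4):
    """Touch nr_pages of fresh memory and read the pagemap entries covering it.

    Linux-only; returns [] when /proc/self/pagemap cannot be read at all.
    """
    try:
        page_size = os.sysconf("SC_PAGE_SIZE")
    except (AttributeError, ValueError):
        page_size = 4096  # assumption for non-POSIX hosts; the read below fails there anyway
    buf = (ctypes.c_char * (page_size * nr_pages))()
    for i in range(nr_pages):
        buf[i * page_size] = b"\x01"  # write to each page so it is resident
    first_page = ctypes.addressof(buf) // page_size
    try:
        with open("/proc/self/pagemap", "rb") as f:
            f.seek(first_page * PAGEMAP_ENTRY_SIZE)
            # +1 because the buffer is not necessarily page-aligned
            raw = f.read((nr_pages + 1) * PAGEMAP_ENTRY_SIZE)
    except OSError:
        return []
    usable = len(raw) - len(raw) % PAGEMAP_ENTRY_SIZE
    return [decode_pagemap_entry(raw[i:i + PAGEMAP_ENTRY_SIZE])
            for i in range(0, usable, PAGEMAP_ENTRY_SIZE)]


# Constructed sample entries (built here for illustration, not captured from a system)
SAMPLE_EXPOSED = struct.pack("<Q", (1 << 63) | 0x1A2B3)  # present, PFN 0x1a2b3 visible
SAMPLE_MASKED = struct.pack("<Q", 1 << 63)               # present, PFN zeroed by the kernel
SAMPLE_SWAPPED = struct.pack("<Q", (1 << 62) | 0x7F)     # swapped out, no PFN
SAMPLE_ABSENT = struct.pack("<Q", 0)                     # never touched

if __name__ == "__main__":
    # Run as an unprivileged user: root is allowed to see PFNs on every kernel.
    live = read_own_pagemap_entries()
    if not live:
        print("could not read /proc/self/pagemap")
    elif pfn_exposed(live):
        print("PFNs visible to this process: pagemap exposes the physical mapping")
    else:
        print("PFN field zeroed: physical mapping hidden from this process")
```

Run it as a normal user on the patched and unpatched kernel to confirm the difference; as root the PFNs are visible on any kernel, so that result says nothing about the fix.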


* Use-after-free in ISCSI target connection closing.

A race condition in the ISCSI target connection closing procedure could
result in a use-after-free condition and subsequent kernel crash.


* Denial-of-service in pSCSI backend.

A missing NULL pointer check could result in a denial-of-service,
triggerable by a local, unprivileged user for incomplete configurations.


* NULL pointer dereference during Target device initialization failure.

Failure to create a workqueue when initializing a target device could
result in a NULL pointer dereference and kernel crash under specific
conditions.


* Denial-of-service in network packet transmission and reception.

Missing validation of the net.core.rmem_default and
net.core.wmem_default controls could allow a local, privileged user to
trigger a denial-of-service by setting low values for these parameters
and sending or receiving large packets.


* Kernel crash in IPv4 socket monitoring interface.

Incorrect allocation could result in a heap overflow and subsequent
kernel crash when receiving diagnostics for an IPv4 socket.


* Kernel crash in compat sendmsg/recvmsg calls.

Incorrect validation of user supplied data could result in memory
corruption when sending or receiving messages to a datagram socket and
the audit subsystem was enabled.


* Memory leak when adding a vlan device to a shut down interface.

Failure to un-register stacked devices in the error path of rtnl_newlink()
leads to a memory leak.  A local, privileged user could use this flaw to
exhaust the memory on the system and cause a denial-of-service.


* Memory corruption when configuring a virtual interface link through netlink.

A minimum length was mistakenly interpreted as a maximum length when
configuring a virtual interface link through netlink, leading to memory
corruption and potentially a kernel panic.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Kernel crash in Network Block Device request completion.

A race condition during completion of NBD image requests could result in
incorrectly hitting a kernel assertion and crashing the system.


* Data loss in BTRFS file synchronization.

A race during synchronizing files with the filesystem could result in
data loss under specific conditions.


* CVE-2014-9715: Remote code execution in the netfilter connection tracking subsystem.

The netfilter connection tracking subsystem uses a type that is too small to
store the size and offset of an extension, which could lead to memory
corruption.  A remote attacker could potentially use this flaw to cause a
denial-of-service or to gain code execution.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
