[Ksplice][Ubuntu-14.04-Updates] New updates available via Ksplice (3.13.0-63.103)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Sep 3 13:00:34 PDT 2015


Synopsis: 3.13.0-63.103 can now be patched using Ksplice
CVEs: CVE-2015-5707

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.13.0-63.103.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.04 Trusty
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
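To turn the two install paths above into a check that can run on a fleet, the following added script (not part of the Ksplice announcement or the Uptrack tooling) reads the autoinstall setting from an uptrack.conf-style file and reports whether the host will pick the updates up by itself or needs the manual uptrack-upgrade run. The file path is a parameter so the check can be exercised against the constructed sample configs below instead of the real /etc/uptrack/uptrack.conf; the sample file contents, including the section name, are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Ksplice announcement: decide how these updates
# reach a host from the "autoinstall" key in an uptrack.conf-style file.

# uptrack_autoinstall CONF
# Prints "yes" when the last uncommented "autoinstall = yes" line wins,
# otherwise "no". A missing or unreadable file, or an absent key, also
# yields "no": the safe assumption is that the host needs a manual run.
uptrack_autoinstall() {
    [ -r "$1" ] || { echo no; return 0; }
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" \
          | tail -n 1 | tr 'A-Z' 'a-z')
    if [ "$val" = "yes" ]; then echo yes; else echo no; fi
}

# uptrack_action CONF
# Prints the operator action implied by the announcement's install section.
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = "yes" ]; then
        echo "automatic: Uptrack will install the updates itself"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Constructed sample configs (assumed layout, not copied from a real host)
# showing both branches; the commented-out line must be ignored.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/auto.conf" <<'EOF'
[Settings]
# install updates without operator involvement
autoinstall = yes
EOF
cat > "$sample_dir/manual.conf" <<'EOF'
[Settings]
#autoinstall = yes
autoinstall = no
EOF

uptrack_action "$sample_dir/auto.conf"
uptrack_action "$sample_dir/manual.conf"
```

Point uptrack_action at /etc/uptrack/uptrack.conf to check a live host; hosts that print "manual" are the ones that still need the uptrack-upgrade command from the announcement.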


DESCRIPTION

* CVE-2015-5707: Privilege escalation in generic SCSI character device.

An integer overflow in the SCSI generic driver in the Linux kernel could
allow a local user with write permission on a SCSI generic device to
escalate privileges.


* BTRFS data loss during append writes and hard links.

Under specific conditions, appending to a file after creating a hard
link could result in loss of the appended data.


* NULL pointer dereference in OS/2 HPFS filesystem remount.

Remounting an HPFS filesystem under low-memory conditions could result
in a NULL pointer dereference and kernel crash.


* Delayed inode freeing in directory cache.

A bug in the dcache code when using file handles could cause inodes to
remain on disk (taking up space) indefinitely after deletion. A
malicious local user could use this to fill up a filesystem.


* Denial-of-service in BTRFS extent_same ioctl().

A missing memory free() could result in a memory leak and memory
exhaustion when performing the extent_same ioctl() on a BTRFS
filesystem.  A local user with access to the filesystem device could use
this flaw to trigger a denial-of-service.


* Denial-of-service in network device queue allocation.

A kernel assertion could be triggered from user-space when adding a
network device.  A local, privileged user could use this flaw to crash
the system.


* Denial-of-service in Distributed Switch Architecture device probing.

Missing range checks when probing a DSA device from a Device Tree could
result in an out-of-bounds access.  Malicious firmware or a privileged
user could use this flaw to crash the system.


* Denial-of-service in BTRFS inode cache during deletion.

Missing locking during inode unpinning could result in memory
corruption.  A local user with access to the BTRFS filesystem could use
this flaw to trigger a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
