[Ksplice][Ubuntu-14.04-Updates] New Ksplice updates for Ubuntu 14.04 Trusty (3.13.0-161.211)

Jamie Iles jamie.iles at oracle.com
Thu Dec 20 05:24:17 PST 2018 

Synopsis: 3.13.0-161.211 can now be patched using Ksplice
CVEs: CVE-2015-8539 CVE-2016-7913 CVE-2017-0794 CVE-2017-15299 CVE-2017-18216 CVE-2018-1000004 CVE-2018-5390 CVE-2018-7566 CVE-2018-9518

Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.13.0-161.211.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 14.04
Trusty install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-18216: NULL pointer dereference while deleting OCFS2 node.

A race condition when deleting OCFS2 node could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-7566, CVE-2018-1000004: Denial-of-service in ALSA sequencer library.

Multiple race conditions in the ALSA sequencer library could lead to
use-after-free or out-of-bounds memory accesses.  A local user could use
these flaws to cause a denial-of-service or potentially escalate
privileges.


* CVE-2015-8539: Denial-of-service when updating a negatively instantiated user cryptographic key.

A lack of checking the key was not negatively instantiated when updating a
user cryptographic key could lead to a BUG assertion to trigger.  A local,
unprivileged user could use this flaw to cause a denial-of-service.


* CVE-2017-15299: Denial-of-service in uninstantiated key configuration.

A failure to check whether or not a key is instantiated before
performing operations on it can result in a NULL pointer dereference,
leading to a kernel crash. A local user could use this flaw to cause a
denial-of-service.


* CVE-2018-9518: Buffer overflow in NFC URI parsing.

A failure to check the length of a URI can result in a buffer overflow,
leading to a kernel crash or other undefined behavior. A local user
could use this flaw to potentially escalate privileges.


* CVE-2017-0794: Privilege escalation in SCSI.

A race condition in the generic SCSI driver can result in concurrent
access to a variable intended for exclusive use, leading to undefined
behavior. A local user with access to an sg device could use this flaw
to escalate privileges.


* Improved fix for CVE-2018-5390: Denial-of-service when receiving misordered TCP packets.

The original fix did not correctly keep track of the size of the TCP
socket buffer, leading to undefined behavior.


* CVE-2016-7913: Use-after-free when configuring xc2028 tuner driver.

A use-after-free vulnerability in xc2028 tuner driver allows local
users to gain privileges or cause a denial of service by omitting the
firmware name from a certain data structure.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the Ksplice-Ubuntu-14.04-updates mailing list