[Ksplice][Ubuntu-14.04-Updates] New Ksplice updates for Ubuntu 14.04 Trusty (3.13.0-161.211)
Jamie Iles
jamie.iles at oracle.com
Thu Dec 20 05:24:17 PST 2018
Synopsis: 3.13.0-161.211 can now be patched using Ksplice
CVEs: CVE-2015-8539 CVE-2016-7913 CVE-2017-0794 CVE-2017-15299 CVE-2017-18216 CVE-2018-1000004 CVE-2018-5390 CVE-2018-7566 CVE-2018-9518
Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.13.0-161.211.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 14.04
Trusty install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2017-18216: NULL pointer dereference while deleting OCFS2 node.
A race condition when deleting OCFS2 node could lead to a NULL pointer
dereference. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2018-7566, CVE-2018-1000004: Denial-of-service in ALSA sequencer library.
Multiple race conditions in the ALSA sequencer library could lead to
use-after-free or out-of-bounds memory accesses. A local user could use
these flaws to cause a denial-of-service or potentially escalate
privileges.
* CVE-2015-8539: Denial-of-service when updating a negatively instantiated user cryptographic key.
A lack of checking the key was not negatively instantiated when updating a
user cryptographic key could lead to a BUG assertion to trigger. A local,
unprivileged user could use this flaw to cause a denial-of-service.
* CVE-2017-15299: Denial-of-service in uninstantiated key configuration.
A failure to check whether or not a key is instantiated before
performing operations on it can result in a NULL pointer dereference,
leading to a kernel crash. A local user could use this flaw to cause a
denial-of-service.
* CVE-2018-9518: Buffer overflow in NFC URI parsing.
A failure to check the length of a URI can result in a buffer overflow,
leading to a kernel crash or other undefined behavior. A local user
could use this flaw to potentially escalate privileges.
* CVE-2017-0794: Privilege escalation in SCSI.
A race condition in the generic SCSI driver can result in concurrent
access to a variable intended for exclusive use, leading to undefined
behavior. A local user with access to an sg device could use this flaw
to escalate privileges.
* Improved fix for CVE-2018-5390: Denial-of-service when receiving misordered TCP packets.
The original fix did not correctly keep track of the size of the TCP
socket buffer, leading to undefined behavior.
* CVE-2016-7913: Use-after-free when configuring xc2028 tuner driver.
A use-after-free vulnerability in xc2028 tuner driver allows local
users to gain privileges or cause a denial of service by omitting the
firmware name from a certain data structure.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-14.04-updates
mailing list