[Ksplice][Ubuntu-14.04-Updates] New Ksplice updates for Ubuntu 14.04 Trusty (USN-3933-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed Apr 3 06:22:37 PDT 2019
Synopsis: USN-3933-1 can now be patched using Ksplice
CVEs: CVE-2017-1000410 CVE-2017-18360 CVE-2018-19824 CVE-2019-3459 CVE-2019-3460 CVE-2019-6974 CVE-2019-7222 CVE-2019-9213
Systems running Ubuntu 14.04 Trusty can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-3933-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 14.04
Trusty install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2019-6974: Use-after-free in KVM device creation.
A reference count manipulation error when creating a KVM device can result in
an early free, leading to a use-after-free. A local user with access to KVM
could use this flaw to cause a kernel crash or potentially escalate privileges.
* CVE-2019-7222: Information disclosure in KVM VMX emulation.
Incorrectly handling a page fault exception while emulating VMX instructions
can result in leaking host stack information to a guest. A guest VM could use
this flaw to facilitate a further attack on the host.
* CVE-2018-19824: Use-after-free when connecting ALSA USB sound device.
A use-after-free when connecting an ALSA USB sound device could result
in memory corruption, potentially allowing a malicious user to corrupt
memory or escalate privileges.
* CVE-2017-1000410: Information leak in Bluetooth L2CAP messages.
Incorrect handling of short EFS elements in an L2CAP message could allow
an attacker to leak the contents of kernel memory.
* CVE-2019-9213: Bypass of mmap_min_addr restriction.
An incorrect capability check in the mmap memory expansion implementation can
result in applications being able to bypass the minimum mmap address
restriction. A local user on a system without SMAP enabled could use this flaw
to exploit kernel NULL pointer dereferences.
* CVE-2019-3459: Information leak when processing L2CAP options controlled by an attacker.
Missing checks on options lengths when processing L2CAP options could lead
to an information leak. A local attacker could use this flaw to leak
information about running kernel and facilitate an attack.
* CVE-2019-3460: Information leak when parsing L2CAP options received from userspace.
Missing checks when parsing L2CAP option received from userspace could
lead to an information leak. A local attacker could use this flaw to
leak information about running kernel and facilitate an attack.
* CVE-2017-18360: Divide-by-zero error when setting port option of USB Inside Out Edgeport Serial Driver.
A missing check when setting port option of USB Inside Out Edgeport
Serial Driver could lead to a divide-by-zero error. A local attacker
could use this flaw to cause a denial-of-service.
* NULL pointer dereference when using Intel(R) 10GbE PCI Express adapters.
A missing check when using Intel(R) 10GbE PCI Express adapters could
lead to a NULL pointer dereference. A local attacker could use this flaw
to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-14.04-updates
mailing list