[Ksplice][Ubuntu-14.10-Updates] New updates available via Ksplice (3.16.0-30.40)

Oracle Ksplice ksplice-support_ww at oracle.com
Sat Jan 31 05:42:32 PST 2015


Synopsis: 3.16.0-30.40 can now be patched using Ksplice

Systems running Ubuntu 14.10 Utopic can now use Ksplice to patch
against the latest Ubuntu kernel update, 3.16.0-30.40.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.10 Utopic
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Kernel panic in emulated low-rate wireless personal area network.

A flaw in the fake LR-WPAN driver leads to unregistering a network device
before its registration in certain circumstances. This could lead to a
kernel panic and denial-of-service.


* Information leak in point-to-point tunneling protocol.

Missing initialization of an on-stack structure in the pptp_getname()
function leaks 16 bytes of kernel stack to userspace when using
getsockname(). This information could be used to facilitate an attack on
the running kernel.
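
The uninitialized-structure pattern behind this kind of getsockname() leak, next to the zero-before-fill fix, as an added example (not Ksplice or kernel code). The structure layout, the field values and the 0xAA marker that models stale stack contents are all constructed for the demonstration; the layout is chosen so the unwritten region is 16 bytes, matching the count above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA /* marker standing in for leftover kernel stack contents */

/* Constructed layout (not the kernel's): the handler owns the first 16
 * bytes; the last 16 belong to a wider address variant it never writes. */
struct demo_sockaddr {
    uint32_t family, protocol, call_id, peer;
    uint8_t  other_variant[16];
};

/* Vulnerable pattern: assign only the fields this protocol uses. */
static void fill_leaky(struct demo_sockaddr *sa)
{
    sa->family = 24;        /* constructed values; no byte equals 0xAA */
    sa->protocol = 2;
    sa->call_id = 7;
    sa->peer = 0x0100007f;
}

/* Hardened pattern: zero the whole object, then assign the fields. */
static void fill_zeroed(struct demo_sockaddr *sa)
{
    memset(sa, 0, sizeof(*sa));
    fill_leaky(sa);
}

/* Models getsockname(): a dirty stack slot is filled by the handler and
 * copied out whole. Returns the number of stale bytes the caller receives. */
size_t stale_bytes_copied_out(int hardened)
{
    struct demo_sockaddr on_stack;
    uint8_t user[sizeof(on_stack)];
    size_t i, n = 0;
    memset(&on_stack, STALE, sizeof(on_stack)); /* simulate stale stack */
    (hardened ? fill_zeroed : fill_leaky)(&on_stack);
    memcpy(user, &on_stack, sizeof(user));      /* copy_to_user stand-in */
    for (i = 0; i < sizeof(user); i++)
        n += (user[i] == STALE);
    return n;
}

int main(void)
{
    printf("leaky: %zu stale bytes, hardened: %zu\n", stale_bytes_copied_out(0), stale_bytes_copied_out(1));
    return 0;
}
```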


* Deadlock in Novell networking protocol when using recvmsg.

Incorrect locking in the Novell networking protocol (IPX) recvmsg function
causes a deadlock when waiting for new data.


* Kernel crash in Target Core Mod when sending zero-length command.

A missing check to validate that a command contains data could lead to a
kernel crash depending on the transport driver. A local attacker could use
this flaw to cause a denial-of-service.


* Kernel BUG in mac80211 when decrypting empty packets.

A missing check that a packet is not empty before trying to decrypt it
causes a kernel BUG assertion to be triggered. A remote attacker could use
this flaw to cause a denial-of-service.


* Memory corruption in Realtek 2x00 WiFi driver when re-transmitting a frame.

A logic error in the Realtek 2x00 WiFi driver consumes 4 bytes of a socket
buffer at each retransmission, leading to a kernel panic. A remote attacker
could potentially use this flaw to cause a denial-of-service.


* Integer overflow when generating a mask in bitops header file.

A flaw in the way the macros GENMASK() and GENMASK_ULL() were implemented
could lead to an integer overflow, potentially causing memory corruption
and a kernel panic.


* Use-after-free in WM Audio DSP driver when loading coefficients to the DSP.

A logic error in the WM Audio DSP driver leads to releasing resources
while they are still being used, potentially causing a kernel panic. A
local user could use this flaw to cause a denial-of-service.


* Memory leak when unbinding Electronic System Design CAN-USB driver.

Private structures used by the Electronic System Design (ESD) CAN-USB
driver are not properly released when un-binding the driver. A local,
privileged user could use this flaw to exhaust the memory on the system and
cause a denial-of-service.


* Incorrect executable permission on kernel memory.

A logic error in the mark_rodata_ro() function leaves some kernel memory
with the executable bit set when it isn't supposed to be
executable. This flaw could facilitate an attack by allowing an attacker to
run code in this memory area.


* Memory corruption in SUNRPC stack when handling channel reply receive.

Incorrect locking in the SUNRPC stack when handling a channel reply receive
could lead to a race condition when looking up a request buffer, potentially
leading to memory corruption and a kernel panic. An attacker could use
this flaw to cause a denial-of-service.


* Memory corruption in QLogic NetXtreme II FCoE driver.

A logic error in the BNX2FC driver leads to an early removal of a shared
socket buffer, and corruption of the other references. An attacker could
use this flaw to cause a denial-of-service.


* Data loss in frontswap page invalidation.

If the kernel frontswap subsystem fails to store a newer version of a
swap page then data corruption can occur leading to data loss.


* Use after free in VXLAN socket release.

Incorrect reference counting when releasing a VXLAN socket can lead to a
use after free condition and kernel panic. A local user could use this
flaw to trigger kernel memory corruption and escalate their privileges.


* Kernel panic in network bonding netlink configuration.

The netlink interface for managing bonded network interfaces does not
validate the length of configuration data, leading to a possible
out-of-bounds read and kernel panic.


* Use-after-free in netlink routing interface.

The kernel netlink routing interface does not correctly release
resources when a permissions error is encountered leading to a
use-after-free condition and kernel panic.


* Kernel panic in transmission of tunnelled SCTP packets.

The kernel SCTP stack does not correctly allocate memory for SCTP
packets that are sent via a tunnel, which can trigger an assertion and
kernel panic.


* Use-after-free in Intel 10GbE PCI Express Ethernet probe/removal.

Missing NULL pointer checks could result in a NULL pointer dereference
or use-after-free when adding or removing an Intel 10GbE network
adapter.


* Information leak with btrfs compression streams.

Incorrect handling of compression streams that might return less data
than expected could result in leaking the contents of kernel heap memory
to userspace.  A maliciously crafted filesystem image could be used to
leak kernel information.


* Kernel crash in Marvell bluetooth adapter probing.

An invalid error check could result in dereferencing an invalid pointer
and a kernel crash when adding a new adapter.


* Predictable IPv6 fragment IDs with Virtio UFO packets.

UDPv6 with offloading enabled on a virtio device would have a static
fragment ID of 0.  A remote attacker could use this to gain information
about the host or potentially perform a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


