[Ksplice][Ubuntu-14.10-Updates] New updates available via Ksplice (USN-2616-1)

Wed May 20 10:16:45 PDT 2015

Synopsis: USN-2616-1 can now be patched using Ksplice
CVEs: CVE-2015-3331 CVE-2015-3332

Systems running Ubuntu 14.10 Utopic can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2616-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 14.10 Utopic
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* Memory corruption in Multiple Device driver when destroying a device.

Incorrect locking in the Multiple Device driver when destroying a device
could lead to memory corruptions and kernel panic.  A local, privileged
user could use this flaw to cause a denial-of-service.

* Frames filtering bypass in mesh forwarding in mac80211 stack.

A flaw in the mac80211 mesh forwarding allows un-encrypted frames to pass
through.  A remote attacker could use this flaw to inject un-encrypted
frames to an otherwise encrypted network.

* Denial-of-service in Intel Memory Protection Extensions.

Incorrect checking for user mode tasks could result in a
denial-of-service when handling bounds faults on a system with MPX
available.

* CVE-2015-3331: Denial-of-service in Intel AES RFC4106 decryption.

Incorrect mapping of buffers in the Intel AES RFC4106 implementation
could result in a kernel crash.  A local, unprivileged user with access
to AF_ALG(aead) sockets could use this flaw to trigger a
denial-of-service.

* Information leak in /proc/PID/pagemap.

/proc/PID/pagemap includes the virtual to physical mappings and could be
accessed by a local, unprivileged user.  This could be used in
conjuction with flaws such as ROWHAMMER to elevate privileges.

* Use-after-free in ISCSI target connection closing.

A race condition in the ISCSI target connection closing procedure could
result in a use-after-free condition and subsequent kernel crash.

* Denial-of-service in pSCSI backend.

A missing NULL pointer check could result in a denial-of-service,
triggerable by a local, unprivileged user for incomplete configurations.

* NULL pointer dereference during Target device initialization failure.

Failure to create a workqueue when initializing a target device could
result in a NULL pointer dereference and kernel crash under specific
conditions.

* Out-of-bounds memory access in multiqueue block core segment merging.

An incorrect array index could result in accessing beyond the bounds of
an array when merging requests.  This could result in a crash or other,
undefined behaviour.

* Kernel crash in physical to virtual reverse mapping lookup.

Incorrect error handling when adjusting a virtual memory area could
result in integer underflow and a crash in the address reverse mapping
code.

* Data corruption on hfsplus filesystem when inserting node at position zero.

A logic error in the hfsplus filesystem driver leads to on-disk data
corruption when inserting a node at position zero.

* Use-after-free in Industrial I/O core error handling.

Incorrect error handling in the Industrial I/O device registration
function could result in a double-free and kernel crash.

* Use-after-free in CIFS page writing during intermittent network connectivity.

Incorrect error handling during loss of network connection could result
in a use-after-free when writing pages on a CIFS filesystem.

* NULL pointer dereference in Analog Devices IMU SPI driver.

Missing reference counting could result in a NULL pointer dereference in
the Analog Devices IMU SPI driver during removal if the trigger was
changed.

* Kernel panic when chowning files on NFS mount.

Under specific circumstances chowning a file on an NFS mount can trigger
an assertion failure and cause a kernel panic.

* CVE-2015-3332: Kernel BUG in TCP Fast Open when using GSO.

Incorrect initialisation of Fast Open SYN packets when using GSO could
cause a subsequent kernel BUG. Under certain circumstances, a local
user could take advantage of this to crash the kernel.

* Information leak in Infiniband Userspace events.

The Infiniband uverbs driver did not clear the events structure
resulting in leaking 4-8 bytes of kernel stack contents to userspace.

* Use-after-free in network namespace device moving.

Incorrect linked list manipulation could result in a use-after-free and
kernel crash when moving devices between namespaces.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.