[Ksplice][Ubuntu-15.04-Updates] New updates available via Ksplice (USN-2719-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Aug 18 04:51:21 PDT 2015


Synopsis: USN-2719-1 can now be patched using Ksplice

Systems running Ubuntu 15.04 Vivid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2719-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.04 Vivid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
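To automate the check above across a fleet, the following is an added example (not part of the Ksplice announcement) that reads the autoinstall setting from uptrack.conf and only invokes uptrack-upgrade when Uptrack will not apply the updates itself; the conf-path parameter and the sample file written at the end are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Ksplice's own tooling: decide whether a host still
# needs a manual "uptrack-upgrade -y" based on its uptrack.conf.

# Print the effective "autoinstall" value from an uptrack.conf-style file.
# Strips '#'/';' comments, tolerates spaces around '=', takes the last
# occurrence, and answers "no" when the key or file is absent (so an
# unknown state is treated as "needs a manual upgrade").
uptrack_autoinstall() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    val=$(sed -n \
        -e 's/[[:space:]]*[#;].*$//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*$/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) echo yes ;;
        *) echo no ;;
    esac
}

# Run the upgrade command from the announcement unless autoinstall is on.
ksplice_apply_if_manual() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    if [ "$(uptrack_autoinstall "$conf")" = yes ]; then
        echo "autoinstall enabled; Uptrack applies USN-2719-1 updates itself"
        return 0
    fi
    /usr/sbin/uptrack-upgrade -y
}

# Demo on a constructed sample file, not a real host's configuration.
SAMPLE_CONF=$(mktemp)
printf '[Settings]\n# autoinstall = yes  (commented out, ignored)\nautoinstall = no\n' \
    > "$SAMPLE_CONF"
echo "sample conf: autoinstall=$(uptrack_autoinstall "$SAMPLE_CONF")"
rm -f "$SAMPLE_CONF"
```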


DESCRIPTION

* Denial-of-service in SonicBlue Optimized MPEG File System mounting.

Missing mount option termination could allow a user with permission to
mount filesystems to trigger a denial-of-service by passing an
unrecognized mount option.


* Denial-of-service in SonicBlue Optimized MPEG File System superblock bitmap.

An integer overflow in the superblock parsing of a SonicBlue Optimized
MPEG File System could result in an out-of-bounds memory access and
memory corruption.  A local user with permission to mount filesystems
could use this flaw to trigger a denial-of-service, or possibly escalate
privileges with a maliciously crafted filesystem.


* NULL pointer dereference in Broadcom IEEE802.11n packet transmission and reception.

Missing NULL pointer checks could result in a NULL pointer dereference
when receiving and transmitting packets in the Broadcom IEEE802.11n
driver.


* Denial-of-service in userspace string handling.

An incorrect length check could result in accessing beyond a
validated buffer.  A local, unprivileged user could use this flaw to
crash the kernel in specific conditions.


* Use-after-free in packet generation state.

Incorrect locking in the network transformation (XFRM) subsystem can
trigger a use-after-free condition and kernel panic when generating
packets.


* Kernel panic on Intel VT-d IOMMU in passthrough mode.

A flaw in the Intel VT-d IOMMU driver when configured in passthrough mode
could lead to an invalid pointer dereference on translation-disabled
devices.  A local, privileged user could use this flaw to cause a
denial-of-service.


* Information leak in CFG80211 WiFi extension.

A lack of zeroing a stack allocated structure used for statistics in the
CFG80211 WiFi extension could result in information leaks from one device
to another.  A local, unprivileged user could use this flaw to gain
knowledge about network traffic on other devices.


* Kernel BUG when migrating compound pages on NUMA.

A flaw in the memory migration code could result in compound pages being
marked for migration, which later causes a kernel assertion to trigger,
resulting in a denial-of-service.


* Kernel hang in generic block driver.

The generic block driver was calling a function not intended to run in both
interrupt and process context. In certain cases, this could lead to the
kernel hanging.


* Infinite loop when bridging IGMP traffic.

Incorrect reference counting in the network bridge subsystem can trigger
an infinite loop when processing IGMP traffic causing further bridged
network traffic to be dropped.


* Use-after-free in iSER target.

The iSCSI RDMA extensions had a possible use-after-free which an
attacker could use to cause a denial of service.


* Memory corruption when processing SCTP ASCONF packets.

Incorrect locking in the SCTP subsystem can trigger memory corruption
and a kernel panic when processing ASCONF packets.


* Use-after-free in network bridging when changing ports.

Incorrect locking when adding or removing bridge ports can trigger a
use-after-free condition. A privileged user could use this flaw to gain
kernel code execution.


* Denial of service in networking packet fanout.

Incorrect locking in the networking subsystem can trigger a
divide-by-zero and kernel panic when a userspace process uses the
PACKET_FANOUT socket option.


* Kernel panic in networking round-robin packet fanout.

Incorrect synchronization can trigger an out-of-bounds read and kernel
panic when a userspace process uses the PACKET_FANOUT_LB socket option.


* Use-after-free when updating networking neighbors.

Incorrect locking in the generic networking subsystem can trigger a
use-after-free condition when updating stale network neighbor
information. This flaw can trigger kernel memory corruption.


* Denial of service when processing OOTB SCTP packets.

A race condition between processing 'out-of-the-blue' (OOTB) packets and
removing an SCTP route can trigger a NULL pointer dereference and kernel
panic. A remote attacker could use this flaw to trigger a denial of
service.


* Privilege escalation when writing to setuid files.

A logic error in the file I/O subsystem can cause the setuid bit to be
set on world-writable files when root modifies a file. This could allow
unprivileged users to elevate privileges by modifying a setuid file.
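As an added defender's check (not part of the announcement), these shell functions audit a filesystem for the condition this bug could leave behind, files that are both setuid and world-writable, and optionally clear the bit; the directory argument and the temporary file created in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Ksplice's tooling: audit for world-writable setuid files.

# List regular files under ROOT (default /) that have BOTH the setuid bit
# and the other-write bit set (-perm -4002 requires both bits). That
# combination is what the announcement's setuid bug could produce and
# should never exist on a healthy system. -xdev keeps to one filesystem.
find_world_writable_setuid() {
    root="${1:-/}"
    find "$root" -xdev -type f -perm -4002 -print 2>/dev/null
}

# Number of such files, as a single number suitable for alerting.
count_world_writable_setuid() {
    find_world_writable_setuid "$1" | wc -l | tr -d ' '
}

# Remediate: drop the setuid bit on every hit. Second argument DRY (default 1)
# only reports; pass 0 to actually run chmod u-s.
clear_world_writable_setuid() {
    root="${1:-/}"; dry="${2:-1}"
    find_world_writable_setuid "$root" | while IFS= read -r f; do
        if [ "$dry" = 1 ]; then
            echo "would chmod u-s: $f"
        else
            chmod u-s "$f" && echo "cleared setuid: $f"
        fi
    done
}

# Demo on a constructed temporary tree, not a real system path.
DEMO=$(mktemp -d)
touch "$DEMO/suspect" && chmod 4666 "$DEMO/suspect"
clear_world_writable_setuid "$DEMO" 1
rm -rf "$DEMO"
```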


* Multiple privilege escalations in DVB frontends.

Missing user input validation could allow a local user with access to
the device to trigger buffer overflows when reading or writing data.
This out-of-bounds access could result in a kernel crash or potentially
escalate privileges.


* Information leak in syslog with security modules.

Incorrect ordering could cause do_syslog() to fail to call the security
hooks for syslog allowing an unprivileged user to access the syslog
without the required permissions.


* Heap overflow in Atheros ath9k driver.

The ath9k driver used bitmask operators incorrectly, which could result
in access beyond the bounds of the bitmask.  This could result in heap
memory corruption, crashing the kernel or potentially escalating
privileges.


* Filesystem corruption on Plan 9 9p filesystem during abort.

Aborted transactions were incorrectly handled resulting in corruption of
future requests.  This could corrupt the filesystem or provide incorrect
data to applications.


* NULL pointer dereference in Amateur Radio ROSE protocol.

A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when killing a ROSE device.


* Kernel crash in ext4 during truncate + write race.

Incorrect locking could result in a kernel crash when threads raced
between writing a journalled page and truncation.


* Stack buffer overflow in regulator device registration.

Insufficient buffer sizing could result in a stack buffer overflow when
registering a regulator device.


* NULL pointer dereference in VIA VT6655 packet reception.

A race condition between receiving a packet and interrupt processing
could result in a NULL pointer dereference and kernel crash.


* Remote privilege escalation in RealTek RTL8712U USB driver.

Incorrect buffer sizing could result in a heap buffer overflow when
receiving a fragmented packet.  A remote user could use this flaw to
crash the system or potentially escalate privileges in rare conditions.


* Use-after-free in MTD block device.

Missing locking could result in a use-after-free when accessing an MTD
block device.  A local user with access to the MTD device could use this
flaw to crash the system.


* Use-after-free in SPI transfers.

Missing locking could result in a use-after-free condition when
finalizing a transfer.


* Memory corruption in IP-VLAN hash lists.

Incorrect list initialization could result in a kernel crash and memory
corruption when IP-VLAN devices were taken down.


* Memory corruption in SUNRPC sockets during reconnect.

Incorrect ordering of transport reset could result in incorrect locking
and memory corruption when reconnecting a SUNRPC socket.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

