[Ksplice][Ubuntu-15.04-Updates] New updates available via Ksplice (USN-2684-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Fri Jul 24 01:07:58 PDT 2015
Synopsis: USN-2684-1 can now be patched using Ksplice
CVEs: CVE-2015-4692 CVE-2015-4700
Systems running Ubuntu 15.04 Vivid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2684-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack on Ubuntu 15.04 Vivid
install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
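As an added example (not part of the Ksplice announcement), a POSIX shell helper that reads the autoinstall setting from an uptrack.conf-style file and reports whether a host will pick up USN-2684-1 on its own or needs a manual uptrack-upgrade run; the function names, the parsing rules and the sample configuration are constructed for this example, not Uptrack's own code.

```shell
#!/bin/sh
# Added example (constructed, not Ksplice's own tooling): decide whether a
# host needs a manual `uptrack-upgrade -y` by reading "autoinstall" from
# an uptrack.conf-style file such as /etc/uptrack/uptrack.conf.

# Print the effective value of "autoinstall": skip comment lines, tolerate
# whitespace around "=", drop a trailing "# comment", let the last
# assignment win, and report "no" when the key or the file is absent.
uptrack_autoinstall_value() {
    conf="$1"
    [ -r "$conf" ] || { echo "no"; return 0; }
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf" | tail -n 1)
    if [ -z "$val" ]; then
        echo "no"
    else
        # Normalise case so "Yes"/"YES" compare equal to "yes" (assumption).
        echo "$val" | tr '[:upper:]' '[:lower:]'
    fi
}

# Return 0 when Uptrack is configured to apply updates itself, 1 otherwise.
uptrack_autoinstall_enabled() {
    [ "$(uptrack_autoinstall_value "$1")" = "yes" ]
}

# Print the action an operator should take for this host.
uptrack_plan() {
    if uptrack_autoinstall_enabled "$1"; then
        echo "automatic: Uptrack will apply USN-2684-1 on its own"
    else
        echo "manual: run /usr/sbin/uptrack-upgrade -y"
    fi
}

# Demonstration on a constructed config (sample file, not a real host's).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[Main]
# autoinstall = yes   <- commented out, must be ignored
autoinstall = no
EOF
uptrack_plan "$demo_conf"
rm -f "$demo_conf"
```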
DESCRIPTION
* CVE-2015-4692: Denial-of-service when checking for events in the emulated KVM APIC.
A missing check for NULL in the KVM code when checking if there are any
pending events on the emulated interrupt controller could lead to NULL
pointer dereference. A local user with access to /dev/kvm could use this
flaw to cause a denial-of-service.
* Use-after-free in USB gadget configfs filesystem.
Missing invalidation of a pointer during function removal could result
in a use-after-free and kernel crash.
* NULL pointer dereference in EXT4 journal restart failure.
A missing NULL pointer check could result in a NULL pointer dereference
and kernel crash when restarting the journal. A local user could use a
maliciously crafted filesystem to crash the system.
* Denial-of-service in JBD2 journal recovery.
An integer overflow in the JBD2 journal could result in an out-of-bounds
memory access and kernel crash. A local user could use a maliciously
crafted filesystem to crash the system.
* Kernel panic on changing the number of rings in Intel PCI-Express Ethernet driver.
Internal structures were not re-initialized properly when changing the
number of rings on the Intel PCI-Express Gigabit Ethernet driver, leading
to a kernel panic. A local, privileged user could use this flaw to cause a
denial-of-service.
* Denial-of-service in KVM APIC accesses.
Missing validation of the APIC page could allow userspace to unmap the
page, resulting in a host crash when running the guest.
* Kernel panic in the network scheduler on classifier module unload.
A missing RCU barrier when removing a queue discipline on concurrent module
unload could lead to the kernel calling unloaded code. A local, privileged
user could use this flaw to cause a denial-of-service or potentially
escalate privileges.
* NULL pointer dereference when handling IPv4 errors.
A missing check for NULL could lead to a NULL pointer dereference when
handling IP errors when the network device is being removed. An attacker
could use this flaw to cause a denial-of-service.
* CVE-2015-4700: Denial-of-service in the BSD Packet Filter just-in-time compiler.
A logic error in the BSD Packet Filter (BPF) just-in-time (jit) compiler
could lead the jit'ed program to contain only software breakpoints instead
of the intended opcodes. A local, privileged user could use this flaw to
cause a denial-of-service by using a specially crafted BPF program.
* NULL pointer dereference in CAIF and Unix sockets on receipt.
Lack of checking that the socket has been destroyed in the recvmsg()
handlers for CAIF and Unix sockets could lead to a NULL pointer
dereference. A local, unprivileged user could use this flaw to cause a
denial-of-service.
* Kernel crash when attaching a new queue discipline in the network scheduler.
A flaw in the networking scheduler could lead to a use-after-free when
attaching a new queue discipline to a network device. A local, privileged
user could use this flaw to cause a denial-of-service.
* NULL pointer dereference in the bridge driver when a query expires.
A logic error in the bridge driver when a query expires sets the wrong
field of a structure to NULL. A local, unprivileged user could use this
flaw to cause a denial-of-service.
* Memory corruption when replacing ECMP route on IPv6.
Replacing an ECMP route on IPv6 replaced only the first matching route and
not its siblings, leading to memory corruption. A local, privileged user
could use this flaw to cause a denial-of-service.
* Kernel panic in Direct Rendering Manager mode fixup.
The Direct Rendering Manager (DRM) subsystem does not check for NULL
pointers when fixing up modes, leading to a NULL pointer dereference and
kernel panic.
* Use-after-free in IP over InfiniBand device initialization.
Incorrect resource handling can cause the IP-over-InfiniBand subsystem
to release a workqueue with remaining work, leading to a use-after-free
condition and kernel panic.
* Memory leak when releasing an IP-over-InfiniBand device.
Incorrect resource handling when releasing an IP-over-InfiniBand device can
trigger a kernel memory leak. A local, privileged attacker could use this
flaw to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.