[Ksplice][Ubuntu-15.04-Updates] New updates available via Ksplice (USN-2779-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Wed Oct 21 01:14:46 PDT 2015


Synopsis: USN-2779-1 can now be patched using Ksplice
CVEs: CVE-2015-0272 CVE-2015-5156 CVE-2015-6937 CVE-2015-7312

Systems running Ubuntu 15.04 Vivid can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-2779-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on Ubuntu 15.04 Vivid
install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2015-0272: Remote denial-of-service in IPv6 address autoconfiguration.

Incorrect handling of MTU sysctl setting for an IPv6 device could allow
a remote attacker to trigger packet loss and a denial-of-service under
certain system configurations.


* CVE-2015-5156: Denial-of-service in Virtio network device.

Incorrect handling of fragmented socket buffers could result in a buffer
overflow when performing receive offload under specific conditions.  A
local, unprivileged user could use this flaw to crash the system.


* CVE-2015-6937: NULL pointer dereference in RDS socket creation.

Failure to check for binding to a transport could result in a NULL
pointer dereference when creating an RDS socket.  A local, unprivileged
user could use this flaw to crash the system.


* Kernel panic when encoding NFSv4 security label.

The kernel NFSv4 server does not correctly support encoding security
labels in file attributes which can trigger an assertion failure and
kernel panic. A remote attacker could use this flaw to cause a denial of
service.


* Kernel BUG in Xen front-end block device driver.

A logic error in the Xen front-end block device driver could in certain
circumstances cause a kernel BUG while freeing the block device.


* Kernel panic in hardware RNG driver initialization.

The kernel hardware RNG driver does not correctly handle failing to
initialize a helper thread which can trigger a kernel panic.


* Deadlock in USB XHCI memory cleanup.

Incorrect locking in the USB XHCI controller driver can trigger a deadlock
when removing a USB device.


* Deadlock when reclaiming pages from page cache.

The pagecache does not correctly handle reclaiming pages from the
filesystem cache which can lead to a deadlock under low memory
conditions.


* Use-after-free in filesystem notification marking.

Incorrect locking in the filesystem notification (fsnotify) subsystem
can trigger a use-after-free condition and kernel panic when marking
groups.


* Infinite loop during connection teardown in iSCSI library code.

Incorrect locking in the iSCSI library code could cause the kernel to
enter an infinite loop.


* Double free in FibreChannel library code.

In certain circumstances, receiving a local port request could cause a
double free and subsequent kernel crash.


* Kernel BUG in FibreChannel library code during SCSI device reset.

Incorrect locking in FibreChannel library code could cause a reschedule
while a spinlock was held, thus potentially causing either a kernel
assertion failure or a deadlock. A malicious local user with access to
the SCSI device could use this to cause denial of service.


* Kernel hang in VMware Virtual GPU DRM driver.

In certain low-memory situations, incorrect locking in the VMware
Virtual GPU driver could cause a kernel hang. A malicious user with
access to the device could use this to cause denial of service.


* Use-after-free in IPC semaphores during task exit.

Due to incorrect locking, two tasks with shared IPC semaphore references
could exit and simultaneously try to free the semaphores. This could lead
to a use-after-free and memory corruption, allowing a malicious local user
to cause denial of service.


* Kernel crash in IPC semaphores when waiting on semaphore array.

A missing memory barrier could allow certain memory accesses to happen
outside the intended critical section. A malicious local user could
potentially use this to cause invalid memory accesses and denial of
service.


* Deadlock during command queueing in Cisco FNIC driver.

Incorrect locking in the Cisco FNIC driver could cause a deadlock during
command queueing.


* Kernel crash in Batman translation table removal.

Missing locking could result in memory corruption when removing entries
from the translation table.  Under specific conditions, this could
result in a kernel crash.


* Kernel warnings during perf event migration.

In certain circumstances, perf could attempt to stop or restart an event
on the wrong CPU. A malicious local user with perf access privileges
could cause warnings to appear in the kernel log.


* NULL pointer dereference in Batman address translation.

Multiple missing NULL pointer checks could result in a kernel crash when
manipulating the address translation table.


* Denial-of-service in IP datagram socket connection.

Missing locking when creating an IP datagram socket could result in list
corruption.  A local, unprivileged user could use this flaw to trigger a
denial-of-service.


* Denial-of-service in Netlink mmapped socket release.

Incorrect locking could result in deadlock when releasing a netlink
socket that was mmapped.  A local, unprivileged user could use this flaw
to crash the system.


* Use-after-free in MD block driver array stopping.

Failure to flush a workqueue during array stop could result in a
use-after-free and kernel crash.


* Disable modification of LDT by userspace processes.

The seldom-used modify_ldt syscall, which allows processes to modify their
local descriptor table, has several vulnerabilities allowing local
unprivileged users to elevate privileges.

This update disables by default the modify_ldt syscall and introduces a new
sysctl 'ksplice_modify_ldt' to allow administrators to re-enable it.
Re-enabling the syscall will make the machine vulnerable.

To re-enable modify_ldt, run the following command as root:

  sysctl ksplice_modify_ldt=1

To disable, run:

  sysctl ksplice_modify_ldt=0

This mitigates CVE-2015-3290, CVE-2015-3291 and CVE-2015-5157.
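The following audit helper is an added example, not part of the Ksplice announcement. It reports whether the modify_ldt mitigation described above is active and whether Uptrack autoinstall is on, so the state can be checked from a monitoring job rather than by hand. It assumes the 'ksplice_modify_ldt' sysctl is exposed as /proc/sys/ksplice_modify_ldt (an assumption; both paths can be overridden for testing).

```shell
#!/bin/sh
# Added audit helper, not part of the Ksplice announcement. It reports whether
# the Ksplice modify_ldt mitigation is active and whether Uptrack autoinstall
# is on. ASSUMPTION: the 'ksplice_modify_ldt' sysctl is exposed as
# /proc/sys/ksplice_modify_ldt; both paths can be overridden for testing.

# Print the modify_ldt state read from the sysctl file:
#   absent   - sysctl missing (Ksplice update not applied on this host)
#   disabled - value 0, the default after the update (mitigated)
#   enabled  - value 1, syscall re-enabled (CVE-2015-3290/3291/5157 unmitigated)
ldt_state() {
    f="${1:-/proc/sys/ksplice_modify_ldt}"
    [ -r "$f" ] || { echo absent; return 0; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo "unexpected:$v"; return 1 ;;
    esac
}

# Print yes/no/absent for "autoinstall = yes" in uptrack.conf, ignoring
# comment lines and tolerating extra whitespace or mixed case.
autoinstall_state() {
    f="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$f" ] || { echo absent; return 0; }
    if grep -Eiq '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$f"; then
        echo yes
    else
        echo no
    fi
}

# Combine both checks into a single verdict line suitable for log collection.
audit_summary() {
    l=$(ldt_state "$1")
    a=$(autoinstall_state "$2")
    case "$l" in
        enabled)  risk="AT-RISK" ;;
        disabled) risk="MITIGATED" ;;
        *)        risk="UNKNOWN" ;;
    esac
    echo "modify_ldt=$l autoinstall=$a verdict=$risk"
}

# Run against the real system paths when executed directly.
audit_summary
```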


* Memory corruption in bridge netlink notifications.

The bridge subsystem does not correctly allocate memory when notifying
listeners about changes in port information via netlink sockets which
can trigger a kernel memory corruption.


* CVE-2015-7312: Denial-of-service in Advanced multi-layered unification filesystem (aufs) mmap().

Incorrect reference counting when performing madvise() or mmap() on an
aufs file could result in a race condition.  A local user with access to
the AUFS filesystem could use this flaw to crash the system, or
potentially, escalate privileges.


* Memory leak when removing ports from Rocker network devices.

The rocker network driver does not correctly free resources when
removing ports from a rocker device which can trigger a kernel memory
leak.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

