[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (4.4.0-47.68)

Oracle Ksplice ksplice-support_ww at oracle.com
Thu Nov 10 03:08:50 PST 2016


Synopsis: 4.4.0-47.68 can now be patched using Ksplice
CVEs: CVE-2016-7042

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.4.0-47.68.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
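
An added example, not part of Oracle's advisory: a shell check that reads the autoinstall setting described above and reports whether a host still needs a manual uptrack-upgrade run. The function names are hypothetical, and the script assumes the "key = value" layout quoted above, matching the key in any section of the file.

```shell
#!/bin/sh
# Added example: decide whether a host needs a manual uptrack-upgrade run.

# Print the effective value of "autoinstall" in an uptrack.conf-style file.
# Comment lines (# or ;) are ignored, the last assignment wins, and the
# value is lower-cased. Prints "unset" if the key is absent, empty, or the
# file cannot be read. Anything other than a bare "yes" is treated as
# "not enabled" by needs_manual_upgrade, which fails safe.
autoinstall_value() {
    conf=$1
    [ -r "$conf" ] || { echo unset; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }              # skip comment lines
        {
            key = $1
            gsub(/[ \t]/, "", key)          # strip indentation and padding
            if (tolower(key) == "autoinstall") {
                val = $2
                gsub(/[ \t\r]/, "", val)    # strip padding and CR line ends
                found = tolower(val)
            }
        }
        END { print (found == "" ? "unset" : found) }
    ' "$conf"
}

# Return 0 (true) when the operator must run uptrack-upgrade by hand.
needs_manual_upgrade() {
    [ "$(autoinstall_value "$1")" != "yes" ]
}

# Check the path given as the first argument, or the default location.
conf=${1:-/etc/uptrack/uptrack.conf}
if needs_manual_upgrade "$conf"; then
    echo "autoinstall is not 'yes' in $conf: run /usr/sbin/uptrack-upgrade -y"
else
    echo "autoinstall = yes in $conf: updates install automatically"
fi
```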


DESCRIPTION

* Data loss when setting ext4 encryption policy.

Missing validation when processing the EXT4_IOC_SET_ENCRYPTION_POLICY
ioctl can allow a user to set the encryption policy on a read-only
filesystem which can potentially cause data loss.


* Memory leak when creating NFSv4 callbacks.

Incorrect reference counting when creating NFSv4 callbacks can trigger a
kernel memory leak.


* Use after free in AUDIT_EXE audit filter.

Incorrect reference counting when using an AUDIT_EXE filter can trigger
a use after free and kernel memory corruption.


* Kernel panic when reading from Analog Devices AD799x device.

A logic error when attempting to read from an Analog Devices AD799x
device can trigger a NULL pointer dereference and kernel panic.


* Denial of service in generic 8250 serial driver.

A logic error when setting the baud rate of a generic 8250 serial device
can trigger a division by zero and kernel panic.


* Kernel oops in Cavium Thunder ethernet driver.

Attempting to dump a Cavium Thunder ethernet device's registers using
e.g. ethtool could cause a bus error and a kernel oops. A local user
with the CAP_NET_ADMIN capability could potentially use this to cause
denial of service.


* NULL pointer dereference in log writes device mapper target.

An invalid error check could in certain low-memory situations cause a
NULL pointer dereference. A malicious local user could use this to cause
denial of service.


* Kernel crash in crypto daemon when importing hash request.

Incorrect initialization when importing a hash request could cause a
kernel crash in the software asynchronous crypto daemon. A malicious
user could potentially use this to cause denial of service.


* Memory corruption when writing btrfs logs.

A logic error when synchronizing a btrfs log to disk can trigger a use
after free and kernel panic.


* Deadlock when performing direct IO to FUSE device.

Incorrect locking when performing a direct IO operation to a FUSE device
can trigger a deadlock and subsequent kernel panic.


* Kernel panic when querying Atheros ath9k state.

A logic error when querying the state of an Atheros 9000 device before it
has associated can trigger a kernel panic.


* Kernel panic in IPv4 when reading /proc/net/route.

Due to a race condition, it is possible to crash the kernel when reading
the routing table while it is being modified. An unprivileged user could
potentially use this to cause denial of service.


* Memory leak in IPv6 ping transmission.

A reference counting error when transmitting an IPv6 ping packet can
trigger a kernel memory leak and subsequent kernel panic.


* NULL pointer dereference in the crypto block cipher sub-system.

A logic error when walking to the next block in the crypto sub-system could
lead to a NULL pointer dereference when the host is on low memory.


* Denial-of-service when converting and migrating concurrently on OCFS2.

A race condition in the OCFS2 filesystem when converting and migrating
concurrently could cause a kernel BUG assertion to trigger. A local user
with mount privileges could use this flaw to cause a denial-of-service.


* Kernel panic when rebonding networking interface.

A logic error when bonding a network interface which is already bonded
can trigger a kernel panic.


* Denial of service in Infrared IAP setup.

A kernel panic can be triggered when a memory allocation fails during
infrared Information Access Protocol (IAP) connection setup.


* Denial of service in TIPC connection shutdown.

A kernel panic can be triggered when a memory allocation fails when
shutting down a TIPC connection.


* Memory leaks when tracing splice operations.

A failure to trace splice operations would cause a memory leak.  A local,
unprivileged user could use this flaw to exhaust the memory on the system
by issuing repeated splice system calls if he knows they are being traced.


* Out of bounds memory read when switching WiFi channel.

A logic error in the WiFi netlink interface in the kernel could lead to an
out of bounds read and kernel panic if the number of probe response counters
was too big. A local user with privileges to configure the WiFi through
netlink could use this flaw to cause a denial-of-service.


* Denial-of-service when issuing ioctl on executable files on Btrfs.

Missing checks that the files being passed are directories in various
ioctls in Btrfs could lead to a kernel panic.  A local user with the
privileges to issue subvol/snapshot/create or destroy ioctls could use this
flaw to cause a denial-of-service.


* Memory corruption in the QXL virtual GPU for Spice when creating a color palette.

Incorrect result checking after mapping memory into kernel space could lead
to memory corruption and a kernel panic.


* Kernel panic in the HostFS driver on mount.

A logic error in the HostFS driver could lead to freeing an invalid pointer
under low memory conditions. A local user with the privileges to mount
a hostfs filesystem could use this flaw to cause a denial-of-service.


* Page fault in Intel WiFi driver when transmitting packets.

The Intel Next-Gen AGN WiFi driver can incorrectly read over a page
boundary in its command buffer when sending a packet and cause a denial
of service.


* Memory corruption in IPoIB connection code causes denial of service.

A dangling pointer when connecting IP over InfiniBand could cause
memory corruption, leading to a kernel panic and denial of service.


* Use-after-free in InfiniBand group membership message.

A race condition when an InfiniBand device sends a specific multicast
message can trigger kernel memory corruption and a kernel panic.


* NULL pointer dereference when probing Lego Mindstorms infrared device.

A race condition when probing a Lego Mindstorms infrared device can trigger
a NULL pointer dereference and cause a local denial of service.


* Denial of service in filesystem encryption policy.

A logic error in filesystem encryption support can allow a user without
read access to a directory to still change the encryption policy which
can deny access to legitimate users, causing a denial of service.


* Memory leaks in Broadcom IEEE802.11 driver could cause denial of service.

Missing calls to free memory in uncommon error cases could cause poor
performance and eventually a kernel panic and denial of service.


* Kernel crash in ceph when filling certain pages in the page cache.

A logic error in the ceph filesystem code could cause invalid pointers
to be stored in the page cache leading to a potential crash when they
are used.


* Incorrect permissions on autofs mounts.

A bug in the autofs user and group handling causes autofs mounts
requested by a user to be owned by root instead of the user that
requested the mount.


* Memory leak in lightnvm page allocation failure.

If the lightnvm driver fails to allocate a memory pool it will leak
memory. In a low memory situation this could be used to further exhaust
memory and crash the system.


* Kernel crash when page allocation fails during OOM in ext4.

In low memory conditions, freeing blocks in an ext4 filesystem can cause
the kernel to crash.


* CVE-2016-7042: Denial-of-service when reading /proc/keys.

A local, unprivileged user can cause a denial-of-service due to kernel
stack corruption when reading from /proc/keys.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.


  


