[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (4.4.0-140.166)
Oracle Ksplice
ksplice-support_ww at oracle.com
Thu Jan 17 11:28:33 PST 2019
Synopsis: 4.4.0-140.166 can now be patched using Ksplice
CVEs: CVE-2018-10879
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu kernel update, 4.4.0-140.166.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
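The check below is an added example, not part of the Oracle advisory or of Ksplice itself: it reads an uptrack.conf-style file and reports whether "autoinstall = yes" is in effect, so an administrator knows whether the manual command above is still needed. The function names, the sample config contents, and the treatment of a missing key as "no" are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not Oracle's code): decide whether a host still needs a
# manual "uptrack-upgrade -y" by inspecting the autoinstall setting.

# Print the effective "autoinstall" value from an uptrack.conf-style file.
# Commented-out lines are ignored and the last assignment wins.
# Assumptions: a missing key means "no"; key and value are compared
# case-insensitively.
autoinstall_value() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }                     # skip comment lines
        { key = $1; gsub(/[ \t]/, "", key) }       # trim the key
        tolower(key) == "autoinstall" {
            val = $2; gsub(/[ \t\r]/, "", val)     # trim the value
            found = tolower(val)
        }
        END { print (found == "" ? "no" : found) }
    ' "$conf"
}

# Succeeds (exit 0) when updates will NOT be installed automatically.
needs_manual_upgrade() {
    [ "$(autoinstall_value "$1")" != "yes" ]
}

# Constructed sample config, not taken from a real host. The commented-out
# "yes" must not count as enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Settings]
# autoinstall = yes
autoinstall = no
EOF

if needs_manual_upgrade "$sample"; then
    echo "autoinstall is off: run /usr/sbin/uptrack-upgrade -y as root"
else
    echo "autoinstall is on: no action needed"
fi
rm -f "$sample"
```

On a real system, pass /etc/uptrack/uptrack.conf to needs_manual_upgrade instead of the sample file.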
DESCRIPTION
* NULL pointer dereference in IP transform.
A failure to handle an error case in the IP transform subsystem can
result in a NULL pointer dereference leading to a kernel crash.
* CVE-2018-10879: Use-after-free when setting extended attribute entry on ext4 filesystem.
A logic error when setting extended attribute entry on ext4 filesystem
could lead to a use-after-free. A local attacker could use this flaw
with a crafted ext4 filesystem to cause a denial-of-service.
* NULL pointer dereference during Elastic Network Adapter bringup.
A race condition during the initialization of the ENA network driver can
result in a kernel crash.
* Information disclosure via bind mount manipulation.
A logic error when checking mount permissions can result in a namespaced
process being able to view filesystem content outside of its namespace.
A local user could use this flaw to view restricted information.
* Kernel crash during device mapper cache resize operation.
A failure to reload dm-cache information during a resize operation can
result in a kernel crash.
* Deadlock in CPU hotplug cgroup migration.
A logic error can result in a terminating process causing a deadlock if
it is migrated between cpuset cgroups whilst it is being terminated.
* Use-after-free in ath10k command tracing.
A race condition in the ath10k driver can result in a tracepoint handler
accessing memory which has already been freed.
* Use-after-free during RDMA Userspace Connection Manager close.
A race condition between closing a userspace RDMA connection and an IP
resolution call can result in a use-after-free. A local user with access
to RDMA could use this flaw to cause a kernel crash or potentially
escalate privileges.
* NULL pointer dereference during UBIFS mount.
A missing NULL pointer check when reading the device name in a UBIFS
filesystem can result in a NULL pointer dereference, leading to a kernel
crash.
* Kernel crash during ath10k scan operation.
A logic error when calculating the size of a scan message in the ath10k
driver can result in an out-of-bounds write, leading to memory
corruption and a kernel crash.
* Kernel crash in ebtables target validation.
A failure to validate information from userspace can result in an
out-of-bounds memory access leading to a kernel crash.
* Kernel crash during HD audio device initialisation.
A race condition during initialisation of an HD audio device can result
in an interrupt being delivered before the driver is ready to receive
it, leading to a kernel crash.
* Kernel crash in ACPI i2c transaction execution.
A failure to correctly set the length of an i2c transaction can result
in the kernel reading an invalid value, leading to a kernel crash.
* Denial-of-service in JFFS2 extended attribute read.
A validation failure when reading extended attributes from a JFFS2
filesystem can result in an out-of-bounds memory write, leading to a
kernel crash. A local user with the ability to mount a crafted
filesystem could use this flaw to cause a denial-of-service.
* Denial-of-service in IPv4 and IPv6 tunnel packet transmission.
An incorrect assumption in the IPv4 and IPv6 tunnel implementations can
result in attempting to access uninitialized memory, leading to undefined
behavior. A local user with access to an IP tunnel could use this flaw
to cause a denial of service.
* Use-after-free in IP ancillary message reception.
Reading a stale IP header value in the ancillary message path can result
in a use-after-free.
* Denial-of-service in netlink IPv4 netlabel management.
An incorrect assumption about the format of a netlink netlabel request
can result in a NULL pointer dereference, leading to a kernel crash. A
local user with the ability to configure netlabels could use this flaw
to cause a kernel crash.
* Out-of-bounds write in AF9035 DVB tuner i2c implementation.
A logic error when transferring a small number of bytes via an i2c
interface to an AF9035 DVB tuner can result in an integer underflow,
leading to an out-of-bounds memory write. A local user with access to an
AF9035 DVB tuner could use this flaw to cause a denial-of-service.
* Kernel crash during USB serial gadget TTY close.
A race condition when closing a TTY session for a USB serial device
gadget can result in a NULL pointer dereference, leading to a kernel
crash.
* Kernel crash during Elastic Network Adapter removal.
A logic error when freeing an ENA instance can result in accessing an
invalid pointer, leading to a kernel crash.
* Kernel crash during SMSC75xx unbinding.
A failure to cancel delayed work in the SMSC75xx USB network driver can result
in a NULL pointer dereference after the driver has been unbound.
* Deadlock during enslave of network interface to team device.
Attaching the same network interface to a team device can result in a double
lock, leading to a deadlock. A local user with the ability to configure network
interfaces could use this flaw to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.