[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-4145-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Mon Oct 14 02:44:09 PDT 2019
Synopsis: USN-4145-1 can now be patched using Ksplice
CVEs: CVE-2016-10905 CVE-2017-18509 CVE-2018-20961 CVE-2018-20976 CVE-2019-0136 CVE-2019-10207 CVE-2019-11487 CVE-2019-13631 CVE-2019-15211 CVE-2019-15215 CVE-2019-15926
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4145-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2017-18509: Memory corruption in IPv6 via setting socket options.
A missing check in the IPv6 ip6mr code could allow a privileged attacker
to control a pointer in kernel land, potentially causing a general
protection fault or being able to execute arbitrary code.
* CVE-2019-15215: Denial-of-service when disconnecting CPiA2 USB camera.
A use-after-free vulnerability in the V4L2 interface for CPiA2 USB
camera allows a malicious USB device to crash the kernel. An attacker
could exploit this to cause a denial-of-service.
* CVE-2019-10207: NULL pointer dereference in Bluetooth TTY operations.
A missing check in some Bluetooth drivers could lead to a NULL
pointer dereference triggered by an unprivileged user while executing
certain tty operations. This could be exploited to cause a denial of
service attack.
* CVE-2019-15926: Out-of-bounds access in Atheros mobile chipsets driver.
A missing check on received network packet in Atheros mobile chipsets
driver could lead to an out-of-bounds access. A local attacker could use
this flaw to cause a denial-of-service.
* CVE-2019-0136: Denial-of-service in Intel(R) wifi driver.
Insufficient access control in the Intel(R) PROSet/Wireless WiFi driver
may allow an unauthenticated user in the same network to cause a
denial-of-service.
* CVE-2018-20976: Use-after-free when mounting XFS filesystem.
A logic error when mounting XFS filesystem fails during super block
creation, could lead to a use-after-free. A local attacker could use
this flaw to cause a denial-of-service.
* CVE-2018-20961: Use-after-free when using USB f_midi gadget.
A logic error when reconfiguring interface in USB f_midi gadget driver
could lead to a use-after-free. A local attacker could use this flaw to
cause a denial-of-service.
* CVE-2019-11487: Invalid memory access when overflowing pages refcount.
A reference count issue could let an attacker overflow pages reference
count and leads to invalid memory accesses. A local attacker could use
this flaw to cause a denial-of-service.
* CVE-2016-10905: Use-after-free in GFS2 file system.
A logic error when using resource group to keep track of block
allocation in GFS2 filesystem could lead to a use-after-free. A local
attacker could use this flaw to cause a denial-of-service.
* CVE-2019-13631: Denial-of-service in GTCO CalComp/InterWrite tablet.
Missing range checks could allow an out-of-bounds stack memory write
when parsing USB descriptors. A physically present user could use a
malicious device to trigger an out-of-bounds access leading to a kernel
crash.
* Note: Oracle will not provide a zero-downtime update for CVE-2019-15211.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-16.04-updates
mailing list