[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-4657-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Dec 8 17:58:45 PST 2020


Synopsis: USN-4657-1 can now be patched using Ksplice
CVEs: CVE-2020-10135 CVE-2020-12352 CVE-2020-14351 CVE-2020-14390 CVE-2020-24490 CVE-2020-25211 CVE-2020-25284 CVE-2020-25643 CVE-2020-25645 CVE-2020-25705 CVE-2020-28915

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4657-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
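
The following is an added example, not part of the original advisory or of
Oracle's tooling: it reports whether a host falls under the automatic-install
case above or needs the manual command. It assumes uptrack.conf uses
"key = value" lines with "#" starting a comment; the function names are
hypothetical.

```shell
#!/bin/sh
# Added example: decide whether this advisory needs manual action on a host.
# Assumption: the config uses "key = value" lines and "#" comments.

# Print "yes" or "no" for the effective autoinstall setting in the file $1.
# A missing/unreadable file or a missing key is reported as "no".
uptrack_autoinstall() {
    conf=$1
    [ -r "$conf" ] || { echo no; return 0; }
    awk '
        { sub(/#.*/, "") }                     # drop comments first
        /^[ \t]*autoinstall[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)        # keep the text after "="
            sub(/[ \t\r]+$/, "", v)            # trim trailing whitespace
            val = tolower(v)                   # last assignment wins
        }
        END { if (val == "yes") print "yes"; else print "no" }
    ' "$conf"
}

# Print the action an administrator needs to take for the config file $1.
uptrack_action() {
    if [ "$(uptrack_autoinstall "$1")" = "yes" ]; then
        echo "none: updates install automatically"
    else
        echo "run: /usr/sbin/uptrack-upgrade -y"
    fi
}

# Default to the path named in the advisory when no argument is given.
uptrack_action "${1:-/etc/uptrack/uptrack.conf}"
```

A commented-out "autoinstall = yes" line is treated as not set, so such a
host is reported as needing the manual command.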


DESCRIPTION

* CVE-2020-14351: Privilege escalation in perf subsystem due to use-after-free.

A flaw in the perf subsystem could lead to a use-after-free memory
error. This flaw could allow a local attacker with permission to monitor
perf events to corrupt memory and possibly escalate privileges.


* CVE-2020-25284: Permission bypass when creating or removing a Rados block device.

An incomplete privilege check may allow Rados block devices to be
created or removed.  A privileged user in a user namespace with user id
zero could use this flaw to cause a denial-of-service.


* CVE-2020-25645: Possible information leak between encrypted geneve endpoints.

A logic error may end up inadvertently transmitting data between two
geneve endpoints unencrypted. This may allow unintended parties to view
confidential network data.


* CVE-2020-25211: Denial-of-service in Netfilter due to out-of-bounds memory access.

A flaw in the Netfilter framework implementation could lead to
an out-of-bounds memory access. A local user could use this flaw to cause
a system crash and a denial-of-service.

Orabug: 31872865


* CVE-2020-24490: Privilege escalation in Bluetooth subsystem due to heap buffer overflow.

A flaw in the Bluetooth implementation could lead to a heap buffer overflow
when processing extended advertising report events. A remote attacker
could use this flaw to cause a denial of service or to potentially
execute arbitrary code on the system by sending a specially crafted
Bluetooth packet.


* CVE-2020-28915: Information leak due to out-of-bounds read in Framebuffer Console.

A flaw in the font handling code of the Framebuffer Console could lead to
an out-of-bounds read of kernel memory. A local attacker could use this
flaw to leak information and disclose the system's memory.


* CVE-2020-25643: Memory corruption in WAN HDLC-PPP due to missing error checking.

Missing error handling code in the WAN HDLC-PPP implementation could lead
to memory corruption. A local user could use this flaw to cause
a denial-of-service or arbitrary code execution.


* CVE-2020-12352: Information leak when handling AMP packets in Bluetooth stack.

Missing zeroing of stack memory when handling AMP packets in the Bluetooth
stack could lead to an information leak. A remote attacker could use this
flaw to leak information about the running kernel and facilitate an attack.


* CVE-2020-14390: Memory corruption when resizing the framebuffer.

A logic error when handling framebuffer resizing and scrollbacks could
lead to memory corruption.  A local user could use this to cause a
denial-of-service or possibly arbitrary code execution or privilege
escalation.


* CVE-2020-10135: Bluetooth devices can be paired without proper credentials.

Logic errors in the Bluetooth pairing code path can allow unauthenticated users
to pair devices without proper credentials.  An attacker in close proximity to
a target system could use this flaw to pair malicious Bluetooth devices to that
system without proper authentication.


* CVE-2020-25705: ICMP rate-limiter can indirectly leak UDP port information.

The predictability of the rate at which ICMP messages are rate-limited
can be used by attackers to effectively scan for open UDP ports on a
remote system.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.




