[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-4391-1)

Oracle Ksplice ksplice-support_ww at oracle.com
Tue Jul 7 10:01:58 PDT 2020


Synopsis: USN-4391-1 can now be patched using Ksplice
CVEs: CVE-2019-19319 CVE-2020-0543 CVE-2020-10751 CVE-2020-12114 CVE-2020-12464 CVE-2020-12769 CVE-2020-12826 CVE-2020-1749 CVE-2020-8992

Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4391-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* Data corruption in the gfs2 filesystem.

A data race in the gfs2 filesystem due to inadequate exclusion could
lead to permanent data corruption after a transient error. This could
lead to inadvertent data loss.


* Race condition in NFS client during unlink.

A race condition in the NFS client can lead to a LOCK request being
sent to the NFS server with an invalid state id. A local, unprivileged
user could exploit this flaw to cause a denial of service.


* Denial-of-service in ceph_get_caps of CEPH distributed filesystem.

A certain sequence of events in the CEPH distributed filesystem could
result in an infinite loop inside ceph_get_caps. The flaw could be
exploited to force the kernel to enter an infinite loop and lead to a
denial of service (DoS).


* NULL pointer dereference when accepting or peeling off a SCTP socket.

A logic error when accepting or peeling off a SCTP socket could lead to
a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* Task hang in FUSE filesystem abort waits.

Missing synchronization could result in missed wake-up events and a task
hang whilst waiting for completion.


* Denial-of-service in error handling of Tascam Audio USB driver.

A NULL-pointer dereference in the error handling code of the Tascam
Audio USB driver could result in a system crash. A local user could use
this flaw for a denial of service.


* Use after free in MAC-VLAN frame handling.

Incorrect reference counting when handling frames from a macvtap device
can trigger a use after free and kernel panic.


* Memory corruption when writing audit record to audit log.

Submitting a userspace audit record of an invalid length to the audit
log could result in a memory corruption and eventually kernel crash.
A local user having a permission to submit userspace audit records could
use this flaw.


* Denial-of-service in ioctl of NET/ROM layer when adding a new route.

A memory leak could happen in the ioctl path of the NET/ROM network
layer when calling nr_add_node() to add a new route. A local user could
use this flaw to cause a system to run out of kernel memory and
a denial-of-service.


* Data corruption in the HFS+ filesystem when deleting files.

A bug in extended attribute handling in the HFS+ filesystem causes
on-disk data corruption when deleting files. This could lead to
inadvertent data loss.


* NULL pointer dereference in RDS over TCP during accept().

A race condition in RDS over TCP protocol can trigger a NULL pointer
dereference and kernel panic.


* OOB access in search_memslots of KVM driver stack.

Out-of-bounds array access could happen in search_memslots() of the
Kernel-based Virtual Machine (KVM) support implementation when
searching memslots.


* Denial-of-service when performing fallocate in ocfs2 filesystem.

Incorrect handling of the fallocate syscall in the ocfs2 filesystem
could trigger a kernel BUG. An attacker could exploit this to cause a
denial-of-service.


* Kernel information leak in Chelsio iSCSI IPv6 route information.

The Chelsio iSCSI IPv6 route lookup does not initialize memory which leaks
the contents of kernel memory to userspace. A local user could use this flaw
to infer the layout of kernel memory.


* Denial-of-service in MAC-VLAN module when issuing ip-netns commands.

A NULL-pointer dereference in the MAC-VLAN support module could result
in a kernel crash when issuing a certain sequence of ip-netns commands.
A local user with the ability to perform ip-netns commands could use
this flaw to cause a kernel crash.


* Denial-of-service in USB gadget DMA requests.

Missing resource release in the USB gadget driver could result in
failure to allocate DMA mappings. A local, privileged user could use
this flaw to cause a denial-of-service under specific conditions.


* OOB access in init_r_port() of Comtrol RocketPort driver.

Out-of-bounds array access could happen in init_r_port() of the Comtrol
RocketPort driver when more than 4 PCI boards are in use.


* Use-after-free in RPC over RDMA transports.

Improper handling of pre-allocated backchannel requests could cause a
use-after-free on incoming backward calls.


* Kernel panic in resource tracking for Mellanox Ethernet devices.

The resource counting feature for Mellanox Ethernet devices does not
handle an unknown resource counter which can trigger a NULL pointer
dereference and kernel panic.


* Denial-of-service in hvc_alloc of HVC driver.

A memory corruption in the Hypervisor Virtual Console driver could
result in a kernel crash when creating virtio-console devices. A local,
privileged user could use this flaw to crash the system by repeatedly
creating virtio-console devices.


* Invalid memory access in SiS USB video driver.

Invalid memory access in the SiS USB video driver could happen due to a
signed/unsigned integer mismatch and a signed integer overflow.


* Kernel panic in Atheros wireless driver HTC frame handling.

The kernel Atheros wireless driver does not correctly handle malformed
HTC frames, which can trigger kernel memory corruption. An
unauthenticated remote user can trigger this issue.


* CVE-2020-12464: Use-after-free in USB scatter-gather library.

A use-after-free could happen in usb_sg_cancel() of the USB core
scatter-gather implementation when cancellation of the S-G transfer
races with the transfer completion, and could result in a system crash.


* CVE-2020-12114: Denial-of-service in pivot root reference counting.

A race condition in the reference counting implementation for mount
points can result in reference count corruption, leading to a
kernel crash. A local user could use this flaw to cause a
denial-of-service.


* CVE-2020-10751: SELinux bypass in netlink message validation.

A failure to correctly process multiple netlink messages in the SELinux
implementation can result in incorrectly allowing messages to be sent. A
local user could use this flaw to bypass SELinux restrictions.


* CVE-2020-1749: Information disclosure in IPv6 IPSec tunneling.

A logic error in the IPv6 implementation of IPSec can lead to some
protocols being routed outside of the IPSec tunnel in an unencrypted
form. A network based attacker could use this flaw to read confidential
information.


* CVE-2020-12769: Denial-of-service in Designware SPI transfers.

A race condition between reading and writing in the Designware SPI
driver can result in a kernel crash. A local user could use this flaw to
cause a denial-of-service.


* CVE-2020-12826: Privilege escalation in process signal handling.

A logic error in the way signals are passed from child to parent could
lead to a child sending any signal to a parent. A local attacker could
use this flaw to escalate privileges.


* CVE-2019-19319, CVE-2020-8992: Deadlock with an oversized journal on ext4 filesystem.

Using too large a journal size on an ext4 filesystem could lead to a
deadlock. A local attacker could use a specially crafted ext4 filesystem
to cause a denial-of-service.


* Denial-of-service in device open of data acquisition driver.

A memory leak could happen in the error handling path of the device open
method of the Control and Measurement Interface (Comedi) driver. A local
user could use this flaw to cause a system to run out of kernel memory
and a denial-of-service.


* Denial-of-service in Network File System due to queued up requests leak.

A flaw in the Network File System implementation when stopping mirroring
could cause a memory leak of queued-up requests. A local user could use
this flaw to cause a denial of service (DoS).


* Information leak in ioctls of frame buffer driver.

A flaw in an ioctl of the frame buffer driver could lead to an
out-of-bounds read, causing an information leak when accessing the frame
buffer driver. A local user could use this flaw to obtain a memory
disclosure.


* Denial-of-service in receives of CCITT X.25 Packet Layer.

A memory leak could happen in one of the frame receive paths of the
CCITT X.25 Packet Layer. A local user could use this flaw to cause a
system to run out of kernel memory and a denial-of-service.


* Denial-of-service in error handling paths of AMD GPU HSA driver.

A flaw in the Network File System implementation of direct read and
direct write error handling could lead to a memory leak. A local user
could use this flaw to cause a denial-of-service (DoS).


* Data-race when writing to an inode in ext4 filesystem.

A concurrency bug in the ext4 filesystem causes a data race when writing
to an inode. This could lead to data corruption and inadvertent
data loss.


* Memory leak in NFS connection creation.

A failure to correctly handle an error case during creation of an NFS
connection could result in a memory leak.


* Denial-of-service in IP transform policy dump.

A failure to correctly handle error cases when dumping policy
information for IP transformation can result in the use of uninitialised
memory, leading to a kernel crash.


* Denial-of-service in QXL buffer management.

Multiple failures to correctly free memory in the QXL display driver can
result in memory leaks or slab corruption, leading to a kernel crash. A
local user could use this flaw to cause a denial of service.


* Denial-of-service in BATMAN VLAN packet reception.

An assertion failure in the VLAN packet handling for the BATMAN
subsystem can be repeatedly triggered by incoming VLAN packets. A
remote user on the same network could use this flaw to cause a
denial-of-service.


* Stack corruption when reading SFC ethernet driver statistics.

A logic error when operating upon statistics from the SFC ethernet
driver can result in stack corruption, leading to undefined behavior.


* Out-of-bounds access in remoteproc ring buffer management.

A logic error when calculating a ring buffer address can result in an
out-of-bounds write.


* Denial-of-service in IrDA accept error handling.

A failure to free memory when errors occur during the accept
implementation of the IrDA protocol can result in a memory leak. A local
user could use this flaw to exhaust system memory, resulting in a
denial-of-service.


* Denial-of-service in BTRFS transaction failure handling.

An assertion failure was incorrectly triggered as a result of failing
to perform a transaction related to merging of reloc roots. A local user
with access to a BTRFS filesystem could use this flaw to cause a
denial-of-service.


* Kernel crash due to xenbus ring allocation failure.

A failure to check for an error code from the Xen hypervisor when
mapping memory for the xenbus interface can result in a kernel crash.


* Denial-of-service in UDPLite multicast delivery.

A logic error when performing a table lookup can result in
misinterpreting an address, leading to an invalid memory access. A local
user with the ability to use UDPLite multicast could use this flaw to
cause a denial-of-service.


* Denial-of-service in gfs2 file lock handling.

A logic error in the lock management of gfs2 can result in an assertion
failure, leading to a kernel crash. A local user with access to a gfs2
filesystem could use this flaw to cause a denial-of-service.


* Denial-of-service in NFS access control list reference counting.

A reference count manipulation error when freeing NFSv3 access control
lists can result in a memory leak. A local user with the ability to
configure access control lists could use this flaw to cause a
denial-of-service.


* CVE-2020-0543: Side-channel information leak using SRBDS.

A side-channel information leak on some generations of Intel processors
could allow the leaking of internal microarchitectural buffers used by
instructions like RDRAND, RDSEED and SGX EGETKEY.

Updated microcode is required for this vulnerability to be mitigated.

The status of the mitigation can be found using the following command:
$ cat /sys/devices/system/cpu/vulnerabilities/srbds
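
The two host-side checks this notice describes (the "autoinstall" setting
in /etc/uptrack/uptrack.conf and the SRBDS status file above), combined
into one added POSIX shell example. This is not Oracle's code and is not
part of the announcement. It assumes the two file paths quoted in this
notice and the status strings the kernel documents for the srbds sysfs
entry; the configuration text in the usage note below is constructed.

```shell
#!/bin/sh
# Added example (not part of the Ksplice announcement): classify the SRBDS
# mitigation status string exposed by the kernel at
# /sys/devices/system/cpu/vulnerabilities/srbds, and check whether
# /etc/uptrack/uptrack.conf enables automatic Ksplice installation.

# Map one status line to a short verdict. The strings matched here are
# the ones the kernel documents for this sysfs file.
classify_srbds() {
    case "$1" in
        "Not affected")                              echo "not-affected" ;;
        "Mitigation: Microcode")                     echo "mitigated" ;;
        "Mitigation: TSX disabled")                  echo "mitigated" ;;
        "Vulnerable: No microcode")                  echo "needs-microcode" ;;
        "Vulnerable")                                echo "vulnerable" ;;
        "Unknown: Dependent on hypervisor status")   echo "unknown-guest" ;;
        *)                                           echo "unrecognised" ;;
    esac
}

# Read the sysfs file (path overridable for testing). Kernels that predate
# the SRBDS patch set have no such file at all, which is itself a finding.
srbds_status() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/srbds}"
    if [ -r "$f" ]; then
        classify_srbds "$(cat "$f")"
    else
        echo "no-sysfs-entry"
    fi
}

# Succeed (exit 0) if the uptrack.conf text passed as $1 enables
# autoinstall. Comment lines are ignored, whitespace around "=" is
# tolerated, and a later assignment overrides an earlier one.
autoinstall_enabled() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep -i '^[[:space:]]*autoinstall[[:space:]]*=' \
      | tail -n 1 \
      | grep -iq '=[[:space:]]*yes[[:space:]]*$'
}

# Print a two-line report for this host; optional args override the
# config and sysfs paths so the function can be exercised on sample files.
report() {
    conf_file="${1:-/etc/uptrack/uptrack.conf}"
    sys_file="${2:-/sys/devices/system/cpu/vulnerabilities/srbds}"
    printf 'srbds: %s\n' "$(srbds_status "$sys_file")"
    if [ -r "$conf_file" ] && autoinstall_enabled "$(cat "$conf_file")"; then
        echo 'uptrack: autoinstall enabled, updates apply automatically'
    else
        echo 'uptrack: autoinstall off, run /usr/sbin/uptrack-upgrade -y'
    fi
}

report "$@"
```

Run it as-is on a host to get the two-line report, or feed it sample
files, e.g. report /tmp/sample-uptrack.conf /tmp/sample-srbds, when
checking the classification logic. A result of "needs-microcode" means
the kernel side of the fix is present but the CPU microcode has not been
updated, which matches the note above that updated microcode is required
for CVE-2020-0543 to be mitigated.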

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.