[Ksplice][Ubuntu-16.04-Updates] New Ksplice updates for Ubuntu 16.04 Xenial (USN-4681-1)
Oracle Ksplice
ksplice-support_ww at oracle.com
Wed Jan 13 09:12:35 PST 2021
Synopsis: USN-4681-1 can now be patched using Ksplice
CVEs: CVE-2019-0148 CVE-2020-25656 CVE-2020-25668 CVE-2020-27675 CVE-2020-28974
Systems running Ubuntu 16.04 Xenial can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-4681-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 16.04
Xenial install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
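To tell which of the two cases above a host falls into, the following added example (not Oracle's code) reads the autoinstall setting and reports whether a manual run is needed. It assumes that only the value "yes" enables automatic installation, that the last occurrence of the key wins, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original advisory or of Ksplice Uptrack.

# Print the value of "autoinstall" from an uptrack.conf-style file.
# Skips comment lines, tolerates spacing around "=" and mixed letter case.
# Prints "unset" when the key is absent or the file cannot be read.
# Assumption: the last occurrence of the key is the effective one.
uptrack_autoinstall_value() {
    conf=${1:-/etc/uptrack/uptrack.conf}
    [ -r "$conf" ] || { echo unset; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }                 # commented-out settings do not count
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key)
            gsub(/[ \t\r]/, "", val)
            if (tolower(key) == "autoinstall") found = tolower(val)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$conf"
}

# Exit status 0: manual action is needed. Exit status 1: autoinstall is on.
# Assumption: only "yes" (the value quoted in the advisory) counts as enabled,
# so any other or missing value is reported as needing a manual upgrade.
uptrack_needs_manual_upgrade() {
    case $(uptrack_autoinstall_value "$1") in
        yes) return 1 ;;
        *)   return 0 ;;
    esac
}

# Report only; the upgrade itself is left to the administrator.
if uptrack_needs_manual_upgrade /etc/uptrack/uptrack.conf; then
    echo "autoinstall is not enabled: run /usr/sbin/uptrack-upgrade -y as root"
else
    echo "autoinstall = yes: these updates will be installed automatically"
fi
```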
DESCRIPTION
* CVE-2020-25668: Race condition when sending ioctls to a virtual terminal.
A race condition when sending ioctls to a tty device may cause a
use-after-free. A local attacker may use this to cause memory
corruption or a denial-of-service.
* CVE-2020-25656: Use-after-free in console subsystem.
Specific ioctls sent to the console subsystem could lead to a use-after-free.
A local attacker could use this flaw to read confidential data.
* CVE-2020-28974: Invalid memory access when manipulating framebuffer fonts.
A logic error when manipulating framebuffer console fonts may cause an
out-of-bounds memory read. A local attacker could use this flaw to read
privileged information or potentially cause a denial-of-service.
* CVE-2020-27675: Race condition when reconfiguring para-virtualized Xen devices.
An event-channel removal when reconfiguring paravirtualized devices may cause a
race condition leading to a null pointer dereference. A local attacker could use
this flaw to cause a denial-of-service on a dom0.
* CVE-2019-0148: Memory leak in i40e controller causes denial-of-service.
Improper truncation of integer values in the Intel i40e ethernet
controller driver could result in error conditions being incorrectly
handled, and memory being leaked. An authenticated user might exploit
this to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.