[Ksplice][Ubuntu-22.04-Updates] New Ksplice updates for Ubuntu 22.04 Jammy (USN-6172-1)
Oracle Ksplice
quentin.casasnovas at oracle.com
Thu Jun 22 09:02:54 UTC 2023
Synopsis: USN-6172-1 can now be patched using Ksplice
CVEs: CVE-2022-1679 CVE-2023-1076 CVE-2023-1077 CVE-2023-1079 CVE-2023-1670 CVE-2023-1859 CVE-2023-1998 CVE-2023-25012 CVE-2023-2985
Systems running Ubuntu 22.04 Jammy can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-6172-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu 22.04
Jammy install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2023-1670: Use-after free in Xircom PCMCIA ethernet driver.
A race condition when attempting to unload the Xircom ethernet driver
can lead to a use-after-free. This flaw could be exploited by a local
attacker to cause a denial-of-service or to escalate their privileges.
* CVE-2023-1079: Use-after-free in HID driver for Asus notebook built-in keyboard.
Insufficient locking the HID driver for Asus notebook built-in keyboard can
allow a malicious USB device which advertises itself as an Asus device to
trigger a use-after-free. This may allow a local user to cause memory
corruption.
* CVE-2023-1077: Memory Corruption in Real-Time Scheduling Class.
Incorrect error checking logic in the Real-Time Scheduling Class can lead to
memory corruption. This can allow a local user to cause denial-of-service or
escalate privileges.
* CVE-2023-1076: Permission bypass in tun/tap sockets.
Incorrect initialization in the tun/tap socket code could allow sockets
to be treated incorrectly in filtering and routing decisions. This could
allow bypassing of network filters.
* Improved update to CVE-2022-1679: Use-after-free in Atheros ath9k wireless device driver.
Improper handling of some error conditions in Atheros ath9k wireless
device driver could lead to a use-after-free. A local user could use
this flaw to cause a denial of service or execute arbitrary code.
* CVE-2023-1859: Use-after-free in Plan 9 Resource Sharing Xen Support.
A race condition in 9P Xen Support when removing the driver can lead to
a use-after-free. A local user could use this flaw to cause a denial of
service or elevate privileges on the system.
* CVE-2023-1998: Information disclosure due to disabled Single Thread Indirect Branch Predictors.
With legacy Indirect Branch Restricted Speculation (IBRS), Single Thread
Indirect Branch Predictors (STIBP) was incorrectly determined to be not
needed. This could allow cross-thread branch target injection and
information disclosure.
* CVE-2023-2985: Use-after-free in Apple Extended HFS file system support.
A flaw in HFS+ may lead to a use-after-free. A local user could use this
to cause a denial-of-service.
* CVE-2023-25012: Use-after-free in HID driver for BigBen Interactive Kids' gamepad.
Insufficient locking in the bigben HID driver can allow a malicious USB
device which advertises itself as a BigBen device to trigger a
use-after-free. This may allow a local user to cause memory corruption.
* Use-after-free in wireless LAN (802.11) configuration API.
Improperly reset information from previous connections in cfg80211
during reconnect may lead to a use-after-free. A remote user could
use this flaw to cause a denial-of-service or possibly execute arbitrary
code.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-22.04-updates
mailing list