[Ksplice][Ubuntu-24.04-Updates] New Ksplice updates for Ubuntu 24.04 Noble (USN-6893-1)

Wed Jul 31 13:15:55 UTC 2024

Synopsis: USN-6893-1 can now be patched using Ksplice
CVEs: CVE-2024-26921 CVE-2024-26923 CVE-2024-26925 CVE-2024-26993 CVE-2024-27016 CVE-2024-35890 CVE-2024-35897 CVE-2024-35900 CVE-2024-35901 CVE-2024-35910 CVE-2024-35926 CVE-2024-35950 CVE-2024-35973

Systems running Ubuntu 24.04 Noble can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-6893-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 24.04
Noble install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2024-26921: Code execution in TCP/IP networking.

A logic error when handling IP packet fragments in TCP/IP networking
could lead to a use-after-free. A local attacker could use this flaw to
execute arbitrary code in kernel mode.

* CVE-2024-26923: Privilege escalation in Unix domain sockets.

A race condition when using Unix domain sockets could lead to garbage
collector racing with the connect() syscall. A local attacker could use
this flaw to escalate privileges.

* CVE-2024-26925, CVE-2024-35897, CVE-2024-35900: Privilege escalation in netfilter subsystem.

A logical error in the netfilter subsystem in handling asynchronous
garbage collection and table updates can lead to a double free. A
local attacker can exploit this flaw to escalate privileges or aid
in other types of attacks.

* CVE-2024-26993: Resource leak in SysFS filesystem.

A logic error in the SysFS filesystem can lead to a resource leak.
An attacker can exploit this flaw to cause a denial-of-service or
aid in other types of attacks.

* CVE-2024-27016: Denial-of-service in Network packet filtering framework (Netfilter).

A missing check when handling Point-to-Point Protocol over Ethernet
(PPPoE) headers in Network packet filtering framework (Netfilter) could lead
to use of uninitialized memory. A local attacker could use this flaw to
cause a denial-of-service.

* CVE-2024-35890: Denial-of-service in Generic Receive Offload driver.

An incorrect handling logic of frames in Generic Receive Offload code
in the Linux kernel networking stack can result in an internal
assertion triggering. An attacker can use this flaw to cause
denial-of-service.

* CVE-2024-35901: Denial-of-service in Microsoft Azure Network Adapter (MANA) driver.

An alignment error in Microsoft Azure Network Adapter (MANA) driver
could lead to a kernel panic due to a packet of an unexpected size.
An attacker could use this flaw to cause a denial-of-service.

* CVE-2024-35910: Denial-of-service in IPv4 TCP networking stack.

A logical error in IPv4 TCP networking stack when handling timers upon
a kernel socket release can lead to a NULL pointer dereference. A local
attacker can exploit this flaw to cause a denial-of-service.

* CVE-2024-35926: Resource leak in Intel's IAA Compression Accelerator driver.

A missing check in Intel's IAA Compression Accelerator driver in the
Linux kernel can lead to a resource leak. A local attacker can use
this flaw to cause denial-of-service.

* CVE-2024-35950: Memory corruption in Direct Rendering Manager.

A locking error when using Direct Rendering Manager driver could lead to
a use-after-free. A local attacker could use this flaw to cause memory
corruption.

* CVE-2024-35973: Denial-of-service in Generic Network Virtualization Encapsulation.

A logic error when using Generic Network Virtualization Encapsulation
driver could lead to use of uninitialized memory. A local attacker could
use this flaw to cause a denial-of-service.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.