[Ksplice][Ubuntu-24.04-Updates] New Ksplice updates for Ubuntu 24.04 Noble (USN-7402-1)

Oracle Ksplice gregory.herrero at oracle.com
Mon May 19 19:17:30 UTC 2025 

Synopsis: USN-7402-1 can now be patched using Ksplice
CVEs: CVE-2024-50009 CVE-2024-50028 CVE-2024-50033 CVE-2024-50035 CVE-2024-50036 CVE-2024-50045 CVE-2024-50066 CVE-2024-50076 CVE-2024-50195 CVE-2024-50210 CVE-2024-50302 CVE-2024-53063 CVE-2024-53140 CVE-2024-53170 CVE-2024-56582 CVE-2024-56595 CVE-2024-56596 CVE-2024-56597 CVE-2024-56598 CVE-2024-56658 CVE-2024-56672 CVE-2024-57798

Systems running Ubuntu 24.04 Noble can now use Ksplice to patch
against the latest Ubuntu Security Notice, USN-7402-1.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Ubuntu 24.04
Noble install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2024-50009: Denial-of-service in CPU Frequency scaling driver.

A missing check when using the CPU Frequency scaling driver could lead
to a NULL pointer dereference. A local attacker could use this flaw to
cause a denial-of-service.


* CVE-2024-50028: Memory corruption in Thermal netlink management driver.

Incorrect reference counting when using the Thermal netlink management
driver could lead to a use-after-free. A local attacker could use this
flaw to cause memory corruption.


* CVE-2024-50033: Privilege escalation in SLHC driver.

A logic error when using the Van Jacobson TCP/IP Serial Line Header
Compression (SLHC) driver could lead to an out-of-bounds memory access.
A local attacker could use this flaw to escalate privileges.


* CVE-2024-50035: Information leak in PPP (point-to-point protocol) networking stack.

A missing check when transmitting using the PPP networking stack could
lead to use of uninitialized memory. A local attacker could use this
flaw to extract sensitive information.


* CVE-2024-50036: Privilege escalation in Networking driver.

A logic error when using the Networking driver could lead to a
use-after-free. A local attacker could use this flaw to escalate
privileges.


* CVE-2024-50045: Denial-of-service in bridge netfilter driver.

A logic error when sending traffic using the bridge netfilter driver
could lead to a NULL pointer dereference. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2024-50066: Privilege escalation in Memory Management subsystem.

A race condition when using the Memory Management subsystem could lead
to page directory corruption. A local attacker could use this flaw to
escalate privileges.


* CVE-2024-50076: Information leak in virtual terminal driver.

A missing initialization of allocated memory when getting font
information in the virtual console driver could lead to use of
uninitialized memory. A local attacker could use this flaw to
extract sensitive information.


* CVE-2024-50195, CVE-2024-50210: Denial-of-service in dynamic POSIX clock driver.

A missing check when using the dynamic POSIX clock driver could lead to
invalid time being set. A local attacker could use this flaw to cause a
denial-of-service or other types of attacks (since other kernel parts or
drivers may depend on the set time).


* CVE-2024-50302: Information leak in HID bus driver.

A missing variable initialization when using the HID bus driver could
lead to use of uninitialized memory. A local attacker could use this
flaw to extract sensitive information.


* CVE-2024-53063: Denial-of-service in DVB core driver.

A logic error when using the DVB core driver could lead to a memory
leak. A local attacker could use this flaw to cause a denial-of-service.


* CVE-2024-53140: Privilege escalation in netlink driver.

A logic error when using the netlink driver could lead to a
use-after-free. A local attacker could use this flaw to escalate
privileges.


* CVE-2024-53170: Memory corruption in Block layer subsystem.

A logic error when using the Block layer subsystem could lead to a
use-after-free. A local attacker could use this flaw to cause memory
corruption.


* CVE-2024-56582: Memory corruption in Btrfs filesystem driver.

Incorrect reference counting when using the Btrfs filesystem driver
could lead to a use-after-free. A local attacker could use this flaw to
cause memory corruption.


* CVE-2024-56595, CVE-2024-56596, CVE-2024-56597, CVE-2024-56598: Code execution in JFS filesystem driver.

A missing check when using the JFS filesystem driver could lead to an
out-of-bounds memory access. A local attacker could use this flaw to
execute arbitrary code in kernel mode.


* CVE-2024-56658: Memory corruption in Network namespace subsystem.

A race condition when using the Network namespace subsystem could lead
to a use-after-free. A local attacker could use this flaw to cause
memory corruption.


* CVE-2024-56672: Privilege escalation in Block IO Control Groups subsystem.

A logic error when using the Block IO Control Groups subsystem could
lead to a use-after-free. A local attacker could use this flaw to
escalate privileges.


* CVE-2024-57798: Memory corruption in DRM DisplayPort subsystem.

A locking error when using the DRM DisplayPort subsystem could lead to a
use-after-free. A local attacker could use this flaw to cause memory
corruption.


* Note: Oracle has determined some CVEs are not applicable.

The kernel is not affected by the following CVEs
since the code under consideration is not compiled.

CVE-2024-50026, CVE-2024-50068, CVE-2024-50069, CVE-2024-50070,
CVE-2024-50075, CVE-2024-50084, CVE-2024-50193, CVE-2024-50196,
CVE-2024-53165

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the Ksplice-Ubuntu-24.04-updates mailing list