[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-5854-1)
Oracle Ksplice
quentin.casasnovas at oracle.com
Wed Feb 22 19:03:45 UTC 2023
Synopsis: USN-5854-1 can now be patched using Ksplice
CVEs: CVE-2022-20369 CVE-2022-2663 CVE-2022-3646 CVE-2022-3649 CVE-2022-41849 CVE-2022-41850 CVE-2022-43750
Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-5854-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2022-3646: Memory-leak in NILFS2 file system.
A flaw in NILFS2 when failing to create a log writer thread could lead to
a memory leak. A local attacker could use this flaw to exhaust system
memory and cause a denial-of-service.
* CVE-2022-41850: Use-after-free during roccat device event processing.
A race condition can occur when processing events for roccat
devices, which ultimately leads to a use-after-free. This flaw could
be exploited by a malicious local user to cause a denial-of-service, or
to aid in another type of attack.
* Improved update to CVE-2022-2663: Firewall bypass in IRC connection tracking.
An issue in nf_conntrack_irc in unencrypted IRC protocol message
handling could result in messages being incorrectly matched by the
firewall. A remote user could use this flaw to bypass local firewall
rules.
* CVE-2022-3649: Use-after-free in NILFS2 file system.
A missing sanity check in nilfs2 when handling corrupted on-disk
filesystem data could lead to a use-after-free. An attacker could use
this flaw to cause a denial-of-service or escalate privileges.
* CVE-2022-20369: Privilege escalation in V4L2 memory-to-memory framework.
Improper input validation in the Video for Linux API version 2 subsystem
can lead to an out-of-bounds write. This could lead to a local privilege
escalation or denial-of-service.
* CVE-2022-43750: Use-after-free in USB monitor.
Incorrect permission flags set on userspace memory mappings in usbmon
could lead to a use-after-free. A local attacker could use this flaw for
a denial-of-service or escalate privileges.
* CVE-2022-41849: Use-after-free when removing SMSC UFX USB device.
A race condition in the SMSC UFX USB video device driver between activating
and deactivating the device could result in a NULL-pointer dereference.
A malicious device might exploit this to cause a denial-of-service.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-Oracle-Updates
mailing list