[Ksplice][Ubuntu-Oracle-Updates] New Ksplice updates for Ubuntu OCI kernel (USN-5790-1)
Oracle Ksplice
quentin.casasnovas at oracle.com
Fri Jan 20 19:11:42 UTC 2023
Synopsis: USN-5790-1 can now be patched using Ksplice
CVEs: CVE-2021-4159 CVE-2022-2663 CVE-2022-3061 CVE-2022-3586 CVE-2022-39188 CVE-2022-40307 CVE-2022-4095
Systems running Ubuntu OCI kernel can now use Ksplice to patch against
the latest Ubuntu Security Notice, USN-5790-1.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Ubuntu OCI
kernel install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2022-2663: Firewall bypass in IRC connection tracking.
An issue in nf_conntrack_irc in unencrypted IRC protocol message
handling could result in messages being incorrectly matched by the
firewall. A remote user could use this flaw to bypass local firewall
rules.
* CVE-2021-4159: Information disclosure in eBPF verifier.
A flaw in eBPF verifier when handling internal data structures could
result in internal memory disclosure to userspace. A local user with
permissions to insert eBPF code could use this flaw for information
disclosure.
* CVE-2022-39188: Denial-of-service in MMU-based Paged Memory Management Support.
A flaw in MMU-based Paged Memory Management Support when unmapping
a memory region could result in a system crash. A local user could use
this flaw to cause a denial-of-service.
* CVE-2022-3586: Use-after-free in network scheduler.
A race condition in net scheduler when enqueuing a socket buffer into a
queue discipline may lead to a use-after-free. A local user could use
this flaw to cause a denial-of-service or disclose sensitive
information.
* Improved update to CVE-2022-3061: Denial-of-service in Intel740 framebuffer driver.
Improper validation of arguments provided from userspace through ioctl()
in i740fb may lead to a divide-by-zero bug. A local attacker could use
this flaw to cause a denial-of-service.
* CVE-2022-40307: Use-after-free in EFI capsule loader.
A race condition in EFI capsule loader when simultaneously performing a write
and a close operation on the device node may lead to a use-after-free. A local
user could use this flaw to cause a denial-of-service or escalate privileges.
* Memory leak when registering pvrusb2 driver.
A missing free of resources when registering pvrusb2 driver could lead
to a memory leak. A local attacker could use this flaw to cause a
denial-of-service.
* CVE-2022-4095: Use-after-free in rtl8712 USB networking driver.
A flaw in the rtl8712 driver may lead to a use-after-free when
processing the command queue. A local attacker could use this flaw to
cause a denial-of-service or escalate privileges.
SUPPORT
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the Ksplice-Ubuntu-Oracle-Updates
mailing list