[El-errata] New Ksplice updates for Oracle Enhanced RHCK 7 (ELBA-2022-0063-1)

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Jan 20 00:16:00 UTC 2022 

Synopsis: ELBA-2022-0063-1 can now be patched using Ksplice
CVEs: CVE-2020-25704 CVE-2020-36322 CVE-2021-28950 CVE-2021-42739

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Bug Fix Advisory, ELBA-2022-0063-1.
More information about this errata can be found at
https://linux.oracle.com/errata/ELBA-2022-0063-1.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Oracle Enhanced
RHCK 7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2021-42739: Buffer overflow in FireDTV firewire DVB receiver driver.

The FireDTV firewire DVB receiver driver contains a buffer overflow when
processing a Program Map Table entry. A malicious device might exploit
this to overwrite memory and cause a denial-of-service.


* CVE-2020-25704: Denial-of-service in the performance monitoring subsystem.

A possible memory leak when setting performance monitoring filter could lead to
kernel memory exhaustion. A local attacker could use this flaw to cause a
denial-of-service.


* Note: Oracle will not provide a zero-downtime update for CVE-2020-36322 and CVE-2021-28950.

CVE-2020-36322 and CVE-2021-28950 are both scored CVSSv3 5.5 and are
present in the fuse driver, which allows userspace drivers for
filesystems. Both CVEs allow an unprivileged user with access to
a mounted fuse filesystem to potentially cause a denial-of-service
through either a crash of the filesystem driver or infinite loop in
kernel.

Hosts without the fuse driver loaded or without any fuse filesystems
mounted are not affected by this issue.

Oracle has determined that patching CVE-2020-36322 and CVE-2021-28950 on
a running system would not be safe and recommends a reboot if fuse is
used on the host and unprivileged users are allowed to access a mounted
fuse filesystem.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.

More information about the El-errata mailing list