
The following updates have been released for Oracle Linux 7:

ELSA-2018-2692 Critical: Oracle Linux 7 firefox security update
New Ksplice updates for UEKR5 4.14.35 on OL7 (ELBA-2018-4212)



ELSA-2018-2692 Critical: Oracle Linux 7 firefox security update

Oracle Linux Security Advisory ELSA-2018-2692

http://linux.oracle.com/errata/ELSA-2018-2692.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

x86_64:
firefox-60.2.0-1.0.1.el7_5.i686.rpm
firefox-60.2.0-1.0.1.el7_5.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/firefox-60.2.0-1.0.1.el7_5.src.rpm



Description of changes:

[60.2.0-1.0.1]
- Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat file

[60.2.0-1]
- Update to 60.2.0 ESR

[60.1.0-9]
- Do not set user agent (rhbz#1608065)
- GTK dialogs are localized now (rhbz#1619373)
- JNLP association works again (rhbz#1607457)

[60.1.0-8]
- Fixed homepage and bookmarks (rhbz#1606778)
- Fixed missing file associations in RHEL6 (rhbz#1613565)

[60.1.0-7]
- Run at-spi-bus if not running already (for the bundled gtk3)

[60.1.0-6]
- Fix for missing schemes for bundled gtk3

[60.1.0-5]
- Added mesa-libEGL dependency to gtk3/rhel6

New Ksplice updates for UEKR5 4.14.35 on OL7 (ELBA-2018-4212)

Synopsis: ELBA-2018-4212 can now be patched using Ksplice
CVEs: CVE-2018-10021 CVE-2018-13405 CVE-2018-15471

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Bug Fix Advisory, ELBA-2018-4212.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
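As an added example, not part of the advisory or of Oracle's Ksplice tooling, the following POSIX shell check decides which of the three cases above applies to a host: the advisory does not apply (kernel is not UEKR5 4.14.35 on OL7), Uptrack will install the updates itself ("autoinstall = yes"), or the manual upgrade command is needed. It assumes that UEKR5 kernel release strings contain "el7uek" and that uptrack.conf uses "key = value" lines with "#" comments.

```shell
#!/bin/sh
# Added example (not Oracle's code): map the advisory's install guidance
# onto the state of one host. Assumptions: `uname -r` reports a release
# such as 4.14.35-<build>.el7uek.<arch> for UEKR5 on OL7, and
# /etc/uptrack/uptrack.conf holds "autoinstall = yes|no" lines.

# Return 0 if the kernel release string is a UEKR5 4.14.35 build for OL7.
is_uekr5_ol7() {
    case "$1" in
        4.14.35-*el7uek*) return 0 ;;
        *)                return 1 ;;
    esac
}

# Return 0 if "autoinstall = yes" is set in the given uptrack.conf.
# Comments after "#" are stripped; whitespace and value case are ignored.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1   # missing/unreadable config: treat as not enabled
    sed -e 's/#.*//' "$conf" \
      | grep -iE '^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*yes[[:space:]]*$' \
      >/dev/null
}

# Print the action for this host: "skip", "auto" or "manual".
ksplice_action() {
    kernel="$1"
    conf="$2"
    if ! is_uekr5_ol7 "$kernel"; then
        echo skip     # ELBA-2018-4212 Ksplice updates do not target this kernel
    elif autoinstall_enabled "$conf"; then
        echo auto     # Uptrack applies the updates without operator action
    else
        echo manual   # operator should run: /usr/sbin/uptrack-upgrade -y
    fi
}

# Stand-alone use: inspect the live system and report the action.
echo "ksplice action for $(uname -r): $(ksplice_action "$(uname -r)" /etc/uptrack/uptrack.conf)"
```

Running it on a host that prints "manual" is the cue to run the uptrack-upgrade command shown above; "skip" means the kernel is outside this advisory's scope.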


DESCRIPTION

* NULL-pointer dereference in FUSE when failing to create inode.

If inode creation fails for a Filesystem in Userspace file, the
connection teardown to the FUSE service might improperly try to clean up
the non-existent inode, resulting in a NULL-pointer dereference and
denial-of-service.

Orabug: 28434194


* Use-after-free in FUSE when failing to create superblock.

If an error occurs while creating a Filesystem in Userspace superblock
after the connection to the FUSE service is made, the connection is not
torn down, resulting in a use-after-free and potential denial-of-service
when the superblock is freed.

Orabug: 28434194


* CVE-2018-13405: Permissions bypass when creating file in SGID directory.

Creating an executable file in an SGID directory can result in the file
having the group ownership of the directory. This can be exploited to
elevate privileges if the file is created in a directory owned by a
privileged group.

Orabug: 28459475


* CVE-2018-10021: Denial-of-service in SAS device abort and failover.

Incorrect error handling when aborting or failing over a SAS device
could result in resource starvation and IO hangs. A physically present
malicious user could use this flaw to cause a denial of service.

Orabug: 28459683


* NULL pointer dereference in LSI SYM53C8XX SCSI driver.

Missing pointer checks in debug statements could result in a NULL
pointer dereference and kernel crash under specific conditions.

Orabug: 28481892


* CVE-2018-15471: Privilege escalation in Xen network backend.

A validation failure in the Xen network backend driver can result in an
out-of-bounds memory access. A guest operating system could use this
flaw to potentially escalate privileges or cause a denial-of-service.

Orabug: 28460239

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.