Oracle Linux 6277 Published by

The following updates has been released for Oracle Linux 5 and 6:

ELSA-2018-4301 Important: Oracle Linux 5 Extended Lifecycle Support (ELS) Unbreakable Enterprise kernel security update
ELSA-2018-4301 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update
New Ksplice updates for UEKR2 2.6.39 on OL5 and OL6 (ELSA-2018-4301)
New Ksplice updates for UEKR3 3.8.13 on OL6 and OL7 (ELSA-2018-4300)



ELSA-2018-4301 Important: Oracle Linux 5 Extended Lifecycle Support (ELS) Unbreakable Enterprise kernel security update

Oracle Linux Security Advisory ELSA-2018-4301

http://linux.oracle.com/errata/ELSA-2018-4301.html

The following updated rpms for Oracle Linux 5 Extended Lifecycle Support
(ELS) have been uploaded to the Unbreakable Linux Network:

i386:
kernel-uek-2.6.39-400.304.1.el5uek.i686.rpm
kernel-uek-debug-2.6.39-400.304.1.el5uek.i686.rpm
kernel-uek-debug-devel-2.6.39-400.304.1.el5uek.i686.rpm
kernel-uek-devel-2.6.39-400.304.1.el5uek.i686.rpm
kernel-uek-doc-2.6.39-400.304.1.el5uek.noarch.rpm
kernel-uek-firmware-2.6.39-400.304.1.el5uek.noarch.rpm

x86_64:
kernel-uek-firmware-2.6.39-400.304.1.el5uek.noarch.rpm
kernel-uek-doc-2.6.39-400.304.1.el5uek.noarch.rpm
kernel-uek-2.6.39-400.304.1.el5uek.x86_64.rpm
kernel-uek-devel-2.6.39-400.304.1.el5uek.x86_64.rpm
kernel-uek-debug-devel-2.6.39-400.304.1.el5uek.x86_64.rpm
kernel-uek-debug-2.6.39-400.304.1.el5uek.x86_64.rpm




Description of changes:

[2.6.39-400.304.1.el5uek]
- mnt: Prevent pivot_root from creating a loop in the mount tree (Eric
W. Biederman) [Orabug: 26575709] {CVE-2014-7970} {CVE-2014-7970}
- vfs: more mnt_parent cleanups (Al Viro) [Orabug: 26575709] {CVE-2014-7970}
- vfs: new internal helper: mnt_has_parent(mnt) (Al Viro) [Orabug:
26575709] {CVE-2014-7970}
- ALSA: seq: Fix racy pool initializations (Takashi Iwai) [Orabug:
28459730] {CVE-2018-7566}
- xen-netback: calculate full_coalesce before the pre-estimation of ring
buffer slots to consume (Dongli Zhang) [Orabug: 28818690] - scsi: sg:
allocate with __GFP_ZERO in sg_build_indirect() (Alexander Potapenko)
[Orabug: 28892695] {CVE-2018-1000204}
- KVM: MTRR: remove MSR 0x2f8 (Andy Honig) [Orabug: 28901711]
{CVE-2016-3713} {CVE-2016-3713}
- cdrom: fix improper type cast, which can leat to information leak.
(Young_X) [Orabug: 28929788] {CVE-2018-16658} {CVE-2018-10940}
{CVE-2018-18710}
- udf: Check component length before reading it (Jan Kara) [Orabug:
28941923] {CVE-2014-9728}
- udf: Verify symlink size before loading it (Shan Hai) [Orabug:
28941923] {CVE-2014-9728}
- udf: Verify i_size when loading inode (Shan Hai) [Orabug: 28941923]
{CVE-2014-9728}
- floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
(Andy Whitcroft) [Orabug: 28956549] {CVE-2018-7755} {CVE-2018-7755}
- crypto: salsa20 - fix blkcipher_walk API usage (Eric Biggers) [Orabug:
28976586] {CVE-2017-17805}
- crypto: hmac - require that the underlying hash algorithm is unkeyed
(Eric Biggers) [Orabug: 28976655] {CVE-2017-17806}

ELSA-2018-4301 Important: Oracle Linux 6 Unbreakable Enterprise kernel security update

Oracle Linux Security Advisory ELSA-2018-4301

http://linux.oracle.com/errata/ELSA-2018-4301.html

The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:

i386:
kernel-uek-2.6.39-400.304.1.el6uek.i686.rpm
kernel-uek-debug-2.6.39-400.304.1.el6uek.i686.rpm
kernel-uek-debug-devel-2.6.39-400.304.1.el6uek.i686.rpm
kernel-uek-devel-2.6.39-400.304.1.el6uek.i686.rpm
kernel-uek-doc-2.6.39-400.304.1.el6uek.noarch.rpm
kernel-uek-firmware-2.6.39-400.304.1.el6uek.noarch.rpm

x86_64:
kernel-uek-firmware-2.6.39-400.304.1.el6uek.noarch.rpm
kernel-uek-doc-2.6.39-400.304.1.el6uek.noarch.rpm
kernel-uek-2.6.39-400.304.1.el6uek.x86_64.rpm
kernel-uek-devel-2.6.39-400.304.1.el6uek.x86_64.rpm
kernel-uek-debug-devel-2.6.39-400.304.1.el6uek.x86_64.rpm
kernel-uek-debug-2.6.39-400.304.1.el6uek.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol6/SRPMS-updates/kernel-uek-2.6.39-400.304.1.el6uek.src.rpm



Description of changes:

[2.6.39-400.304.1.el6uek]
- mnt: Prevent pivot_root from creating a loop in the mount tree (Eric
W. Biederman) [Orabug: 26575709] {CVE-2014-7970} {CVE-2014-7970}
- vfs: more mnt_parent cleanups (Al Viro) [Orabug: 26575709] {CVE-2014-7970}
- vfs: new internal helper: mnt_has_parent(mnt) (Al Viro) [Orabug:
26575709] {CVE-2014-7970}
- ALSA: seq: Fix racy pool initializations (Takashi Iwai) [Orabug:
28459730] {CVE-2018-7566}
- xen-netback: calculate full_coalesce before the pre-estimation of ring
buffer slots to consume (Dongli Zhang) [Orabug: 28818690] - scsi: sg:
allocate with __GFP_ZERO in sg_build_indirect() (Alexander Potapenko)
[Orabug: 28892695] {CVE-2018-1000204}
- KVM: MTRR: remove MSR 0x2f8 (Andy Honig) [Orabug: 28901711]
{CVE-2016-3713} {CVE-2016-3713}
- cdrom: fix improper type cast, which can leat to information leak.
(Young_X) [Orabug: 28929788] {CVE-2018-16658} {CVE-2018-10940}
{CVE-2018-18710}
- udf: Check component length before reading it (Jan Kara) [Orabug:
28941923] {CVE-2014-9728}
- udf: Verify symlink size before loading it (Shan Hai) [Orabug:
28941923] {CVE-2014-9728}
- udf: Verify i_size when loading inode (Shan Hai) [Orabug: 28941923]
{CVE-2014-9728}
- floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
(Andy Whitcroft) [Orabug: 28956549] {CVE-2018-7755} {CVE-2018-7755}
- crypto: salsa20 - fix blkcipher_walk API usage (Eric Biggers) [Orabug:
28976586] {CVE-2017-17805}
- crypto: hmac - require that the underlying hash algorithm is unkeyed
(Eric Biggers) [Orabug: 28976655] {CVE-2017-17806}

New Ksplice updates for UEKR2 2.6.39 on OL5 and OL6 (ELSA-2018-4301)

Synopsis: ELSA-2018-4301 can now be patched using Ksplice
CVEs: CVE-2014-7970 CVE-2014-9728 CVE-2016-3713 CVE-2017-17805 CVE-2017-17806 CVE-2018-1000204 CVE-2018-18710 CVE-2018-7566 CVE-2018-7755

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4301.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR2 2.6.39 on
OL5 and OL6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-17806: Denial-of-service in HMAC algorithms.

Invalid algorithm combinations could result in buffer overflows or other
undefined behaviour when using a keyed hash algorithm. A local,
unprivileged user could use this flaw to crash the system, or
potentially, escalate privileges.

Orabug: 28976655


* CVE-2017-17805: Denial-of-service in SALSA20 block cipher.

Incorrect handling of zero length buffers could result in an invalid
pointer dereference and kernel crash. A local, unprivileged user could
use this flaw to crash the system, or potentially, escalate privileges.

Orabug: 28976586


* CVE-2018-7755: Information leak through floppy disk driver ioctl.

A logic error when using floppy disk driver ioctl could lead to a kernel
address leak. A local attacker could use this flaw to get address of
running kernel and facilitate an attack.

Orabug: 28956549


* CVE-2014-9728: Information link in UDF filesystem symlinks.

Missing validation of symlinks could allow a local attacker with a
maliciously crafted filesystem to leak the contents of kernel memory to
user-space.

Orabug: 28941923


* CVE-2018-18710: Information leak when checking the CD-ROM slot status.

An incorrect bounds check in the CD-ROM driver could allow an out-of-bounds
access and kernel information leak to an unprivileged user.

Orabug: 28929788


* CVE-2016-3713: Privilege escalation in KVM MTRR emulation.

Incorrect validation of emulated MTRR MSRs can allow a guest VM to read
and write memory in the KVM host. This may allow a privileged guest to
gain code execution in the KVM host.

Orabug: 28901711


* CVE-2018-1000204: Kernel information leak when performing SG_IO ioctl.

A vulnerability in the SCSI subsystem allows copying uninitialized
kernel memory to userspace. This could provide an attacker with
sensitive kernel information.

Orabug: 28892695


* CVE-2018-7566: Denial-of-service when initializing ALSA sequence pool.

A race condition when initializing ALSA sequence pool leads to
use-after-free and out-of-bound memory access. An attacker can exploit
this to cause denial-of-service.

Orabug: 28459730


* CVE-2014-7970: Memory corruption when using pivot_root.

A flaw in the pivot_root syscall leads to a corruption of the mount tree
when calling with a directory outside a chroot. A local user could use this
flaw to cause a memory corruption and likely a denial-of-service.

Orabug: 26575709

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.

New Ksplice updates for UEKR3 3.8.13 on OL6 and OL7 (ELSA-2018-4300)

Synopsis: ELSA-2018-4300 can now be patched using Ksplice
CVEs: CVE-2014-9728 CVE-2016-3713 CVE-2017-13168 CVE-2017-17805 CVE-2017-17806 CVE-2018-1000204 CVE-2018-10021 CVE-2018-10902 CVE-2018-18710 CVE-2018-7755

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4300.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR3 3.8.13 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2017-17806: Denial-of-service in HMAC algorithms.

Invalid algorithm combinations could result in buffer overflows or other
undefined behaviour when using a keyed hash algorithm. A local,
unprivileged user could use this flaw to crash the system, or
potentially, escalate privileges.

Orabug: 28976654


* CVE-2017-17805: Denial-of-service in SALSA20 block cipher.

Incorrect handling of zero length buffers could result in an invalid
pointer dereference and kernel crash. A local, unprivileged user could
use this flaw to crash the system, or potentially, escalate privileges.

Orabug: 28976585


* CVE-2018-7755: Information leak through floppy disk driver ioctl.

A logic error when using floppy disk driver ioctl could lead to a kernel
address leak. A local attacker could use this flaw to get address of
running kernel and facilitate an attack.


* CVE-2018-18710: Information leak when checking the CD-ROM slot status.

An incorrect bounds check in the CD-ROM driver could allow an out-of-bounds
access and kernel information leak to an unprivileged user.

Orabug: 28929777


* CVE-2016-3713: Privilege escalation in KVM MTRR emulation.

Incorrect validation of emulated MTRR MSRs can allow a guest VM to read
and write memory in the KVM host. This may allow a privileged guest to
gain code execution in the KVM host.

Orabug: 28901657


* CVE-2018-10902: Denial-of-service in ALSA rawmidi ioctl.

Race conditions in the SNDRV_RAWMIDI_IOCTL_PARAMS ioctl code could result
in memory corruption. This could be exploited to cause a denial-of-service.

Orabug: 28898650


* CVE-2018-1000204: Kernel information leak when performing SG_IO ioctl.

A vulnerability in the SCSI subsystem allows copying uninitialized
kernel memory to userspace. This could provide an attacker with
sensitive kernel information.

Orabug: 28892683


* CVE-2017-13168: Denial-of-service in sg read/write implementation.

An unsafe implementation of read/write in the sg driver can result in
userspace being able to corrupt Kernel memory. A local user with access
to an sg device could use this flaw to cause undefined behaviour or a
Kernel crash, leading to a denial-of-service.

Orabug: 28824742


* CVE-2018-10021: Denial-of-service in SAS device abort and failover.

Incorrect error handling when aborting or failing over a SAS device
could result in resource starvation and IO hangs. A physically present
malicious user could use this flaw to cause a denial of service.

Orabug: 28459689


* Divide by zero in Intel power state driver when scaling the frequency.

A logic error in the Intel power state driver could lead to a divide by
zero when timers are being delayed for too long. A local, un-privileged
user could use this flaw to cause a denial-of-service.

Orabug: 28005134


* CVE-2014-9728: Out-of-bounds memory accesses in UDF filesystem driver.

A lack of input validation in the UDF filesystem driver could lead to an
out-of-bound memory access and potentially to a kernel panic. An
attacker could use a specially crafted filesystem to cause a
denial-of-service.

Orabug: 21193696

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.