
The following Ksplice updates have been released for Oracle Linux:

New Ksplice updates for UEKR2 2.6.39 on OL5 and OL6 (ELSA-2018-4110)
New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2018-4108)



New Ksplice updates for UEKR2 2.6.39 on OL5 and OL6 (ELSA-2018-4110)

Synopsis: ELSA-2018-4110 can now be patched using Ksplice
CVEs: CVE-2017-16532 CVE-2017-16537 CVE-2017-16643 CVE-2017-17558 CVE-2018-10323 CVE-2018-1068 CVE-2018-1093 CVE-2018-5332

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4110.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR2 2.6.39 on
OL5 and OL6 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2018-10323: NULL pointer dereference when converting extents-format to B+tree in XFS filesystem.

A logic error when converting extents-format to B+tree in the XFS
filesystem could lead to a NULL pointer dereference. A local attacker
could use this flaw with a crafted XFS image to cause a denial-of-service.

Orabug: 27989490


* CVE-2018-5332: Out-of-bounds write when sending messages through Reliable Datagram Sockets.

A missing check when sending messages through Reliable Datagram Sockets
could lead to an out-of-bounds write in the heap. A local attacker could
use this flaw to cause a denial-of-service.

Orabug: 27934081


* CVE-2017-17558: Buffer overrun in USB core via integer overflow.

Failing to sanitize the bNumInterfaces field in a USB device descriptor
could allow a malicious device to induce a buffer overrun, potentially
causing a denial-of-service.

Orabug: 27898064


* CVE-2018-1093: Denial-of-service in ext4 bitmap block validity check.

A failure to correctly validate bitmap information from an ext4
filesystem can result in an out-of-bounds read, leading to a kernel
crash. A local user with the ability to mount an ext4 filesystem could
use this flaw to cause a denial-of-service.

Orabug: 27854370


* CVE-2018-1068: Privilege escalation in bridging interface.

Lack of userspace parameter sanitization in the 32-bit syscall interface
for bridging allows a user with limited privilege to write into kernel
memory. This flaw could be exploited to escalate privilege.

Orabug: 27774010


* Task hang in block device journalling layer fsync.

A transaction ID wraparound could cause a task hang when performing a
sync() operation on a filesystem using the JBD journalling layer under
IO load.

Orabug: 27734012


* IO stalls with FUSE filesystem lock contention.

Incorrect lock ordering in FUSE filesystems could result in a deadlock
and IO stalls or a system hang.

Orabug: 27719848


* CVE-2017-16532: NULL pointer dereference when running USB tests with a crafted USB device.

A missing check when running USB tests with a USB device exposing an
invalid endpoint configuration could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.

Orabug: 27602321


* NULL pointer dereference when using bind system call on RDS over Infiniband socket.

A logic error when using the bind system call on an RDS over Infiniband
instance could lead to a NULL pointer dereference. A local attacker
could use this flaw to cause a denial-of-service.

Orabug: 27241654


* CVE-2017-16643: Out-of-bounds access in GTCO CalComp/InterWrite USB tablet HID parsing.

A validation failure when parsing a HID report from a GTCO
CalComp/InterWrite USB tablet can result in an out-of-bounds memory
access. A user with physical access to a system could use this flaw to
cause undefined behaviour or potentially escalate privileges.

Orabug: 27215095


* CVE-2017-16537: NULL pointer dereference when registering SoundGraph iMON Receiver and Display driver.

A missing check when registering the SoundGraph iMON Receiver and Display
driver could lead to a NULL pointer dereference. A local attacker could
use this flaw to cause a denial-of-service.

Orabug: 27208383


* Improved CPU feature detection on microcode updates.

Because of incorrect handling, new CPU features introduced with a
microcode update could fail to be detected by the system or propagated
to guest VMs.

Orabug: 27915355, 27878228


* Improve sysfs attributes to control Spectre mitigations.

Incorrect reporting or setting of Spectre mitigations through sysfs
attributes could mislead the user about which mitigations are available
and enabled.

Orabug: 27788624, 27811437, 27795350

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.


New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2018-4108)

Synopsis: ELSA-2018-4108 can now be patched using Ksplice
CVEs: CVE-2017-15129 CVE-2017-15299 CVE-2017-16994 CVE-2017-17448 CVE-2017-17449 CVE-2017-17741 CVE-2017-7294 CVE-2018-5332

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018-4108.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
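
The installation steps for both advisories on this page reduce to two checks per host: which UEK kernel is booted, and whether "autoinstall = yes" is set. The script below is an added example, not Oracle's code; the function names, the "uek" substring match on the kernel release, and the case and whitespace normalisation of the config value are assumptions.

```shell
#!/bin/sh
# Added example: triage one host against the two advisories on this page.

# Map a kernel release string (as printed by `uname -r`) to the advisory
# that covers it. Matching on "uek" in the release is an assumption.
advisory_for_kernel() {
    case "$1" in
        2.6.39-*uek*) echo "ELSA-2018-4110" ;;   # UEKR2 on OL5 and OL6
        4.1.12-*uek*) echo "ELSA-2018-4108" ;;   # UEKR4 on OL6 and OL7
        *)            echo "none" ;;
    esac
}

# Print the effective "autoinstall" value from an uptrack.conf-style file.
# Comment lines are skipped and the last assignment wins; "unset" is
# printed when the key or the file is missing.
autoinstall_value() {
    [ -r "$1" ] || { echo "unset"; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (tolower(key) == "autoinstall") found = tolower(val)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Print "<advisory> automatic" or "<advisory> manual", or "none" when the
# kernel is not one of the two covered here.
triage() {   # $1 = kernel release, $2 = path to uptrack.conf
    adv=$(advisory_for_kernel "$1")
    if [ "$adv" = "none" ]; then
        echo "none"
    elif [ "$(autoinstall_value "$2")" = "yes" ]; then
        echo "$adv automatic"
    else
        echo "$adv manual"   # operator runs: /usr/sbin/uptrack-upgrade -y
    fi
}

# Stand-alone run against the local host; only reads, never upgrades.
triage "$(uname -r)" /etc/uptrack/uptrack.conf
```

A result of "manual" means the host will not pick up the update by itself and needs the uptrack-upgrade command shown above.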


DESCRIPTION

* CVE-2017-15129: Use-after-free in network namespace when getting namespace ids.

A race condition in the net namespace code could lead to a double
free and memory corruption. A local attacker could use this flaw to
cause a denial-of-service.

Orabug: 27934789


* CVE-2018-5332: Out-of-bounds write when sending messages through Reliable Datagram Sockets.

A missing check when sending messages through Reliable Datagram Sockets
could lead to an out-of-bounds write in the heap. A local attacker could
use this flaw to cause a denial-of-service.

Orabug: 27934066


* CVE-2017-7294: Denial-of-service when creating surface using DRM driver for VMware Virtual GPU.

A missing parameter check when using the "surface define" ioctl of the
DRM driver for VMware Virtual GPU could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.

Orabug: 27913367


* CVE-2017-15299: Denial-of-service in uninstantiated key configuration.

A failure to check whether or not a key is instantiated before
performing operations on it can result in a NULL pointer dereference,
leading to a kernel crash. A local user could use this flaw to cause a
denial-of-service.

Orabug: 27913330


* CVE-2017-16994: Information leak when using mincore system call.

A logic error with huge TLBs when using the mincore system call could
lead to an information leak. A local attacker could use this flaw to leak
information about the running kernel and facilitate an attack.

Orabug: 27913118


* CVE-2017-17449: Missing permission check in netlink monitoring.

Netlink monitoring is not correctly restricted to the local namespace.
Nlmon can currently be used to sniff packets on the entire system.

Orabug: 27260799


* CVE-2017-17448: Unprivileged access to netlink namespace creation.

net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4
does not require the CAP_NET_ADMIN capability for new, get, and del
operations, which allows local users to bypass intended access
restrictions because the nfnl_cthelper_list data structure is shared
across all net namespaces.

Orabug: 27260771


* NULL pointer dereference when rebuilding caches in Reliable Datagram Sockets protocol.

A logic error when rebuilding caches in the Reliable Datagram Sockets
protocol could lead to a NULL pointer dereference. A local
attacker could use this flaw to cause a denial-of-service.

Orabug: 27924161


* CVE-2017-17741: Denial-of-service in kvm_mmio tracepoint.

An out-of-bounds access in the kvm_mmio tracepoint could result in a
kernel crash. A malicious guest could use this flaw to crash the
virtualization host.

Orabug: 27290606


* Denial-of-service of KVM L1 nested hypervisor when exiting L2 guest.

A logic error when setting back the CR4 register in a KVM L1 nested
hypervisor when exiting an L2 guest could lead to a kernel panic. A local
attacker could use this flaw to cause a denial-of-service.

Orabug: 27720128


* Improved CPU feature detection on microcode updates.

Because of incorrect handling, new CPU features introduced with a
microcode update could fail to be detected by the system or propagated
to guest VMs.

Orabug: 27878230

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.