El-errata: New Ksplice updates for Oracle Enhanced RHCK 7 (ELBA-2020-5437-1)
Synopsis: ELBA-2020-5437-1 can now be patched using Ksplice
CVEs: CVE-2019-18282 CVE-2020-10769 CVE-2020-14314 CVE-2020-14385 CVE-2020-24394 CVE-2020-25212 CVE-2020-25643
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Bug Fix Advisory, ELBA-2020-5437-1.
More information about this errata can be found at
https://linux.oracle.com/errata/ELBA-2020-5437-1.html
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running Oracle Enhanced
RHCK 7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2020-25212: Out-of-bounds writes in RPC operations of Network File System.
Out-of-bounds writes in RPC operations of Network File System
could cause a system crash. This flaw could allow a local user
to crash the system and cause a denial-of-service or potentially
escalating their privileges on the system.
Orabug: 31872895
* Note: Oracle is still investigating potential zero-downtime mitigations for CVE-2019-18282.
Fixes for this CVE are still undergoing analysis and testing.
A zero-downtime update may be provided at a later date.
* CVE-2020-14385: Denial of service in XFS filesystem.
A flaw in XFS filesystem could cause an inode with a valid extended
attribute to be wrongly flagged as corrupted leading to the XFS
filesystem shutdown. A local, unprivileged user could use this flaw for
a denial-of-service.
Orabug: 31895365
* CVE-2020-25643: Memory corruption in WAN HDLC-PPP due to missing error checking.
A missing error handling code in WAN HDLC-PPP implementation could lead
to a memory corruption. A local user could use this flaw to cause
a denial-of-service or an arbitrary code execution.
* CVE-2020-14314: Denial-of-service in ext4 file system due to a broken indexing.
A memory out-of-bounds reads could happen in ext4 file system due to
a broken indexing. This flaw could allow a local user to crash the
system and cause a denial-of-service.
Orabug: 31895332
* CVE-2020-10769: Out-of-bounds memory access in authenticated encryption key parsing.
A logic error when reading unaligned keys for authenticated encryption can lead
to an integer underflow and result in a out-of-bounds memory access, leading to
a kernel crash. A local user could use this flaw to cause a denial-of-service.
* CVE-2020-24394: Information leak when exporting a filesystem over NFS.
A logic error when exporting a filesystem without ACL support over NFS
could lead to wrong permissions being used for newly created files. An
attacker could use this flaw to leak information stored in this
filesystem.
* Add ftrace safety guard for existing Ksplice updates.
Ftrace is generally incompatible with Ksplice's patching process; it must
be disabled when patches are applied. Prevent crashes in patching due to
functions under active ftrace while patching.
* Clean up ftrace safety guard for existing Ksplice updates.
Ftrace is generally incompatible with Ksplice's patching process; it must
be disabled when patches are applied. Prevent crashes in patching due to
functions under active ftrace while patching.
SUPPORT
Ksplice support is available at ksplice-support_ww@oracle.com.
New Ksplice updates for Oracle Enhanced RHCK 7 has been released.
