El-errata: New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2022-9969)
Synopsis: ELSA-2022-9969 can now be patched using Ksplice
CVEs: CVE-2015-1350 CVE-2017-13166 CVE-2020-10690 CVE-2020-12654 CVE-2020-12655 CVE-2021-42739 CVE-2022-3239 CVE-2022-36946
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2022-9969.
More information about this errata can be found at
https://linux.oracle.com/errata/ELSA-2022-9969.html
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
DESCRIPTION
* CVE-2022-36946: Denial-of-service in netfilter packet handling.
A missing check in netfilter packet handling could lead to an assert.
A remote attacker could use this flaw to cause a denial-of-service.
Orabug: 34475433
* CVE-2020-12655: Denial-of-service when syncing data on XFS filesystem.
On logic error when syncing data on a specially crafted XFS filesystem
could let an attacker cause a denial-of-service.
Orabug: 31350923
* CVE-2020-12654: Denial-of-service when querying WMM status in mwifiex driver.
If an AP sends a malicious query to the station for WMM status, a buffer
overflow could occur. If an attacker can compromise the AP, this bug
could be triggered to cause a denial-of-service.
Orabug: 31350517
* CVE-2021-42739: Buffer overflow in FireDTV firewire DVB receiver driver.
The FireDTV firewire DVB receiver driver contains a buffer overflow when
processing a Program Map Table entry. A malicious device might exploit
this to overwrite memory and cause a denial-of-service.
Orabug: 33488041
* CVE-2015-1350: Denial-of-service in VFS subsystem.
An incomplete set of requirements for setattr operations in VFS
subsystem could result in a denial of elevated permissions from valid
users, services, or applications. A local, non-privileged user could
use this flaw to cause a denial-of-service.
Orabug: 20429825
* CVE-2017-13166: Privilege escalation when using V4L2 ioctls.
Logic errors in multiple V4L2 ioctls could lead to arbitrary execution
of user space defined addresses. A local attacker could use this flaw to escalate
privileges.
Orabug: 28036613
* CVE-2022-3239: Use-after-free when probing Empia 28xx based TV cards.
Lack of intialization of a reference counter before using leads to a
use-after-free. A local user with the ability to plug such cards on the
host physical machine could use this flaw to potentially escalate their
privileges.
Orabug: 34619522
* Note: Oracle will not provide zero-downtime update for CVE-2020-10690.
The vulnerability requires module loading/unloading privileges to cause a
use-after-free.
Orabug: 31350707
SUPPORT
Ksplice support is available at ksplice-support_ww@oracle.com.
_______________________________________________
New Ksplice updates for UEKR4 4.1.12 on Oracle Linux 6 and 7 has been released.
