Oracle Linux 6277 Published by

New Ksplice updates for UEKR5 4.14.35 on Oracle Linux 7 has been released.



El-errata: New Ksplice updates for UEKR5 4.14.35 on OL7 (ELSA-2021-9460)


Synopsis: ELSA-2021-9460 can now be patched using Ksplice
CVEs: CVE-2021-3564 CVE-2021-3573 CVE-2021-3655 CVE-2021-3679 CVE-2021-38160 CVE-2021-40490

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2021-9460.
More information about this errata can be found at
  https://linux.oracle.com/errata/ELSA-2021-9460.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR5 4.14.35
on OL7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2021-3679: Denial-of-service in kernel tracing subsystem.

A logic error when constructing certain calls to the kernel tracing
subsystem may lead to a deadloop. This may allow a privileged local
user to cause a denial-of-service.

Orabug: 33369954

* CVE-2021-40490: Race condition in ext4 subsystem.

A logic error in the ext4 subsystem may lead to a race condition. This
may allow a local attacker to undermine system integrity and possibly
execute arbitrary code.

Orabug: 33369956

* CVE-2021-3564: Denial-of-service in bluetooth subsystem.

An ordering issue whilst handling data flushes may lead to a
double-free. This could allow a local attacker to cause a
denial-of-service.

Orabug: 33369947

* CVE-2021-3573: Use-after-free in bluetooth subsystem.

A logic error in the handling of HCI ioctls, may lead to a double
free. A local privileged user could use this flaw to cause a
denial-of-service, or possible elevate privileges.

Orabug: 33369947

* CVE-2021-38160: Buffer overflow in virtual console.

A logic error in virtual console subsystem may lead to a buffer
overflow. This may allow an untrusted device to corrupt data.

Orabug: 33369953

* CVE-2021-3655: Information disclosure in SCTP Network subsystem.

Missing input validations in the SCTP networking subsystem may lead to
reading of uninitialized data. This may allow an attacker on the local
area network to cause an information disclosure.

Orabug: 33369952

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.