Oracle Linux 6148 Published by

The following updates has been released for Oracle Linux 7:

ELBA-2018-3635 Oracle Linux 7 cronie bug fix and enhancement update (aarch64)
ELBA-2018-4286 Oracle Linux 7 libvirt bug fix update (aarch64)
ELBA-2018-4287 Oracle Linux 7 virt-manager bug fix update (aarch64)
ELSA-2018-4285 Important: Oracle Linux 7 qemu security update (aarch64)
New Ksplice updates for Oracle Enhanced RHCK 7 (ELSA-2018:3083)
New Ksplice updates for RHCK 7 (RHSA-2018:3083)



ELBA-2018-3635 Oracle Linux 7 cronie bug fix and enhancement update (aarch64)

Oracle Linux Bug Fix Advisory ELBA-2018-3635

http://linux.oracle.com/errata/ELBA-2018-3635.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

aarch64:
cronie-1.4.11-20.el7_6.aarch64.rpm
cronie-anacron-1.4.11-20.el7_6.aarch64.rpm
cronie-noanacron-1.4.11-20.el7_6.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/cronie-1.4.11-20.el7_6.src.rpm



Description of changes:

[1.4.11-20]
- Fix race condition when crontab is modified the same second
before and after reading the crontab
- Resolves: rhbz#1638691

ELBA-2018-4286 Oracle Linux 7 libvirt bug fix update (aarch64)

Oracle Linux Bug Fix Advisory ELBA-2018-4286

http://linux.oracle.com/errata/ELBA-2018-4286.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

aarch64:
libvirt-4.7.0-2.el7.aarch64.rpm
libvirt-bash-completion-4.7.0-2.el7.aarch64.rpm
libvirt-client-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-config-network-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-config-nwfilter-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-interface-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-lxc-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-network-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-nodedev-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-nwfilter-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-qemu-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-secret-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-storage-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-storage-core-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-storage-disk-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-storage-gluster-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-storage-iscsi-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-storage-logical-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-storage-mpath-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-storage-rbd-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-driver-storage-scsi-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-kvm-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-qemu-4.7.0-2.el7.aarch64.rpm
libvirt-devel-4.7.0-2.el7.aarch64.rpm
libvirt-docs-4.7.0-2.el7.aarch64.rpm
libvirt-libs-4.7.0-2.el7.aarch64.rpm
libvirt-admin-4.7.0-2.el7.aarch64.rpm
libvirt-daemon-lxc-4.7.0-2.el7.aarch64.rpm
libvirt-lock-sanlock-4.7.0-2.el7.aarch64.rpm
libvirt-login-shell-4.7.0-2.el7.aarch64.rpm
libvirt-nss-4.7.0-2.el7.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/libvirt-4.7.0-2.el7.src.rpm



Description of changes:

[4.7.0-2.el7]
- BUILDINFO: commit=e5b1a9fd903207e44ce6064240df0ef408d83862
- qemu: xml2argv, argv2xml fixes for mem-lock and cpu-pm targetted
guests (Wim ten Have) - qemu: parse and apply domain mem-lock and cpu-pm
if such applies (Wim ten Have) - domain: add hypervisor features
mem-lock and cpu-pm support for kvm (Wim ten Have) - qemu: xml2argv,
argv2xml fixes for kvm-hint-dedicated targetted guests (Wim ten Have) -
qemu: parse and apply domain kvm-hint-dedicated if such applies (Wim ten
Have) - domain: add hypervisor feature kvm-hint-dedicated support for
kvm (Wim ten Have)

[4.7.0-1]
- BUILDINFO: commit=a10b340b5eccf999f977bb5c29ec0498ee633663
- Revert "Add daemon 'config' hook"

ELBA-2018-4287 Oracle Linux 7 virt-manager bug fix update (aarch64)

Oracle Linux Bug Fix Advisory ELBA-2018-4287

http://linux.oracle.com/errata/ELBA-2018-4287.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

aarch64:
virt-install-1.5.0-3.el7.noarch.rpm
virt-manager-1.5.0-3.el7.noarch.rpm
virt-manager-common-1.5.0-3.el7.noarch.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/virt-manager-1.5.0-3.el7.src.rpm



Description of changes:

[1.5.0-3.el7]
- BUILDINFO: commit=f56741560d32633d2421b7ccd227e2f718e5bfe3
- virtinst: add KVM features kvm_cpu_pm, kv_mem_lock, and
kvm_hint_dedicated (Menno Lageman) - virtinst: add --exadata option
(Menno Lageman) - virtinst: add --vnuma autopartition option (Menno Lageman)

[1.5.0-2.el7]
- BUILDINFO: commit=3178e25b189b86defb1cb34d5ce21bb464131bd7
- virt-manager: buildrpm changes for OL7u4 build v1.5.0

ELSA-2018-4285 Important: Oracle Linux 7 qemu security update (aarch64)

Oracle Linux Security Advisory ELSA-2018-4285

http://linux.oracle.com/errata/ELSA-2018-4285.html

The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:

aarch64:
ivshmem-tools-3.0.0-1.el7.aarch64.rpm
qemu-3.0.0-1.el7.aarch64.rpm
qemu-block-gluster-3.0.0-1.el7.aarch64.rpm
qemu-block-iscsi-3.0.0-1.el7.aarch64.rpm
qemu-block-rbd-3.0.0-1.el7.aarch64.rpm
qemu-common-3.0.0-1.el7.aarch64.rpm
qemu-img-3.0.0-1.el7.aarch64.rpm
qemu-kvm-3.0.0-1.el7.aarch64.rpm
qemu-kvm-core-3.0.0-1.el7.aarch64.rpm
qemu-system-aarch64-3.0.0-1.el7.aarch64.rpm
qemu-system-aarch64-core-3.0.0-1.el7.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/qemu-3.0.0-1.el7.src.rpm



Description of changes:

[15:3.0.0-1.el7]
- net: ignore packet size greater than INT_MAX (Jason Wang) [Orabug:
28763782] {CVE-2018-17963}
- pcnet: fix possible buffer overflow (Jason Wang) [Orabug: 28763774]
{CVE-2018-17962}
- rtl8139: fix possible out of bound access (Jason Wang) [Orabug:
28763765] {CVE-2018-17958}
- ne2000: fix possible out of bound access in ne2000_receive (Jason
Wang) [Orabug: 28763758] {CVE-2018-10839}
- seccomp: set the seccomp filter to all threads (Marc-André Lureau)
[Orabug: 28763748] {CVE-2018-15746}
- virtio_net: Introduce VIRTIO_NET_F_STANDBY feature bit to virtio_net
(Sridhar Samudrala) [Orabug: 28763724]
- kvm: add call to qemu_add_opts() for -overcommit option (Prasad
Singamsetty) - Document various CVEs as fixed (Mark Kanda) [Orabug:
28763710] {CVE-2017-10806} {CVE-2017-11334} {CVE-2017-12809}
{CVE-2017-13672} {CVE-2017-13673} {CVE-2017-13711} {CVE-2017-14167}
{CVE-2017-15038} {CVE-2017-15119} {CVE-2017-15124} {CVE-2017-15268}
{CVE-2017-15289} {CVE-2017-16845} {CVE-2017-17381} {CVE-2017-18030}
{CVE-2017-18043} {CVE-2017-2630} {CVE-2017-2633} {CVE-2017-5715}
{CVE-2017-5753} {CVE-2017-5754} {CVE-2017-7471} {CVE-2017-7493}
{CVE-2017-8112} {CVE-2017-8309} {CVE-2017-8379} {CVE-2017-8380}
{CVE-2017-9503} {CVE-2018-11806} {CVE-2018-12617} {CVE-2018-3639}
{CVE-2018-5683} {CVE-2018-7550} {CVE-2018-7858}
- qemu.spec: Initial qemu.spec (Mark Kanda) - virtio-pci: Set subsystem
vendor ID to Oracle (Mark Kanda) - qemu_regdump.py: Initial
qemu_regdump.py (Mark Kanda) - qmp-regdump: Initial qmp-regdump (Mark
Kanda) - bridge.conf: Initial bridge.conf (Mark Kanda) - kvm.conf:
Initial kvm.conf (Mark Kanda) - 80-kvm.rules: Initial 80-kvm.rules (Mark
Kanda) - Update version for v3.0.0 release (Peter Maydell) - Update
version for v3.0.0-rc4 release (Peter Maydell) - virtio-gpu: fix crashes
upon warm reboot with vga mode (Marc-André Lureau) - slirp: Correct size
check in m_inc() (Peter Maydell) - target/xtensa/cpu: Set owner of
memory region in xtensa_cpu_initfn (Thomas Huth) -
hw/intc/arm_gicv3_common: Move gicd shift bug handling to
gicv3_post_load (Peter Maydell) - hw/intc/arm_gicv3_common: Move
post_load hooks to top-level VMSD (Peter Maydell) - target/arm: Add
dummy needed functions to M profile vmstate subsections (Peter Maydell)
- hw/intc/arm_gicv3_common: Combine duplicate .subsections in
vmstate_gicv3_cpu (Peter Maydell) - hw/intc/arm_gicv3_common: Give
no-migration-shift-bug subsection a needed function (Peter Maydell) -
tcg/optimize: Do not skip default processing of dup_vec (Richard
Henderson) - tests/acpi: update tables after memory hotplug changes
(Michael S. Tsirkin) - pc: acpi: fix memory hotplug regression by
reducing stub SRAT entry size (Igor Mammedov) - tests/acpi-test: update
ACPI tables test blobs (Dou Liyang) - hw/acpi-build: Add a check for
memory-less NUMA nodes (Dou Liyang) - vhost: check region type before
casting (Tiwei Bie) - sam460ex: Fix PCI interrupts with multiple devices
(BALATON Zoltan) - hw/misc/macio: Fix device introspection problems in
macio devices (Thomas Huth) - Update version for v3.0.0-rc3 release
(Peter Maydell) - monitor: temporary fix for dead-lock on event
recursion (Marc-André Lureau) - linux-user: ppc64: don't use volatile
register during safe_syscall (Shivaprasad G Bhat) - tests: add
check_invalid_maps to test-mmap (Alex Bennée) - linux-user/mmap.c:
handle invalid len maps correctly (Alex Bennée) - s390x/sclp: fix maxram
calculation (Christian Borntraeger) - target/arm: Remove duplicate
'host' entry in '-cpu ?' output (Philippe Mathieu-Daudé) -
hw/misc/tz-mpc: Zero the LUT on initialization, not just reset (Peter
Maydell) - hw/arm/iotkit: Fix IRQ number for timer1 (Peter Maydell) -
armv7m_nvic: Fix m-security subsection name (Peter Maydell) -
hw/arm/sysbus-fdt: Fix assertion in copy_properties_from_host() (Geert
Uytterhoeven) - arm/smmuv3: Fix missing VMSD terminator (Dr. David Alan
Gilbert) - qemu-iotests: Test query-blockstats with -drive and -blockdev
(Kevin Wolf) - block/qapi: Include anonymous BBs in query-blockstats
(Kevin Wolf) - block/qapi: Add 'qdev' field to query-blockstats result
(Kevin Wolf) - file-posix: Fix write_zeroes with unmap on block devices
(Kevin Wolf) - block: Fix documentation for BDRV_REQ_MAY_UNMAP (Kevin
Wolf) - iotests: Add test for 'qemu-img convert -C' compatibility (Fam
Zheng) - qemu-img: Add -C option for convert with copy offloading (Fam
Zheng) - Revert "qemu-img: Document copy offloading implications with -S
and -c" (Fam Zheng) - iotests: Don't lock /dev/null in 226 (Fam Zheng) -
docs: Describe using images in writing iotests (Fam Zheng) - file-posix:
Handle EINTR in preallocation=full write (Fam Zheng) - qcow2: A grammar
fix in conflicting cache sizing error message (Leonid Bloch) - qcow: fix
a reference leak (KONRAD Frederic) - backends/cryptodev: remove dead
code (Jay Zhou) - timer: remove replay clock probe in deadline
calculation (Pavel Dovgalyuk) - i386: implement MSR_SMI_COUNT for TCG
(Paolo Bonzini) - i386: do not migrate MSR_SMI_COUNT on machine types
reset() vs event race (Stefan Hajnoczi) -
qdev: add HotplugHandler->post_plug() callback (Stefan Hajnoczi) -
hw/char/serial: retry write if EAGAIN (Marc-André Lureau) - PC Chipset:
Improve serial divisor calculation (Calvin Lee) - vhost-user-test: added
proper TestServer *dest initialization in test_migrate() (Emanuele
Giuseppe Esposito) - hyperv: ensure VP index equal to QEMU cpu_index
(Roman Kagan) - hyperv: rename vcpu_id to vp_index (Roman Kagan) -
accel: Fix typo and grammar in comment (Stefan Weil) - dump: add
kernel_gs_base to QEMU CPU state (Viktor Prutyanov) - monitor: Fix
tracepoint crash on JSON syntax error (Markus Armbruster) - MAINTAINERS:
New section "Incompatible changes", copy libvir-list (Markus Armbruster)
- qemu-doc: Move appendix "Deprecated features" to its own file (Markus
Armbruster) - cli qmp: Mark --preconfig, exit-preconfig experimental
(Markus Armbruster) - qapi: Do not expose "allow-preconfig" in
query-qmp-schema (Markus Armbruster) - sm501: Fix warning about
unreachable code (BALATON Zoltan) - sam460ex: Correct use after free
error (BALATON Zoltan) - etsec: fix IRQ (un)masking (Michael Davidsaver)
- ppc/xics: fix ICP reset path (Greg Kurz) - spapr: Correct inverted
test in spapr_pc_dimm_node() (David Gibson) - sm501: Update screen on
frame buffer address change (BALATON Zoltan) - Zero out the host's
`msg_control` buffer (Jonas Schievink) - linux-user: fix
mmap_find_vma_reserved() (Laurent Vivier) - linux-user: convert
remaining fcntl() to safe_fcntl() (Laurent Vivier) - linux-user: ppc64:
use the correct values for F_*LK64s (Shivaprasad G Bhat) - docs: Grammar
and spelling fixes (Ville Skyttä) - qemu-img: align result of
is_allocated_sectors (Peter Lieven) - scsi-disk: Block Device
Characteristics emulation fix (Daniel Henrique Barboza) - iotests: add
test 226 for file driver types (John Snow) - file-posix: specify
expected filetypes (John Snow) - iotests: nbd: Stop qemu-nbd before
remaking image (Fam Zheng) - iotests: 153: Fix dead code (Fam Zheng) -
ui/cocoa.m: replace scrollingDeltaY with deltaY (John Arbuckle) -
seccomp: allow sched_setscheduler() with SCHED_IDLE policy (Marc-André
Lureau) - vfio/pci: do not set the PCIDevice 'has_rom' attribute (Cédric
Le Goater) - monitor: fix double-free of request error (Marc-André
Lureau) - error: Remove NULL checks on error_propagate() calls (Philippe
Mathieu-Daudé) - s390x/storage attributes: fix CMMA_BLOCK_SIZE usage
(Claudio Imbrenda)

[12:2.11.1-2.el7]
- hw/acpi-build: build SRAT memory affinity structures for DIMM devices
(Haozhong Zhang) [Orabug: 27509753]
- qmp: distinguish PC-DIMM and NVDIMM in MemoryDeviceInfoList (Haozhong
Zhang) [Orabug: 27509753]
- pc-dimm: make qmp_pc_dimm_device_list() sort devices by address
(Haozhong Zhang) [Orabug: 27509753]
- nvdimm: add a macro for property "label-size" (Haozhong Zhang)
[Orabug: 27509753]
- nvdimm: add 'unarmed' option (Haozhong Zhang) [Orabug: 27509753]
- block: Fix NULL dereference on empty drive error (Kevin Wolf)
[Orabug: 27832106]
- Revert "IDE: Do not flush empty CDROM drives" (Stefan Hajnoczi)
[Orabug: 27832106]
- block: test blk_aio_flush() with blk->root == NULL (Kevin Wolf)
[Orabug: 27832106]
- block: add BlockBackend->in_flight counter (Stefan Hajnoczi) [Orabug:
27832106]
- block: extract AIO_WAIT_WHILE() from BlockDriverState (Stefan
Hajnoczi) [Orabug: 27832106]
- aio: rename aio_context_in_iothread() to in_aio_context_home_thread()
(Stefan Hajnoczi) [Orabug: 27832106]
- qemu.spec: Add dependency for libiscsi 1.9.0-8 (Mark Kanda) [Orabug:
27832300]
- multiboot.c: Document as fixed against CVE-2018-7550 (Jack Schwartz)
[Orabug: 27832332] {CVE-2018-7550}
- CVE-2017-18030: cirrus_invalidate_region() lets priv guest user cause
DoS (Mark Kanda) [Orabug: 27832319] {CVE-2017-18030}
- vga: fix region calculation (Gerd Hoffmann) [Orabug: 27832309]
{CVE-2018-7858}
- keymap: use glib hash for kbd_layout_t (Gerd Hoffmann) [Orabug: 27663795]
- qemu.spec: Enable coroutine pool and vhost-vsock (Karl Heubaum)
[Orabug: 27832337]

[12:2.11.1-1.el7]
- BUILDINFO: commit=9fc0f70c83d6de5667c45cd1e420a080e75c7d04
- Update qemu.spec version for 2.11.1

New Ksplice updates for Oracle Enhanced RHCK 7 (ELSA-2018:3083)

Synopsis: ELSA-2018:3083 can now be patched using Ksplice CVEs:
CVE-2015-8830 CVE-2016-4913 CVE-2017-0861 CVE-2017-10661 CVE-2017-17805
CVE-2017-18208 CVE-2017-18344 CVE-2018-1000026 CVE-2018-10322
CVE-2018-10878 CVE-2018-10879 CVE-2018-10881 CVE-2018-10883 CVE-2018-10902
CVE-2018-1092 CVE-2018-1094 CVE-2018-10940 CVE-2018-1118 CVE-2018-1120
CVE-2018-1130 CVE-2018-13405 CVE-2018-5344 CVE-2018-5803 CVE-2018-5848
CVE-2018-7740 CVE-2018-7757 CVE-2018-8781

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2018:3083.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running Oracle Enhanced
RHCK 7 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION


* CVE-2015-8830: Kernel crash in Asynchronous IO subsystem with large IO vector sizes.

Improper bounds checking on the transfer size of individual asynchronous
requests can lead to a kernel crash.


* CVE-2016-4913: Information leak in ISO9660 filename parsing.

Incorrect handling of NUL termination bytes could result in reading
excessive data from a kernel buffer into user-space. A local user with
permissions to mount a maliciously crafted filesystem could use this
flaw to leak the contents of sensitive memory.


* CVE-2017-0861: Use-after-free in ALSA sound subsystem.

A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.


* CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.

Missing serialization when canceling timer file descriptors could cause
the cancels to race, causing a data race or use-after-free, potentially
resulting in a kernel crash and denial-of-service.


* CVE-2017-17805: Denial-of-service in SALSA20 block cipher.

Incorrect handling of zero length buffers could result in an invalid
pointer dereference and kernel crash. A local, unprivileged user could
use this flaw to crash the system, or potentially, escalate privileges.


* CVE-2017-18208: Denial-of-service when using madvise system call.

A logic error when using madvise system call with WILLNEED option on a
Direct Access filesystem could lead to a deadlock. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2017-18344: Information disclosure in POSIX timers.

Incorrect validation of POSIX timers could allow a local, unprivileged
user to leak the contents of arbitrary memory through /proc/$PID/timers.


* CVE-2018-1092: NULL pointer dereference when using unallocated root directory on ext4 filesystem.

A missing check when using unallocated root directory on ext4 filesystem
could lead to a NULL pointer dereference. A local attacker could mount a
crafted ext4 filesystem and cause a denial-of-service.


* CVE-2018-1094: NULL pointer dereference when filling extended attributes on ext4 filesystem.

A missing initialization of crypto driver used to fill extended
attributes on ext4 filesystem could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2018-1118: Information leak when creating a new message in vhost driver.

A missing initialization of a variable passed to user space when
creating a new message in vhost driver could lead to an information
leak. A local attacker could use this flaw to get information about
running kernel and facilitate an attack.


* CVE-2018-1120: Denial-of-service when mmapping specifc part of process memory on a slow filesystem.

A missing check when an user mmap() specific part of process memory on a
slow filesystem could lead to delay in accessing those specific part
from kernel side. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-1130: Denial-of-service in DCCP message send.

A logic error in the dccp code could lead to a NULL pointer dereference
when transmitting messages, leading to a kernel panic. An attacker could
use this to cause a denial-of-service.


* CVE-2018-5344: Use-after-free when opening a loopback device.

A race condition between opening and releasing a loopback device could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2018-5803: Denial-of-service when receiving forged packet over SCTP socket.

A missing check when receiving a forged packet with custom properties
over SCTP socket could lead to a kernel assert. A remote attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-5848: Privilege escalation in the Wilocity Atheros driver.

Improper length validation could lead to integer overdlow and undefined
behaviour. A local user could use this flaw to cause a memory corruption
and potentially escalate privileges.


* CVE-2018-7740: Denial-of-service when using remap_file_pages() system call.

A logic error in HugeTLB file system when using remap_file_pages()
system call could lead to a kernel assert. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2018-7757: Memory leak when reading invalid_dword_count attribute of SAS Domain Transport driver.

A missing free when reading invalid_dword_count attribute of SAS Domain
Transport driver could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* CVE-2018-8781: Integer overflow when mapping memory in USB Display Link video driver.

A missing check on user input when mapping memory in USB Display Link
video driver could lead to an integer overflow. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-10878: Out-of-bounds access when initializing ext4 block bitmap.

A logic error when initializing ext4 block bitmap could lead to an
out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 image to cause a denial-of-service.


* CVE-2018-10879: Use-after-free when setting extended attribute entry on ext4 filesystem.

A logic error when setting extended attribute entry on ext4 filesystem
could lead to a use-after-free. A local attacker could use this flaw
with a crafted ext4 filesystem to cause a denial-of-service.


* CVE-2018-10881: Data corruption when using indirect blocks with ext4 filesystem.

A missing data zeroing when using indirect blocks with ext4 filesystem
could lead to data corruption or a kernel assert. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-10883: Out-of-bounds access in ext4 block journal handling.

A logic error in ext4 block journal handling could lead to an
out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 filesystem to cause a denial-of-service.


* CVE-2018-10902: Denial-of-service in ALSA rawmidi ioctl.

Race conditions in the SNDRV_RAWMIDI_IOCTL_PARAMS ioctl code could result
in memory corruption. This could be exploited to cause a denial-of-service.


* CVE-2018-10940: Information leak in CD-ROM status ioctl.

An incorrect bounds check in the CD-ROM driver could allow an
out-of-bounds access and kernel information leak to an unprivileged
user.


* CVE-2018-13405: Permissions bypass when creating file in SGID directory.

Creating an executable file in an SGID directory can result in the file
having the group ownership of the directory. This can be exploited to
elevate privileges if the file is created in a directory owned by a
privileged group.


* CVE-2018-1000026: Denial-of-service when receiving invalid packet on bnx2x network card.

A missing input validation when receiving invalid packet on bnx2x
network card could lead to network outage. A remote attacker could use
this flaw to cause a denial-of-service.


* CVE-2018-10322: NULL pointer dereference when mounting crafted XFS image.

Untrusted input from an XFS image was not validated properly before being
used, lead to an invalid pointer dereference. A local, privileged user
with the ability to mount XFS images could use this flaw to cause a
denial-of-service.


SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.



New Ksplice updates for RHCK 7 (RHSA-2018:3083)

Synopsis: RHSA-2018:3083 can now be patched using Ksplice CVEs:
CVE-2015-8830 CVE-2016-4913 CVE-2017-0861 CVE-2017-10661 CVE-2017-17805
CVE-2017-18208 CVE-2017-18344 CVE-2018-1000026 CVE-2018-10322
CVE-2018-10878 CVE-2018-10879 CVE-2018-10881 CVE-2018-10883 CVE-2018-10902
CVE-2018-1092 CVE-2018-1094 CVE-2018-10940 CVE-2018-1118 CVE-2018-1120
CVE-2018-1130 CVE-2018-13405 CVE-2018-5344 CVE-2018-5803 CVE-2018-5848
CVE-2018-7740 CVE-2018-7757 CVE-2018-8781

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle kernel update, RHSA-2018:3083.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running RHCK 7 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y


DESCRIPTION

* CVE-2015-8830: Kernel crash in Asynchronous IO subsystem with large IO vector sizes.

Improper bounds checking on the transfer size of individual asynchronous
requests can lead to a kernel crash.


* CVE-2016-4913: Information leak in ISO9660 filename parsing.

Incorrect handling of NUL termination bytes could result in reading
excessive data from a kernel buffer into user-space. A local user with
permissions to mount a maliciously crafted filesystem could use this
flaw to leak the contents of sensitive memory.


* CVE-2017-0861: Use-after-free in ALSA sound subsystem.

A race condition when closing an ALSA device descriptor could cause a
use-after-free, potentially allowing an attacker to write to protected
memory and cause a privilege escalation.


* CVE-2017-10661: Data race when canceling timer file descriptors causes denial-of-service.

Missing serialization when canceling timer file descriptors could cause
the cancels to race, causing a data race or use-after-free, potentially
resulting in a kernel crash and denial-of-service.


* CVE-2017-17805: Denial-of-service in SALSA20 block cipher.

Incorrect handling of zero length buffers could result in an invalid
pointer dereference and kernel crash. A local, unprivileged user could
use this flaw to crash the system, or potentially, escalate privileges.


* CVE-2017-18208: Denial-of-service when using madvise system call.

A logic error when using madvise system call with WILLNEED option on a
Direct Access filesystem could lead to a deadlock. A local attacker
could use this flaw to cause a denial-of-service.


* CVE-2017-18344: Information disclosure in POSIX timers.

Incorrect validation of POSIX timers could allow a local, unprivileged
user to leak the contents of arbitrary memory through /proc/$PID/timers.


* CVE-2018-1092: NULL pointer dereference when using unallocated root directory on ext4 filesystem.

A missing check when using unallocated root directory on ext4 filesystem
could lead to a NULL pointer dereference. A local attacker could mount a
crafted ext4 filesystem and cause a denial-of-service.


* CVE-2018-1094: NULL pointer dereference when filling extended attributes on ext4 filesystem.

A missing initialization of crypto driver used to fill extended
attributes on ext4 filesystem could lead to a NULL pointer dereference.
A local attacker could use this flaw to cause a denial-of-service.


* CVE-2018-1118: Information leak when creating a new message in vhost driver.

A missing initialization of a variable passed to user space when
creating a new message in vhost driver could lead to an information
leak. A local attacker could use this flaw to get information about
running kernel and facilitate an attack.


* CVE-2018-1120: Denial-of-service when mmapping specifc part of process memory on a slow filesystem.

A missing check when an user mmap() specific part of process memory on a
slow filesystem could lead to delay in accessing those specific part
from kernel side. A local attacker could use this flaw to cause a
denial-of-service.


* CVE-2018-1130: Denial-of-service in DCCP message send.

A logic error in the dccp code could lead to a NULL pointer dereference
when transmitting messages, leading to a kernel panic. An attacker could
use this to cause a denial-of-service.


* CVE-2018-5344: Use-after-free when opening a loopback device.

A race condition between opening and releasing a loopback device could
lead to a use-after-free. A local attacker could use this flaw to cause
a denial-of-service.


* CVE-2018-5803: Denial-of-service when receiving forged packet over SCTP socket.

A missing check when receiving a forged packet with custom properties
over SCTP socket could lead to a kernel assert. A remote attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-5848: Privilege escalation in the Wilocity Atheros driver.

Improper length validation could lead to integer overdlow and undefined
behaviour. A local user could use this flaw to cause a memory corruption
and potentially escalate privileges.


* CVE-2018-7740: Denial-of-service when using remap_file_pages() system call.

A logic error in HugeTLB file system when using remap_file_pages()
system call could lead to a kernel assert. A local attacker could use
this flaw to cause a denial-of-service.


* CVE-2018-7757: Memory leak when reading invalid_dword_count attribute of SAS Domain Transport driver.

A missing free when reading invalid_dword_count attribute of SAS Domain
Transport driver could lead to a memory leak. A local attacker could use
this flaw to exhaust kernel memory and cause a denial-of-service.


* CVE-2018-8781: Integer overflow when mapping memory in USB Display Link video driver.

A missing check on user input when mapping memory in USB Display Link
video driver could lead to an integer overflow. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-10878: Out-of-bounds access when initializing ext4 block bitmap.

A logic error when initializing ext4 block bitmap could lead to an
out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 image to cause a denial-of-service.


* CVE-2018-10879: Use-after-free when setting extended attribute entry on ext4 filesystem.

A logic error when setting extended attribute entry on ext4 filesystem
could lead to a use-after-free. A local attacker could use this flaw
with a crafted ext4 filesystem to cause a denial-of-service.


* CVE-2018-10881: Data corruption when using indirect blocks with ext4 filesystem.

A missing data zeroing when using indirect blocks with ext4 filesystem
could lead to data corruption or a kernel assert. A local attacker could
use this flaw to cause a denial-of-service.


* CVE-2018-10883: Out-of-bounds access in ext4 block journal handling.

A logic error in ext4 block journal handling could lead to an
out-of-bounds access. A local attacker could use this flaw with a
crafted ext4 filesystem to cause a denial-of-service.


* CVE-2018-10902: Denial-of-service in ALSA rawmidi ioctl.

Race conditions in the SNDRV_RAWMIDI_IOCTL_PARAMS ioctl code could result
in memory corruption. This could be exploited to cause a denial-of-service.


* CVE-2018-10940: Information leak in CD-ROM status ioctl.

An incorrect bounds check in the CD-ROM driver could allow an
out-of-bounds access and kernel information leak to an unprivileged
user.


* CVE-2018-13405: Permissions bypass when creating file in SGID directory.

Creating an executable file in an SGID directory can result in the file
having the group ownership of the directory. This can be exploited to
elevate privileges if the file is created in a directory owned by a
privileged group.


* CVE-2018-1000026: Denial-of-service when receiving invalid packet on bnx2x network card.

A missing input validation when receiving invalid packet on bnx2x
network card could lead to network outage. A remote attacker could use
this flaw to cause a denial-of-service.


* CVE-2018-10322: NULL pointer dereference when mounting crafted XFS image.

Untrusted input from an XFS image was not validated properly before being
used, lead to an invalid pointer dereference. A local, privileged user
with the ability to mount XFS images could use this flaw to cause a
denial-of-service.


SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.