El-errata: New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2022-9969)
Synopsis: ELSA-2022-9969 can now be patched using Ksplice
CVEs: CVE-2015-1350 CVE-2017-13166 CVE-2020-10690 CVE-2020-12654 CVE-2020-12655 CVE-2021-42739 CVE-2022-3239 CVE-2022-36946
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2022-9969.
More information about this errata can be found at
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
* CVE-2022-36946: Denial-of-service in netfilter packet handling.
A missing check in netfilter packet handling could lead to an assert.
A remote attacker could use this flaw to cause a denial-of-service.
* CVE-2020-12655: Denial-of-service when syncing data on XFS filesystem.
On logic error when syncing data on a specially crafted XFS filesystem
could let an attacker cause a denial-of-service.
* CVE-2020-12654: Denial-of-service when querying WMM status in mwifiex driver.
If an AP sends a malicious query to the station for WMM status, a buffer
overflow could occur. If an attacker can compromise the AP, this bug
could be triggered to cause a denial-of-service.
* CVE-2021-42739: Buffer overflow in FireDTV firewire DVB receiver driver.
The FireDTV firewire DVB receiver driver contains a buffer overflow when
processing a Program Map Table entry. A malicious device might exploit
this to overwrite memory and cause a denial-of-service.
* CVE-2015-1350: Denial-of-service in VFS subsystem.
An incomplete set of requirements for setattr operations in VFS
subsystem could result in a denial of elevated permissions from valid
users, services, or applications. A local, non-privileged user could
use this flaw to cause a denial-of-service.
* CVE-2017-13166: Privilege escalation when using V4L2 ioctls.
Logic errors in multiple V4L2 ioctls could lead to arbitrary execution
of user space defined addresses. A local attacker could use this flaw to escalate
* CVE-2022-3239: Use-after-free when probing Empia 28xx based TV cards.
Lack of intialization of a reference counter before using leads to a
use-after-free. A local user with the ability to plug such cards on the
host physical machine could use this flaw to potentially escalate their
* Note: Oracle will not provide zero-downtime update for CVE-2020-10690.
The vulnerability requires module loading/unloading privileges to cause a
Ksplice support is available at firstname.lastname@example.org.
New Ksplice updates for UEKR4 4.1.12 on Oracle Linux 6 and 7 has been released.