El-errata: New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2023-12323)
Synopsis: ELSA-2023-12323 can now be patched using Ksplice
CVEs: CVE-2022-4095 CVE-2023-1513 CVE-2023-23559 CVE-2023-26545 CVE-2023-28772
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2023-12323.
More information about this errata can be found at
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
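The two install paths above (autoinstall in uptrack.conf versus a manual uptrack-upgrade) can be checked from a script before deciding to act. The following is an added example, not part of the Oracle advisory or the Ksplice tooling; it assumes uptrack.conf uses "key = value" lines and that captured uptrack-show output lists one installed update per line with the CVE id in its text. Both inputs are passed as file paths so the functions can be exercised offline.

```shell
# Added example (not part of the Oracle advisory): decide whether this host
# still needs a manual "uptrack-upgrade -y" for ELSA-2023-12323 and which of
# the advisory's CVEs are not yet covered by an installed Ksplice update.

ADVISORY_CVES="CVE-2022-4095 CVE-2023-1513 CVE-2023-23559 CVE-2023-26545 CVE-2023-28772"

# autoinstall_enabled CONFIG_FILE
# Returns 0 when the config has "autoinstall = yes" (spacing and case
# tolerant, comment lines ignored), 1 otherwise.
# Assumed syntax: "key = value" lines, as in /etc/uptrack/uptrack.conf.
autoinstall_enabled() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }     # skip comment lines
        {
            key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            val = $2; sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (tolower(key) == "autoinstall") { found = (tolower(val) == "yes") }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# missing_cves UPTRACK_SHOW_OUTPUT_FILE
# Prints, one per line and in advisory order, each CVE from ELSA-2023-12323
# that does not appear in the captured uptrack-show output.
# Assumed format of that output: one "[id] description" line per update.
missing_cves() {
    for cve in $ADVISORY_CVES; do
        grep -q "$cve" "$1" || echo "$cve"
    done
}

# needs_manual_upgrade CONFIG_FILE UPTRACK_SHOW_OUTPUT_FILE
# 0 = run /usr/sbin/uptrack-upgrade -y now; 1 = nothing to do.
needs_manual_upgrade() {
    if autoinstall_enabled "$1"; then
        return 1    # Uptrack will apply the updates on its own
    fi
    [ -n "$(missing_cves "$2")" ]
}
```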
* CVE-2023-26545: Stale pointer in Multiprotocol Label Switching subsystem.
Incorrect error handling in the Multiprotocol Label Switching subsystem
(MPLS) during the renaming of a device can lead to a double free. This could
allow a local user to write to arbitrary memory locations or cause
* CVE-2023-28772: Buffer overflow in seq_buf helper.
A missing check in the seq_buf helper to write raw memory into a buffer
in ASCII hex could lead to a buffer overflow. A local attacker could use
this flaw to cause a denial-of-service.
* CVE-2023-23559: Buffer overflow in driver for RNDIS-based wireless USB devices.
A buffer overflow exists in the driver code for wireless USB devices based on
the Remote Network Driver Interface Specification (RNDIS). This could allow a
local user to cause a denial-of-service.
* CVE-2022-4095: Use-after-free in rtl8712 USB networking driver.
A flaw in the rtl8712 driver may lead to a use-after-free when
processing the command queue. A local attacker could use this flaw to
cause a denial-of-service or escalate privileges.
* CVE-2023-1513: Information leak in KVM ioctl.
Incomplete initialization of a structure returned to user space by KVM's
KVM_GET_DEBUGREGS ioctl can lead to an information leak. This can allow a local
user to access privileged data.
Ksplice support is available at firstname.lastname@example.org.
New Ksplice updates for UEKR4 4.1.12 on Oracle Linux 6 and 7 are available.