New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2023-12565)
Synopsis: ELSA-2023-12565 can now be patched using Ksplice
CVEs: CVE-2022-1679 CVE-2022-20141 CVE-2022-3424 CVE-2023-1118 CVE-2023-2269 CVE-2023-3159 CVE-2023-34256
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2023-12565.
More information about this errata can be found at
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
* CVE-2022-20141: Privilege escalation in inet sockets.
A locking error when opening/closing inet sockets could lead to a
use-after-free. A local attacker could use this flaw to escalate
privileges or cause a denial-of-service.
* CVE-2022-3424: Denial-of-service in SGI GRU driver.
A logic error when using SGI GRU driver could lead to a use-after-free.
A local attacker could use this flaw to cause a denial-of-service.
* CVE-2023-1118: Use-after-free in ENE eHome Receiver/Transceiver driver.
A logic error in the ENE integrated infrared receiver/transceiver leads
to a use-after-free. A local user can use this flaw to cause
denial-of-service or escalate privileges.
* CVE-2022-1679: Use-after-free in Atheros ath9k wireless device driver.
Improper handling of some error conditions in Atheros ath9k wireless
device driver could lead to a use-after-free. A local user could use
this flaw to cause a denial of service or execute arbitrary code.
* CVE-2023-34256: Out-of-bounds read in ext4 checksum handling.
An arithmetic error in a checksum generation routine in the ext4 driver
can lead to an out-of-bounds read. This flaw could be exploited by a
malicious local user to leak sensitive information or to aid in another
type of attack.
* CVE-2023-2269: Denial-of-service in Device Mapper-Multipathing subsystem.
A possible recursive locking scenario in Linux Kernel Device Mapper
Multipathing subsystem can lead to a deadlock. A local user can use
this flaw to cause denial of service.
* CVE-2023-3159: Use-after-free in Firewire driver.
A data race in Firewire driver could lead to a use-after-free. A local
attacker with special privilege could use this flaw to cause a denial
of service or execute arbitrary code.
Ksplice support is available at email@example.com.
New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 are available.