Synopsis: ELSA-2021-9564 can now be patched using Ksplice
CVEs: CVE-2020-3702 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-3732 CVE-2021-3744 CVE-2021-38205 CVE-2021-42008

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2021-9564.
More information about this erratum can be found at
https://linux.oracle.com/errata/ELSA-2021-9564.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on
OL7 and OL8 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* Note: Oracle has determined that CVE-2021-38205 is not applicable.
  The kernel is not affected by CVE-2021-38205 since the code under
  consideration is not compiled.

* CVE-2021-3732: Information disclosure in OverlayFS when mounting a
  filesystem.

  A logic flaw in the mount handling of the OverlayFS subsystem could
  allow an unprivileged local user with permission to mount a
  filesystem to access hidden files that should not be accessible in
  the original mount. An unprivileged local attacker could use this
  flaw for information disclosure.

* CVE-2021-3744: Denial-of-service in the AMD Cryptographic Coprocessor
  driver.

  Error-handling flaws in the AMD Cryptographic Coprocessor driver
  could cause memory leaks, because memory allocated to process some
  software operations is never freed. A local user could use these
  flaws to cause a denial of service.

  Orabug: 33406845

* Failure to invalidate cached ACL information on directories in OCFS2.

  When ACLs on a directory are changed on one OCFS2 node, the cached
  ACL information is not invalidated on the other nodes, so the VFS
  layer on those nodes keeps returning stale ACL information.

  Orabug: 33407843

* CVE-2020-3702: Information disclosure in Atheros wireless card
  drivers.

  A race condition in the layer 2 Wi-Fi encryption handling of the
  Atheros wireless card drivers could result in improper encryption.
  A remote attacker could send specially crafted traffic to trigger
  it and cause information disclosure.

* Note: Oracle has determined that CVE-2021-42008 is not applicable.
  The kernel is not affected by CVE-2021-42008 since the code under
  consideration is not compiled.

SUPPORT

Ksplice support is available at [email protected].

_______________________________________________
El-errata mailing list
[email protected]
https://oss.oracle.com/mailman/listinfo/el-errata
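The following script is an added example for the INSTALLING THE UPDATES section above; it is not part of the Oracle advisory or of the Ksplice tooling. It answers the two questions a fleet operator has after reading the advisory: is this host running a UEKR6 5.4.17 kernel at all, and if so will Uptrack apply the update on its own ("autoinstall = yes") or does someone have to run uptrack-upgrade. It assumes (not stated on the page) that uptrack.conf is ini-style with a single "autoinstall = <value>" line, that "#" starts a comment, and that UEKR6 kernels report as 5.4.17-<build>.el7uek.* or .el8uek.* in uname -r; the kernel strings and config contents used in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not part of the Oracle advisory or of Ksplice.
# Classifies a host against this update: is it running a UEKR6 5.4.17
# kernel (the scope named in the advisory), and if so will Uptrack apply
# the update on its own ("autoinstall = yes") or must uptrack-upgrade
# be run by hand?
#
# Assumptions (not stated on the page): uptrack.conf is ini-style with
# one "autoinstall = <value>" line, "#" starts a comment, and UEKR6
# kernels report as 5.4.17-<build>.el7uek.* / .el8uek.* in uname -r.

# autoinstall_enabled FILE
#   returns 0 if FILE sets autoinstall = yes, 1 if it is unset or set to
#   anything else, 2 if FILE cannot be read.
autoinstall_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 2
    # Take the last uncommented assignment; a commented-out line such as
    # "# autoinstall = yes" does not match because "#" precedes the key.
    val=$(sed -n 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$conf" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# kernel_in_scope UNAME_R
#   Coarse in-scope test for the advisory: a UEK R6 5.4.17 kernel on OL7
#   or OL8. Uptrack itself matches the exact kernel build, so this only
#   tells you whether the advisory's release family applies to the host.
kernel_in_scope() {
    case "$1" in
        5.4.17-*.el7uek*|5.4.17-*.el8uek*) return 0 ;;
        *) return 1 ;;
    esac
}

# advise CONF UNAME_R
#   Prints one word: out-of-scope, automatic, manual, or unknown-config.
advise() {
    if ! kernel_in_scope "$2"; then
        echo "out-of-scope"
        return 0
    fi
    if autoinstall_enabled "$1"; then
        echo "automatic"
    else
        case $? in
            1) echo "manual" ;;          # run: /usr/sbin/uptrack-upgrade -y
            *) echo "unknown-config" ;;  # no readable uptrack.conf
        esac
    fi
}

# Live check of this host when run directly; on a machine without
# Uptrack this simply reports out-of-scope or unknown-config.
echo "$(uname -r): $(advise /etc/uptrack/uptrack.conf "$(uname -r)")"
```

Run it over a fleet (for example via ssh in a loop) and act on the "manual" hosts with `/usr/sbin/uptrack-upgrade -y`; "unknown-config" means the host is on an in-scope kernel but has no readable /etc/uptrack/uptrack.conf, which usually means Uptrack is not installed there and the host will not receive this update at all. Constructed inputs such as `advise ./a.conf 5.4.17-2102.206.1.el8uek.x86_64` with a.conf containing `autoinstall = no` print "manual"; the same kernel with `autoinstall = yes` prints "automatic"; a 4.14.35 UEKR5 kernel prints "out-of-scope".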
