Synopsis: ELSA-2023-13019 can now be patched using Ksplice CVEs: CVE-2023-39192 CVE-2023-39193 CVE-2023-4207 CVE-2023-45862 CVE-2023-4911
Users with Oracle Linux Premier Support can now use Ksplice to patch against the latest Oracle Linux Security Advisory, ELSA-2023-13019. More information about this errata can be found at https://linux.oracle.com/errata/ELSA-2023-13019.html INSTALLING THE UPDATES We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on OL6 and OL7 install these updates. On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these updates will be installed automatically and you do not need to take any action. Alternatively, you can install these updates by running: # /usr/sbin/uptrack-upgrade -y DESCRIPTION * CVE-2023-4911: Buffer overflow in the GNU C Library's dynamic loader while processing environment variables. Incorrect processing of environment variables in the GNU C Library's dynamic loader ld.so can result in buffer overflow. This flaw could allow a local attacker to elevate their privileges when launching binaries with SUID permission. * CVE-2023-4207: Use-after-free in netfilter classifiers. Incorrectly copied structures in the cls_fw netfilter classifier can lead to a use-after-free when updating a filter bound to a class. An attacker could use this flaw for privilege escalation or cause a denial-of-service. Orabug: 35707466 * CVE-2023-39192: Out-of-bounds access in Netfilter xt_u32 module. Incomplete input validation in Netfilter xt_u32 extension module allows a local privileged user to cause an out-of-bounds read. This can lead to a denial-of-service or information disclosure. Orabug: 35923470 * CVE-2023-39193: Out-of-bounds access in Netfilter xt_sctp module. Incomplete input validation in Netfilter xt_sctp extension module allows a local user with CAP_NET_ADMIN privileges to cause an out-of-bounds read. This can lead to a denial-of-service or information disclosure. Orabug: 35923500 * CVE-2023-45862: Out-of-bounds read in USB ENE card reader when reading bootblock. An incorrect allocation size when allocating a page buffer could lead to a memory out-of-bounds array read. A local user with physical access could potentially use this flaw to leak kernel memory or cause a denial-of-service. Orabug: 35924058 SUPPORT Ksplice support is available at [email protected]. _______________________________________________ El-errata mailing list [email protected] https://oss.oracle.com/mailman/listinfo/el-errata
