Synopsis: ELSA-2025-20271 can now be patched using Ksplice CVEs: CVE-2021-47498 CVE-2024-47707 CVE-2024-49884 CVE-2024-49936 CVE-2024-53124 CVE-2024-56631 CVE-2025-21638 CVE-2025-21639 CVE-2025-21640 CVE-2025-21687 CVE-2025-21699 CVE-2025-21703
Users with Oracle Linux Premier Support can now use Ksplice to patch against the latest Oracle Linux Security Advisory, ELSA-2025-20271. More information about this errata can be found at https://linux.oracle.com/errata/ELSA-2025-20271.html INSTALLING THE UPDATES We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on OL7 and OL8 install these updates. On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these updates will be installed automatically and you do not need to take any action. Alternatively, you can install these updates by running: # /usr/sbin/uptrack-upgrade -y DESCRIPTION * CVE-2021-47498: Denial-of-service in multi-device driver (RAID/LVM). A missing check when using the multi-device driver (RAID/LVM) could lead to a kernel panic. A local attacker could use this flaw to cause a denial-of-service. Orabug: 37010188 * CVE-2024-47707: Denial-of-service in Linux INET6 driver. A missing check when closing network interface in the Linux INET6 driver could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service. * CVE-2024-49884: Privilege escalation in EXT4 filesystem driver. A logic error when adding extent in the EXT4 filesystem driver could lead to a use-after-free. A local attacker could use this flaw to escalate privileges. * CVE-2024-49936: Privilege escalation in Xen backend network device driver. A locking error when using the Xen backend network device driver could lead to a use-after-free. An attacker from a guest VM could use this flaw to escalate privileges. * CVE-2024-56631: Privilege escalation in SCSI generic driver. A locking error when releasing data in the SCSI generic driver could lead to a use-after-free. A local attacker could use this flaw to escalate privileges. * CVE-2025-21638, CVE-2025-21639, CVE-2025-21640: Denial-of-service in SCTP protocol networking stack. A logic error when using the SCTP protocol networking stack could lead to a NULL pointer dereference. A local attacker could use this flaw to cause a denial-of-service. * CVE-2025-21687: Privilege escalation in platform device VFIO driver. A missing check when using the platform device VFIO driver allows read/write outside the alloted boundaries. A local attacker could use this flaw to escalate privileges, execute arbitrary code, or extract sensitive information from kernel memory. * CVE-2025-21699: Disk corruption in GFS2 filesystem. There is a logic error in the GFS2 filesystem code's handling of the FS_IOC_SETFLAGS ioctl call, which sets the flags for an inode and is used by the `chattr` command. A local attacker could use this flaw to cause disk corruption. This update fixes the logic error so the handling is fixed and later usage of the ioctl results in correct behaviour, but doesn't actively attempt to fix the existing filesystem inodes. * CVE-2025-21703: Privilege escalation in network emulator. A logic error when using the network emulator could lead to a use-after-free. A local attacker could use this flaw to escalate privileges. * Privilege escalation in Control Group (cgroup) layer. A locking error when using cgroups could lead to a use-after-free. A local attacker could use this flaw to escalate privileges. Orabug: 37621585 * Note: Oracle has determined some CVEs are not applicable. The kernel is not affected by the following CVEs since the code under consideration is not compiled. CVE-2024-57904, CVE-2024-57906, CVE-2024-57908, CVE-2024-57910, CVE-2024-57911, CVE-2024-57912, CVE-2024-57913, CVE-2025-21647, CVE-2025-21697 SUPPORT Ksplice support is available at [email protected].
signature.asc
Description: This is a digitally signed message part
_______________________________________________ El-errata mailing list [email protected] https://oss.oracle.com/mailman/listinfo/el-errata
