Synopsis: ELSA-2025-20553 can now be patched using Ksplice CVEs: CVE-2018-3646 CVE-2022-48773 CVE-2022-48828 CVE-2022-48829 CVE-2024-57996 CVE-2025-37752 CVE-2025-38083 CVE-2025-38086 CVE-2025-38108 CVE-2025-38111 CVE-2025-38115 CVE-2025-38147 CVE-2025-38181 CVE-2025-38184 CVE-2025-38190 CVE-2025-38194 CVE-2025-38212 CVE-2025-38222 CVE-2025-38328 CVE-2025-38332 CVE-2025-38337 CVE-2025-38352 CVE-2025-38430
Users with Oracle Linux Premier Support can now use Ksplice to patch against the latest Oracle Linux Security Advisory, ELSA-2025-20553. More information about this erratum can be found at https://linux.oracle.com/errata/ELSA-2025-20553.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on OL7 and OL8 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf, these updates will be installed automatically and you do not need to take any action.

Alternatively, you can install these updates by running:

  # /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2022-48773: Denial-of-service in RPC-over-RDMA transport driver.
* CVE-2022-48828, CVE-2022-48829: Integer underflow in NFS server driver.
* CVE-2024-57996, CVE-2025-37752: Out-of-bounds memory access in Stochastic Fairness Queueing (SFQ) driver. Orabug: 38377926
* CVE-2025-38083, CVE-2025-38108: Integer underflow in multiple network schedulers.
* CVE-2025-38086: Use of uninitialized memory in QingHeng CH9200 USB ethernet driver.
* CVE-2025-38111: Out-of-bounds memory usage in MDIO bus driver.
* CVE-2025-38115: NULL pointer dereference in Stochastic Fairness Queueing (SFQ) network scheduler.
* CVE-2025-38147: NULL pointer dereference in NetLabel subsystem.
* CVE-2025-38181: NULL pointer dereference in NetLabel subsystem.
* CVE-2025-38184: NULL pointer dereference in IP/UDP media type driver.
* CVE-2025-38190: Memory leak in ATM networking stack.
* CVE-2025-38194, CVE-2025-38328: Logic error in Journalling Flash File System v2 (JFFS2) driver.
* CVE-2025-38212: Use-after-free in System V IPC driver.
* CVE-2025-38222: Integer overflow in ext4 filesystem.
* CVE-2025-38332: Kernel panic in Emulex LightPulse Fibre Channel driver. A false positive with CONFIG_FORTIFY_SOURCE causes a kernel crash.
* CVE-2025-38337: NULL pointer dereference in JBD2 filesystem.
* CVE-2025-38352: Missing check in POSIX clock/timer driver.
* CVE-2025-38430: Remote kernel crash in NFSv4 server driver. A maliciously crafted RPC request can trigger undefined behaviour or a kernel crash.
* Improved fix for CVE-2018-3646: L1 Terminal Fault Reloaded.
* Information leak on x86 CPUs (VMScape). Orabug: 38343661
* Note: Oracle has determined that some CVEs are not applicable. The kernel is not affected by the following CVEs, since the code under consideration is not compiled: CVE-2025-38090, CVE-2025-38135, CVE-2025-38136, CVE-2025-38145, CVE-2025-38153, CVE-2025-38163, CVE-2025-38173, CVE-2025-38203, CVE-2025-38204, CVE-2025-38219, CVE-2025-38237, CVE-2025-38286, CVE-2025-38313, CVE-2025-38416, CVE-2025-38428

SUPPORT

Ksplice support is available at [email protected].
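For the INSTALLING THE UPDATES step above, the following is an added example (not part of the advisory or of Ksplice itself): a small POSIX sh helper that reads the autoinstall setting from uptrack.conf and runs the manual upgrade only on hosts where Uptrack will not apply the updates on its own. It assumes the key is written as `autoinstall = yes` and treats the last matching line as authoritative; the config path is a parameter so the check can be run against a copied file.

```shell
#!/bin/sh
# Added example (not Ksplice's own code): decide whether a host still needs a
# manual "uptrack-upgrade -y" based on the autoinstall setting in uptrack.conf.

# Prints "yes" if autoinstall is enabled in the given config, "no" otherwise.
# Handles leading whitespace, "#" and ";" comments, mixed-case values and a
# missing key or file. Assumption: the last matching line wins.
uptrack_autoinstall_enabled() {
    conf="${1:-/etc/uptrack/uptrack.conf}"
    [ -r "$conf" ] || { echo "no"; return 0; }
    value=$(sed -n \
        -e 's/[[:space:]]*[#;].*$//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        "$conf" | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$value" in
        yes|true|1) echo "yes" ;;
        *)          echo "no" ;;
    esac
}

# Runs the manual upgrade only where autoinstall is off; with autoinstall on,
# Uptrack applies the ELSA-2025-20553 updates by itself and no action is needed.
apply_ksplice_updates_if_needed() {
    if [ "$(uptrack_autoinstall_enabled "$1")" = "yes" ]; then
        echo "autoinstall enabled; Uptrack will install the updates automatically"
        return 0
    fi
    /usr/sbin/uptrack-upgrade -y
}
```

Run `apply_ksplice_updates_if_needed` as root on each UEKR6 host; pass a path as the first argument to check a copied configuration instead of /etc/uptrack/uptrack.conf.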
_______________________________________________
El-errata mailing list
[email protected]
https://oss.oracle.com/mailman/listinfo/el-errata
