Category Archives: Ubuntu

Ubuntu Security Notices

USN-3382-2: PHP vulnerabilities

Ubuntu Security Notice USN-3382-2

18th December, 2017

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in PHP.

Software description

  • php5
    – HTML-embedded scripting language interpreter

Details

USN-3382-1 fixed several vulnerabilities in PHP. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that the PHP URL parser incorrectly handled certain URI
components. A remote attacker could possibly use this issue to bypass
hostname-specific URL checks. (CVE-2016-10397)

It was discovered that PHP incorrectly handled certain boolean parameters
when unserializing data. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2017-11143)

Sebastian Li, Wei Lei, Xie Xiaofei, and Liu Yang discovered that PHP
incorrectly handled the OpenSSL sealing function. A remote attacker could
possibly use this issue to cause PHP to crash, resulting in a denial of
service. (CVE-2017-11144)

Wei Lei and Liu Yang discovered that the PHP date extension incorrectly
handled memory. A remote attacker could possibly use this issue to disclose
sensitive information from the server. (CVE-2017-11145)

It was discovered that PHP incorrectly handled certain PHAR archives. A
remote attacker could use this issue to cause PHP to crash or disclose
sensitive information. This issue only affected Ubuntu 14.04 LTS.
(CVE-2017-11147)

Wei Lei and Liu Yang discovered that PHP incorrectly handled parsing ini
files. An attacker could possibly use this issue to cause PHP to crash,
resulting in a denial of service. (CVE-2017-11628)

It was discovered that PHP mbstring incorrectly handled certain regular
expressions. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
php5-cli

5.3.10-1ubuntu3.28
php5

5.3.10-1ubuntu3.28
libapache2-mod-php5

5.3.10-1ubuntu3.28
php5-fpm

5.3.10-1ubuntu3.28
php5-cgi

5.3.10-1ubuntu3.28

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-10397,

CVE-2017-11143,

CVE-2017-11144,

CVE-2017-11145,

CVE-2017-11147,

CVE-2017-11628,

CVE-2017-9224,

CVE-2017-9226,

CVE-2017-9227,

CVE-2017-9228,

CVE-2017-9229

Read More

USN-3509-4: Linux kernel (Xenial HWE) regression

Ubuntu Security Notice USN-3509-4

15th December, 2017

linux-lts-xenial, linux-aws regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

USN-3509-2 introduced a regression in the Linux HWE kernel for Ubuntu 14.04 LTS.

Software description

  • linux-aws
    – Linux kernel for Amazon Web Services (AWS) systems

  • linux-lts-xenial
    – Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3509-2 fixed vulnerabilities in the Linux Hardware Enablement
kernel for Ubuntu 14.04 LTS. Unfortunately, it also introduced a
regression that prevented the Ceph network filesystem from being
used. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array
implementation in the Linux kernel sometimes did not properly handle adding
a new entry. A local attacker could use this to cause a denial of service
(system crash). (CVE-2017-12193)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB
driver for the Linux kernel. A physically proximate attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-16643)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
linux-image-powerpc-smp-lts-xenial 4.4.0.104.87
linux-image-lowlatency-lts-xenial 4.4.0.104.87
linux-image-4.4.0-104-powerpc64-smp

4.4.0-104.127~14.04.1
linux-image-4.4.0-104-lowlatency

4.4.0-104.127~14.04.1
linux-image-4.4.0-104-powerpc64-emb

4.4.0-104.127~14.04.1
linux-image-generic-lpae-lts-xenial 4.4.0.104.87
linux-image-generic-lts-xenial 4.4.0.104.87
linux-image-4.4.0-104-powerpc-smp

4.4.0-104.127~14.04.1
linux-image-4.4.0-104-powerpc-e500mc

4.4.0-104.127~14.04.1
linux-image-4.4.0-1006-aws

4.4.0-1006.6
linux-image-aws 4.4.0.1006.6
linux-image-powerpc64-smp-lts-xenial 4.4.0.104.87
linux-image-powerpc64-emb-lts-xenial 4.4.0.104.87
linux-image-4.4.0-104-generic

4.4.0-104.127~14.04.1
linux-image-4.4.0-104-generic-lpae

4.4.0-104.127~14.04.1
linux-image-powerpc-e500mc-lts-xenial 4.4.0.104.87

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

LP: 1737033,

https://www.ubuntu.com/usn/usn-3509-2

Read More

USN-3509-3: Linux kernel regression

Ubuntu Security Notice USN-3509-3

15th December, 2017

linux, linux-aws, linux-kvm, linux-raspi2 regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS

Summary

USN-3509-1 introduced a regression in the Linux kernel for Ubuntu 16.04 LTS.

Software description

  • linux
    – Linux kernel

  • linux-aws
    – Linux kernel for Amazon Web Services (AWS) systems

  • linux-kvm
    – Linux kernel for cloud environments

  • linux-raspi2
    – Linux kernel for Raspberry Pi 2

Details

USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. Unfortunately, it also introduced a regression that prevented the
Ceph network filesystem from being used. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array
implementation in the Linux kernel sometimes did not properly handle adding
a new entry. A local attacker could use this to cause a denial of service
(system crash). (CVE-2017-12193)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB
driver for the Linux kernel. A physically proximate attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-16643)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
linux-image-powerpc-smp 4.4.0.104.109
linux-image-powerpc-e500mc 4.4.0.104.109
linux-image-4.4.0-1013-kvm

4.4.0-1013.18
linux-image-4.4.0-104-powerpc64-smp

4.4.0-104.127
linux-image-4.4.0-104-lowlatency

4.4.0-104.127
linux-image-generic 4.4.0.104.109
linux-image-4.4.0-104-powerpc64-emb

4.4.0-104.127
linux-image-powerpc64-emb 4.4.0.104.109
linux-image-4.4.0-104-powerpc-smp

4.4.0-104.127
linux-image-4.4.0-104-powerpc-e500mc

4.4.0-104.127
linux-image-powerpc64-smp 4.4.0.104.109
linux-image-generic-lpae 4.4.0.104.109
linux-image-4.4.0-104-generic-lpae

4.4.0-104.127
linux-image-aws 4.4.0.1044.46
linux-image-kvm 4.4.0.1013.13
linux-image-4.4.0-1044-aws

4.4.0-1044.53
linux-image-4.4.0-1080-raspi2

4.4.0-1080.88
linux-image-lowlatency 4.4.0.104.109
linux-image-raspi2 4.4.0.1080.80
linux-image-4.4.0-104-generic

4.4.0-104.127

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

LP: 1737033

Read More

USN-3513-2: libxml2 vulnerability

Ubuntu Security Notice USN-3513-2

13th December, 2017

libxml2 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

libxml2 could be made to crash or run arbitrary code if it
opened a specially crafted file.

Software description

  • libxml2
    – GNOME XML library

Details

USN-3513-1 fixed a vulnerability in libxml2. This update provides
the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that libxml2 incorrecty handled certain files. An attacker
could use this issue with specially constructed XML data to cause libxml2 to
consume resources, leading to a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
libxml2

2.7.8.dfsg-5.1ubuntu4.20
libxml2-utils

2.7.8.dfsg-5.1ubuntu4.20
python-libxml2

2.7.8.dfsg-5.1ubuntu4.20

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-15412

Read More

USN-3513-1: libxml2 vulnerability

Ubuntu Security Notice USN-3513-1

13th December, 2017

libxml2 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

libxml2 could be made to crash or run arbitrary code if it
opened a specially crafted file.

Software description

  • libxml2
    – GNOME XML library

Details

It was discovered that libxml2 incorrecty handled certain files. An attacker
could use this issue with specially constructed XML data to cause libxml2 to
consume resources, leading to a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
libxml2

2.9.4+dfsg1-4ubuntu1.2
libxml2-utils

2.9.4+dfsg1-4ubuntu1.2
python-libxml2

2.9.4+dfsg1-4ubuntu1.2
python3-libxml2

2.9.4+dfsg1-4ubuntu1.2
Ubuntu 17.04:
libxml2

2.9.4+dfsg1-2.2ubuntu0.3
libxml2-utils

2.9.4+dfsg1-2.2ubuntu0.3
python-libxml2

2.9.4+dfsg1-2.2ubuntu0.3
python3-libxml2

2.9.4+dfsg1-2.2ubuntu0.3
Ubuntu 16.04 LTS:
libxml2

2.9.3+dfsg1-1ubuntu0.5
libxml2-utils

2.9.3+dfsg1-1ubuntu0.5
python-libxml2

2.9.3+dfsg1-1ubuntu0.5
Ubuntu 14.04 LTS:
libxml2

2.9.1+dfsg1-3ubuntu4.12
libxml2-utils

2.9.1+dfsg1-3ubuntu4.12
python-libxml2

2.9.1+dfsg1-3ubuntu4.12

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-15412

Read More

USN-3512-1: OpenSSL vulnerabilities

Ubuntu Security Notice USN-3512-1

11th December, 2017

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in OpenSSL.

Software description

  • openssl
    – Secure Socket Layer (SSL) cryptographic library and tools

Details

David Benjamin discovered that OpenSSL did not correctly prevent
buggy applications that ignore handshake errors from subsequently calling
certain functions. (CVE-2017-3737)

It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery
multiplication procedure. While unlikely, a remote attacker could possibly
use this issue to recover private keys. (CVE-2017-3738)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
libssl1.0.0

1.0.2g-1ubuntu13.3
Ubuntu 17.04:
libssl1.0.0

1.0.2g-1ubuntu11.4
Ubuntu 16.04 LTS:
libssl1.0.0

1.0.2g-1ubuntu4.10

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-3737,

CVE-2017-3738

Read More

USN-3508-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-3508-1

7th December, 2017

linux, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.04

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux
    – Linux kernel

  • linux-raspi2
    – Linux kernel for Raspberry Pi 2

Details

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Yonggang Guo discovered that a race condition existed in the driver
subsystem in the Linux kernel. A local attacker could use this to possibly
gain administrative privileges. (CVE-2017-12146)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.04:
linux-image-4.10.0-42-generic-lpae

4.10.0-42.46
linux-image-generic-lpae 4.10.0.42.42
linux-image-4.10.0-42-generic

4.10.0-42.46
linux-image-4.10.0-1023-raspi2

4.10.0-1023.26
linux-image-generic 4.10.0.42.42
linux-image-4.10.0-42-lowlatency

4.10.0-42.46
linux-image-lowlatency 4.10.0.42.42
linux-image-raspi2 4.10.0.1023.24

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405,

CVE-2017-12146,

CVE-2017-16939

Read More

USN-3507-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-3507-1

7th December, 2017

linux, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 17.10

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux
    – Linux kernel

  • linux-raspi2
    – Linux kernel for Raspberry Pi 2

Details

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array
implementation in the Linux kernel sometimes did not properly handle adding
a new entry. A local attacker could use this to cause a denial of service
(system crash). (CVE-2017-12193)

Eric Biggers discovered that the key management subsystem in the Linux
kernel did not properly restrict adding a key that already exists but is
uninstantiated. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2017-15299)

It was discovered that a null pointer dereference error existed in the
PowerPC KVM implementation in the Linux kernel. A local attacker could use
this to cause a denial of service (system crash). (CVE-2017-15306)

Eric Biggers discovered a race condition in the key management subsystem of
the Linux kernel around keys in a negative state. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-15951)

Andrey Konovalov discovered that the USB subsystem in the Linux kernel did
not properly validate USB BOS metadata. A physically proximate attacker
could use this to cause a denial of service (system crash).
(CVE-2017-16535)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB
driver for the Linux kernel. A physically proximate attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-16643)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 17.10:
linux-image-4.13.0-19-generic

4.13.0-19.22
linux-image-4.13.0-19-generic-lpae

4.13.0-19.22
linux-image-generic-lpae 4.13.0.19.20
linux-image-4.13.0-19-lowlatency

4.13.0-19.22
linux-image-generic 4.13.0.19.20
linux-image-4.13.0-1008-raspi2

4.13.0-1008.8
linux-image-lowlatency 4.13.0.19.20
linux-image-raspi2 4.13.0.1008.6

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405,

CVE-2017-12193,

CVE-2017-15299,

CVE-2017-15306,

CVE-2017-15951,

CVE-2017-16535,

CVE-2017-16643,

CVE-2017-16939

Read More

USN-3509-2: Linux kernel (Xenial HWE) vulnerabilities

Ubuntu Security Notice USN-3509-2

7th December, 2017

linux-lts-xenial, linux-aws vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux-aws
    – Linux kernel for Amazon Web Services (AWS) systems

  • linux-lts-xenial
    – Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array
implementation in the Linux kernel sometimes did not properly handle adding
a new entry. A local attacker could use this to cause a denial of service
(system crash). (CVE-2017-12193)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB
driver for the Linux kernel. A physically proximate attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-16643)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
linux-image-powerpc-smp-lts-xenial 4.4.0.103.86
linux-image-powerpc64-emb-lts-xenial 4.4.0.103.86
linux-image-4.4.0-1005-aws

4.4.0-1005.5
linux-image-generic-lts-xenial 4.4.0.103.86
linux-image-4.4.0-103-powerpc64-smp

4.4.0-103.126~14.04.1
linux-image-lowlatency-lts-xenial 4.4.0.103.86
linux-image-4.4.0-103-powerpc-smp

4.4.0-103.126~14.04.1
linux-image-powerpc-e500mc-lts-xenial 4.4.0.103.86
linux-image-generic-lpae-lts-xenial 4.4.0.103.86
linux-image-4.4.0-103-powerpc64-emb

4.4.0-103.126~14.04.1
linux-image-4.4.0-103-generic

4.4.0-103.126~14.04.1
linux-image-4.4.0-103-generic-lpae

4.4.0-103.126~14.04.1
linux-image-powerpc64-smp-lts-xenial 4.4.0.103.86
linux-image-aws 4.4.0.1005.5
linux-image-4.4.0-103-powerpc-e500mc

4.4.0-103.126~14.04.1
linux-image-4.4.0-103-lowlatency

4.4.0-103.126~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405,

CVE-2017-12193,

CVE-2017-16643,

CVE-2017-16939

Read More

USN-3509-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-3509-1

7th December, 2017

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux
    – Linux kernel

  • linux-aws
    – Linux kernel for Amazon Web Services (AWS) systems

  • linux-kvm
    – Linux kernel for cloud environments

  • linux-raspi2
    – Linux kernel for Raspberry Pi 2

  • linux-snapdragon
    – Linux kernel for Snapdragon processors

Details

Mohamed Ghannam discovered that a use-after-free vulnerability existed in
the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-16939)

It was discovered that the Linux kernel did not properly handle copy-on-
write of transparent huge pages. A local attacker could use this to cause a
denial of service (application crashes) or possibly gain administrative
privileges. (CVE-2017-1000405)

Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array
implementation in the Linux kernel sometimes did not properly handle adding
a new entry. A local attacker could use this to cause a denial of service
(system crash). (CVE-2017-12193)

Andrey Konovalov discovered an out-of-bounds read in the GTCO digitizer USB
driver for the Linux kernel. A physically proximate attacker could use this
to cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2017-16643)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
linux-image-powerpc-e500mc 4.4.0.103.108
linux-image-4.4.0-103-powerpc64-smp

4.4.0-103.126
linux-image-4.4.0-103-generic

4.4.0-103.126
linux-image-4.4.0-103-powerpc-e500mc

4.4.0-103.126
linux-image-4.4.0-1012-kvm

4.4.0-1012.17
linux-image-4.4.0-103-generic-lpae

4.4.0-103.126
linux-image-4.4.0-103-powerpc64-emb

4.4.0-103.126
linux-image-generic 4.4.0.103.108
linux-image-snapdragon 4.4.0.1081.73
linux-image-powerpc64-emb 4.4.0.103.108
linux-image-4.4.0-103-powerpc-smp

4.4.0-103.126
linux-image-4.4.0-1079-raspi2

4.4.0-1079.87
linux-image-aws 4.4.0.1043.45
linux-image-kvm 4.4.0.1012.12
linux-image-4.4.0-103-lowlatency

4.4.0-103.126
linux-image-raspi2 4.4.0.1079.79
linux-image-powerpc-smp 4.4.0.103.108
linux-image-generic-lpae 4.4.0.103.108
linux-image-4.4.0-1043-aws

4.4.0-1043.52
linux-image-powerpc64-smp 4.4.0.103.108
linux-image-4.4.0-1081-snapdragon

4.4.0-1081.86
linux-image-lowlatency 4.4.0.103.108

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000405,

CVE-2017-12193,

CVE-2017-16643,

CVE-2017-16939

Read More