You are here
Home > Preporuke > Sigurnosni nedostaci jezgre operacijskog sustava

Sigurnosni nedostaci jezgre operacijskog sustava

==========================================================================
Ubuntu Security Notice USN-3848-1
December 20, 2018

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
– linux: Linux kernel
– linux-aws: Linux kernel for Amazon Web Services (AWS) systems
– linux-kvm: Linux kernel for cloud environments
– linux-raspi2: Linux kernel for Raspberry Pi 2
– linux-snapdragon: Linux kernel for Snapdragon processors

Details:

It was discovered that a double free existed in the AMD GPIO driver in the
Linux kernel. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2017-18174)

It was discovered that an integer overrun vulnerability existed in the
POSIX timers implementation in the Linux kernel. A local attacker could use
this to cause a denial of service. (CVE-2018-12896)

Kanda Motohiro discovered that writing extended attributes to an XFS file
system in the Linux kernel in certain situations could cause an error
condition to occur. A local attacker could use this to cause a denial of
service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the
CDROM driver of the Linux kernel. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2018-18710)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.4.0-1039-kvm 4.4.0-1039.45
linux-image-4.4.0-1074-aws 4.4.0-1074.84
linux-image-4.4.0-1102-raspi2 4.4.0-1102.110
linux-image-4.4.0-1106-snapdragon 4.4.0-1106.111
linux-image-4.4.0-141-generic 4.4.0-141.167
linux-image-4.4.0-141-generic-lpae 4.4.0-141.167
linux-image-4.4.0-141-lowlatency 4.4.0-141.167
linux-image-4.4.0-141-powerpc-e500mc 4.4.0-141.167
linux-image-4.4.0-141-powerpc-smp 4.4.0-141.167
linux-image-4.4.0-141-powerpc64-emb 4.4.0-141.167
linux-image-4.4.0-141-powerpc64-smp 4.4.0-141.167
linux-image-aws 4.4.0.1074.76
linux-image-generic 4.4.0.141.147
linux-image-generic-lpae 4.4.0.141.147
linux-image-kvm 4.4.0.1039.38
linux-image-lowlatency 4.4.0.141.147
linux-image-powerpc-e500mc 4.4.0.141.147
linux-image-powerpc-smp 4.4.0.141.147
linux-image-powerpc64-emb 4.4.0.141.147
linux-image-powerpc64-smp 4.4.0.141.147
linux-image-raspi2 4.4.0.1102.102
linux-image-snapdragon 4.4.0.1106.98

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3848-1
CVE-2017-18174, CVE-2018-12896, CVE-2018-18690, CVE-2018-18710

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.4.0-141.167
https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1074.84
https://launchpad.net/ubuntu/+source/linux-kvm/4.4.0-1039.45
https://launchpad.net/ubuntu/+source/linux-raspi2/4.4.0-1102.110
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.4.0-1106.111

—–BEGIN PGP SIGNATURE—–

iQIzBAABCgAdFiEEpgY7tWAjCaQ8jrvULwmejQBegfQFAlwcKicACgkQLwmejQBe
gfRwThAAr/2/voG0xgPIlRvYbWfYQSUX9NC9Heo7MsO2VaZm9Fnjrx52v2OlLthy
jvTPSCPg3yvJX79SpqF3WkcI41Ur8abtXBJfEbzZiiQ7C8jExHXtuCDeQBckw/Yz
Y057ga4EUm0MxhBJ+uDXIkKe7Kbw2Bk4IuPYRakzXvBPlzAGy2EocaH1ffouHZ5g
Z7+28MHNQza5YD3qNCB0jUULisJtR31hJ5MinVPmbVNwBUafD83BVZ3wVas/zUUp
k621PEmwQIqB9CMCjxDKq92RABtsEA+umFo/HHD1iZqmEA1jDImrK/Y9LdBIqSIu
6GH4sJKz3kR2pPjGVAmAPYJhfMfTDRKjHzxfx/WetEXHOwTSzJaG1hutwqRIQB6l
Mpg7qJ56uSqj9gXm1r7FUrdpg1HFpjkcPm31+swmMlcZHwOv8a3ou2jKaBmOV+42
BgfZB3Py4JoYPjDXmjyfR/mcgaqnJ12RglLPlF0ljASnRywmvLLtJv/meSQ+QhqA
0mlyxaQHveXKDEehFL4wtyG4vEdRc7z80i8bRNHL+ZH1In24PzjzBEDQGZhdYefn
/uE/LGCehh37CuaV19BLbREkh31VQaWeN1Y+qRnmnh3wVEHzX4WHpCgXQ/BmR35B
UspDfNdBqh/HL8Zqg9kgazbJnaBp+VHzYcxAKgJbsErgriSeAyI=
=z1LZ
—–END PGP SIGNATURE—–

ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

==========================================================================
Ubuntu Security Notice USN-3847-3
December 20, 2018

linux-azure vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
– linux-azure: Linux kernel for Microsoft Azure Cloud systems

Details:

USN-3847-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04
LTS. This update provides the corresponding updates for the Linux
kernel for Microsoft Azure Cloud systems for Ubuntu 14.04 LTS.

It was discovered that a race condition existed in the raw MIDI driver for
the Linux kernel, leading to a double free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the
POSIX timers implementation in the Linux kernel. A local attacker could use
this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the
Infiniband implementation in the Linux kernel. An attacker could use this
to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did
not properly restrict user space reads or writes. A physically proximate
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2018-16276)

It was discovered that the BPF verifier in the Linux kernel did not
correctly compute numeric bounds in some situations. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2018-18445)

Kanda Motohiro discovered that writing extended attributes to an XFS file
system in the Linux kernel in certain situations could cause an error
condition to occur. A local attacker could use this to cause a denial of
service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the
CDROM driver of the Linux kernel. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2018-18710)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
linux-image-4.15.0-1036-azure 4.15.0-1036.38~14.04.2
linux-image-azure 4.15.0.1036.23

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3847-3
https://usn.ubuntu.com/usn/usn-3847-1
CVE-2018-10902, CVE-2018-12896, CVE-2018-14734, CVE-2018-16276,
CVE-2018-18445, CVE-2018-18690, CVE-2018-18710

Package Information:
https://launchpad.net/ubuntu/+source/linux-azure/4.15.0-1036.38~14.04.2

—–BEGIN PGP SIGNATURE—–

iQIzBAABCgAdFiEEpgY7tWAjCaQ8jrvULwmejQBegfQFAlwcKhQACgkQLwmejQBe
gfSv+BAAnFtOw1TNE9Ke5lypOUXjXp8sMTCgeX2BgLHN871pUxjVcJzOCjdLvima
if8BpOsts1i5cJNNCqfFsOU0+n7NPqfl27l2p/fnnPjYtEJa76DGrkQetmM1KJr5
lKbuBGgkXD8j+lOvMjjr+bAK/UYnFNk+1ORKzw0/XpAvRKGcZof3S1j8dbmzA+cz
GmMiBhWTtYF5Yx+PVG9jt8rCa9EeKC5rBTnXQWt6FF4HorlIKDDvUeDG4ri739N/
Y/AbABeWoThS+MxX2iEqMzmbu0J4WJ52TXhKw0qmB8sRgY2fNc45g5BBq4yps7qk
YhVmD+xXZaj726IMzscARuNdq/pS0ozjpZ1BZKxJuwSLA1ixN+PDSw9YPxq0BGJ+
wklsxGFNQilL7kEb6FcMIDpZ/pu7d62pUXLsWXLSKVAb3W3VxCjd0H7eIKMhFCAE
Gwyo8Fbhk6RpjgJ637eY7MOBzNCxQHtd+KnT+4T+gvxmxYihUJjwIH8kJRSuYbIf
wjxhhl8m3LBln9JpO4PkXAYgX8wl6WWVsE6S84Jy2u/iBkm5A6aoW7pCHTrIIVm0
jTTxyIux78xrfeMPMgn3m/eYg4n7StqeVTzoYJxZQGv5IsM40VpC+vGdIqvYFZJS
/o5cdco3IKB/Nj9N4MOeP2YU3Zkbze5+HbmW43MWJXZg409sdG8=
=y37D
—–END PGP SIGNATURE—–

ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

==========================================================================
Ubuntu Security Notice USN-3846-1
December 20, 2018

linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 18.10

Summary:

The system could be made to expose sensitive information.

Software Description:
– linux: Linux kernel
– linux-aws: Linux kernel for Amazon Web Services (AWS) systems
– linux-azure: Linux kernel for Microsoft Azure Cloud systems
– linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
– linux-kvm: Linux kernel for cloud environments
– linux-raspi2: Linux kernel for Raspberry Pi 2

Details:

It was discovered that an integer overflow vulnerability existed in the
CDROM driver of the Linux kernel. A local attacker could use this to expose
sensitive information (kernel memory).

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
linux-image-4.18.0-1005-gcp 4.18.0-1005.6
linux-image-4.18.0-1006-kvm 4.18.0-1006.6
linux-image-4.18.0-1007-aws 4.18.0-1007.9
linux-image-4.18.0-1007-azure 4.18.0-1007.7
linux-image-4.18.0-1008-raspi2 4.18.0-1008.10
linux-image-4.18.0-13-generic 4.18.0-13.14
linux-image-4.18.0-13-generic-lpae 4.18.0-13.14
linux-image-4.18.0-13-lowlatency 4.18.0-13.14
linux-image-4.18.0-13-snapdragon 4.18.0-13.14
linux-image-aws 4.18.0.1007.7
linux-image-azure 4.18.0.1007.8
linux-image-gcp 4.18.0.1005.5
linux-image-generic 4.18.0.13.14
linux-image-generic-lpae 4.18.0.13.14
linux-image-gke 4.18.0.1005.5
linux-image-kvm 4.18.0.1006.6
linux-image-lowlatency 4.18.0.13.14
linux-image-raspi2 4.18.0.1008.5
linux-image-snapdragon 4.18.0.13.14

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3846-1
CVE-2018-18710

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.18.0-13.14
https://launchpad.net/ubuntu/+source/linux-aws/4.18.0-1007.9
https://launchpad.net/ubuntu/+source/linux-azure/4.18.0-1007.7
https://launchpad.net/ubuntu/+source/linux-gcp/4.18.0-1005.6
https://launchpad.net/ubuntu/+source/linux-kvm/4.18.0-1006.6
https://launchpad.net/ubuntu/+source/linux-raspi2/4.18.0-1008.10

—–BEGIN PGP SIGNATURE—–

iQIzBAABCgAdFiEEpgY7tWAjCaQ8jrvULwmejQBegfQFAlwcKdkACgkQLwmejQBe
gfTaGg/+LblIArsXQ7bOjes0tvefbuIlE5h2AIml6+Y+IuUOE+YEykWF5mDgJNky
gSIMybExw9vgK8L9TA9wqDdQuRc4mwNkwn48qXc9nOI8z0EmJacUGqQ8A7IMmsdz
FTo1FavzG8KArckUZo+i9OI+0OuNqW3thVQt4HTx436+s/eEgqpXqQhTMSPz5iQe
qO0QTmfXGvYfvKF1POT1NO8TivpvMwhLkiLuns0blT5wCS0Za0j5hcL6NWZwFDyf
DuiP7YV0ilaxKm9q67lEW8fmMGvRDoedAmz/z8ILdrpEXzWo/xNzAzPBt2iGzG4+
OKIrupQTPh0JThujmPVaN5MjuqqPYi3YfgkhQnXt1uUsDSRPsJyXFTlyWt+fSM5m
fQS7NYZZ9XI4t2RzcdMLqlURU3x9lzgTNbYXFS/LsTV50fwOYYTRiV7E90yThqm4
bLMIBw2rEVdA34xs/592wU9UC1n/5floMSZnq1MWGUXi1/VaZaBO8hngSubaT3oc
VClGXZktrFIX3rsr8bUAoPa3CS8mToXYc2vxrp/8SzzHcz26tVA1dePwv4hd45jy
acZV3oos1750WZg+v6rc+O6dDnbmNQgPvMl2TXy4sGA64cFPUc1zrba18GJM/LYw
uyo09xm/ZcfoqvR/BhN0nf38+/veoWyRMbevC6D37ZnYzy2CpX8=
=HfxA
—–END PGP SIGNATURE—–

ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

==========================================================================
Ubuntu Security Notice USN-3848-2
December 20, 2018

linux-lts-xenial, linux-aws vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
– linux-aws: Linux kernel for Amazon Web Services (AWS) systems
– linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

USN-3848-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

It was discovered that a double free existed in the AMD GPIO driver in the
Linux kernel. A local attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code. (CVE-2017-18174)

It was discovered that an integer overrun vulnerability existed in the
POSIX timers implementation in the Linux kernel. A local attacker could use
this to cause a denial of service. (CVE-2018-12896)

Kanda Motohiro discovered that writing extended attributes to an XFS file
system in the Linux kernel in certain situations could cause an error
condition to occur. A local attacker could use this to cause a denial of
service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the
CDROM driver of the Linux kernel. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2018-18710)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
linux-image-4.4.0-1037-aws 4.4.0-1037.40
linux-image-4.4.0-141-generic 4.4.0-141.167~14.04.1
linux-image-4.4.0-141-generic-lpae 4.4.0-141.167~14.04.1
linux-image-4.4.0-141-lowlatency 4.4.0-141.167~14.04.1
linux-image-4.4.0-141-powerpc-e500mc 4.4.0-141.167~14.04.1
linux-image-4.4.0-141-powerpc-smp 4.4.0-141.167~14.04.1
linux-image-4.4.0-141-powerpc64-emb 4.4.0-141.167~14.04.1
linux-image-4.4.0-141-powerpc64-smp 4.4.0-141.167~14.04.1
linux-image-aws 4.4.0.1037.37
linux-image-generic-lpae-lts-xenial 4.4.0.141.121
linux-image-generic-lts-xenial 4.4.0.141.121
linux-image-lowlatency-lts-xenial 4.4.0.141.121
linux-image-powerpc-e500mc-lts-xenial 4.4.0.141.121
linux-image-powerpc-smp-lts-xenial 4.4.0.141.121
linux-image-powerpc64-emb-lts-xenial 4.4.0.141.121
linux-image-powerpc64-smp-lts-xenial 4.4.0.141.121

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3848-2
https://usn.ubuntu.com/usn/usn-3848-1
CVE-2017-18174, CVE-2018-12896, CVE-2018-18690, CVE-2018-18710

Package Information:
https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1037.40
https://launchpad.net/ubuntu/+source/linux-lts-xenial/4.4.0-141.167~14.04.1

—–BEGIN PGP SIGNATURE—–

iQIzBAABCgAdFiEEpgY7tWAjCaQ8jrvULwmejQBegfQFAlwcKjIACgkQLwmejQBe
gfQePw/+KhFqfm+7NsF0AXC5LYK1/ca8x0eCs32vwbgP+9stISvaIssOFvAALGry
yVNYKZsiHS7WRl2dQlurJzlg5gQTfbmsYGtOAhKjaX6uoafhfEf1otTnoSBTVDPx
6HVf0aYG+Y+xF4JU2VXpW1IjtmzULbgFgMYfgem7/dHK+7jBghIfpdE5WzbDHgkv
h7PZp2z0U123Jb+FcqzxxP5kmozyzofNNBB4tHZ0cPsfsRaLpltelgXlza9OJqP1
h7sO7nklCKacx8tagikwTYwNNUQu/VcsgN5OF16NKoKCUbHdmv8FfMk/KzJmDsSP
HtVxbDX99Yn3/YwP2ahBzvkqpRg19iiOfSJFt/bYmdjshqpdqk+wkYAIMwCyIYkz
8Fb7UCsSBZe0Mzg9RRhITwn3jmYcM/DAu8WBqCL/x6Vyvb6YmVAV7AdkzCMSgTcw
dG7YWd0Z7yMKHMZL7pburnTVEWYPAsZ+HqrnUlbqOUTOZcNRE6mLsHXY8so2wwLh
KEtgptNR8zWOFvjzgfaDeQNEtg57rotRL7dY4NJEqf5wJpDipdpbS+JS6bypHMyU
YO+WxqGENN2XwCLO61TNODAFy2gxuueNvVS7GlselXCXnnDeU4tvlowUxI3Pvzc5
W1PikH6akJvnMUgmnDFfb42vYImT562JniFywmTT2KiRcshdZ6o=
=r5A5
—–END PGP SIGNATURE—–

ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

==========================================================================
Ubuntu Security Notice USN-3847-1
December 20, 2018

linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem,
linux-raspi2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
– linux: Linux kernel
– linux-aws: Linux kernel for Amazon Web Services (AWS) systems
– linux-azure: Linux kernel for Microsoft Azure Cloud systems
– linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
– linux-kvm: Linux kernel for cloud environments
– linux-oem: Linux kernel for OEM processors
– linux-raspi2: Linux kernel for Raspberry Pi 2

Details:

It was discovered that a race condition existed in the raw MIDI driver for
the Linux kernel, leading to a double free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the
POSIX timers implementation in the Linux kernel. A local attacker could use
this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the
Infiniband implementation in the Linux kernel. An attacker could use this
to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did
not properly restrict user space reads or writes. A physically proximate
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2018-16276)

It was discovered that the BPF verifier in the Linux kernel did not
correctly compute numeric bounds in some situations. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2018-18445)

Kanda Motohiro discovered that writing extended attributes to an XFS file
system in the Linux kernel in certain situations could cause an error
condition to occur. A local attacker could use this to cause a denial of
service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the
CDROM driver of the Linux kernel. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2018-18710)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
linux-image-4.15.0-1026-gcp 4.15.0-1026.27
linux-image-4.15.0-1028-kvm 4.15.0-1028.28
linux-image-4.15.0-1030-oem 4.15.0-1030.35
linux-image-4.15.0-1030-raspi2 4.15.0-1030.32
linux-image-4.15.0-1031-aws 4.15.0-1031.33
linux-image-4.15.0-1036-azure 4.15.0-1036.38
linux-image-4.15.0-43-generic 4.15.0-43.46
linux-image-4.15.0-43-generic-lpae 4.15.0-43.46
linux-image-4.15.0-43-lowlatency 4.15.0-43.46
linux-image-4.15.0-43-snapdragon 4.15.0-43.46
linux-image-aws 4.15.0.1031.30
linux-image-azure 4.15.0.1036.36
linux-image-gcp 4.15.0.1026.28
linux-image-generic 4.15.0.43.45
linux-image-generic-lpae 4.15.0.43.45
linux-image-gke 4.15.0.1026.28
linux-image-kvm 4.15.0.1028.28
linux-image-lowlatency 4.15.0.43.45
linux-image-oem 4.15.0.1030.35
linux-image-raspi2 4.15.0.1030.28
linux-image-snapdragon 4.15.0.43.45

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3847-1
CVE-2018-10902, CVE-2018-12896, CVE-2018-14734, CVE-2018-16276,
CVE-2018-18445, CVE-2018-18690, CVE-2018-18710

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.15.0-43.46
https://launchpad.net/ubuntu/+source/linux-aws/4.15.0-1031.33
https://launchpad.net/ubuntu/+source/linux-azure/4.15.0-1036.38
https://launchpad.net/ubuntu/+source/linux-gcp/4.15.0-1026.27
https://launchpad.net/ubuntu/+source/linux-kvm/4.15.0-1028.28
https://launchpad.net/ubuntu/+source/linux-oem/4.15.0-1030.35
https://launchpad.net/ubuntu/+source/linux-raspi2/4.15.0-1030.32

—–BEGIN PGP SIGNATURE—–

iQIzBAABCgAdFiEEpgY7tWAjCaQ8jrvULwmejQBegfQFAlwcKfcACgkQLwmejQBe
gfQVeQ//TAve7mZFUyfhl1MRwbPO7McUQmqsv47UsYB1rk+nwmdXvIFOZWUOxrF9
+XitTzvI32SJq4TPhxV8We1R98Pb978INovURMWzYyYUfvA6V4PBXoCcdwp9sSX/
EJmpn3dXJ8IP7KZWp2UB7LufUAfZPx74mQsn8BgkL9Qs28oHRyELJSbRIy8CH/KT
G+dU/dqpKMXF1j9uYWdbB7kMRUb3j5WOG1Q2gCUHmJFpWXQSm0ir+miTp0BSscjp
NiRiIUg/r5qytdYVVzG34wmJORvz9LsvS0ArB7l0sp/13qWF044msNSmp2LNL6Fg
EXmZlB49FAS6clfjOByQ4ocC+Ox3KvXiGw/3pff7yelmNFHdsI+UPS3I/71NGV7B
NJd2ZdoAId7m2jr3JR4SK9H170dnOZn+/aJx2305u6Osu6QWM1LRETnAhHddQAFY
wcoeD2GLYyBY2UICSkxD7CmpT4zkzeGfGXQc2K7GoJcDZxsTUSjfHWu+mF5Fi0PQ
tIl1z4av0VJ8LtggKtAvqVlvuytguQ2oGulopUMwfBmFPukmCcuw5gawxK7d4xDD
r3rSU4L0S8Ldtk9TTA09YkzAvqN2BHcsVCs1ThDgYaCLjCnZUwfGpzliaRIyPvGG
ZGr41qfPoZUr1LnKGWrqOowMJ4JCQOnn/Yd/zTYOp84TpsX16WM=
=yRiR
—–END PGP SIGNATURE—–

ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

==========================================================================
Ubuntu Security Notice USN-3849-2
December 20, 2018

linux-lts-trusty vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
– linux-lts-trusty: Linux hardware enablement kernel from Trusty for Precise ESM

Details:

USN-3849-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 ESM.

It was discovered that a NULL pointer dereference existed in the keyring
subsystem of the Linux kernel. A local attacker could use this to cause a
denial of service (system crash). (CVE-2017-2647)

It was discovered that a race condition existed in the raw MIDI driver for
the Linux kernel, leading to a double free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the
POSIX timers implementation in the Linux kernel. A local attacker could use
this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the
Infiniband implementation in the Linux kernel. An attacker could use this
to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did
not properly restrict user space reads or writes. A physically proximate
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2018-16276)

Tetsuo Handa discovered a logic error in the TTY subsystem of the Linux
kernel. A local attacker with access to pseudo terminal devices could use
this to cause a denial of service. (CVE-2018-18386)

Kanda Motohiro discovered that writing extended attributes to an XFS file
system in the Linux kernel in certain situations could cause an error
condition to occur. A local attacker could use this to cause a denial of
service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the
CDROM driver of the Linux kernel. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2018-18710)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
linux-image-3.13.0-164-generic 3.13.0-164.214~precise1
linux-image-3.13.0-164-generic-lpae 3.13.0-164.214~precise1
linux-image-generic-lpae-lts-trusty 3.13.0.164.154
linux-image-generic-lts-trusty 3.13.0.164.154

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3849-2
https://usn.ubuntu.com/usn/usn-3849-1
CVE-2017-2647, CVE-2018-10902, CVE-2018-12896, CVE-2018-14734,
CVE-2018-16276, CVE-2018-18386, CVE-2018-18690, CVE-2018-18710

—–BEGIN PGP SIGNATURE—–

iQIzBAABCgAdFiEEpgY7tWAjCaQ8jrvULwmejQBegfQFAlwcKkwACgkQLwmejQBe
gfSnTg/+IxqBpr9Y55FsD9oMezLNa1qnUnnjkNhwG455XJLa8+7MGX26ARpiE9cO
tRIwKIGrbBLFW3YsFqYz1oaIL0TbjhjMQtMaUKpfZ9wYDQnxwdEzpav9QOye24KI
mE+sA4xQUcl0fhjvnpm+k3MoHswmVpXX1H4/z6ftrmGHXqGJAAYjkajEIhSazihn
v27rNAc546hBYCJSPtdU1VnlJedEZceerv15gR8gGrh3bED3BYEIuYYAsddAniTt
EzFskP/zPvhMDPnnK1AMBIKkOkF3gJpDmzuZz2uTGHW8UVlsE4V5OE/mgh3nogS1
O5ciBL/gJQ3RJs5nb5CLF2Z4+LpVmyPfzbpHKNoIFOSsrTXhgByMIaNdRHqZ8xYH
/cnp+hP8k9Gd5VVGX+V/Lg8Le2pWOV5yQxXWKsDKDBKfgQDXxFFsY99yJOqdqg55
hDSPrTRF3+LTu8tKfBxesI3VZyI8Vbl0k7zWIvPeFZyInWQ7unqs7jBFJBPxEx8T
0iqM0QICTuVmIrEaZUOofP7JHtQEiwWJi1EJAputblVnB8EqAWqtJS4T5Hod6lbZ
jGTnOpHwOfqeC9cD0z9sY/xv5KDBiDPmKUGu3HVJX03En9yqq7gw/BIE4t3FID0z
PeKp5tqLj4w3Jw+SZz5j09UIIpUhJr6OR+1jzSR7BN0MsFFTUMA=
=XMli
—–END PGP SIGNATURE—–

ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

==========================================================================
Ubuntu Security Notice USN-3849-1
December 20, 2018

linux vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
– linux: Linux kernel

Details:

It was discovered that a NULL pointer dereference existed in the keyring
subsystem of the Linux kernel. A local attacker could use this to cause a
denial of service (system crash). (CVE-2017-2647)

It was discovered that a race condition existed in the raw MIDI driver for
the Linux kernel, leading to a double free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the
POSIX timers implementation in the Linux kernel. A local attacker could use
this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the
Infiniband implementation in the Linux kernel. An attacker could use this
to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did
not properly restrict user space reads or writes. A physically proximate
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2018-16276)

Tetsuo Handa discovered a logic error in the TTY subsystem of the Linux
kernel. A local attacker with access to pseudo terminal devices could use
this to cause a denial of service. (CVE-2018-18386)

Kanda Motohiro discovered that writing extended attributes to an XFS file
system in the Linux kernel in certain situations could cause an error
condition to occur. A local attacker could use this to cause a denial of
service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the
CDROM driver of the Linux kernel. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2018-18710)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
linux-image-3.13.0-164-generic 3.13.0-164.214
linux-image-3.13.0-164-generic-lpae 3.13.0-164.214
linux-image-3.13.0-164-lowlatency 3.13.0-164.214
linux-image-3.13.0-164-powerpc-e500 3.13.0-164.214
linux-image-3.13.0-164-powerpc-e500mc 3.13.0-164.214
linux-image-3.13.0-164-powerpc-smp 3.13.0-164.214
linux-image-3.13.0-164-powerpc64-emb 3.13.0-164.214
linux-image-3.13.0-164-powerpc64-smp 3.13.0-164.214
linux-image-generic 3.13.0.164.174
linux-image-generic-lpae 3.13.0.164.174
linux-image-lowlatency 3.13.0.164.174
linux-image-powerpc-e500 3.13.0.164.174
linux-image-powerpc-e500mc 3.13.0.164.174
linux-image-powerpc-smp 3.13.0.164.174
linux-image-powerpc64-emb 3.13.0.164.174
linux-image-powerpc64-smp 3.13.0.164.174

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3849-1
CVE-2017-2647, CVE-2018-10902, CVE-2018-12896, CVE-2018-14734,
CVE-2018-16276, CVE-2018-18386, CVE-2018-18690, CVE-2018-18710

Package Information:
https://launchpad.net/ubuntu/+source/linux/3.13.0-164.214

—–BEGIN PGP SIGNATURE—–

iQIzBAABCgAdFiEEpgY7tWAjCaQ8jrvULwmejQBegfQFAlwcKkEACgkQLwmejQBe
gfTB1w//YP1UBwNzpbq+i4auct+dI6ZW4aDp6rp4fv4+HfNGtw6jtH67y/8/UeOe
oKOLIYQbl3envXDpaWtsFHM4gCmwSwQy+S5A0SjDybRGhAw6C7QuIVKtvUu/7KB2
qscEIxejB4tVI28GSf43eN7dsOByCJJj0dC6QAkLdzr0IuKskwmZazjJKieFNTYG
PDNKouHcns6oWdOF8nnEWHN2l0iaj4eU25aUZ2LbEHnQV+BdfdOwPsElVx2ldVzJ
+3NrEfP3lAfHXYXMp9Z0ZE0BRZedKhluhCacPXUBz/u7rm6t/t3+2TbYh+b+eK2H
KO2f323KNGxUfQD03Q1aFZlsS6yQL59zxqGY7+gS0s8D4C1xHW2cMp+Mq8InU7ZH
dD7217mb0aCqkd3ixQOPMstR7v7weGADpMy5v+XuoZTc0oVevGRC+gQ0gRW+mAFG
dO3BrVXa4ilk4ExaqjuVz9L7Dv3rd/ZuaR9I4N0HEGAaNE4TKoH7+kEq13tpY4g+
YGM58dvj8hubT8dLzJrcl7bFYjUMlTcsrrENp2eXk0MR6bAZ3+L+pQ3EOnJR24Pq
F/THCQGg6GzIAAqSmpuYrhg+eZ3nGYocOeMDBQrReYcOId0x5wfYNVgzNmZDPodP
kdaEyK/sC+a7GL/4YSaUvFUkRGc+Px4XjtoZmvi31Hc9WyKu9uw=
=/GQD
—–END PGP SIGNATURE—–

ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

==========================================================================
Ubuntu Security Notice USN-3847-2
December 20, 2018

linux-hwe, linux-aws-hwe, linux-azure, linux-gcp vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
– linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems
– linux-azure: Linux kernel for Microsoft Azure Cloud systems
– linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
– linux-hwe: Linux hardware enablement (HWE) kernel

Details:

USN-3847-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu
16.04 LTS.

It was discovered that a race condition existed in the raw MIDI driver for
the Linux kernel, leading to a double free vulnerability. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the
POSIX timers implementation in the Linux kernel. A local attacker could use
this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the
Infiniband implementation in the Linux kernel. An attacker could use this
to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did
not properly restrict user space reads or writes. A physically proximate
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2018-16276)

It was discovered that the BPF verifier in the Linux kernel did not
correctly compute numeric bounds in some situations. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2018-18445)

Kanda Motohiro discovered that writing extended attributes to an XFS file
system in the Linux kernel in certain situations could cause an error
condition to occur. A local attacker could use this to cause a denial of
service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the
CDROM driver of the Linux kernel. A local attacker could use this to expose
sensitive information (kernel memory). (CVE-2018-18710)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.15.0-1026-gcp 4.15.0-1026.27~16.04.1
linux-image-4.15.0-1031-aws 4.15.0-1031.33~16.04.1
linux-image-4.15.0-1036-azure 4.15.0-1036.38~16.04.1
linux-image-4.15.0-43-generic 4.15.0-43.46~16.04.1
linux-image-4.15.0-43-generic-lpae 4.15.0-43.46~16.04.1
linux-image-4.15.0-43-lowlatency 4.15.0-43.46~16.04.1
linux-image-aws-hwe 4.15.0.1031.32
linux-image-azure 4.15.0.1036.41
linux-image-gcp 4.15.0.1026.40
linux-image-generic-hwe-16.04 4.15.0.43.64
linux-image-generic-lpae-hwe-16.04 4.15.0.43.64
linux-image-gke 4.15.0.1026.40
linux-image-lowlatency-hwe-16.04 4.15.0.43.64

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3847-2
https://usn.ubuntu.com/usn/usn-3847-1
CVE-2018-10902, CVE-2018-12896, CVE-2018-14734, CVE-2018-16276,
CVE-2018-18445, CVE-2018-18690, CVE-2018-18710

Package Information:
https://launchpad.net/ubuntu/+source/linux-aws-hwe/4.15.0-1031.33~16.04.1
https://launchpad.net/ubuntu/+source/linux-azure/4.15.0-1036.38~16.04.1
https://launchpad.net/ubuntu/+source/linux-gcp/4.15.0-1026.27~16.04.1
https://launchpad.net/ubuntu/+source/linux-hwe/4.15.0-43.46~16.04.1

—–BEGIN PGP SIGNATURE—–

iQIzBAABCgAdFiEEpgY7tWAjCaQ8jrvULwmejQBegfQFAlwcKgcACgkQLwmejQBe
gfS/JxAAojk+cNpNcpBzbHzs6VJ8XUultYVyTNWvAcSVpVeaExjFAGcJ/SvjjK67
YpklzOT/I8F2p63ypo++XVBE+E24lNLzjtMjhXi674HxMZXAHRZVPKdtXZUH//ix
bXH6meCRPjLzucWt19J2SZ5OoT47576hfQ05eIrCTs7aevGb0q0H0xNSeUuovLcK
U4aeYKLc6JO9yO5vBwyZU7/K+npQz+9Wuagk2vOA0wN9wGnTysfXZ6WtJ8lkvpbm
/Hckc4zGlcLewx2ChF9aKycpB97NUGAqvewwWddYMJ+Moq5JEspG4PgenxGZX3nI
MSaTTeFuAbFwSw/jOIETGNBZAqnrJEHRBg8VBLnGFU9sK6jzQrzr2ymuQKlzqjs3
ircQr594jJdoJ0gFLi3Tas1wFRm9FcS7qz9mwGtd6K2UYbooam45kG6JJhTw2O7w
0cJuFvHI4iIj6mGedZ8P8hoxnSQybLqPVttWaNqI/DGL8xc8Nj6uVNJV4uHqRGzy
g5hnUii3Ba3it3FQVrO9t3yh+mC++0qofnxi8B/Y9XJFeAfp/SseOG30UvPGDk3h
QzJbsw2k3kkbHqF6JRWo5vrQebnPkHJZ2bcSfKowFxOeRTPTXMhBs0uFyKV9/La9
t5PJxp52hV2xQp1c20ZFAzSFYqLV+l0VHGbnNg/LsJPO1kYky7w=
=vpn0
—–END PGP SIGNATURE—–

Top
More in Preporuke
Sigurnosni nedostatak programskog paketa netatalk

Otkriven je sigurnosni nedostatak u programskom paketu netatalk za operacijski sustav Debian. Otkriveni nedostatak potencijalnim napadačima omogućuje izvršavanje proizvoljnog programskog...

Close