
Security vulnerabilities in the kernel

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LUB

==========================================================================
Ubuntu Security Notice USN-3630-1
April 23, 2018

linux, linux-raspi2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 17.10

Summary:

The system could be made to crash under certain conditions.

Software Description:
– linux: Linux kernel
– linux-raspi2: Linux kernel for Raspberry Pi 2

Details:

It was discovered that the Broadcom UniMAC MDIO bus controller driver in
the Linux kernel did not properly validate device resources. A local
attacker could use this to cause a denial of service (system crash).

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
linux-image-4.13.0-1017-raspi2 4.13.0-1017.18
linux-image-4.13.0-39-generic 4.13.0-39.44
linux-image-4.13.0-39-generic-lpae 4.13.0-39.44
linux-image-4.13.0-39-lowlatency 4.13.0-39.44
linux-image-generic 4.13.0.39.42
linux-image-generic-lpae 4.13.0.39.42
linux-image-lowlatency 4.13.0.39.42
linux-image-raspi2 4.13.0.1017.15

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3630-1
CVE-2018-8043

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.13.0-39.44
https://launchpad.net/ubuntu/+source/linux-raspi2/4.13.0-1017.18


ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

==========================================================================
Ubuntu Security Notice USN-3630-2
April 24, 2018

linux-hwe, linux-gcp, linux-oem vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 16.04 LTS

Summary:

The system could be made to crash under certain conditions.

Software Description:
– linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems
– linux-hwe: Linux hardware enablement (HWE) kernel
– linux-oem: Linux kernel for OEM processors

Details:

USN-3630-1 fixed a vulnerability in the Linux kernel for Ubuntu 17.10.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS.

It was discovered that the Broadcom UniMAC MDIO bus controller driver in
the Linux kernel did not properly validate device resources. A local
attacker could use this to cause a denial of service (system crash).

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.13.0-1013-gcp 4.13.0-1013.17
linux-image-4.13.0-1024-oem 4.13.0-1024.27
linux-image-4.13.0-39-generic 4.13.0-39.44~16.04.1
linux-image-4.13.0-39-generic-lpae 4.13.0-39.44~16.04.1
linux-image-4.13.0-39-lowlatency 4.13.0-39.44~16.04.1
linux-image-gcp 4.13.0.1013.15
linux-image-generic-hwe-16.04 4.13.0.39.58
linux-image-generic-lpae-hwe-16.04 4.13.0.39.58
linux-image-gke 4.13.0.1013.15
linux-image-lowlatency-hwe-16.04 4.13.0.39.58
linux-image-oem 4.13.0.1024.28

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3630-2
https://usn.ubuntu.com/usn/usn-3630-1
CVE-2018-8043

Package Information:
https://launchpad.net/ubuntu/+source/linux-gcp/4.13.0-1013.17
https://launchpad.net/ubuntu/+source/linux-hwe/4.13.0-39.44~16.04.1
https://launchpad.net/ubuntu/+source/linux-oem/4.13.0-1024.27


==========================================================================
Ubuntu Security Notice USN-3631-1
April 24, 2018

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
– linux: Linux kernel
– linux-aws: Linux kernel for Amazon Web Services (AWS) systems
– linux-kvm: Linux kernel for cloud environments
– linux-raspi2: Linux kernel for Raspberry Pi 2
– linux-snapdragon: Linux kernel for Snapdragon processors

Details:

It was discovered that a buffer overread vulnerability existed in the
keyring subsystem of the Linux kernel. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2017-13305)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel did
not properly handle device attachment and warm-start. A physically
proximate attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2017-16538)

Luo Quan and Wei Yang discovered that a race condition existed in the
Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel when
handling ioctl()s. A local attacker could use this to cause a denial of
service (system deadlock). (CVE-2018-1000004)

Wang Qize discovered that an information disclosure vulnerability existed
in the SMBus driver for ACPI Embedded Controllers in the Linux kernel. A
local attacker could use this to expose sensitive information (kernel
pointer addresses). (CVE-2018-5750)

范龙飞 discovered that a race condition existed in the Advanced Linux
Sound Architecture (ALSA) subsystem of the Linux kernel that could lead to
a use-after-free or an out-of-bounds buffer access. A local attacker with
access to /dev/snd/seq could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2018-7566)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.4.0-1021-kvm 4.4.0-1021.26
linux-image-4.4.0-1055-aws 4.4.0-1055.64
linux-image-4.4.0-1087-raspi2 4.4.0-1087.95
linux-image-4.4.0-1090-snapdragon 4.4.0-1090.95
linux-image-4.4.0-121-generic 4.4.0-121.145
linux-image-4.4.0-121-generic-lpae 4.4.0-121.145
linux-image-4.4.0-121-lowlatency 4.4.0-121.145
linux-image-4.4.0-121-powerpc-e500mc 4.4.0-121.145
linux-image-4.4.0-121-powerpc-smp 4.4.0-121.145
linux-image-4.4.0-121-powerpc64-emb 4.4.0-121.145
linux-image-4.4.0-121-powerpc64-smp 4.4.0-121.145
linux-image-aws 4.4.0.1055.57
linux-image-generic 4.4.0.121.127
linux-image-generic-lpae 4.4.0.121.127
linux-image-kvm 4.4.0.1021.20
linux-image-lowlatency 4.4.0.121.127
linux-image-powerpc-e500mc 4.4.0.121.127
linux-image-powerpc-smp 4.4.0.121.127
linux-image-powerpc64-emb 4.4.0.121.127
linux-image-powerpc64-smp 4.4.0.121.127
linux-image-raspi2 4.4.0.1087.87
linux-image-snapdragon 4.4.0.1090.82

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3631-1
CVE-2017-13305, CVE-2017-16538, CVE-2018-1000004, CVE-2018-5750,
CVE-2018-7566

Package Information:
https://launchpad.net/ubuntu/+source/linux/4.4.0-121.145
https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1055.64
https://launchpad.net/ubuntu/+source/linux-kvm/4.4.0-1021.26
https://launchpad.net/ubuntu/+source/linux-raspi2/4.4.0-1087.95
https://launchpad.net/ubuntu/+source/linux-snapdragon/4.4.0-1090.95


==========================================================================
Ubuntu Security Notice USN-3631-2
April 24, 2018

linux-lts-xenial, linux-aws vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
– linux-aws: Linux kernel for Amazon Web Services (AWS) systems
– linux-lts-xenial: Linux hardware enablement kernel from Xenial for Trusty

Details:

USN-3631-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

It was discovered that a buffer overread vulnerability existed in the
keyring subsystem of the Linux kernel. A local attacker could possibly use
this to expose sensitive information (kernel memory). (CVE-2017-13305)

It was discovered that the DM04/QQBOX USB driver in the Linux kernel did
not properly handle device attachment and warm-start. A physically
proximate attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2017-16538)

Luo Quan and Wei Yang discovered that a race condition existed in the
Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel when
handling ioctl()s. A local attacker could use this to cause a denial of
service (system deadlock). (CVE-2018-1000004)

Wang Qize discovered that an information disclosure vulnerability existed
in the SMBus driver for ACPI Embedded Controllers in the Linux kernel. A
local attacker could use this to expose sensitive information (kernel
pointer addresses). (CVE-2018-5750)

范龙飞 discovered that a race condition existed in the Advanced Linux
Sound Architecture (ALSA) subsystem of the Linux kernel that could lead to
a use-after-free or an out-of-bounds buffer access. A local attacker with
access to /dev/snd/seq could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2018-7566)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
linux-image-4.4.0-1017-aws 4.4.0-1017.17
linux-image-4.4.0-121-generic 4.4.0-121.145~14.04.1
linux-image-4.4.0-121-generic-lpae 4.4.0-121.145~14.04.1
linux-image-4.4.0-121-lowlatency 4.4.0-121.145~14.04.1
linux-image-4.4.0-121-powerpc-e500mc 4.4.0-121.145~14.04.1
linux-image-4.4.0-121-powerpc-smp 4.4.0-121.145~14.04.1
linux-image-4.4.0-121-powerpc64-emb 4.4.0-121.145~14.04.1
linux-image-4.4.0-121-powerpc64-smp 4.4.0-121.145~14.04.1
linux-image-aws 4.4.0.1017.17
linux-image-generic-lpae-lts-xenial 4.4.0.121.102
linux-image-generic-lts-xenial 4.4.0.121.102
linux-image-lowlatency-lts-xenial 4.4.0.121.102
linux-image-powerpc-e500mc-lts-xenial 4.4.0.121.102
linux-image-powerpc-smp-lts-xenial 4.4.0.121.102
linux-image-powerpc64-emb-lts-xenial 4.4.0.121.102
linux-image-powerpc64-smp-lts-xenial 4.4.0.121.102

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3631-2
https://usn.ubuntu.com/usn/usn-3631-1
CVE-2017-13305, CVE-2017-16538, CVE-2018-1000004, CVE-2018-5750,
CVE-2018-7566

Package Information:
https://launchpad.net/ubuntu/+source/linux-aws/4.4.0-1017.17
https://launchpad.net/ubuntu/+source/linux-lts-xenial/4.4.0-121.145~14.04.1


==========================================================================
Ubuntu Security Notice USN-3632-1
April 24, 2018

linux-azure vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
– linux-azure: Linux kernel for Microsoft Azure Cloud systems

Details:

It was discovered that a race condition leading to a use-after-free
vulnerability existed in the ALSA PCM subsystem of the Linux kernel. A
local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-0861)

It was discovered that the KVM implementation in the Linux kernel allowed
passthrough of the diagnostic I/O port 0x80. An attacker in a guest VM
could use this to cause a denial of service (system crash) in the host OS.
(CVE-2017-1000407)

It was discovered that a use-after-free vulnerability existed in the
network namespaces implementation in the Linux kernel. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2017-15129)

It was discovered that the HugeTLB component of the Linux kernel did not
properly handle holes in hugetlb ranges. A local attacker could use this to
expose sensitive information (kernel memory). (CVE-2017-16994)

It was discovered that the netfilter component of the Linux kernel did not
properly restrict access to the connection tracking helpers list. A local
attacker could use this to bypass intended access restrictions.
(CVE-2017-17448)

It was discovered that the netfilter passive OS fingerprinting (xt_osf)
module did not properly perform access control checks. A local attacker
could improperly modify the system-wide OS fingerprint list.
(CVE-2017-17450)

Dmitry Vyukov discovered that the KVM implementation in the Linux kernel
contained an out-of-bounds read when handling memory-mapped I/O. A local
attacker could use this to expose sensitive information. (CVE-2017-17741)

It was discovered that the Salsa20 encryption algorithm implementations in
the Linux kernel did not properly handle zero-length inputs. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2017-17805)

It was discovered that the HMAC implementation did not validate the state
of the underlying cryptographic hash algorithm. A local attacker could use
this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-17806)

It was discovered that the keyring implementation in the Linux kernel did
not properly check permissions when a key request was performed on a task’s
default keyring. A local attacker could use this to add keys to
unauthorized keyrings. (CVE-2017-17807)

It was discovered that the Broadcom NetXtremeII ethernet driver in the
Linux kernel did not properly validate Generic Segment Offload (GSO) packet
sizes. An attacker could use this to cause a denial of service (interface
unavailability). (CVE-2018-1000026)

It was discovered that the Reliable Datagram Socket (RDS) implementation in
the Linux kernel contained an out-of-bounds write during RDMA page
allocation. An attacker could use this to cause a denial of service (system
crash) or possibly execute arbitrary code. (CVE-2018-5332)

Mohamed Ghannam discovered a null pointer dereference in the RDS (Reliable
Datagram Sockets) protocol implementation of the Linux kernel. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2018-5333)

范龙飞 discovered that a race condition existed in the loop block device
implementation in the Linux kernel. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2018-5344)

It was discovered that the Broadcom UniMAC MDIO bus controller driver in
the Linux kernel did not properly validate device resources. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2018-8043)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.13.0-1014-azure 4.13.0-1014.17
linux-image-azure 4.13.0.1014.16

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3632-1
CVE-2017-0861, CVE-2017-1000407, CVE-2017-15129, CVE-2017-16994,
CVE-2017-17448, CVE-2017-17450, CVE-2017-17741, CVE-2017-17805,
CVE-2017-17806, CVE-2017-17807, CVE-2018-1000026, CVE-2018-5332,
CVE-2018-5333, CVE-2018-5344, CVE-2018-8043

Package Information:
https://launchpad.net/ubuntu/+source/linux-azure/4.13.0-1014.17


==========================================================================
Ubuntu Security Notice USN-3633-1
April 24, 2018

linux-euclid vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 16.04 LTS

Summary:

The system could be made to crash or run programs as an administrator.

Software Description:
– linux-euclid: Linux kernel for Intel Euclid systems

Details:

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation
in the Linux kernel improperly performed sign extension in some situations.
A local attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2017-16995)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
linux-image-4.4.0-9026-euclid 4.4.0-9026.28
linux-image-euclid 4.4.0.9026.27

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References:
https://usn.ubuntu.com/usn/usn-3633-1
CVE-2017-16995

Package Information:
https://launchpad.net/ubuntu/+source/linux-euclid/4.4.0-9026.28


Author: Petar Bertok
CERT ID: NCERT-REF-2018-04-0001-ADV
CVE: CERT-CVE-DUMMY
Source ID: CERT-ORIGID-DUMMY
Product: CERT-DUMMY-PRODUCT
Source: Adobe