The following updates have been released for Ubuntu Linux:
LSN-0039-1: Linux kernel vulnerability
USN-3661-1: Batik vulnerability
USN-3662-1: NVIDIA graphics drivers vulnerabilities
LSN-0039-1: Linux kernel vulnerability
==========================================================================
Kernel Live Patch Security Notice LSN-0039-1
May 25, 2018
linux vulnerability
==========================================================================
A security issue affects these releases of Ubuntu:
| Series | Base kernel | Arch | flavors |
|------------------+--------------+----------+------------------|
| Ubuntu 14.04 LTS | 4.4.0 | amd64 | generic |
| Ubuntu 14.04 LTS | 4.4.0 | amd64 | lowlatency |
| Ubuntu 16.04 LTS | 4.4.0 | amd64 | generic |
| Ubuntu 16.04 LTS | 4.4.0 | amd64 | lowlatency |
| Ubuntu 18.04 LTS | 4.15.0 | amd64 | generic |
| Ubuntu 18.04 LTS | 4.15.0 | amd64 | lowlatency |
Summary:
Several security issues were fixed in the kernel.
Software Description:
- linux: Linux kernel
Details:
Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF)
implementation in the Linux kernel contained a branch-pruning logic issue
around unreachable code. A local attacker could use this to cause a denial
of service. (CVE-2017-17862)
The ext4_iget function in fs/ext4/inode.c in the Linux kernel through
4.15.15 mishandles the case of a root directory with a zero i_links_count,
which allows attackers to cause a denial of service
(ext4_process_freed_data NULL pointer dereference and OOPS) via a crafted
ext4 image. (CVE-2018-1092)
The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux
kernel through 4.15.15 allows attackers to cause a denial of service
(out-of-bounds read and system crash) via a crafted ext4 image because
balloc.c and ialloc.c do not validate bitmap block numbers. (CVE-2018-1093)
A memory leak in the hwsim_new_radio_nl function in
drivers/net/wireless/mac80211_hwsim.c in the Linux kernel through 4.15.9
allows local users to cause a denial of service (memory consumption) by
triggering an out-of-array error case. (CVE-2018-8087)
Luo Quan and Wei Yang discovered that a race condition existed in the
Advanced Linux Sound Architecture (ALSA) subsystem of the Linux kernel when
handling ioctl()s. A local attacker could use this to cause a denial of
service (system deadlock). (CVE-2018-1000004)
Update instructions:
The problem can be corrected by updating your livepatches to the following
versions:
| Kernel | Version | flavors |
|---------------------------+----------+--------------------------|
| 4.4.0-124.148 | 39.1 | generic, lowlatency |
| lts-4.4.0-124.148~14.04.1 | 39.1 | generic, lowlatency |
| 4.15.0-20.21 | 39.3 | generic, lowlatency |
Additionally, you should install an updated kernel with these fixes and
reboot at your convenience.
References:
CVE-2017-17862, CVE-2018-1092, CVE-2018-1093, CVE-2018-8087, CVE-2018-1000004
USN-3661-1: Batik vulnerability
==========================================================================
Ubuntu Security Notice USN-3661-1
May 29, 2018
batik vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
Summary:
Batik could be made to expose sensitive information if it received
a specially crafted XML.
Software Description:
- batik: SVG Library
Details:
It was discovered that Batik incorrectly handled certain XML.
An attacker could possibly use this to expose sensitive information.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
libbatik-java 1.7.ubuntu-8ubuntu2.14.04.3
In general, a standard system update will make all the necessary
changes.
References:
https://usn.ubuntu.com/usn/usn-3661-1
CVE-2018-8013
Package Information:
https://launchpad.net/ubuntu/+source/batik/1.7.ubuntu-8ubuntu2.14.04.3
USN-3662-1: NVIDIA graphics drivers vulnerabilities
==========================================================================
Ubuntu Security Notice USN-3662-1
May 29, 2018
nvidia-graphics-drivers-384 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 17.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
NVIDIA graphics drivers could be made to crash or run programs as an
administrator.
Software Description:
- nvidia-graphics-drivers-384: NVIDIA binary X.Org driver
Details:
It was discovered that the NVIDIA graphics drivers contained flaws in the
kernel mode layer. A local attacker could use these issues to cause a
denial of service or potentially escalate their privileges on the system.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 17.10:
nvidia-384 384.130-0ubuntu0.17.10.1
Ubuntu 16.04 LTS:
nvidia-384 384.130-0ubuntu0.16.04.1
Ubuntu 14.04 LTS:
nvidia-384 384.130-0ubuntu0.14.04.1
After a standard system update you need to reboot your computer to make
all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3662-1
CVE-2018-6249, CVE-2018-6253
Package Information:
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-384/384.130-0ubuntu0.17.10.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-384/384.130-0ubuntu0.16.04.1
https://launchpad.net/ubuntu/+source/nvidia-graphics-drivers-384/384.130-0ubuntu0.14.04.1