A total of five issues affect Ubuntu 14.04, 16.04, and 17.04

Oct 11, 2017 19:57 GMT  ·  By

Canonical released new kernel updates for all supported Ubuntu Linux releases, including Ubuntu 14.04 LTS (Trusty Tahr), Ubuntu 16.04 LTS (Xenial Xerus), and Ubuntu 17.04 (Zesty Zapus), fixing a total of five security vulnerabilities.

Affecting all three Ubuntu releases, as well as all official derivatives, such as Kubuntu, Xubuntu, Lubuntu, Ubuntu MATE, etc., a divide-by-zero error (CVE-2017-14106) was discovered by Andrey Konovalov in Linux kernel's TCP stack implementation, allowing a local attacker to crash the system by causing a denial of service.

Affecting Ubuntu 14.04 LTS systems and derivaties, as well as Ubuntu 12.04.5 ESM (Extended Security Maintenance) machines, a buffer overflow (CVE-2016-8633) was discovered by Eyal Itkin in Linux kernel's IP over IEEE 1394 (FireWire) implementation when handling fragmented packets.

The security vulnerability is important and known to allow a remote attacker to gain administrative privileges by executing arbitrary code. Ubuntu users running Ubuntu 14.04 LTS with the linux-image-3.13.0 kernel are urged to update to linux-image 3.13.0.133.142 or 3.13.0-133.182, depending on the architecture used.

Canonical urges all Ubuntu users to update immediately

Two security issues affect Ubuntu 16.04 LTS systems and derivatives, as well as Ubuntu 14.04.5 LTS machines running the Xenial HWE (Hardware Enablement) kernel. The first (CVE-2017-14140) was discovered by Otto Ebeling in Linux kernel's memory manager and allowed a local attacker to expose sensitive information.

The second security issue (CVE-2017-12134) was discovered by Jan H. Schönherr in the Xen subsystem, which incorrectly handled block IO merges, allowing an attacker in a guest vm to crash the vulnerable, unpatched host by causing a denial of service or gain administrative privileges in the respective host.

Lastly, the fifth security issue (CVE-2017-1000255) affects only Ubuntu 17.04 systems and derivaties, as the Linux kernel incorrectly sanitized the signal stack when handling the sigreturn() function on the PowerPC architectures, which could allow a local attacker to crash the vulnerable system via a DoS (Denial of Service) attack or execute arbitrary code.

Canonical urges all Ubuntu users to update their systems immediately to the new kernel versions that are already available in the main repositories. To update your system, simply run the "sudo apt update && sudo apt dist-upgrade" command in the Terminal app or use the Software Updater tool. For more details, please follow the instructions at https://wiki.ubuntu.com/Security/Upgrades.