14 DAY TRIAL // On November 30, 2016, after publishing new kernel updates for all of its supported Ubuntu Linux releases, Canonical, through Luis Henriques, announced the availability of the second kernel live patch security update to Ubuntu 16.04 LTS.
If you're using the Canonical Livepatch Service on your 64-bit Ubuntu 16.04 LTS (Xenial Xerus) machine, you can now download the kernel packages using this rebootless technology. The latest update patches a total of four kernel vulnerabilities discovered recently by various hackers and security researchers.
The first security issue, CVE-2016-7042, was discovered by Ondrej Kozina in Linux kernel's keyring interface as a buffer overflow that could appear when displaying timeout events via the /proc/keys interface, allowing a local attacker to crash the affected system.
The second vulnerability, documented as CVE-2016-7117, was a use-after-free discovered by Dmitry Vyukov in Linux kernel's recvmmsg implementation during error processing, which could have allowed a remote attacker to crash the system or execute arbitrary code.
The third security flaw, CVE-2016-7425, was discovered by Marco Grassi in Linux kernel's driver for Areca RAID Controllers, which didn't correctly validate control messages, thus allowing a local attacker to either gain administrative privileges or crash the vulnerable system.
The last security issue (CVE-2016-8658) patched in this update was a stack-based buffer overflow discovered by Daxing Guo in Linux kernel's Broadcom IEEE802.11n FullMAC driver, which could have allowed a local attacker to cause a denial of service or gain administrative privileges.
Ubuntu 16.04 LTS users with Canonical Livepatch Service need to update now
Canonical recommends all Ubuntu 16.04 LTS (Xenial Xerus) users using the Canonical Livepatch Service to update their systems as soon as possible. The security problems mentioned above can be patched by updating your livepatches to the 4.4.0-21.37 kernel version, which is available in generic and lowlatency variants.
Of course, there's no need to reboot your system after applying the new kernel updates, but it looks like Canonical suggests that users can also install an updated kernel patched against these vulnerabilities through the standard APT-based update method and reboot at their convenience.