It is recommended to update your systems immediately

Feb 22, 2017 23:40 GMT

We reported earlier that Canonical published multiple security advisories to inform Ubuntu users about the availability of new kernel updates that patch several flaws discovered recently by various developers.

We've already told you about the issues that are affecting Ubuntu 16.04 LTS and Ubuntu 16.04.1 LTS (Xenial Xerus) users, so check that article to see how you can update your systems if you're still using the Linux 4.4 LTS kernel. But if you managed to upgrade to Ubuntu 16.04.2 LTS, which uses Ubuntu 16.10 (Yakkety Yak)'s Linux 4.8 kernel, then you need to read the following.

Affecting Ubuntu 16.10 users, a security issue (CVE-2016-9588) discovered by Jim Mattson in the Linux kernel's KVM (Kernel-based Virtual Machine) implementation, which improperly managed #OF and #BP exceptions, could allow a local attacker in a guest VM to crash the guest operating system, causing a denial of service.

Also affecting Ubuntu 16.10, including Raspberry Pi 2 users, there's a Linux kernel vulnerability (CVE-2016-10088) discovered in the generic SCSI block layer, which incorrectly restricted write operations, allowing a local attacker to either gain root access or crash the vulnerable system by causing a denial of service.

Two use-after-free vulnerabilities (CVE-2016-7910 and CVE-2016-7911), the second discovered by Dmitry Vyukov, in the Linux kernel's block device layer and sys_ioprio_get() function affect Ubuntu 12.04 LTS (Precise Pangolin), including OMAP4, and Ubuntu 14.04 LTS (Trusty Tahr) users, and could allow a local attacker to either gain root access or crash the affected system by causing a denial of service.

The last one is also a use-after-free vulnerability (CVE-2017-6074), but it affects all three versions, namely Ubuntu 16.10, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. It was discovered by Andrey Konovalov in the Linux kernel's DCCP (Datagram Congestion Control Protocol) implementation and could allow a local attacker to either crash the vulnerable system by causing a denial of service or gain root access.

Update your systems as soon as possible

Canonical recommends that all Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 16.10 users update the kernel packages on all of their systems as soon as possible. The new kernel versions are linux-image-3.2.0-123-generic 3.2.0-123.166 for Ubuntu 12.04 LTS, linux-image-3.13.0-110-generic 3.13.0-110.157 for Ubuntu 14.04 LTS, or linux-image-4.4.0-64-generic 4.4.0-64.85~14.04.1 if you're using Ubuntu 14.04.5 LTS.

Ubuntu 16.10 users need to update their kernel packages to linux-image-4.8.0-39-generic 4.8.0-39.42 or linux-image-4.8.0-1026-raspi2 4.8.0-1026.29 if they are using Ubuntu 16.10 for Raspberry Pi 2. To update, simply run the Software Update tool and apply all available updates, then reboot your PC. More details are provided by Canonical at https://wiki.ubuntu.com/Security/Upgrades.

A Yakkety HWE kernel for Ubuntu 16.04.2 LTS users is yet to be released.
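To confirm a machine has actually picked up one of the fixed kernels listed above, and is running it after the reboot, a check along these lines can be used. This is an added example, not part of Canonical's advisory; the function names are hypothetical, and the version comparison is a simplified stand-in for `dpkg --compare-versions`.

```sh
# Fixed linux-image package versions, as listed in the article above.
fixed_version() {   # $1=release  $2=kernel series  $3=flavour
    case "$1:$2:$3" in
        12.04:3.2.0:generic)  echo "3.2.0-123.166" ;;
        14.04:3.13.0:generic) echo "3.13.0-110.157" ;;
        14.04:4.4.0:generic)  echo "4.4.0-64.85~14.04.1" ;;   # Ubuntu 14.04.5 LTS
        16.10:4.8.0:generic)  echo "4.8.0-39.42" ;;
        16.10:4.8.0:raspi2)   echo "4.8.0-1026.29" ;;
    esac
}

# Exit 0 if version $1 is older than $2. Assumption: only the numeric fields
# are compared, which is enough inside one kernel series; on a real Ubuntu
# host `dpkg --compare-versions` is the authoritative comparison.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print "patched", "needs-update" or "not-covered" for an installed
# linux-image package version ($1=release  $2=flavour  $3=package version).
kernel_status() {
    fixed=$(fixed_version "$1" "${3%%-*}" "$2")
    if [ -z "$fixed" ]; then echo "not-covered"; return; fi
    if version_lt "$3" "$fixed"; then echo "needs-update"; else echo "patched"; fi
}

# Same verdict for the running kernel. `uname -r` reports only the ABI
# (e.g. 4.8.0-39-generic), so it is compared with the ABI of the fixed package.
running_status() {  # $1=release  $2=output of `uname -r`
    abi=${2%-*}; flavour=${2##*-}
    fixed=$(fixed_version "$1" "${abi%%-*}" "$flavour")
    if [ -z "$fixed" ]; then echo "not-covered"; return; fi
    rest=${fixed#*-}; fixed_abi="${fixed%%-*}-${rest%%.*}"
    if version_lt "$abi" "$fixed_abi"; then echo "needs-update"; else echo "patched"; fi
}

# Usage on a live system: running_status "$(lsb_release -rs)" "$(uname -r)"
```

A "not-covered" result means the release, kernel series or flavour is not among those listed in this article, which includes Ubuntu 16.04.2 LTS with the Yakkety HWE kernel.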