systemd-resolved could be made to crash or run programs

Jun 28, 2017 22:35 GMT

Canonical informs Ubuntu users that it updated the systemd packages in the Ubuntu 16.10 (Yakkety Yak) and Ubuntu 17.04 (Zesty Zapus) operating systems to patch a recently discovered security issue.

The new systemd vulnerability (CVE-2017-9445) affects the systemd-resolved component. By using a specially crafted DNS response, a remote attacker could crash the systemd daemon, causing a denial of service, or run malicious programs on vulnerable, unpatched machines.

"In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," reads Canonical's security advisory.

Users urged to update their systems immediately

In the security report, Canonical says that the systemd vulnerability affects Ubuntu 16.10 and Ubuntu 17.04 releases, as well as all of its official derivatives, including but not limited to Kubuntu, Lubuntu, Xubuntu, Ubuntu MATE, Ubuntu GNOME, Ubuntu Kylin, Ubuntu Studio, Ubuntu Server, and Ubuntu Cloud.

To patch the security flaw, Canonical recommends that users update their systems immediately to the new systemd versions, which are already available for installation in the stable repositories. Ubuntu 17.04 users need to update to systemd 232-21ubuntu5 and Ubuntu 16.10 users to systemd 231-9ubuntu5.

Detailed instructions on how to update your Ubuntu system are provided by Canonical at https://wiki.ubuntu.com/Security/Upgrades. We always recommend that our readers keep their devices and computers up to date at all times by running a full system update at least once a day. This issue doesn't affect other supported Ubuntu releases, such as Ubuntu 16.04 LTS (Xenial Xerus) or Ubuntu 14.04 LTS (Trusty Tahr).
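To audit a fleet against the fixed versions named above, the following added example (not Canonical's code) compares an installed systemd package version with the fix for its release using Debian version ordering. The function names are hypothetical, the codenames `zesty` and `yakkety` stand for Ubuntu 17.04 and 16.10, and the sample inventory is constructed.

```python
import re

# Fixed systemd versions per Ubuntu codename, taken from the article.
FIXED = {"zesty": "232-21ubuntu5", "yakkety": "231-9ubuntu5"}

def _order(c):
    # dpkg ordering: '~' < end of string < letters < other characters
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, left to right.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            oa, ob = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_cmp(x, y):
    # Returns -1, 0 or 1 following Debian [epoch:]upstream[-revision] ordering.
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        up, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), up, rev
    ex, ux, rx = split(x)
    ey, uy, ry = split(y)
    if ex != ey:
        return -1 if ex < ey else 1
    return _cmp_part(ux, uy) or _cmp_part(rx, ry)

def is_patched(codename, installed):
    # True: at or above the fix. False: older. None: release not listed as affected.
    fixed = FIXED.get(codename)
    return None if fixed is None else deb_cmp(installed, fixed) >= 0

if __name__ == "__main__":
    # Constructed sample inventory: (host, `lsb_release -cs`, installed systemd version)
    for host, rel, ver in [("web1", "zesty", "232-21ubuntu3"), ("db1", "yakkety", "231-9ubuntu5"), ("old1", "xenial", "229-4ubuntu17")]:
        print(host, rel, ver, {True: "patched", False: "VULNERABLE", None: "not listed"}[is_patched(rel, ver)])
```

On a real host the two inputs come from `lsb_release -cs` and `dpkg-query -W -f='${Version}' systemd`.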