This update patches a total of six vulnerabilities

May 17, 2017 18:31 GMT  ·  By

Canonical has released what appears to be the first security patch for the kernel packages of the recently released Ubuntu 17.04 (Zesty Zapus) operating system, addressing a total of six vulnerabilities discovered by various developers.

Announced a month ago, on April 13, 2017, Ubuntu 17.04 shipped with a kernel from the Linux 4.10 series, which is still maintained upstream and receives weekly patches that fix bugs and security issues, update drivers, and add new functionality. Now the time has come for Ubuntu 17.04 users to update their kernels.

According to Ubuntu Security Notice USN-3293-1, multiple security issues affect the linux-generic (including lpae), linux-lowlatency, and linux-raspi2 kernel packages of Ubuntu 17.04 and its official derivatives that use the same kernels, such as Kubuntu, Lubuntu, Xubuntu, Ubuntu MATE, Ubuntu GNOME, etc.

Users are urged to update their systems immediately

The first kernel vulnerability patched (CVE-2017-2596) was discovered by Dmitry Vyukov in the Linux kernel's KVM implementation, which incorrectly emulated the VMXON instruction, allowing a local attacker in a guest OS to cause a denial of service (memory consumption) in the host OS.

Also discovered by Dmitry Vyukov, the second security issue (CVE-2017-7187) is a stack-based buffer overflow in the Linux kernel's generic SCSI (sg) subsystem, which could allow a local attacker with access to an sg device to crash the system (denial of service) or execute arbitrary code.

Discovered by Li Qiang, the third security flaw (CVE-2017-7294) is an integer overflow vulnerability in the Linux kernel's Direct Rendering Manager (DRM) driver for VMware devices, which could allow a local attacker to crash the affected system (denial of service) or execute arbitrary code.

The fourth security issue (CVE-2017-7477) is a heap overflow discovered by Jason Donenfeld in the Linux kernel's MACsec module, which lets an attacker either execute arbitrary code or cause a denial of service, crashing the vulnerable, unpatched system.

Another security issue (CVE-2017-7261) was discovered in the Linux kernel's Direct Rendering Manager (DRM) driver for VMware devices: a NULL pointer dereference that could allow a local attacker to crash the affected system (denial of service).

Lastly, an information leak (CVE-2017-7616) was discovered in the Linux kernel's mbind compat and set_mempolicy syscalls, which lets a local attacker expose sensitive information from kernel memory. Therefore, all Ubuntu 17.04 (Zesty Zapus) users are urged to update their systems as soon as possible.

To update, simply launch the Software Updater utility or the Terminal app, download and install all available updates, and then reboot your computer. The patched kernel versions are linux-image-generic 4.10.0.21.23 for 64-bit and 32-bit systems and linux-image-raspi2 4.10.0.1005.7 for Raspberry Pi 2 devices.
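As an added post-update check (not part of the article or of Canonical's tooling), the script below compares an installed kernel metapackage version against the fixed versions the article lists, 4.10.0.21.23 for linux-image-generic and 4.10.0.1005.7 for linux-image-raspi2. The dpkg-query lookup and the pure-shell dotted-version comparison are assumptions on my part; on a real system, `dpkg --compare-versions` is the authoritative comparison.

```shell
#!/bin/sh
# Fixed metapackage versions as stated in the article for USN-3293-1.
FIXED_GENERIC="4.10.0.21.23"
FIXED_RASPI2="4.10.0.1005.7"

# version_ge A B: exit 0 if dotted numeric version A >= B, else 1.
# Assumption: only purely numeric dotted versions (no "~" or "-" suffixes).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}             # leading field of each
        if [ "$a" = "$ah" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bh" ]; then b=''; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}             # missing field counts as 0
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# kernel_status PKG VERSION: prints "patched" (exit 0) or "vulnerable"
# (exit 1) for the two metapackages whose fixed versions the article gives.
kernel_status() {
    case "$1" in
        linux-image-generic) fixed=$FIXED_GENERIC ;;
        linux-image-raspi2)  fixed=$FIXED_RASPI2 ;;
        *) echo "unknown"; return 2 ;;
    esac
    if version_ge "$2" "$fixed"; then echo "patched"; return 0; fi
    echo "vulnerable"; return 1
}

# installed_version PKG: installed version from dpkg, empty if not installed.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null
}

# Report on a real Ubuntu host; silently skipped where dpkg is absent.
if command -v dpkg-query >/dev/null 2>&1; then
    for pkg in linux-image-generic linux-image-raspi2; do
        v=$(installed_version "$pkg" || true)
        if [ -n "$v" ]; then
            echo "$pkg $v: $(kernel_status "$pkg" "$v" || true)"
        fi
    done
fi
```

Remember that a "patched" result only means the fixed package is installed; the running kernel is not replaced until the system is rebooted.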

Canonical also released new kernel security updates for all other supported Ubuntu releases, including Ubuntu 16.10, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS. More details on how to update your Ubuntu operating system are provided by Canonical at https://wiki.ubuntu.com/Security/Upgrades.