Ubuntu 19.04, 18.04 LTS, and 16.04 LTS are affected

Sep 3, 2019 10:32 GMT

Canonical released new major Linux kernel security updates for all supported Ubuntu Linux operating systems to address up to 28 security vulnerabilities.

Affecting the Linux 5.0, 4.15, and 4.4 kernels of Ubuntu 19.04 (Disco Dingo), Ubuntu 18.04 LTS (Bionic Beaver), and Ubuntu 16.04 LTS (Xenial Xerus), the most critical vulnerability (CVE-2019-10638) fixed in this new security update was discovered by Amit Klein and Benny Pinkas in the way the Linux kernel randomizes the IP ID values generated for connectionless networking protocols, which could allow a remote attacker to track particular Linux devices.

Also discovered by Amit Klein and Benny Pinkas, the security update addresses another critical vulnerability (CVE-2019-10639) in the Linux kernel, which only affects the Linux 4.15 kernel used in Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus) systems. Because the implementation of connectionless network protocols could expose the location of kernel addresses, this could help a remote attacker exploit another vulnerability in the Linux kernel.

Two other important issues were fixed as well: a security flaw (CVE-2018-19985) discovered by Hui Peng and Mathias Payer in the Linux kernel's Option USB High Speed driver, and an issue (CVE-2019-0136) in the Intel Wi-Fi device driver when validating certain Tunneled Direct Link Setup (TDLS) data, both of which allow a physically proximate attacker to cause a denial of service (DoS attack) and crash the system or disconnect the Wi-Fi.

Among other issues fixed in this major new Linux kernel security update, we can mention two issues in the floppy driver leading to division-by-zero or buffer overread, infinite loop vulnerabilities in the virtio net driver and the CFS Linux kernel process scheduler, a null pointer dereference vulnerability in the LSI Logic MegaRAID driver, as well as issues affecting Linux kernel's Bluetooth UART implementation and the GTCO tablet input driver.

Also addressed are a race condition in Linux kernel's DesignWare USB3 DRD Controller device driver, an out-of-bounds read in the QLogic QEDI iSCSI Initiator driver, a bug in the Raremono AM/FM/SW radio device driver, a double-free error in the USB Rio 500 device driver, as well as race conditions in the ALSA (Advanced Linux Sound Architecture) subsystem, USB YUREX device driver, CPiA2 video4linux device driver, and Softmac USB Prism54 device driver.

Users are urged to update their systems immediately

A use-after-free vulnerability discovered in Linux kernel's Appletalk implementation, as well as issues in the Siano USB MDTV receiver device driver, Line 6 POD USB device driver, Bluetooth protocol BR/EDR specification, and CAN implementation were addressed as well in this security update. Therefore, all Ubuntu users are urged to update their installations to the new Linux kernel versions as soon as possible.

While Ubuntu 19.04 and Ubuntu 18.04.3 LTS users using the Linux 5.0 HWE (Hardware Enablement) kernel must update to linux-image 5.0.0-27.28, Ubuntu 18.04 LTS and Ubuntu 16.04.6 LTS users using the Linux 4.15 HWE kernel need to update their systems to linux-image 4.15.0-60.67. Ubuntu 16.04 LTS users using the Linux 4.4 kernel will have to update as well, to linux-image 4.4.0-161.189.
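To check whether a machine already runs a kernel at or past the fixed ABI level, the following POSIX shell function (an added example, not part of the article or of Canonical's tooling) compares a `uname -r` release string against the fixed package versions quoted above. It assumes the usual Ubuntu release format `<version>-<abi>-<flavour>` (for example `5.0.0-25-generic`).

```shell
#!/bin/sh
# Added example: compare a running Ubuntu kernel release string against the
# fixed package versions named in the advisory above. The release-string
# format "<version>-<abi>-<flavour>" is an assumption about Ubuntu kernels.

# Fixed package versions quoted in the article: "<version>-<abi>.<upload>".
FIXED_5_0="5.0.0-27.28"
FIXED_4_15="4.15.0-60.67"
FIXED_4_4="4.4.0-161.189"

# fixed_for_series <kernel version such as 5.0.0>: print the fixed package
# version for that series, or fail if the series is not covered here.
fixed_for_series() {
    case "$1" in
        5.0.0)  printf '%s\n' "$FIXED_5_0" ;;
        4.15.0) printf '%s\n' "$FIXED_4_15" ;;
        4.4.0)  printf '%s\n' "$FIXED_4_4" ;;
        *)      return 1 ;;
    esac
}

# kernel_is_fixed <uname -r string>: return 0 if the running ABI number is at
# or past the fixed ABI for its series, 1 if it is older, 2 if the series is
# not one of the three covered by this update (or the string is malformed).
kernel_is_fixed() {
    rel="$1"
    ver="${rel%%-*}"                 # 5.0.0
    rest="${rel#*-}"                 # 25-generic
    abi="${rest%%-*}"                # 25
    case "$abi" in
        *[!0-9]*|'') return 2 ;;     # not an Ubuntu-style numeric ABI
    esac
    fixed=$(fixed_for_series "$ver") || return 2
    fixed_abi="${fixed#*-}"          # 27.28
    fixed_abi="${fixed_abi%%.*}"     # 27
    [ "$abi" -ge "$fixed_abi" ]
}

# Usage on a live system: kernel_is_fixed "$(uname -r)" && echo "patched"
```

A return of 2 means the host runs a kernel series this advisory does not cover, so the result says nothing about its patch state.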