Users are urged to update their computers immediately

Apr 24, 2018 18:36 GMT

Canonical today released new kernel security updates for its Ubuntu 17.10 (Artful Aardvark) and Ubuntu 16.04 LTS (Xenial Xerus) operating system series to address several recently discovered security vulnerabilities.

For Ubuntu 17.10 (Artful Aardvark) users, today's security update addresses a bug (CVE-2018-8043) in the Linux kernel's Broadcom UniMAC MDIO bus controller driver, which improperly validated device resources, allowing a local attacker to crash the vulnerable system and cause a denial of service (DoS).

For Ubuntu 16.04 LTS (Xenial Xerus) users, the security patch fixes a buffer overread vulnerability (CVE-2017-13305) in the Linux kernel's keyring subsystem and an information disclosure vulnerability (CVE-2018-5750) in the SMBus driver for ACPI Embedded Controllers. Both issues could allow a local attacker to expose sensitive information.

Additionally, it fixes two race condition issues (CVE-2018-1000004 and CVE-2018-7566) discovered in the Linux kernel's Advanced Linux Sound Architecture (ALSA) subsystem, which could allow a local attacker to either cause a system deadlock or access /dev/snd/seq and crash the vulnerable system.

Lastly, the update addresses a security issue (CVE-2017-16538) discovered in the Linux kernel's DM04/QQBOX USB driver, which improperly handled device attachment and warm-start, thus allowing a physically proximate attacker to either execute arbitrary code or crash the system, causing a denial of service.

Security updates for Ubuntu's kernel for Microsoft Azure and Intel Euclid systems

With today's security updates, Canonical also patched the Ubuntu 16.04 LTS kernels for Microsoft Azure Cloud and Intel Euclid systems, the latter including only a fix for an issue (CVE-2017-16995) discovered by Jann Horn in the Linux kernel's Berkeley Packet Filter (BPF) implementation, which could allow a local attacker to crash the system or run arbitrary code.

A total of fifteen security vulnerabilities were addressed for the Ubuntu 16.04 LTS kernel for Microsoft Azure Cloud systems. Complete details about all the fixes can be found here, and users are urged to update their installations to the linux-image-4.13.0-1014-azure-4.13.0-1014.17 kernel as soon as possible.

Canonical also recommends that Ubuntu 17.10 users update to linux-image-4.13.0-39.44 on 64-bit or 32-bit installations, as well as to linux-image-4.13.0-1017-raspi2-4.13.0-1017.18 on Ubuntu 17.10 for Raspberry Pi 2. Ubuntu 16.04.4 LTS users using the Ubuntu 17.10 HWE kernel need to update to linux-image-4.13.0-39.44~16.04.1.

Ubuntu 16.04 LTS users need to update their systems to linux-image-4.4.0-121.145 on 64-bit and 32-bit machines, linux-image-4.4.0-1087-raspi2-4.4.0-1087.95 on Raspberry Pi 2 computers, linux-image-aws-4.4.0-1055.64 on AWS, linux-image-snapdragon-4.4.0-1090.95 on Snapdragon, and linux-image-kvm-4.4.0-1021.26 on cloud environments.

As expected, an Ubuntu 16.04 LTS HWE (Hardware Enablement) kernel for Ubuntu 14.04.5 LTS (Trusty Tahr) users is available, and Canonical recommends updating your installations to linux-image-4.4.0-121.145~14.04.1 on 64-bit and 32-bit systems or linux-image-aws-4.4.0-1017.17 on AWS systems. To update, follow the instructions at https://wiki.ubuntu.com/Security/Upgrades.
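To verify a fleet against the versions above, installed kernel package versions have to be compared with Debian ordering, in which `~` sorts before everything, so the HWE build 4.13.0-39.44~16.04.1 ranks below 4.13.0-39.44. The following is an added example, not code from Canonical or this article; the dictionary keys are hypothetical labels, and the version strings are read from the package names listed above.

```python
import re

# Fixed versions as listed in the article; the keys are labels made up for this example.
FIXED = {
    "17.10-generic": "4.13.0-39.44",
    "16.04-hwe": "4.13.0-39.44~16.04.1",
    "16.04-generic": "4.4.0-121.145",
    "14.04-hwe": "4.4.0-121.145~14.04.1",
    "16.04-azure": "4.13.0-1014.17",
}

def _rank(ch):
    """Sort weight of one character inside a non-digit run."""
    if ch == "~":
        return -1  # tilde sorts before everything, even the end of the string
    if ch == "":
        return 0   # end of the run
    return ord(ch) if ch.isalpha() else ord(ch) + 256  # letters before punctuation

def _cmp_string(a, b):
    """Compare two upstream or revision strings; returns -1, 0 or 1."""
    while a or b:
        # Leading non-digit runs are compared character by character.
        ta, tb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(ta):], b[len(tb):]
        for i in range(max(len(ta), len(tb))):
            ra, rb = _rank(ta[i:i + 1]), _rank(tb[i:i + 1])
            if ra != rb:
                return -1 if ra < rb else 1
        # Leading digit runs are compared numerically; an empty run counts as 0.
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def compare_versions(v1, v2):
    """Debian-style comparison of [epoch:]upstream[-revision] version strings."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_string(u1, u2) or _cmp_string(r1, r2)

def is_patched(installed, flavour):
    """True when the installed package version is at or above the listed fix."""
    return compare_versions(installed, FIXED[flavour]) >= 0
```

Each host must be checked against the baseline for its own kernel flavour: a fully updated 16.04 HWE system reports 4.13.0-39.44~16.04.1, which compares as older than the 17.10 baseline.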