Canonical has released Linux kernel security updates for all supported Ubuntu Versions.
This release fixes 4 vulnerabilities against varies Linux Kernel packages.
Issue Reported On: N/A
Fix Released On: 04-June-2019
Severity Level: Medium
Affected Packages: linux-lts-xenial, linux-aws, linux-aws-hwe, linux-hwe, linux-oracle, linux, linux-gcp, linux-kvm, linux-oem, linux-raspi2, linux-snapdragon
- linux – Linux kernel
- linux-hwe – Linux hardware enablement (HWE) kernel
- linux-lts-xenial – Linux hardware enablement kernel from Xenial for Trusty
- linux-aws – Linux kernel for Amazon Web Services (AWS) systems
- linux-aws-hwe – Linux kernel for Amazon Web Services (AWS-HWE) systems
- linux-oracle – Linux kernel for Oracle Cloud systems
- linux-kvm – Linux kernel for cloud environments
- linux-raspi2 – Linux kernel for Raspberry Pi 2
- linux-snapdragon – Linux kernel for Snapdragon processors
- linux-gcp – Linux kernel for Google Cloud Platform (GCP) systems
- linux-oem – Linux kernel for OEM processors
Affected Operating System & Version:
- Ubuntu-18.10, Ubuntu-19.04, Ubuntu-18.04 LTS, Ubuntu-16.04 LTS, Ubuntu-14.04 ESM
Multiple security issues were found in Linux kernel. Multiple vulnerabilities may lead to the execution of arbitrary code or denial of service. A local attacker could use this to cause a denial of service (system crash).
CVE-2019-11190: Robert Święcki discovered that the Linux kernel did not properly apply Address Space Layout Randomization (ASLR) in some situations for setuid elf binaries. A local attacker could use this to improve the chances of exploiting an existing vulnerability in a setuid elf binary.
CVE-2019-11191: Federico Manuel Bento discovered that the Linux kernel did not properly apply Address Space Layout Randomization (ASLR) in some situations for setuid a.out binaries. A local attacker could use this to improve the chances of exploiting an existing vulnerability in a setuid a.out binary.
CVE-2019-11810: It was discovered that a null pointer deference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash).
CVE-2019-11815: It was discovered that a race condition leading to a use-after-free existed in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
It’s recommended to update your system kernel to latest available version ASAP.
For more details about the security issues, and other related information, refer to the CVE pages.
Ubuntu Security Advisory References:
Security Database References (CVE):
Run the following command to install the above updates.
$ sudo apt upgrade linux-* or $ sudo apt install unattended-upgrades
The installed security fixes can be verified in the package change log using the following methods.
Using manual method.
$ zgrep -i "CVE-2019-11190\|CVE-2019-11191\|CVE-2019-11810\|CVE-2019-11815" /usr/share/doc/linux-*/changelog.Debian.gz
Using debsecan command.
$ debsecan | grep linux-*