USN-3522-3: Linux kernel regression

2018-01-11 KENNETH 0

Ubuntu Security Notice USN-3522-3
10th January, 2018

linux regression

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS

Summary: USN-3522-1 introduced a regression in the Linux kernel.

Software description: linux – Linux kernel

Details: USN-3522-1 fixed a vulnerability in the Linux kernel to address Meltdown (CVE-2017-5754). Unfortunately, that update introduced a regression where a few systems failed to boot successfully. This update fixes the problem. We apologize for the inconvenience.

Original advisory details: Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory.

Update instructions: The problem can be corrected by updating your system to the following package version: Ubuntu 16.04 LTS: linux-image-generic 4.4.0.109.114 linux-image-4.4.0-109-lowlatency [ more… ]

USN-3522-4: Linux kernel (Xenial HWE) regression

2018-01-11 KENNETH 0

Ubuntu Security Notice USN-3522-4
10th January, 2018

linux-lts-xenial regression

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 14.04 LTS

Summary: USN-3522-2 introduced a regression in the Linux Hardware Enablement kernel.

Software description: linux-lts-xenial – Linux hardware enablement kernel from Xenial for Trusty

Details: USN-3522-2 fixed a vulnerability in the Linux Hardware Enablement kernel for Ubuntu 14.04 LTS to address Meltdown (CVE-2017-5754). Unfortunately, that update introduced a regression where a few systems failed to boot successfully. This update fixes the problem. We apologize for the inconvenience.

Original advisory details: Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory.

Update instructions: The problem can be [ more… ]

USN-3526-1: SSSD vulnerability

2018-01-10 KENNETH 0

Ubuntu Security Notice USN-3526-1
10th January, 2018

sssd vulnerability

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04, Ubuntu 16.04 LTS

Summary: SSSD could be made to expose sensitive information.

Software description: sssd – System Security Services Daemon — metapackage

Details: It was discovered that SSSD incorrectly handled certain inputs when querying its local cache. An attacker could use this to inject arbitrary code and expose sensitive information.

Update instructions: The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
  sssd 1.15.2-1ubuntu1.1
  sssd-common 1.15.2-1ubuntu1.1
  sssd-tools 1.15.2-1ubuntu1.1

Ubuntu 16.04 LTS:
  sssd 1.13.4-1ubuntu1.10
  sssd-common 1.13.4-1ubuntu1.10
  sssd-tools 1.13.4-1ubuntu1.10

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes.

References: CVE-2017-12173

Source: USN-3526-1: SSSD vulnerability

USN-3523-2: Linux kernel (HWE) vulnerabilities

2018-01-10 KENNETH 0

Ubuntu Security Notice USN-3523-2
10th January, 2018

linux-hwe, linux-azure, linux-gcp, linux-oem vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 16.04 LTS

Summary: Several security issues were fixed in the Linux kernel.

Software description:
  linux-azure – Linux kernel for Microsoft Azure Cloud systems
  linux-gcp – Linux kernel for Google Cloud Platform (GCP) systems
  linux-hwe – Linux hardware enablement (HWE) kernel
  linux-oem – Linux kernel for OEM processors

Details: USN-3523-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.10. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.10 for Ubuntu 16.04 LTS.

Jann Horn discovered that microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Meltdown. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2017-5754) [ more… ]

USN-3523-3: Linux kernel (Raspberry Pi 2) vulnerabilities

2018-01-10 KENNETH 0

Ubuntu Security Notice USN-3523-3
10th January, 2018

linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.10

Summary: Several security issues were fixed in the Linux kernel.

Software description: linux-raspi2 – Linux kernel for Raspberry Pi 2

Details: Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel did not properly check the relationship between pointer values and the BPF stack. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-17863)

Jann Horn discovered that the Berkeley Packet Filter (BPF) implementation in the Linux kernel improperly performed sign extension in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16995)

Alexei Starovoitov discovered that the Berkeley Packet Filter (BPF) implementation [ more… ]