The Linux kernel security update addresses three vulnerabilities, including a race condition (CVE-2019-6133) in the Linux kernel’s fork() system call, which could allow a local attacker to gain access to services where authorizations are cached, and a flaw (CVE-2018-18397) in the userfaultfd implementation, which could allow a local attacker to modify files. Both issues were discovered by Jann Horn.
Furthermore, the kernel security patch addresses a vulnerability (CVE-2018-19854) in the Linux kernel’s crypto subsystem, which leaks uninitialized memory to user space in certain situations. This would allow a local attacker to expose sensitive information (kernel memory). These security vulnerabilities affect Ubuntu 18.04 LTS and all of its official or unofficial derivatives.
Canonical urges all Ubuntu 18.04 LTS (Bionic Beaver) users, as well as users of the Ubuntu 16.04 LTS (Xenial Xerus) and Ubuntu 14.04 LTS (Trusty Tahr) operating systems who are using the Linux 4.15 kernel from Ubuntu 18.04 LTS, to update their installations as soon as possible. The new kernel versions to update to are linux-image 4.15.0-46.49 for Ubuntu 18.04 LTS systems, linux-image 4.15.0-46.49~16.04.1 for Ubuntu 16.04 LTS systems, and linux-image 4.15.0-1040.44~14.04.1 for Ubuntu 14.04 LTS systems on Azure.
Submitted by: Arnfried Walbrecht