In a recent security advisory, Canonical details two newly discovered security vulnerabilities (CVE-2019-11477 and CVE-2019-11478) affecting the Linux kernel’s TCP retransmission queue implementation when handling certain TCP Selective Acknowledgments (SACKs).
Both security vulnerabilities were discovered by Jonathan Looney and could allow a remote attacker to crash the affected system, causing a denial of service. Known as SACK Panic, they affect all supported Ubuntu Linux releases, including Ubuntu 19.04, Ubuntu 18.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS.
Canonical urges all users of the Ubuntu 19.04 (Disco Dingo), Ubuntu 18.10 (Cosmic Cuttlefish), Ubuntu 18.04 LTS (Bionic Beaver), and Ubuntu 16.04 LTS (Xenial Xerus) operating system series to update their installations immediately to the new kernel versions available in the official repositories.
Patched Linux kernel versions were made available for 32-bit and 64-bit systems, as well as Raspberry Pi 2, OEM processors, Snapdragon processors, cloud environments, Amazon Web Services (AWS-HWE) systems, Amazon Web Services (AWS) systems, Google Cloud Platform (GCP) systems, Oracle Cloud systems, and Microsoft Azure Cloud systems.
Linux hardware enablement (HWE) kernels are also available for Ubuntu 18.04.2 LTS systems using Ubuntu 18.10’s kernel and Ubuntu 16.04.6 LTS systems using Ubuntu 18.04 LTS’ kernel.
Submitted by: Arnfried Walbrecht