Coming hot on the heels of the last Linux kernel security updates released by Canonical last week for all supported Ubuntu Linux releases, this new kernel live patch is now available for users of the Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus) operating systems who use the Canonical Livepatch Service to apply rebootless kernel updates. It fixes five security issues, including a race condition (CVE-2019-11815), which could lead to a use-after-free, in Linux kernel’s RDS (Reliable Datagram Sockets) protocol implementation that may allow a local attacker to crash the system or execute arbitrary code, as well as a flaw (CVE-2019-2054) affecting ARM CPUs, which lets local attackers to bypass seccomp restrictions. Also patched are two issues (CVE-2019-11833 and CVE-2019-11884) discovered in Linux kernel’s EXT4 file system and Bluetooth Human Interface Device Protocol (HIDP) implementations, which could allow a local attacker to expose sensitive information (kernel memory) as the Linux kernel failed to properly zero out memory or verify NULL-terminated strings in certain situations. Additionally, the kernel live patch includes a fix for an eight-years-old exploit (CVE-2011-1079) discovered by Vasiliy Kulikov in Linux kernel’s Bluetooth stack, which could allow a local attacker to crash the system, which could lead to a denial of service or the leak of contents of kernel stack memory, putting the privacy of users at risk. All users of the Ubuntu 18.04 LTS (Bionic Beaver) and Ubuntu 16.04 LTS (Xenial Xerus) operating system series using the Canonical Livepatch Service can now apply the rebootless kernel live patch on their installations. The version of the kernel liv patch that needs to installed is 53.1 for both generic and low-latency flavors.
Submitted by: Arnfried Walbrecht