Ubuntu

libcaca vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 12.04 ESM

Summary

Several security issues were fixed in libcaca.

Software Description

• libcaca - text mode graphics utilities

Details

USN-3860-1 fixed a vulnerability in libcaca. This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-20544)

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-20545, CVE-2018-20548, CVE-2018-20459)

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to access sensitive information. (CVE-2018-20546, CVE-2018-20547)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM

caca-utils - 0.99.beta17-2.1ubuntu2.1

libcaca0 - 0.99.beta17-2.1ubuntu2.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• USN-3860-1
• CVE-2018-20544
• CVE-2018-20545
• CVE-2018-20546
• CVE-2018-20547
• CVE-2018-20548
• CVE-2018-20549

libcaca vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
• Ubuntu 14.04 LTS

Summary

Several security issues were fixed in libcaca.

Software Description

• libcaca - text mode graphics utilities

Details

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to cause a denial of service. (CVE-2018-20544)

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code. (CVE-2018-20545, CVE-2018-20548, CVE-2018-20459)

It was discovered that libcaca incorrectly handled certain images. An attacker could possibly use this issue to access sensitive information. (CVE-2018-20546, CVE-2018-20547)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

caca-utils - 0.99.beta19-2ubuntu0.18.10.1

libcaca0 - 0.99.beta19-2ubuntu0.18.10.1

Ubuntu 18.04 LTS

caca-utils - 0.99.beta19-2ubuntu0.18.04.1

libcaca0 - 0.99.beta19-2ubuntu0.18.04.1

Ubuntu 16.04 LTS

caca-utils - 0.99.beta19-2ubuntu0.16.04.1

libcaca0 - 0.99.beta19-2ubuntu0.16.04.1

Ubuntu 14.04 LTS

caca-utils - 0.99.beta18-1ubuntu5.1

libcaca0 - 0.99.beta18-1ubuntu5.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2018-20544
• CVE-2018-20545
• CVE-2018-20546
• CVE-2018-20547
• CVE-2018-20548
• CVE-2018-20549

libarchive vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
• Ubuntu 14.04 LTS

Summary

Several security issues were fixed in libarchive.

Software Description

• libarchive - Library to read/write archive files

Details

It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to cause a denial of service. CVE-2018-1000880 affected only Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-1000877, CVE-2018-1000878, CVE-2018-1000880)

It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2017-14502)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

libarchive13 - 3.2.2-5ubuntu0.1

Ubuntu 18.04 LTS

libarchive13 - 3.2.2-3.1ubuntu0.2

Ubuntu 16.04 LTS

libarchive13 - 3.1.2-11ubuntu0.16.04.5

Ubuntu 14.04 LTS

libarchive13 - 3.1.2-7ubuntu2.7

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2017-14502
• CVE-2018-1000877
• CVE-2018-1000878
• CVE-2018-1000880

haproxy vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in HAProxy.

Software Description

• haproxy - fast and reliable load balancing reverse proxy

Details

It was discovered that HAProxy incorrectly handled certain requests. An attacker could possibly use this to expose sensitive information. (CVE-2018-20102)

It was discovered that HAProxy incorrectly handled certain requests. A attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-20103, CVE-2018-20615)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

haproxy - 1.8.13-2ubuntu0.1

Ubuntu 18.04 LTS

haproxy - 1.8.8-1ubuntu0.3

Ubuntu 16.04 LTS

haproxy - 1.6.3-1ubuntu0.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2018-20102
• CVE-2018-20103
• CVE-2018-20615

php-pear vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

PEAR could be made to run programs if it processed a specially crafted file.

Software Description

• php-pear - PHP Extension and Application Repository

Details

Fariskhi Vidyan discovered that PEAR Archive_Tar incorrectly handled certain archive paths. A remote attacker could possibly use this issue to execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

php-pear - 1:1.10.5+submodules+notgz-1ubuntu1.18.10.1

Ubuntu 18.04 LTS

php-pear - 1:1.10.5+submodules+notgz-1ubuntu1.18.04.1

Ubuntu 16.04 LTS

php-pear - 1:1.10.1+submodules+notgz-6ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2018-1000888

gnome-bluetooth vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

GNOME Bluetooth could allow unintended access to devices.

Software Description

• gnome-bluetooth - GNOME Bluetooth tools

Details

Chris Marchesi discovered that BlueZ incorrectly handled disabling Bluetooth visibility. A remote attacker could possibly pair to devices, contrary to expectations. This update adds a workaround to GNOME Bluetooth to fix the issue.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

gnome-bluetooth - 3.28.0-2ubuntu0.1

libgnome-bluetooth13 - 3.28.0-2ubuntu0.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

• CVE-2018-10910

systemd vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in systemd.

Software Description

• systemd - system and service manager

Details

It was discovered that systemd-journald allocated variable-length buffers for certain message fields on the stack. A local attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2018-16864)

It was discovered that systemd-journald allocated variable-length arrays of objects representing message fields on the stack. A local attacker could potentially exploit this to cause a denial of service, or execute arbitrary code. (CVE-2018-16865)

An out-of-bounds read was discovered in systemd-journald. A local attacker could potentially exploit this to obtain sensitive information and bypass ASLR protections. (CVE-2018-16866)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

systemd - 239-7ubuntu10.6

Ubuntu 18.04 LTS

systemd - 237-3ubuntu10.11

Ubuntu 16.04 LTS

systemd - 229-4ubuntu21.15

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References

• CVE-2018-16864
• CVE-2018-16865
• CVE-2018-16866

webkit2gtk vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS

Summary

Several security issues were fixed in WebKitGTK+.

Software Description

• webkit2gtk - Web content engine library for GTK+

Details

A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

libjavascriptcoregtk-4.0-18 - 2.22.5-0ubuntu0.18.10.1

libwebkit2gtk-4.0-37 - 2.22.5-0ubuntu0.18.10.1

Ubuntu 18.04 LTS

libjavascriptcoregtk-4.0-18 - 2.22.5-0ubuntu0.18.04.1

libwebkit2gtk-4.0-37 - 2.22.5-0ubuntu0.18.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any applications that use WebKitGTK+, such as Epiphany, to make all the necessary changes.

References

• CVE-2018-4437

gnupg2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS

Summary

GnuPG could allow unintended access to network services.

Software Description

• gnupg2 - GNU privacy guard - a free PGP replacement

Details

Ben Fuhrmannek discovered that GnuPG incorrectly handled Web Key Directory lookups. A remote attacker could possibly use this issue to cause a denial of service, or perform Cross-Site Request Forgery attacks.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

gnupg - 2.2.8-3ubuntu1.1

gpg-wks-client - 2.2.8-3ubuntu1.1

Ubuntu 18.04 LTS

gnupg - 2.2.4-1ubuntu1.2

gpg-wks-client - 2.2.4-1ubuntu1.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2018-1000858

exiv2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
• Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Exiv2.

Software Description

• exiv2 - EXIF/IPTC/XMP metadata manipulation tool

Details

It was discovered that Exiv2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. CVE-2017-9239 only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-11591, CVE-2017-11683, CVE-2017-14859, CVE-2017-14862, CVE-2017-14864, CVE-2017-17669, CVE-2017-9239, CVE-2018-16336, CVE-2018-1758)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

exiv2 - 0.25-4ubuntu0.1

libexiv2-14 - 0.25-4ubuntu0.1

Ubuntu 18.04 LTS

exiv2 - 0.25-3.1ubuntu0.18.04.2

libexiv2-14 - 0.25-3.1ubuntu0.18.04.2

Ubuntu 16.04 LTS

exiv2 - 0.25-2.1ubuntu16.04.3

libexiv2-14 - 0.25-2.1ubuntu16.04.3

Ubuntu 14.04 LTS

exiv2 - 0.23-1ubuntu2.2

libexiv2-12 - 0.23-1ubuntu2.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2017-11591
• CVE-2017-11683
• CVE-2017-14859
• CVE-2017-14862
• CVE-2017-14864
• CVE-2017-17669
• CVE-2017-9239
• CVE-2018-16336
• CVE-2018-17581

python-django vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
• Ubuntu 14.04 LTS

Summary

Django could be made to expose spoofed information over the network.

Software Description

• python-django - High-level Python web development framework

Details

It was discovered that Django incorrectly handled the default 404 page. A remote attacker could use this issue to spoof content using a malicious URL.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

python-django - 1:1.11.15-1ubuntu1.1

python3-django - 1:1.11.15-1ubuntu1.1

Ubuntu 18.04 LTS

python-django - 1:1.11.11-1ubuntu1.2

python3-django - 1:1.11.11-1ubuntu1.2

Ubuntu 16.04 LTS

python-django - 1.8.7-1ubuntu5.7

python3-django - 1.8.7-1ubuntu5.7

Ubuntu 14.04 LTS

python-django - 1.6.11-0ubuntu1.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-3498

nss vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
• Ubuntu 14.04 LTS

Summary

Several security issues were fixed in NSS.

Software Description

• nss - Network Security Service library

Details

Keegan Ryan discovered that NSS incorrectly handled ECDSA key generation. A local attacker could possibly use this issue to perform a cache-timing attack and recover private ECDSA keys. (CVE-2018-0495)

It was discovered that NSS incorrectly handled certain v2-compatible ClientHello messages. A remote attacker could possibly use this issue to perform a replay attack. (CVE-2018-12384)

It was discovered that NSS incorrectly handled certain padding oracles. A remote attacker could possibly use this issue to perform a variant of the Bleichenbacher attack. (CVE-2018-12404)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

libnss3 - 2:3.36.1-1ubuntu1.1

Ubuntu 18.04 LTS

libnss3 - 2:3.35-2ubuntu2.1

Ubuntu 16.04 LTS

libnss3 - 2:3.28.4-0ubuntu0.16.04.4

Ubuntu 14.04 LTS

libnss3 - 2:3.28.4-0ubuntu0.14.04.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any applications that use NSS, such as Evolution, to make all the necessary changes.

References

• CVE-2018-0495
• CVE-2018-12384
• CVE-2018-12404

linux-lts-xenial, linux-aws vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux-aws - Linux kernel for Amazon Web Services (AWS) systems
• linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3848-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.

It was discovered that a double free existed in the AMD GPIO driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18174)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS

linux-image-4.4.0-1037-aws - 4.4.0-1037.40

linux-image-4.4.0-141-generic - 4.4.0-141.167~14.04.1

linux-image-4.4.0-141-generic-lpae - 4.4.0-141.167~14.04.1

linux-image-4.4.0-141-lowlatency - 4.4.0-141.167~14.04.1

linux-image-4.4.0-141-powerpc-e500mc - 4.4.0-141.167~14.04.1

linux-image-4.4.0-141-powerpc-smp - 4.4.0-141.167~14.04.1

linux-image-4.4.0-141-powerpc64-emb - 4.4.0-141.167~14.04.1

linux-image-4.4.0-141-powerpc64-smp - 4.4.0-141.167~14.04.1

linux-image-aws - 4.4.0.1037.37

linux-image-generic-lpae-lts-xenial - 4.4.0.141.121

linux-image-generic-lts-xenial - 4.4.0.141.121

linux-image-lowlatency-lts-xenial - 4.4.0.141.121

linux-image-powerpc-e500mc-lts-xenial - 4.4.0.141.121

linux-image-powerpc-smp-lts-xenial - 4.4.0.141.121

linux-image-powerpc64-emb-lts-xenial - 4.4.0.141.121

linux-image-powerpc64-smp-lts-xenial - 4.4.0.141.121

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• USN-3848-1
• CVE-2017-18174
• CVE-2018-12896
• CVE-2018-18690
• CVE-2018-18710

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 12.04 ESM

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise ESM

Details

USN-3849-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.

It was discovered that a NULL pointer dereference existed in the keyring subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2647)

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16276)

Tetsuo Handa discovered a logic error in the TTY subsystem of the Linux kernel. A local attacker with access to pseudo terminal devices could use this to cause a denial of service. (CVE-2018-18386)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 ESM

linux-image-3.13.0-164-generic - 3.13.0-164.214~precise1

linux-image-3.13.0-164-generic-lpae - 3.13.0-164.214~precise1

linux-image-generic-lpae-lts-trusty - 3.13.0.164.154

linux-image-generic-lts-trusty - 3.13.0.164.154

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• USN-3849-1
• CVE-2017-2647
• CVE-2018-10902
• CVE-2018-12896
• CVE-2018-14734
• CVE-2018-16276
• CVE-2018-18386
• CVE-2018-18690
• CVE-2018-18710

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux - Linux kernel

Details

It was discovered that a NULL pointer dereference existed in the keyring subsystem of the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-2647)

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16276)

Tetsuo Handa discovered a logic error in the TTY subsystem of the Linux kernel. A local attacker with access to pseudo terminal devices could use this to cause a denial of service. (CVE-2018-18386)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS

linux-image-3.13.0-164-generic - 3.13.0-164.214

linux-image-3.13.0-164-generic-lpae - 3.13.0-164.214

linux-image-3.13.0-164-lowlatency - 3.13.0-164.214

linux-image-3.13.0-164-powerpc-e500 - 3.13.0-164.214

linux-image-3.13.0-164-powerpc-e500mc - 3.13.0-164.214

linux-image-3.13.0-164-powerpc-smp - 3.13.0-164.214

linux-image-3.13.0-164-powerpc64-emb - 3.13.0-164.214

linux-image-3.13.0-164-powerpc64-smp - 3.13.0-164.214

linux-image-generic - 3.13.0.164.174

linux-image-generic-lpae - 3.13.0.164.174

linux-image-lowlatency - 3.13.0.164.174

linux-image-powerpc-e500 - 3.13.0.164.174

linux-image-powerpc-e500mc - 3.13.0.164.174

linux-image-powerpc-smp - 3.13.0.164.174

linux-image-powerpc64-emb - 3.13.0.164.174

linux-image-powerpc64-smp - 3.13.0.164.174

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2017-2647
• CVE-2018-10902
• CVE-2018-12896
• CVE-2018-14734
• CVE-2018-16276
• CVE-2018-18386
• CVE-2018-18690
• CVE-2018-18710

linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux - Linux kernel
• linux-aws - Linux kernel for Amazon Web Services (AWS) systems
• linux-kvm - Linux kernel for cloud environments
• linux-raspi2 - Linux kernel for Raspberry Pi 2
• linux-snapdragon - Linux kernel for Snapdragon processors

Details

It was discovered that a double free existed in the AMD GPIO driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-18174)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

linux-image-4.4.0-1039-kvm - 4.4.0-1039.45

linux-image-4.4.0-1074-aws - 4.4.0-1074.84

linux-image-4.4.0-1102-raspi2 - 4.4.0-1102.110

linux-image-4.4.0-1106-snapdragon - 4.4.0-1106.111

linux-image-4.4.0-141-generic - 4.4.0-141.167

linux-image-4.4.0-141-generic-lpae - 4.4.0-141.167

linux-image-4.4.0-141-lowlatency - 4.4.0-141.167

linux-image-4.4.0-141-powerpc-e500mc - 4.4.0-141.167

linux-image-4.4.0-141-powerpc-smp - 4.4.0-141.167

linux-image-4.4.0-141-powerpc64-emb - 4.4.0-141.167

linux-image-4.4.0-141-powerpc64-smp - 4.4.0-141.167

linux-image-aws - 4.4.0.1074.76

linux-image-generic - 4.4.0.141.147

linux-image-generic-lpae - 4.4.0.141.147

linux-image-kvm - 4.4.0.1039.38

linux-image-lowlatency - 4.4.0.141.147

linux-image-powerpc-e500mc - 4.4.0.141.147

linux-image-powerpc-smp - 4.4.0.141.147

linux-image-powerpc64-emb - 4.4.0.141.147

linux-image-powerpc64-smp - 4.4.0.141.147

linux-image-raspi2 - 4.4.0.1102.102

linux-image-snapdragon - 4.4.0.1106.98

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2017-18174
• CVE-2018-12896
• CVE-2018-18690
• CVE-2018-18710

linux-azure vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux-azure - Linux kernel for Microsoft Azure Cloud systems

Details

USN-3847-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux kernel for Microsoft Azure Cloud systems for Ubuntu 14.04 LTS.

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16276)

It was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS

linux-image-4.15.0-1036-azure - 4.15.0-1036.38~14.04.2

linux-image-azure - 4.15.0.1036.23

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• USN-3847-1
• CVE-2018-10902
• CVE-2018-12896
• CVE-2018-14734
• CVE-2018-16276
• CVE-2018-18445
• CVE-2018-18690
• CVE-2018-18710

linux-hwe, linux-aws-hwe, linux-azure, linux-gcp vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems
• linux-azure - Linux kernel for Microsoft Azure Cloud systems
• linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
• linux-hwe - Linux hardware enablement (HWE) kernel

Details

USN-3847-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 18.04 LTS for Ubuntu 16.04 LTS.

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16276)

It was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS

linux-image-4.15.0-1026-gcp - 4.15.0-1026.27~16.04.1

linux-image-4.15.0-1031-aws - 4.15.0-1031.33~16.04.1

linux-image-4.15.0-1036-azure - 4.15.0-1036.38~16.04.1

linux-image-4.15.0-43-generic - 4.15.0-43.46~16.04.1

linux-image-4.15.0-43-generic-lpae - 4.15.0-43.46~16.04.1

linux-image-4.15.0-43-lowlatency - 4.15.0-43.46~16.04.1

linux-image-aws-hwe - 4.15.0.1031.32

linux-image-azure - 4.15.0.1036.41

linux-image-gcp - 4.15.0.1026.40

linux-image-generic-hwe-16.04 - 4.15.0.43.64

linux-image-generic-lpae-hwe-16.04 - 4.15.0.43.64

linux-image-gke - 4.15.0.1026.40

linux-image-lowlatency-hwe-16.04 - 4.15.0.43.64

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• USN-3847-1
• CVE-2018-10902
• CVE-2018-12896
• CVE-2018-14734
• CVE-2018-16276
• CVE-2018-18445
• CVE-2018-18690
• CVE-2018-18710

linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oem, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

• linux - Linux kernel
• linux-aws - Linux kernel for Amazon Web Services (AWS) systems
• linux-azure - Linux kernel for Microsoft Azure Cloud systems
• linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
• linux-kvm - Linux kernel for cloud environments
• linux-oem - Linux kernel for OEM processors
• linux-raspi2 - Linux kernel for Raspberry Pi 2

Details

It was discovered that a race condition existed in the raw MIDI driver for the Linux kernel, leading to a double free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-10902)

It was discovered that an integer overrun vulnerability existed in the POSIX timers implementation in the Linux kernel. A local attacker could use this to cause a denial of service. (CVE-2018-12896)

Noam Rathaus discovered that a use-after-free vulnerability existed in the Infiniband implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2018-14734)

It was discovered that the YUREX USB device driver for the Linux kernel did not properly restrict user space reads or writes. A physically proximate attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-16276)

It was discovered that the BPF verifier in the Linux kernel did not correctly compute numeric bounds in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2018-18445)

Kanda Motohiro discovered that writing extended attributes to an XFS file system in the Linux kernel in certain situations could cause an error condition to occur. A local attacker could use this to cause a denial of service. (CVE-2018-18690)

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2018-18710)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS

linux-image-4.15.0-1026-gcp - 4.15.0-1026.27

linux-image-4.15.0-1028-kvm - 4.15.0-1028.28

linux-image-4.15.0-1030-oem - 4.15.0-1030.35

linux-image-4.15.0-1030-raspi2 - 4.15.0-1030.32

linux-image-4.15.0-1031-aws - 4.15.0-1031.33

linux-image-4.15.0-1036-azure - 4.15.0-1036.38

linux-image-4.15.0-43-generic - 4.15.0-43.46

linux-image-4.15.0-43-generic-lpae - 4.15.0-43.46

linux-image-4.15.0-43-lowlatency - 4.15.0-43.46

linux-image-4.15.0-43-snapdragon - 4.15.0-43.46

linux-image-aws - 4.15.0.1031.30

linux-image-azure - 4.15.0.1036.36

linux-image-gcp - 4.15.0.1026.28

linux-image-generic - 4.15.0.43.45

linux-image-generic-lpae - 4.15.0.43.45

linux-image-gke - 4.15.0.1026.28

linux-image-kvm - 4.15.0.1028.28

linux-image-lowlatency - 4.15.0.43.45

linux-image-oem - 4.15.0.1030.35

linux-image-raspi2 - 4.15.0.1030.28

linux-image-snapdragon - 4.15.0.43.45

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2018-10902
• CVE-2018-12896
• CVE-2018-14734
• CVE-2018-16276
• CVE-2018-18445
• CVE-2018-18690
• CVE-2018-18710

linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 18.10

Summary

The system could be made to expose sensitive information.

Software Description

• linux - Linux kernel
• linux-aws - Linux kernel for Amazon Web Services (AWS) systems
• linux-azure - Linux kernel for Microsoft Azure Cloud systems
• linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
• linux-kvm - Linux kernel for cloud environments
• linux-raspi2 - Linux kernel for Raspberry Pi 2

Details

It was discovered that an integer overflow vulnerability existed in the CDROM driver of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory).

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.10

linux-image-4.18.0-1005-gcp - 4.18.0-1005.6

linux-image-4.18.0-1006-kvm - 4.18.0-1006.6

linux-image-4.18.0-1007-aws - 4.18.0-1007.9

linux-image-4.18.0-1007-azure - 4.18.0-1007.7

linux-image-4.18.0-1008-raspi2 - 4.18.0-1008.10

linux-image-4.18.0-13-generic - 4.18.0-13.14

linux-image-4.18.0-13-generic-lpae - 4.18.0-13.14

linux-image-4.18.0-13-lowlatency - 4.18.0-13.14

linux-image-4.18.0-13-snapdragon - 4.18.0-13.14

linux-image-aws - 4.18.0.1007.7

linux-image-azure - 4.18.0.1007.8

linux-image-gcp - 4.18.0.1005.5

linux-image-generic - 4.18.0.13.14

linux-image-generic-lpae - 4.18.0.13.14

linux-image-gke - 4.18.0.1005.5

linux-image-kvm - 4.18.0.1006.6

linux-image-lowlatency - 4.18.0.13.14

linux-image-raspi2 - 4.18.0.1008.5

linux-image-snapdragon - 4.18.0.13.14

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well.

References

• CVE-2018-18710