========================================================================== Kernel Live Patch Security Notice 0054-1 August 28, 2019 linux vulnerability ========================================================================== A security issue affects these releases of Ubuntu: | Series | Base kernel | Arch | flavors | |------------------+--------------+----------+------------------| | Ubuntu 18.04 LTS | 4.15.0 | amd64 | generic | | Ubuntu 18.04 LTS | 4.15.0 | amd64 | lowlatency | | Ubuntu 16.04 LTS | 4.4.0 | amd64 | generic | | Ubuntu 16.04 LTS | 4.4.0 | amd64 | lowlatency | | Ubuntu 16.04 LTS | 4.15.0 | amd64 | generic | | Ubuntu 16.04 LTS | 4.15.0 | amd64 | lowlatency | Summary: Several security issues were fixed in the kernel. Software Description: - linux: Linux kernel Details: It was discovered that the USB video device class implementation in the Linux kernel did not properly validate control bits, resulting in an out of bounds buffer read. A local attacker could use this to possibly expose sensitive information (kernel memory). (CVE-2019-2101) It was discovered that the Marvell Wireless LAN device driver in the Linux kernel did not properly validate the BSS descriptor. A local attacker could possibly use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-3846) It was discovered that a heap buffer overflow existed in the Marvell Wireless LAN device driver for the Linux kernel. An attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-10126) It was discovered that the PowerPC dlpar implementation in the Linux kernel did not properly check for allocation errors in some situations. A local attacker could possibly use this to cause a denial of service (system crash). (CVE-2019-12614) It was discovered that a NULL pointer dereference vulnerabilty existed in the Near-field communication (NFC) implementation in the Linux kernel. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12818) It was discovered that the MDIO bus devices subsystem in the Linux kernel improperly dropped a device reference in an error condition, leading to a use-after-free. An attacker could use this to cause a denial of service (system crash). (CVE-2019-12819) It was discovered that a NULL pointer dereference vulnerability existed in the Near-field communication (NFC) implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-12984) Jann Horn discovered that the ptrace implementation in the Linux kernel did not properly record credentials in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly gain administrative privileges. (CVE-2019-13272) Update instructions: The problem can be corrected by updating your livepatches to the following versions: | Kernel | Version | flavors | |--------------------------+----------+--------------------------| | 4.4.0-148.174 | 54.1 | lowlatency, generic | | 4.4.0-150.176 | 54.1 | generic, lowlatency | | 4.4.0-151.178 | 54.1 | lowlatency, generic | | 4.4.0-154.181 | 54.1 | lowlatency, generic | | 4.4.0-157.185 | 54.1 | lowlatency, generic | | 4.15.0-50.54 | 54.2 | generic, lowlatency | | 4.15.0-50.54~16.04.1 | 54.2 | generic, lowlatency | | 4.15.0-51.55 | 54.2 | generic, lowlatency | | 4.15.0-51.55~16.04.1 | 54.2 | generic, lowlatency | | 4.15.0-52.56 | 54.2 | lowlatency, generic | | 4.15.0-52.56~16.04.1 | 54.2 | generic, lowlatency | | 4.15.0-54.58 | 54.2 | generic, lowlatency | | 4.15.0-54.58~16.04.1 | 54.2 | generic, lowlatency | | 4.15.0-55.60 | 54.2 | generic, lowlatency | References: CVE-2018-1129, CVE-2019-2101, CVE-2019-3846, CVE-2019-10126, CVE-2019-12614, CVE-2019-12818, CVE-2019-12819, CVE-2019-12984, CVE-2019-13272 -- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce