The new security updates are here to address a race condition (CVE-2019-11599) in Linux kernel when performing core dumps, and an integer overflow (CVE-2019-11487) when referencing counting pages. Both issues affect only Ubuntu 19.04 systems and could allow a local attacker to crash the system by causing a denial of service (DoS attack) or possibly execute arbitrary code. On Ubuntu 18.04 LTS systems, the new security patch fixes a flaw (CVE-2019-11085) discovered by Adam Zabrocki in Linux kernel’s Intel i915 kernel mode graphics driver, which failed to correctly restrict mmap() ranges under certain situations, allowing local attackers to either execute arbitrary code or cause a denial of service attack and crash the system. Moreover, Ubuntu 18.04 LTS systems were affected by a race condition (CVE-2019-11815) discovered in Linux kernel’s RDS (Reliable Datagram Sockets) protocol implementation, which is blacklisted by default. If the RDS protocol was enabled, the flaw could allow a local attacker to cause crash the system or execute arbitrary code. These Linux kernel security updates also address an issue (CVE-2019-11833) discovered in the EXT4 file system, which failed to zero out memory under certain situations, and a problem (CVE-2019-11884) discovered in the Bluetooth Human Interface Device Protocol (HIDP) implementation, which improperly verified strings in certain situations.These two issues affect both Ubuntu 19.04 and Ubuntu 18.04 LTS systems, and they could allow local attackers to expose sensitive information (kernel memory). The updated Ubuntu 18.04 LTS kernel is also available for users of the Ubuntu 16.04.6 LTS (Xenial Xerus) operating system series using the HWE (Hardware Enablement) Linux kernel packages from Ubuntu 18.04 LTS.
Submitted by: Arnfried Walbrecht
Comments are closed.