===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2018.1945
linux vulnerability on amd64 patched in Ubuntu LTS versions
5 July 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           kernel
Publisher:         Ubuntu
Operating System:  Ubuntu
Platform:          amd64
Impact/Access:     Access Privileged Data -- Existing Account
                   Denial of Service      -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7755 CVE-2018-3665 CVE-2018-1093
                   CVE-2018-1092
Reference:         ESB-2018.1917
                   ESB-2018.1916
                   ESB-2018.1738.2
                   ESB-2018.1335

Original Bulletin:
   https://lists.ubuntu.com/archives/ubuntu-security-announce/2018-July/004476.html

--------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Kernel Live Patch Security Notice 0040-1
July 03, 2018

linux vulnerability
==========================================================================

A security issue affects these releases of Ubuntu:

| Series           | Base kernel  | Arch     | flavors          |
|------------------+--------------+----------+------------------|
| Ubuntu 14.04 LTS | 4.4.0        | amd64    | generic          |
| Ubuntu 14.04 LTS | 4.4.0        | amd64    | lowlatency       |
| Ubuntu 16.04 LTS | 4.4.0        | amd64    | generic          |
| Ubuntu 16.04 LTS | 4.4.0        | amd64    | lowlatency       |
| Ubuntu 18.04 LTS | 4.15.0       | amd64    | generic          |
| Ubuntu 18.04 LTS | 4.15.0       | amd64    | lowlatency       |

Summary:

Several security issues were fixed in the kernel.

Software Description:
- linux: Linux kernel

Details:

Wen Xu discovered that the ext4 filesystem implementation in the Linux
kernel did not properly handle corrupted meta data in some situations. An
attacker could use this to specially craft an ext4 file system that caused
a denial of service (system crash) when mounted. (CVE-2018-1093)

Wen Xu discovered that the ext4 filesystem implementation in the Linux
kernel did not properly handle corrupted meta data in some situations. An
attacker could use this to specially craft an ext4 file system that caused
a denial of service (system crash) when mounted. (CVE-2018-1092)

It was discovered that an information leak vulnerability existed in the
floppy driver in the Linux kernel. A local attacker could use this to
expose sensitive information (kernel memory). (CVE-2018-7755)

Julian Stecklina and Thomas Prescher discovered that FPU register states
(such as MMX, SSE, and AVX registers) which are lazy restored are
potentially vulnerable to a side channel attack. A local attacker could use
this to expose sensitive information. (CVE-2018-3665)

Update instructions:

The problem can be corrected by updating your livepatches to the following
versions:

| Kernel                   | Version  | flavors                  |
|--------------------------+----------+--------------------------|
| 4.4.0-124.148            | 40.6     | lowlatency, generic      |
| 4.4.0-124.148~14.04.1    | 40.6     | generic, lowlatency      |
| 4.4.0-127.153            | 40.6     | lowlatency, generic      |
| 4.4.0-127.153~14.04.1    | 40.6     | lowlatency, generic      |
| 4.4.0-128.154            | 40.6     | generic, lowlatency      |
| 4.4.0-128.154~14.04.1    | 40.6     | generic, lowlatency      |
| 4.15.0-20.21             | 40.7     | generic, lowlatency      |
| 4.15.0-22.24             | 40.7     | lowlatency, generic      |
| 4.15.0-23.25             | 40.7     | lowlatency, generic      |

References:
  CVE-2018-1093, CVE-2018-1092, CVE-2018-7755, CVE-2018-3665

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.