Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2378
USN-4041-1, USN-4041-2: Linux kernel updates
1 July 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: linux kernel
Publisher: Ubuntu
Operating System: Ubuntu
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-11479
Reference: ASB-2019.0172
ESB-2019.2293
ESB-2019.2292
ESB-2019.2132.3
Original Bulletin:
https://usn.ubuntu.com/4041-1/
https://usn.ubuntu.com/4041-2/
Comment: This bulletin contains two (2) Ubuntu security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
USN-4041-1: Linux kernel update
29 June 2019
linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-hwe,
linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon update
A security issue affects these releases of Ubuntu and its derivatives:
o Ubuntu 19.04
o Ubuntu 18.10
o Ubuntu 18.04 LTS
o Ubuntu 16.04 LTS
Summary
Several security issues were fixed in the Linux kernel.
Software Description
o linux - Linux kernel
o linux-aws - Linux kernel for Amazon Web Services (AWS) systems
o linux-azure - Linux kernel for Microsoft Azure Cloud systems
o linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
o linux-kvm - Linux kernel for cloud environments
o linux-raspi2 - Linux kernel for Raspberry Pi 2
o linux-snapdragon - Linux kernel for Snapdragon processors
o linux-gke-4.15 - Linux kernel for Google Container Engine (GKE) systems
o linux-hwe - Linux hardware enablement (HWE) kernel
o linux-oem - Linux kernel for OEM processors
o linux-oracle - Linux kernel for Oracle Cloud systems
o linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems
Details
USN-4017-1 fixed vulnerabilities in the Linux kernel for Ubuntu. Unfortunately,
the update introduced a regression that interfered with networking applications
that setup very low SO_SNDBUF values. This update fixes the problem.
We apologize for the inconvenience.
Jonathan Looney discovered that the Linux kernel could be coerced into
segmenting responses into multiple TCP segments. A remote attacker could
construct an ongoing sequence of requests to cause a denial of service.
Update instructions
The problem can be corrected by updating your system to the following package
versions:
Ubuntu 19.04
linux-image-5.0.0-1010-aws - 5.0.0-1010.11
linux-image-5.0.0-1010-azure - 5.0.0-1010.10
linux-image-5.0.0-1010-gcp - 5.0.0-1010.10
linux-image-5.0.0-1010-kvm - 5.0.0-1010.11
linux-image-5.0.0-1012-raspi2 - 5.0.0-1012.12
linux-image-5.0.0-1016-snapdragon - 5.0.0-1016.17
linux-image-5.0.0-20-generic - 5.0.0-20.21
linux-image-5.0.0-20-generic-lpae - 5.0.0-20.21
linux-image-5.0.0-20-lowlatency - 5.0.0-20.21
linux-image-aws - 5.0.0.1010.10
linux-image-azure - 5.0.0.1010.9
linux-image-gcp - 5.0.0.1010.10
linux-image-generic - 5.0.0.20.21
linux-image-generic-lpae - 5.0.0.20.21
linux-image-gke - 5.0.0.1010.10
linux-image-kvm - 5.0.0.1010.10
linux-image-lowlatency - 5.0.0.20.21
linux-image-raspi2 - 5.0.0.1012.9
linux-image-snapdragon - 5.0.0.1016.9
linux-image-virtual - 5.0.0.20.21
Ubuntu 18.10
linux-image-4.18.0-1015-gcp - 4.18.0-1015.16
linux-image-4.18.0-1016-kvm - 4.18.0-1016.17
linux-image-4.18.0-1018-raspi2 - 4.18.0-1018.21
linux-image-4.18.0-1020-aws - 4.18.0-1020.24
linux-image-4.18.0-1023-azure - 4.18.0-1023.24
linux-image-4.18.0-25-generic - 4.18.0-25.26
linux-image-4.18.0-25-generic-lpae - 4.18.0-25.26
linux-image-4.18.0-25-lowlatency - 4.18.0-25.26
linux-image-4.18.0-25-snapdragon - 4.18.0-25.26
linux-image-aws - 4.18.0.1020.20
linux-image-azure - 4.18.0.1023.25
linux-image-gcp - 4.18.0.1015.15
linux-image-generic - 4.18.0.25.26
linux-image-generic-lpae - 4.18.0.25.26
linux-image-gke - 4.18.0.1015.15
linux-image-kvm - 4.18.0.1016.16
linux-image-lowlatency - 4.18.0.25.26
linux-image-powerpc-e500mc - 4.18.0.25.26
linux-image-powerpc-smp - 4.18.0.25.26
linux-image-powerpc64-emb - 4.18.0.25.26
linux-image-powerpc64-smp - 4.18.0.25.26
linux-image-raspi2 - 4.18.0.1018.15
linux-image-snapdragon - 4.18.0.25.26
linux-image-virtual - 4.18.0.25.26
Ubuntu 18.04 LTS
linux-image-4.15.0-1017-oracle - 4.15.0-1017.19
linux-image-4.15.0-1036-gcp - 4.15.0-1036.38
linux-image-4.15.0-1036-gke - 4.15.0-1036.38
linux-image-4.15.0-1038-kvm - 4.15.0-1038.38
linux-image-4.15.0-1040-raspi2 - 4.15.0-1040.43
linux-image-4.15.0-1043-aws - 4.15.0-1043.45
linux-image-4.15.0-1045-oem - 4.15.0-1045.50
linux-image-4.15.0-1057-snapdragon - 4.15.0-1057.62
linux-image-4.15.0-54-generic - 4.15.0-54.58
linux-image-4.15.0-54-generic-lpae - 4.15.0-54.58
linux-image-4.15.0-54-lowlatency - 4.15.0-54.58
linux-image-4.18.0-1023-azure - 4.18.0-1023.24~18.04.1
linux-image-4.18.0-25-generic - 4.18.0-25.26~18.04.1
linux-image-4.18.0-25-generic-lpae - 4.18.0-25.26~18.04.1
linux-image-4.18.0-25-lowlatency - 4.18.0-25.26~18.04.1
linux-image-4.18.0-25-snapdragon - 4.18.0-25.26~18.04.1
linux-image-aws - 4.15.0.1043.42
linux-image-azure - 4.18.0.1023.21
linux-image-gcp - 4.15.0.1036.38
linux-image-generic - 4.15.0.54.56
linux-image-generic-hwe-18.04 - 4.18.0.25.74
linux-image-generic-lpae - 4.15.0.54.56
linux-image-generic-lpae-hwe-18.04 - 4.18.0.25.74
linux-image-gke - 4.15.0.1036.39
linux-image-gke-4.15 - 4.15.0.1036.39
linux-image-kvm - 4.15.0.1038.38
linux-image-lowlatency - 4.15.0.54.56
linux-image-lowlatency-hwe-18.04 - 4.18.0.25.74
linux-image-oem - 4.15.0.1045.49
linux-image-oracle - 4.15.0.1017.20
linux-image-powerpc-e500mc - 4.15.0.54.56
linux-image-powerpc-smp - 4.15.0.54.56
linux-image-powerpc64-emb - 4.15.0.54.56
linux-image-powerpc64-smp - 4.15.0.54.56
linux-image-raspi2 - 4.15.0.1040.38
linux-image-snapdragon - 4.15.0.1057.60
linux-image-snapdragon-hwe-18.04 - 4.18.0.25.74
linux-image-virtual - 4.15.0.54.56
linux-image-virtual-hwe-18.04 - 4.18.0.25.74
Ubuntu 16.04 LTS
linux-image-4.15.0-1017-oracle - 4.15.0-1017.19~16.04.2
linux-image-4.15.0-1036-gcp - 4.15.0-1036.38~16.04.1
linux-image-4.15.0-1043-aws - 4.15.0-1043.45~16.04.1
linux-image-4.15.0-1049-azure - 4.15.0-1049.54
linux-image-4.15.0-54-generic - 4.15.0-54.58~16.04.1
linux-image-4.15.0-54-generic-lpae - 4.15.0-54.58~16.04.1
linux-image-4.15.0-54-lowlatency - 4.15.0-54.58~16.04.1
linux-image-4.4.0-1051-kvm - 4.4.0-1051.58
linux-image-4.4.0-1087-aws - 4.4.0-1087.98
linux-image-4.4.0-1114-raspi2 - 4.4.0-1114.123
linux-image-4.4.0-1118-snapdragon - 4.4.0-1118.124
linux-image-4.4.0-154-generic - 4.4.0-154.181
linux-image-4.4.0-154-generic-lpae - 4.4.0-154.181
linux-image-4.4.0-154-lowlatency - 4.4.0-154.181
linux-image-4.4.0-154-powerpc-e500mc - 4.4.0-154.181
linux-image-4.4.0-154-powerpc-smp - 4.4.0-154.181
linux-image-4.4.0-154-powerpc64-emb - 4.4.0-154.181
linux-image-4.4.0-154-powerpc64-smp - 4.4.0-154.181
linux-image-aws - 4.4.0.1087.90
linux-image-aws-hwe - 4.15.0.1043.43
linux-image-azure - 4.15.0.1049.52
linux-image-gcp - 4.15.0.1036.50
linux-image-generic - 4.4.0.154.162
linux-image-generic-hwe-16.04 - 4.15.0.54.75
linux-image-generic-lpae - 4.4.0.154.162
linux-image-generic-lpae-hwe-16.04 - 4.15.0.54.75
linux-image-gke - 4.15.0.1036.50
linux-image-kvm - 4.4.0.1051.51
linux-image-lowlatency - 4.4.0.154.162
linux-image-lowlatency-hwe-16.04 - 4.15.0.54.75
linux-image-oem - 4.15.0.54.75
linux-image-oracle - 4.15.0.1017.11
linux-image-powerpc-e500mc - 4.4.0.154.162
linux-image-powerpc-smp - 4.4.0.154.162
linux-image-powerpc64-emb - 4.4.0.154.162
linux-image-powerpc64-smp - 4.4.0.154.162
linux-image-raspi2 - 4.4.0.1114.114
linux-image-snapdragon - 4.4.0.1118.110
linux-image-virtual - 4.4.0.154.162
linux-image-virtual-hwe-16.04 - 4.15.0.54.75
To update your system, please follow these instructions: https://
wiki.ubuntu.com/Security/Upgrades .
After a standard system update you need to reboot your computer to make all the
necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have been given
a new version number, which requires you to recompile and reinstall all third
party kernel modules you might have installed. Unless you manually uninstalled
the standard kernel metapackages (e.g. linux-generic,
linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system
upgrade will automatically perform this as well.
References
o CVE-2019-11479
o https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic
- --------------------------------------------------------------------------------
USN-4041-2: Linux kernel (HWE) update
29 June 2019
linux-lts-xenial, linux-aws, linux-azure update
A security issue affects these releases of Ubuntu and its derivatives:
o Ubuntu 14.04 ESM
Summary
Several security issues were fixed in the Linux kernel.
Software Description
o linux-aws - Linux kernel for Amazon Web Services (AWS) systems
o linux-azure - Linux kernel for Microsoft Azure Cloud systems
o linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty
Details
USN-4041-1 provided updates for the Linux kernel in Ubuntu. This update
provides the corresponding updates for the Linux kernel for Ubuntu 16.04 ESM.
USN-4017-2 fixed vulnerabilities in the Linux kernel. Unfortunately, the update
introduced a regression that interfered with networking applications that setup
very low SO_SNDBUF values. This update fixes the problem.
We apologize for the inconvenience.
Jonathan Looney discovered that the Linux kernel could be coerced into
segmenting responses into multiple TCP segments. A remote attacker could
construct an ongoing sequence of requests to cause a denial of service.
(CVE-2019-11479)
Update instructions
The problem can be corrected by updating your system to the following package
versions:
Ubuntu 14.04 ESM
linux-image-4.15.0-1049-azure - 4.15.0-1049.54~14.04.1
linux-image-4.4.0-1048-aws - 4.4.0-1048.52
linux-image-4.4.0-154-generic - 4.4.0-154.181~14.04.1
linux-image-4.4.0-154-generic-lpae - 4.4.0-154.181~14.04.1
linux-image-4.4.0-154-lowlatency - 4.4.0-154.181~14.04.1
linux-image-4.4.0-154-powerpc-e500mc - 4.4.0-154.181~14.04.1
linux-image-4.4.0-154-powerpc-smp - 4.4.0-154.181~14.04.1
linux-image-4.4.0-154-powerpc64-emb - 4.4.0-154.181~14.04.1
linux-image-4.4.0-154-powerpc64-smp - 4.4.0-154.181~14.04.1
linux-image-aws - 4.4.0.1048.49
linux-image-azure - 4.15.0.1049.36
linux-image-generic-lpae-lts-xenial - 4.4.0.154.135
linux-image-generic-lts-xenial - 4.4.0.154.135
linux-image-lowlatency-lts-xenial - 4.4.0.154.135
linux-image-powerpc-e500mc-lts-xenial - 4.4.0.154.135
linux-image-powerpc-smp-lts-xenial - 4.4.0.154.135
linux-image-powerpc64-emb-lts-xenial - 4.4.0.154.135
linux-image-powerpc64-smp-lts-xenial - 4.4.0.154.135
linux-image-virtual-lts-xenial - 4.4.0.154.135
To update your system, please follow these instructions: https://
wiki.ubuntu.com/Security/Upgrades .
After a standard system update you need to reboot your computer to make all the
necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have been given
a new version number, which requires you to recompile and reinstall all third
party kernel modules you might have installed. Unless you manually uninstalled
the standard kernel metapackages (e.g. linux-generic,
linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system
upgrade will automatically perform this as well.
References
o USN-4041-1
o CVE-2019-11479
o https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXRmTLmaOgq3Tt24GAQh84Q/8C0kkCjHShtDzkaXe7aqBSeeyKcp9VB7N
0uBDuxdaRhomkuvaYVBgFg330Byt5wPywVq+xIVxnLI/ZepBDUeAS8hzCnzhl/2w
uPoD5T32tzmzmqgNpAbygn0+jTiZPDsWsfEiTHri8W8FFJm2wu7sjXoKHmvfMJaU
wu2IYEzF0aDCV/d2j96RSKJkbgXJtquzfBGWxo/kyfxplra+8vZnM4A1irEFxfd6
872sStuil4p/MEVppiZIz8iJcRe6G/1dU3LFyGxb9XGFznQpWcs60+7hlTmNYK68
8zaWPu4FMmHy3KD6hDJeFMuaR4F3tXg1v9KMmBnROxZyGyaG8zFoe3KQ/xCnjeI1
0ShI2YpsIvedx8B4NOfrFGRSG4o6rdaPPmujMP2lrtW0dMA5K0+6AuI3qUvQv0hm
Snge6etRd4FLj/Naf5keKu+eLXvDOhtI/Eryq8/QTUZzzD2UgpvDs9YzF2K/HTCV
rvh/cjoCtzjD/dfvakPNlWCudoSd2Gq9/b3O6sg4qHJkSMg8OWI6R+r7bj0tEW5Y
KkL38ArQWZQOQbtgbyYYobq6NVA7P3yJnXAtigjFdhwwJ9oV6eSUkBppbuwslfe7
lmS2SnOB/Ce5I3DGHGOn6FxbEQYjmnZ85HfntbohfCSJDkJuLIKC1J7iwLf/ZcPS
jUii0ptr70E=
=Xjn5
-----END PGP SIGNATURE-----