-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2378
                USN-4041-1, USN-4041-2: Linux kernel updates
                                 1 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           linux kernel
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11479

Reference:         ASB-2019.0172
                   ESB-2019.2293
                   ESB-2019.2292
                   ESB-2019.2132.3

Original Bulletin:
   https://usn.ubuntu.com/4041-1/
   https://usn.ubuntu.com/4041-2/

Comment: This bulletin contains two (2) Ubuntu security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4041-1: Linux kernel update
29 June 2019

linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15,
linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon
update

A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 19.04
  o Ubuntu 18.10
  o Ubuntu 18.04 LTS
  o Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  o linux - Linux kernel
  o linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  o linux-azure - Linux kernel for Microsoft Azure Cloud systems
  o linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems
  o linux-kvm - Linux kernel for cloud environments
  o linux-raspi2 - Linux kernel for Raspberry Pi 2
  o linux-snapdragon - Linux kernel for Snapdragon processors
  o linux-gke-4.15 - Linux kernel for Google Container Engine (GKE) systems
  o linux-hwe - Linux hardware enablement (HWE) kernel
  o linux-oem - Linux kernel for OEM processors
  o linux-oracle - Linux kernel for Oracle Cloud systems
  o linux-aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems

Details

USN-4017-1 fixed vulnerabilities in the Linux kernel for Ubuntu.
Unfortunately, the update introduced a regression that interfered with
networking applications that set up very low SO_SNDBUF values. This update
fixes the problem. We apologize for the inconvenience.

Jonathan Looney discovered that the Linux kernel could be coerced into
segmenting responses into multiple TCP segments. A remote attacker could
construct an ongoing sequence of requests to cause a denial of service.
Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 19.04
  linux-image-5.0.0-1010-aws - 5.0.0-1010.11
  linux-image-5.0.0-1010-azure - 5.0.0-1010.10
  linux-image-5.0.0-1010-gcp - 5.0.0-1010.10
  linux-image-5.0.0-1010-kvm - 5.0.0-1010.11
  linux-image-5.0.0-1012-raspi2 - 5.0.0-1012.12
  linux-image-5.0.0-1016-snapdragon - 5.0.0-1016.17
  linux-image-5.0.0-20-generic - 5.0.0-20.21
  linux-image-5.0.0-20-generic-lpae - 5.0.0-20.21
  linux-image-5.0.0-20-lowlatency - 5.0.0-20.21
  linux-image-aws - 5.0.0.1010.10
  linux-image-azure - 5.0.0.1010.9
  linux-image-gcp - 5.0.0.1010.10
  linux-image-generic - 5.0.0.20.21
  linux-image-generic-lpae - 5.0.0.20.21
  linux-image-gke - 5.0.0.1010.10
  linux-image-kvm - 5.0.0.1010.10
  linux-image-lowlatency - 5.0.0.20.21
  linux-image-raspi2 - 5.0.0.1012.9
  linux-image-snapdragon - 5.0.0.1016.9
  linux-image-virtual - 5.0.0.20.21

Ubuntu 18.10
  linux-image-4.18.0-1015-gcp - 4.18.0-1015.16
  linux-image-4.18.0-1016-kvm - 4.18.0-1016.17
  linux-image-4.18.0-1018-raspi2 - 4.18.0-1018.21
  linux-image-4.18.0-1020-aws - 4.18.0-1020.24
  linux-image-4.18.0-1023-azure - 4.18.0-1023.24
  linux-image-4.18.0-25-generic - 4.18.0-25.26
  linux-image-4.18.0-25-generic-lpae - 4.18.0-25.26
  linux-image-4.18.0-25-lowlatency - 4.18.0-25.26
  linux-image-4.18.0-25-snapdragon - 4.18.0-25.26
  linux-image-aws - 4.18.0.1020.20
  linux-image-azure - 4.18.0.1023.25
  linux-image-gcp - 4.18.0.1015.15
  linux-image-generic - 4.18.0.25.26
  linux-image-generic-lpae - 4.18.0.25.26
  linux-image-gke - 4.18.0.1015.15
  linux-image-kvm - 4.18.0.1016.16
  linux-image-lowlatency - 4.18.0.25.26
  linux-image-powerpc-e500mc - 4.18.0.25.26
  linux-image-powerpc-smp - 4.18.0.25.26
  linux-image-powerpc64-emb - 4.18.0.25.26
  linux-image-powerpc64-smp - 4.18.0.25.26
  linux-image-raspi2 - 4.18.0.1018.15
  linux-image-snapdragon - 4.18.0.25.26
  linux-image-virtual - 4.18.0.25.26

Ubuntu 18.04 LTS
  linux-image-4.15.0-1017-oracle - 4.15.0-1017.19
  linux-image-4.15.0-1036-gcp - 4.15.0-1036.38
  linux-image-4.15.0-1036-gke - 4.15.0-1036.38
  linux-image-4.15.0-1038-kvm - 4.15.0-1038.38
  linux-image-4.15.0-1040-raspi2 - 4.15.0-1040.43
  linux-image-4.15.0-1043-aws - 4.15.0-1043.45
  linux-image-4.15.0-1045-oem - 4.15.0-1045.50
  linux-image-4.15.0-1057-snapdragon - 4.15.0-1057.62
  linux-image-4.15.0-54-generic - 4.15.0-54.58
  linux-image-4.15.0-54-generic-lpae - 4.15.0-54.58
  linux-image-4.15.0-54-lowlatency - 4.15.0-54.58
  linux-image-4.18.0-1023-azure - 4.18.0-1023.24~18.04.1
  linux-image-4.18.0-25-generic - 4.18.0-25.26~18.04.1
  linux-image-4.18.0-25-generic-lpae - 4.18.0-25.26~18.04.1
  linux-image-4.18.0-25-lowlatency - 4.18.0-25.26~18.04.1
  linux-image-4.18.0-25-snapdragon - 4.18.0-25.26~18.04.1
  linux-image-aws - 4.15.0.1043.42
  linux-image-azure - 4.18.0.1023.21
  linux-image-gcp - 4.15.0.1036.38
  linux-image-generic - 4.15.0.54.56
  linux-image-generic-hwe-18.04 - 4.18.0.25.74
  linux-image-generic-lpae - 4.15.0.54.56
  linux-image-generic-lpae-hwe-18.04 - 4.18.0.25.74
  linux-image-gke - 4.15.0.1036.39
  linux-image-gke-4.15 - 4.15.0.1036.39
  linux-image-kvm - 4.15.0.1038.38
  linux-image-lowlatency - 4.15.0.54.56
  linux-image-lowlatency-hwe-18.04 - 4.18.0.25.74
  linux-image-oem - 4.15.0.1045.49
  linux-image-oracle - 4.15.0.1017.20
  linux-image-powerpc-e500mc - 4.15.0.54.56
  linux-image-powerpc-smp - 4.15.0.54.56
  linux-image-powerpc64-emb - 4.15.0.54.56
  linux-image-powerpc64-smp - 4.15.0.54.56
  linux-image-raspi2 - 4.15.0.1040.38
  linux-image-snapdragon - 4.15.0.1057.60
  linux-image-snapdragon-hwe-18.04 - 4.18.0.25.74
  linux-image-virtual - 4.15.0.54.56
  linux-image-virtual-hwe-18.04 - 4.18.0.25.74

Ubuntu 16.04 LTS
  linux-image-4.15.0-1017-oracle - 4.15.0-1017.19~16.04.2
  linux-image-4.15.0-1036-gcp - 4.15.0-1036.38~16.04.1
  linux-image-4.15.0-1043-aws - 4.15.0-1043.45~16.04.1
  linux-image-4.15.0-1049-azure - 4.15.0-1049.54
  linux-image-4.15.0-54-generic - 4.15.0-54.58~16.04.1
  linux-image-4.15.0-54-generic-lpae - 4.15.0-54.58~16.04.1
  linux-image-4.15.0-54-lowlatency - 4.15.0-54.58~16.04.1
  linux-image-4.4.0-1051-kvm - 4.4.0-1051.58
  linux-image-4.4.0-1087-aws - 4.4.0-1087.98
  linux-image-4.4.0-1114-raspi2 - 4.4.0-1114.123
  linux-image-4.4.0-1118-snapdragon - 4.4.0-1118.124
  linux-image-4.4.0-154-generic - 4.4.0-154.181
  linux-image-4.4.0-154-generic-lpae - 4.4.0-154.181
  linux-image-4.4.0-154-lowlatency - 4.4.0-154.181
  linux-image-4.4.0-154-powerpc-e500mc - 4.4.0-154.181
  linux-image-4.4.0-154-powerpc-smp - 4.4.0-154.181
  linux-image-4.4.0-154-powerpc64-emb - 4.4.0-154.181
  linux-image-4.4.0-154-powerpc64-smp - 4.4.0-154.181
  linux-image-aws - 4.4.0.1087.90
  linux-image-aws-hwe - 4.15.0.1043.43
  linux-image-azure - 4.15.0.1049.52
  linux-image-gcp - 4.15.0.1036.50
  linux-image-generic - 4.4.0.154.162
  linux-image-generic-hwe-16.04 - 4.15.0.54.75
  linux-image-generic-lpae - 4.4.0.154.162
  linux-image-generic-lpae-hwe-16.04 - 4.15.0.54.75
  linux-image-gke - 4.15.0.1036.50
  linux-image-kvm - 4.4.0.1051.51
  linux-image-lowlatency - 4.4.0.154.162
  linux-image-lowlatency-hwe-16.04 - 4.15.0.54.75
  linux-image-oem - 4.15.0.54.75
  linux-image-oracle - 4.15.0.1017.11
  linux-image-powerpc-e500mc - 4.4.0.154.162
  linux-image-powerpc-smp - 4.4.0.154.162
  linux-image-powerpc64-emb - 4.4.0.154.162
  linux-image-powerpc64-smp - 4.4.0.154.162
  linux-image-raspi2 - 4.4.0.1114.114
  linux-image-snapdragon - 4.4.0.1118.110
  linux-image-virtual - 4.4.0.154.162
  linux-image-virtual-hwe-16.04 - 4.15.0.54.75

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all
the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given
a new version number, which requires you to recompile and reinstall all third
party kernel modules you might have installed. Unless you manually uninstalled
the standard kernel metapackages (e.g. linux-generic,
linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system
upgrade will automatically perform this as well.

References

  o CVE-2019-11479
  o https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic

- --------------------------------------------------------------------------------

USN-4041-2: Linux kernel (HWE) update
29 June 2019

linux-lts-xenial, linux-aws, linux-azure update

A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 14.04 ESM

Summary

Several security issues were fixed in the Linux kernel.

Software Description

  o linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  o linux-azure - Linux kernel for Microsoft Azure Cloud systems
  o linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

USN-4041-1 provided updates for the Linux kernel in Ubuntu. This update
provides the corresponding updates for the Linux kernel for Ubuntu 16.04 ESM.

USN-4017-2 fixed vulnerabilities in the Linux kernel. Unfortunately, the
update introduced a regression that interfered with networking applications
that set up very low SO_SNDBUF values. This update fixes the problem. We
apologize for the inconvenience.

Jonathan Looney discovered that the Linux kernel could be coerced into
segmenting responses into multiple TCP segments. A remote attacker could
construct an ongoing sequence of requests to cause a denial of service.
(CVE-2019-11479)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 14.04 ESM
  linux-image-4.15.0-1049-azure - 4.15.0-1049.54~14.04.1
  linux-image-4.4.0-1048-aws - 4.4.0-1048.52
  linux-image-4.4.0-154-generic - 4.4.0-154.181~14.04.1
  linux-image-4.4.0-154-generic-lpae - 4.4.0-154.181~14.04.1
  linux-image-4.4.0-154-lowlatency - 4.4.0-154.181~14.04.1
  linux-image-4.4.0-154-powerpc-e500mc - 4.4.0-154.181~14.04.1
  linux-image-4.4.0-154-powerpc-smp - 4.4.0-154.181~14.04.1
  linux-image-4.4.0-154-powerpc64-emb - 4.4.0-154.181~14.04.1
  linux-image-4.4.0-154-powerpc64-smp - 4.4.0-154.181~14.04.1
  linux-image-aws - 4.4.0.1048.49
  linux-image-azure - 4.15.0.1049.36
  linux-image-generic-lpae-lts-xenial - 4.4.0.154.135
  linux-image-generic-lts-xenial - 4.4.0.154.135
  linux-image-lowlatency-lts-xenial - 4.4.0.154.135
  linux-image-powerpc-e500mc-lts-xenial - 4.4.0.154.135
  linux-image-powerpc-smp-lts-xenial - 4.4.0.154.135
  linux-image-powerpc64-emb-lts-xenial - 4.4.0.154.135
  linux-image-powerpc64-smp-lts-xenial - 4.4.0.154.135
  linux-image-virtual-lts-xenial - 4.4.0.154.135

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all
the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given
a new version number, which requires you to recompile and reinstall all third
party kernel modules you might have installed. Unless you manually uninstalled
the standard kernel metapackages (e.g. linux-generic,
linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system
upgrade will automatically perform this as well.
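Both advisories above list fixed package versions per release and warn that the fix carries a new ABI number, so a host is only protected once the listed image is installed and running. The following script is an added example, not part of the AusCERT or Ubuntu bulletin: it parses "package - version" lines in the layout used above, compares them with the output of `dpkg-query -W -f='${Package} ${Version}\n' 'linux-image-*'`, and checks whether `uname -r` names one of the fixed images. The bulletin excerpt and dpkg-query output embedded below are constructed samples (the excerpt reuses the Ubuntu 16.04 LTS entries from USN-4041-1); the version ordering is a re-implementation of dpkg's comparison rules rather than a call to dpkg itself.

```python
"""Audit a host against the fixed kernel package versions in a USN.
Added example; version ordering re-implements dpkg's rules (epoch, upstream,
Debian revision; '~' sorts before everything, including end of string)."""
import re

# Constructed excerpt in the bulletin's "package - version" layout
# (Ubuntu 16.04 LTS entries from USN-4041-1).
BULLETIN_EXCERPT = """\
linux-image-4.4.0-154-generic - 4.4.0-154.181
linux-image-4.15.0-54-generic - 4.15.0-54.58~16.04.1
linux-image-generic - 4.4.0.154.162
linux-image-generic-hwe-16.04 - 4.15.0.54.75
"""

# Constructed output of: dpkg-query -W -f='${Package} ${Version}\n' 'linux-image-*'
# The fixed 4.4.0-154 image is installed, but the metapackages still point at
# the previous ABI and (see main) the host still runs the 4.4.0-151 kernel.
SAMPLE_DPKG_OUTPUT = """\
linux-image-4.4.0-151-generic 4.4.0-151.178
linux-image-4.4.0-154-generic 4.4.0-154.181
linux-image-4.15.0-54-generic 4.15.0-54.58~16.04.1
linux-image-generic 4.4.0.151.159
linux-image-generic-hwe-16.04 4.15.0.52.73
"""


def _order(c):
    """dpkg character weight: '~' < end-of-string (0) < letters < other symbols."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments by alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights; a missing character weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: numeric comparison with leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        da, db = a[si:i], b[sj:j]
        if len(da) != len(db):
            return len(da) - len(db)
        if da != db:
            return -1 if da < db else 1
    return 0


def _split_version(v):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(a, b):
    """Return <0, 0 or >0 as version a sorts before, equal to or after version b."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_fixed_versions(text):
    """Map package -> fixed version from 'package - version' bulletin lines."""
    fixed = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+-\s+(\S+)\s*$", line)
        if m:
            fixed[m.group(1)] = m.group(2)
    return fixed


def parse_installed(text):
    """Map package -> installed version from 'package version' dpkg-query lines."""
    return dict(line.split() for line in text.splitlines() if len(line.split()) == 2)


def audit(bulletin_text, dpkg_output, running_release):
    """Report listed packages that are older than the fix and whether the
    running kernel (uname -r) is one of the fixed, new-ABI images."""
    fixed = parse_fixed_versions(bulletin_text)
    installed = parse_installed(dpkg_output)
    outdated = sorted(
        (pkg, ver, fixed[pkg])
        for pkg, ver in installed.items()
        if pkg in fixed and dpkg_compare(ver, fixed[pkg]) < 0
    )
    return {"outdated": outdated, "running_fixed": f"linux-image-{running_release}" in fixed}


if __name__ == "__main__":
    report = audit(BULLETIN_EXCERPT, SAMPLE_DPKG_OUTPUT, "4.4.0-151-generic")
    for pkg, have, want in report["outdated"]:
        print(f"OUTDATED {pkg}: installed {have}, fixed in {want}")
    if not report["running_fixed"]:
        print("running kernel is not one of the fixed images: reboot required")
```

For live use, feed `audit` the real dpkg-query output and `uname -r` instead of the constructed samples, and paste the package list for the host's release. Only metapackages and same-name images can be compared by version; an older-ABI image such as linux-image-4.4.0-151-generic never appears in the bulletin, which is why the running-kernel check is needed alongside the version comparison. On an Ubuntu host, `dpkg --compare-versions` gives the same ordering as `dpkg_compare` and can replace it.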
References

  o USN-4041-1
  o CVE-2019-11479
  o https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXRmTLmaOgq3Tt24GAQh84Q/8C0kkCjHShtDzkaXe7aqBSeeyKcp9VB7N
0uBDuxdaRhomkuvaYVBgFg330Byt5wPywVq+xIVxnLI/ZepBDUeAS8hzCnzhl/2w
uPoD5T32tzmzmqgNpAbygn0+jTiZPDsWsfEiTHri8W8FFJm2wu7sjXoKHmvfMJaU
wu2IYEzF0aDCV/d2j96RSKJkbgXJtquzfBGWxo/kyfxplra+8vZnM4A1irEFxfd6
872sStuil4p/MEVppiZIz8iJcRe6G/1dU3LFyGxb9XGFznQpWcs60+7hlTmNYK68
8zaWPu4FMmHy3KD6hDJeFMuaR4F3tXg1v9KMmBnROxZyGyaG8zFoe3KQ/xCnjeI1
0ShI2YpsIvedx8B4NOfrFGRSG4o6rdaPPmujMP2lrtW0dMA5K0+6AuI3qUvQv0hm
Snge6etRd4FLj/Naf5keKu+eLXvDOhtI/Eryq8/QTUZzzD2UgpvDs9YzF2K/HTCV
rvh/cjoCtzjD/dfvakPNlWCudoSd2Gq9/b3O6sg4qHJkSMg8OWI6R+r7bj0tEW5Y
KkL38ArQWZQOQbtgbyYYobq6NVA7P3yJnXAtigjFdhwwJ9oV6eSUkBppbuwslfe7
lmS2SnOB/Ce5I3DGHGOn6FxbEQYjmnZ85HfntbohfCSJDkJuLIKC1J7iwLf/ZcPS
jUii0ptr70E=
=Xjn5
-----END PGP SIGNATURE-----