Canonical today released a new rebootless Linux kernel live patch for all of its long-term supported (LTS) Ubuntu releases, addressing various security vulnerabilities that were already patched last week through regular kernel updates.
Probably the most important vulnerability addressed by the new kernel live patch for Ubuntu Linux is CVE-2019-14615, a flaw affecting certain Intel graphics processors. This could allow a local attacker to expose sensitive information.
The new kernel live patch addresses several heap-based buffer overflow vulnerabilities discovered in the Linux kernel’s Marvell WiFi-Ex driver (CVE-2019-14895 and CVE-2019-14901) and Marvell Libertas WLAN driver (CVE-2019-14896 and CVE-2019-14897). These flaws could allow physically proximate attackers to cause a system crash or execute arbitrary code.
Also patched is a flaw (CVE-2019-18885) discovered in the Linux kernel’s Btrfs file system, which could lead to a NULL pointer dereference and allow an attacker to crash the system by using a specially crafted file system image, as well as an issue (CVE-2019-2214) in the binder IPC implementation that could allow a local attacker to crash the system or execute arbitrary code.
How to update your kernel live patches
If you’re using the Canonical Livepatch Service on your machines powered by the Ubuntu 18.04 LTS (Bionic Beaver) or Ubuntu 16.04 LTS (Xenial Xerus) operating systems, you can correct all these issues by updating the kernel live patches to version 62.2 without rebooting your systems.
Canonical provides its live patching services only for Linux 5.0, 4.15, and 4.4 for generic and lowlatency, AWS (Amazon Web Services), GCP (Google Cloud Platform), Microsoft Azure, and OEM 64-bit (amd64) kernel flavors.
This new kernel live patch is also available for Ubuntu 14.04 ESM (Extended Security Maintenance) users running Linux kernel 4.4 on 64-bit (generic or lowlatency) systems.
To update your systems to the new kernel live patch version, run the command below in a terminal emulator.
sudo canonical-livepatch refresh
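An added example (not from Canonical or the original article): a shell check of a kernel release string against the support matrix listed above, plus a comparison of a reported live patch version with 62.2. The function names are hypothetical, and the patch version is assumed to be read by hand from `canonical-livepatch status`.

```shell
#!/bin/sh
# Added example. Support matrix taken from the article: kernel series
# 5.0 / 4.15 / 4.4, the flavors it names, and 64-bit (amd64) only.

# livepatch_eligible RELEASE ARCH
#   RELEASE: output of `uname -r`, e.g. 4.15.0-76-generic
#   ARCH:    output of `uname -m` (amd64 is reported as x86_64)
livepatch_eligible() {
    release=$1
    arch=$2
    [ "$arch" = "x86_64" ] || return 1

    # Kernel series is the first two dotted fields of the release string.
    series=$(printf '%s\n' "$release" | cut -d. -f1,2)
    case $series in
        5.0|4.15|4.4) ;;
        *) return 1 ;;
    esac

    # Flavor is whatever follows the last hyphen.
    flavor=${release##*-}
    case $flavor in
        generic|lowlatency|aws|gcp|azure|oem) return 0 ;;
        *) return 1 ;;
    esac
}

# patch_at_least HAVE WANT: succeeds when HAVE >= WANT for MAJOR[.MINOR]
# versions. HAVE is the version shown by `canonical-livepatch status`
# (assumption: the operator copies it in; the output is not parsed here).
patch_at_least() {
    hmaj=${1%%.*}
    wmaj=${2%%.*}
    case $1 in *.*) hmin=${1#*.} ;; *) hmin=0 ;; esac
    case $2 in *.*) wmin=${2#*.} ;; *) wmin=0 ;; esac
    [ "$hmaj" -gt "$wmaj" ] || { [ "$hmaj" -eq "$wmaj" ] && [ "$hmin" -ge "$wmin" ]; }
}

# Report on the machine this script runs on.
if livepatch_eligible "$(uname -r)" "$(uname -m)"; then
    echo "In the listed matrix: refresh, then confirm the patch version is at least 62.2"
else
    echo "Running kernel is outside the matrix the article lists"
fi
```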