New Ubuntu Linux Kernel Security Updates Fix 12 Vulnerabilities


Canonical has published new Ubuntu Linux kernel security updates for all of its supported releases to patch several vulnerabilities recently discovered by various security researchers.

Affecting the Linux 5.3 kernel in Ubuntu 19.10 and Ubuntu 18.04.4 LTS, Linux 5.0 and 4.15 kernels in Ubuntu 18.04 LTS, as well as Linux 4.15 and 4.4 kernels in Ubuntu 16.04 LTS, the new security patch fixes an issue found in the Intel Wi-Fi driver (CVE-2019-16234), which could allow a local attacker to cause a denial of service (system crash).

Also fixed in the aforementioned Ubuntu kernels are a race condition (CVE-2020-8648) discovered in the Linux kernel’s virtual terminal implementation, a flaw (CVE-2020-9383) discovered by Jordy Zomer in the floppy driver, and a race condition (CVE-2019-19768) discovered by Tristan Madani in the block I/O tracing implementation. All these issues could allow a local attacker to either crash the system or expose sensitive information.

Affecting the Linux 5.3 kernel in Ubuntu 19.10 and Ubuntu 18.04.4 LTS, as well as the Linux 4.15 kernel in Ubuntu 18.04 LTS and Ubuntu 16.04 LTS, the new kernel update patches a stack buffer overflow (CVE-2020-10942) discovered in the vhost net driver. This could allow a local attacker with the ability to perform ioctl() calls on /dev/vhost-net to cause a denial of service (system crash).

On Ubuntu 19.10 systems running Linux kernel 5.3, the new security patch addresses a flaw (CVE-2020-8992) discovered by Shijie Luo in the Linux kernel’s EXT4 file system implementation, which apparently failed to check for too-large journal sizes. This could allow a local attacker to cause a denial of service (soft lockup) by mounting a malicious EXT4 image.

On Ubuntu 18.04 LTS and Ubuntu 16.04 LTS systems running Linux kernel 4.15, the security update fixes three other issues, namely CVE-2020-11608, CVE-2020-11609, and CVE-2020-11668, affecting the OV51x USB Camera device driver, STV06XX USB Camera device driver, and Xirlink C-It USB Camera device driver. These could allow a physically proximate attacker to cause a denial of service (system crash).

On Ubuntu 16.04 LTS and 14.04 ESM systems running Linux kernel 4.4, the security update addresses a NULL pointer dereference (CVE-2019-16233) discovered in the QLogic Fibre Channel driver. This could allow a local attacker to cause a denial of service (system crash).

Lastly, the new Ubuntu Linux kernel security update also fixes a flaw (CVE-2020-11884) discovered by Al Viro that affects s390x systems. The kernel did not properly perform page table upgrades for kernel sections using a secondary address mode, which could allow a local attacker to either cause a denial of service (system crash) or execute arbitrary code.

This security issue affects Ubuntu 19.10 and Ubuntu 18.04.4 LTS systems running Linux kernel 5.3, Ubuntu 18.04 LTS and Ubuntu 16.04 LTS systems running Linux kernel 4.15, and Ubuntu 20.04 LTS systems running Linux kernel 5.4.

Canonical urges all users to update their installations and install the new kernel versions (linux-image 5.3.0-51.44 on Ubuntu 19.10 64-bit, linux-image 5.3.0-51.44~18.04.2 on Ubuntu 18.04.4 LTS 64-bit and 32-bit, linux-image 4.15.0-99.100 on Ubuntu 18.04 LTS 64-bit and 32-bit, linux-image 4.15.0-99.100~16.04.1 on Ubuntu 16.04.6 LTS 64-bit and 32-bit, and linux-image 4.4.0-178.208 on Ubuntu 16.04 LTS 64-bit and 32-bit) as soon as possible.

New kernel versions are also available for Raspberry Pi devices, cloud environments, OEM processors, Snapdragon processors, as well as Amazon Web Services (AWS), Microsoft Azure Cloud, Oracle Cloud, Google Cloud Platform (GCP), and Google Container Engine (GKE) systems. A system reboot is required for the security issues to be corrected.

Last updated 7 months ago
