Canonical Releases Major Kernel Update for Ubuntu 16.04


Security flaws in Linux are often few and far between, but the patch just released by Canonical shows that this is not always the case. The company that Mark Shuttleworth runs has released a kernel update for Ubuntu 16.04 LTS (Xenial Xerus) that fixes up to five bugs discovered by various security researchers in the 4.4 kernel, the kernel shipped with the operating system that Canonical released 3 years ago, in April 2016. All Ubuntu-based versions that use the same kernel are also affected.

The fix is already present in the Linux 4.15 HWE kernel that Ubuntu 18.04 LTS includes, so other releases with a 9-month lifecycle, i.e. non-LTS releases, seem to be affected as well. The fact is that Canonical has only made this update available to users whose operating system is affected and who still enjoy official support. Ubuntu 14.04 will enjoy support until April 30, but its kernel is not affected by the 5 faults mentioned in this article.

Ubuntu 16.04 Kernel Update Fixes 5 Security Bugs

The five bugs that have been fixed are:

  • CVE-2017-18241: the F2FS file system implementation incorrectly handled the noflush_merge mount option.
  • CVE-2018-7740: related to the previous error, but in this case involving multiple overflows in the hugetlbfs implementation. This and the previous bug could allow a local malicious user to cause a denial of service.
  • CVE-2018-1120: discovered in the procfs file system. It allowed a local malicious user to block certain tools that examine procfs to report the status of the operating system, because procfs failed to correctly handle processes mapping memory elements.
  • CVE-2019-6133: allowed a local malicious user to gain access to services that stored authorizations.
  • CVE-2018-19985: could allow a physically close attacker to cause a system crash.

Canonical recommends that all affected users update as soon as possible to the 4.4 kernel version that is already available in the official repositories. Personally, considering that all of the bugs must be exploited by a local attacker, I would update soon, but I wouldn't worry too much either. And you?

