Canonical updates the Ubuntu kernel again to correct 9 vulnerabilities


Without a doubt, the most important news we will publish today is that Canonical has released Ubuntu 19.10 Eoan Ermine. Next to that, learning the name of the system that will be launched in six months, or that Canonical has corrected various vulnerabilities in the Ubuntu kernel, will stay in the background. But we cannot stand idly by waiting, the blogosphere must not stop, and the latter is what has happened in the last few hours.

In total, the new kernel version has fixed 9 vulnerabilities collected in the report USN-4157-1. At the time of this writing, the only affected operating system they mention is Ubuntu 19.04, but some of the bugs are marked as "pending" in Ubuntu 18.04 and Ubuntu 16.04. In all nine cases, Ubuntu 19.10 is listed as "unaffected".


Eoan Ermine kernel is not affected

The flaws, rated low or medium priority, are as follows:

  • CVE-2019-14814, CVE-2019-14815 and CVE-2019-14816: The Marvell Wi-Fi device driver in the Linux kernel did not perform bounds checking correctly, causing a heap overflow. A local attacker could use this to cause a denial of service (system hang) or possibly execute arbitrary code.
  • CVE-2019-14821: The implementation of the KVM hypervisor in the Linux kernel did not perform bounds checking correctly when handling coalesced MMIO write operations. A local attacker with write access to /dev/kvm could use this to cause a denial of service (system hang).
  • CVE-2019-15504: The 91x Wi-Fi driver in the Linux kernel did not properly handle initialization error conditions, resulting in a double-free vulnerability. A physically nearby attacker could use this to cause a denial of service (system hang).
  • CVE-2019-15505: The Technisat DVB-S/S2 USB device driver in the Linux kernel contained a buffer over-read. A physically nearby attacker could use this to cause a denial of service (system crash) or possibly expose sensitive information.
  • CVE-2019-15902: A Spectre mitigation was incorrectly implemented in the Linux kernel ptrace subsystem. A local attacker could use this to expose sensitive information.
  • CVE-2019-16714: The IPv6 RDS implementation in the Linux kernel was not correctly initializing fields in a data structure returned to user space. A local attacker could use this to expose sensitive information (kernel memory). Keep in mind that the RDS protocol is blacklisted in Ubuntu by default.
  • CVE-2019-2181: An integer overflow existed in the Linux kernel implementation of Binder, leading to a buffer overflow. A local attacker could use this to escalate privileges.

Update now

Updates are already available in the different software centers (or in the updates app) of all official Ubuntu flavors. Once installed, you will need to restart your computer for the changes to take effect.
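
To confirm that the patched kernel is actually the one running after the update, the following check (an added example, not part of the original article) reports whether a reboot is still pending. It assumes the standard Ubuntu locations `/boot` and `/var/run/reboot-required`; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: detect a host that installed the kernel update but has not
# rebooted into it yet. Function names are hypothetical.

# Print the highest kernel release that has an image in the given boot dir.
newest_installed_kernel() {
    _nk_bootdir="${1:-/boot}"
    for _nk_img in "$_nk_bootdir"/vmlinuz-*; do
        [ -e "$_nk_img" ] || continue      # glob matched nothing
        printf '%s\n' "${_nk_img##*/vmlinuz-}"
    done | sort -V | tail -n 1             # version-aware sort (GNU coreutils)
}

# Return 0 when a reboot is still needed, 1 otherwise.
# $1 = running release (default: uname -r), $2 = boot dir, $3 = flag file
reboot_needed() {
    _rn_running="${1:-$(uname -r)}"
    _rn_bootdir="${2:-/boot}"
    _rn_flag="${3:-/var/run/reboot-required}"

    # Ubuntu creates this flag file when an installed update needs a reboot.
    if [ -e "$_rn_flag" ]; then
        return 0
    fi

    _rn_newest="$(newest_installed_kernel "$_rn_bootdir")"
    if [ -z "$_rn_newest" ]; then
        return 1                           # no kernel images found to compare
    fi

    # Reboot needed only if an installed image is strictly newer than running.
    _rn_top="$(printf '%s\n%s\n' "$_rn_running" "$_rn_newest" | sort -V | tail -n 1)"
    [ "$_rn_newest" != "$_rn_running" ] && [ "$_rn_top" = "$_rn_newest" ]
}

if reboot_needed; then
    echo "Reboot pending: running $(uname -r), newest installed $(newest_installed_kernel)"
else
    echo "Running kernel $(uname -r) is current"
fi
```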

