Canonical releases many minor Ubuntu kernel updates to fix various security flaws. Many of these bugs appear in non-LTS versions of the kernel, because Canonical releases new features at least twice every year, in April and October. The operating system on which it is based is more robust, in part because it introduces new features more slowly. But that does not mean that it is free from flaws, and yesterday Debian released new kernel versions for its operating system.
Debian 10 was released earlier this month and it has already received its first kernel security update. The update fixes a bug discovered by Jann Horn of Google Project Zero, a security initiative of the search engine company that, honestly, I do not know if it is more famous for helping to find security flaws or for publishing them before the creators of the software in question have corrected the bug. In any case, the flaw discovered by Horn has been cataloged as high severity.
Debian 10 receives its first kernel security update
The bug that the new kernel version fixes is CVE-2018-13272, which describes a security problem that «a local attacker could use to gain super user (root) access by taking advantage of certain scenarios with a parent-child process relationship, where the parent drops privileges and calls execve (potentially allowing an attacker control)». The flaw affects Buster, Stretch and Jessie.
The new kernel versions are 19.37-5 + deb10u1 in «Buster», 4.9.168-1 + deb9u4 in «Stretch» and 3.16.70-1 + deb8u1 in «Jessie». Debian version 10 also includes a patch for a regression introduced in the original patch for vulnerability CVE-2019-11478 in the implementation of the TCP retransmission queue. As can be expected for a critical-severity bug, the Debian Project recommends updating as soon as possible.