Ubuntu has patched a number of vulnerabilities affecting the Linux kernel, it is urging users to apply the patch if they’re running 14.04 LTS or any derivative builds.
According to the security advisory issued by Ubuntu yesterday, the list of bugs includes a use-after-free vulnerability (CVE-2015-8812) and a timing side-channel vulnerability (CVE-2016-2085), and a couple of flaws that open the Kernen to denial of service.
The use-after-free flaw was reported by Venkatesh Pottem, an attacker can exploit it to crash the system or possibly execute arbitrary code.
The timing side-channel vulnerability in the Linux Kernel affects the Extended Verification Module (EVM), an attacker can trigger it to compromise the. The flaw was reported by Xiaofei Rex Guo.
A third vulnerability is caused by the failure in enforcing limits on data “allocated to buffer pipes” that would’ve exhausted resources.
Below the description provided for the remaining flaws fixed by the patch.
“David Herrmann discovered that the Linux kernel incorrectly accounted file descriptors to the original opener for in-flight file descriptors sent over a unix domain socket. A local attacker could use this to cause a denial of service (resource exhaustion). (CVE-2016-2550)” states the advisory. “It was discovered that the Linux kernel did not enforce limits on the amount of data allocated to buffer pipes. A local attacker could use this to cause a denial of service (resource exhaustion). (CVE-2016-2847)”
If you are using Ubuntu 12.04 LTS you urgently need to update it to fix the above vulnerabilities with the following package version:
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
(Security Affairs – Linux Kernel, Ubuntu 14.04 LTS)