An Ubuntu update released on Wednesday fixes a bug in a Linux kernel driver that could be used to take control of a machine.
Canonical has released an update that patches four bugs, including one that could allow an attacker to execute code.
Ubuntu users have been notified of a reasonably pressing update to install that addresses four security issues, though none are remotely exploitable. The bugs affect Ubuntu 14.04 Long Term Support (LTS), which gets five years of coverage.
The most serious is a use-after-free flaw in a Linux kernel driver. The medium priority bug, found by Venkatesh Pottem last year, could allow a local attacker to cause a system crash and may allow them to execute code on the system.
"A flaw was found in the CXGB3 kernel driver when the network was considered congested. The kernel would incorrectly misinterpret the congestion as an error condition and incorrectly free/clean up the skb. When the device would then send the skb's queued, these structures would be referenced and may panic the system or allow an attacker to escalate privileges in a use-after-free scenario," Canonical notes in an advisory.
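The ownership mistake the advisory describes, as a simplified user-space model added here (not the CXGB3 driver's code): a positive congestion code is misread as failure and the buffer is released while the send queue still points at it. All names and constants are constructed, and a flag stands in for the actual free so the model itself stays memory-safe.

```c
#include <stdio.h>

/* Constructed stand-ins; a positive code means "congested, but still queued". */
#define XMIT_SUCCESS 0
#define XMIT_CN      2

struct buf { int released; };            /* stand-in for an skb */
static struct buf pool[2], *txq[2];      /* txq: the device's send queue */
static int queued;

/* Lower layer: always queues b (takes ownership), may report congestion. */
static int lower_send(struct buf *b, int congested)
{
    txq[queued++] = b;
    return congested ? XMIT_CN : XMIT_SUCCESS;
}

/* Flawed caller: any non-zero return is treated as an error. */
static void send_flawed(struct buf *b, int congested)
{
    if (lower_send(b, congested))
        b->released = 1;                 /* models freeing the skb */
}

/* Corrected caller: only a negative return means the send failed. */
static void send_fixed(struct buf *b, int congested)
{
    if (lower_send(b, congested) < 0)
        b->released = 1;
}

/* One congested send, one normal send; count queued-but-released buffers. */
static int stale_after_run(int use_fix)
{
    int stale = 0;
    queued = 0;
    for (int i = 0; i < 2; i++) {
        pool[i].released = 0;
        (use_fix ? send_fixed : send_flawed)(&pool[i], i == 0);
    }
    for (int i = 0; i < queued; i++)
        stale += txq[i]->released;       /* each one is a dangling reference */
    return stale;
}

int main(void)
{
    printf("flawed: %d stale, fixed: %d stale\n", stale_after_run(0), stale_after_run(1));
    return 0;
}
```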
It also fixes a low-priority timing side-channel vulnerability in the Linux Extended Verification Module, which an attacker could use to compromise system integrity.
A local attacker could also trigger a denial-of-service due to the Linux kernel incorrectly accounting file descriptors. This is considered a medium priority issue.
The fourth issue, rated low priority, could also be used to cause a denial-of-service due to the Linux kernel not enforcing limits on the data allocated to buffer pipes.
The references for the bugs are CVE-2015-8812, CVE-2016-2085, CVE-2016-2550, CVE-2016-2847.