Canonical Patches Four Security Flaws in Ubuntu 15.04 and 14.04 LTS
Canonical has released an important security patch for the kernel packages of Ubuntu 15.04 (Vivid Vervet) and Ubuntu 14.04 LTS (Trusty Tahr) operating systems.
Updated Linux 3.19 and Linux 3.13 kernel packages for Ubuntu 15.04 and Ubuntu 14.04 LTS have been published to patch four security vulnerabilities:
CVE-2015-0272: It was discovered that the Linux kernel did not check if a new IPv6 MTU set by a user space application was valid. A remote attacker could forge a route advertisement with an invalid MTU that a user space daemon like NetworkManager would honor and apply to the kernel, causing a denial of service.
CVE-2015-5156: It was discovered that virtio networking in the Linux kernel did not handle fragments correctly, leading to kernel memory corruption. A remote attacker could use this to cause a denial of service (system crash) or possibly execute code with administrative privileges.
CVE-2015-6937: It was discovered that the Reliable Datagram Sockets (RDS) implementation in the Linux kernel did not verify sockets were properly bound before attempting to send a message, which could cause a NULL pointer dereference. An attacker could use this to cause a denial of service (system crash).
CVE-2015-7312: Ben Hutchings discovered that the Advanced Union Filesystem (aufs) for the Linux kernel did not correctly handle references of memory mapped files from an aufs mount. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges.
The kernel update also affects derivatives of the respective Ubuntu OSes, including Kubuntu, Xubuntu, Lubuntu, Ubuntu GNOME, Ubuntu MATE, Ubuntu Studio, Ubuntu Kylin, Ubuntu Core, Ubuntu Server, and Edubuntu.
Canonical urges all users of Ubuntu 15.04 and Ubuntu 14.04 LTS to update their kernel packages immediately. The new kernels are now live in the default software repositories of the respective OSes.
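To help prioritize which hosts to update first, the following added example (not part of the original article and not Canonical's tooling) reports which of the affected subsystems listed above are active on a machine. It covers the three flaws tied to a loadable driver or filesystem (virtio networking, RDS, aufs) and leaves out CVE-2015-0272, which depends on a user space daemon. The module names `virtio_net`, `rds` and `aufs` are the upstream kernel names and are an assumption here, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not Canonical's tooling. Module names are the upstream kernel
# names (assumption: the page names subsystems, not modules).

# Constructed sample input in /proc/modules and /proc/mounts format.
SAMPLE_MODULES='rds 98304 0 - Live 0x0000000000000000
virtio_net 28672 0 - Live 0x0000000000000000
virtio_ring 24576 1 virtio_net, Live 0x0000000000000000'
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'

# module_loaded NAME [TEXT]: exact match on the first field, so "virtio"
# does not match "virtio_net". Built-in drivers never appear here.
module_loaded() {
    printf '%s\n' "${2-$(cat /proc/modules)}" |
        awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# fs_mounted TYPE [TEXT]: true if any mount has filesystem type TYPE (field 3).
fs_mounted() {
    printf '%s\n' "${2-$(cat /proc/mounts)}" |
        awk -v t="$1" '$3 == t { found = 1 } END { exit !found }'
}

# exposure_report [MODULES_TEXT] [MOUNTS_TEXT]: one line per CVE.
# With no arguments it reads the live host.
exposure_report() {
    mods="${1-$(cat /proc/modules)}"
    mnts="${2-$(cat /proc/mounts)}"
    for pair in CVE-2015-5156:virtio_net CVE-2015-6937:rds; do
        cve=${pair%%:*}; mod=${pair#*:}
        if module_loaded "$mod" "$mods"; then s=loaded; else s=not-loaded; fi
        echo "$cve $mod $s"
    done
    # aufs matters most when a mount exists: the flaw involves files
    # memory-mapped from an aufs mount.
    if fs_mounted aufs "$mnts"; then s=mounted
    elif module_loaded aufs "$mods"; then s=loaded-unmounted
    else s=absent; fi
    echo "CVE-2015-7312 aufs $s"
}

exposure_report "$SAMPLE_MODULES" "$SAMPLE_MOUNTS"
```

A "loaded" or "mounted" result means the affected code is in use on that host, not that the kernel is unpatched; the remedy is still the updated kernel package.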