Canonical has released a new kernel security update for Ubuntu 16.10 (Yakkety Yak), 16.04 (Xenial Xerus) and 14.04 LTS (Trusty Tahr). The new update follows the recent release that patched six critical vulnerabilities for Ubuntu 17.04 (Zesty Zapus).
The first flaw that Canonical has fixed through the update is an import stack-based buffer overflow issue that lies in generic SCSI of the Linux kernel behind Ubuntu 16.04 LTS and 16.04.1 LTS. The issue could let the local attacker gain full access of sg device and subsequently crash the affected system.
Canonical has also patched the second vulnerability (CVE-2017-7261) that was discovered in NULL pointer dereference in Direct Rendering Manager (DRM) driver for VMware devices. The local attacker could cause DDoS attack using this vulnerability. Similarily, the third vulnerability (CVE-2017-7616) is an information leak in kernel’s set_mempolicy and mind compat syscalls.
The fourth flaw in Ubuntu 16.04 LTS and 16.04.1 LTS is an integer overflow issue in Direct Rendering Manager (DRM) drivers for VMWare devices. The vulnerability could let an attacker gain remote access and execute arbitrary code to cause DDoS attack.
Fix for heap overflow loophole
Additionally, Canonical has released patched heap overflow issue (CVE-2017-7477) for Ubuntu 16.10 and Ubuntu 14.04 LTS users. The issue could let an attacker cause DDoS attack or crash the system.
The Ubuntu maker has also patched the kernel for Ubuntu 16.04.2 LTS users via hardware enablement HWE kernel. Ubuntu 14.04 LTS (Trusty Tahr) users, on the other hand, have received an update that carries fix for a security flaw (CVE-2016-8645) that fixes TCP implementation of the kernel.
All the users on Ubuntu 16.10, 16.04 and 14.04 are advised to update their kernel package at the earliest.