
Canonical Patches Two Kernel Vulnerabilities In Ubuntu 14.04 (softpedia.com)

jones_supa writes: Canonical has announced that a new kernel update is now live in the default software repositories for the Ubuntu 14.04 operating system. According to the security notice, two Linux kernel vulnerabilities have been fixed. The first security flaw was discovered in the SCTP (Stream Control Transmission Protocol) implementation, which conducted a wrong sequence of protocol-initialization steps. The second kernel vulnerability (discovered by Dmitry Vyukov) was in the Linux kernel's keyring handler, which tried to garbage collect incompletely instantiated keys. Both vulnerabilities allow a local attacker to crash the system by causing a denial of service. To fix the issues mentioned above, Canonical urges all users of Ubuntu 14.04 to update their kernel packages on all platforms.
  • It was supposed to be the successor to TCP with 1 -> N connection abilities IIRC, but to be blunt it seems to have died on its arse.

  • by gweihir ( 88907 ) on Wednesday December 02, 2015 @05:27AM (#51039557)

    Which versions have the vulnerabilities and where are they fixed? Did Ubuntu use an old, out-of-date kernel?

    • by Anonymous Coward

      It's the Ubuntu kernel - which is also used by Linux.

      • by gweihir ( 88907 )

        Ah, no? Ubuntu may well maintain their own patch-set, as, for example, Red Hat is doing. And they may be way behind the official kernels.

  • They patched a 2+-year-old kernel. This is good and due (as they claim it's LTS).
    But who will update? A kernel patch requires a reboot.
    I think that those who still run 14.04 are running servers. And I hardly think a lot will update and reboot.
    • by Kidbro ( 80868 ) on Wednesday December 02, 2015 @08:40AM (#51040057)

      I think that those who still run 14.04 are running servers. And I hardly think a lot will update and reboot.

      That's a very strange assumption. Of course server vulnerabilities are patched, and the machines rebooted if need be. What did you expect? "Oh noes, my uptimes! I can't rebootz!"

      My client is currently in the process of rolling out a new line of products based on Ubuntu 14.04 (the choice of distribution was not mine). Of course we'll be using patched kernels for new machines we build. Simply upgrading to whatever happens to be the latest version of Ubuntu this week is not an option. This has been a year in testing. The next major update is likely two to four years down the line. The previous one (which is still being shipped) is based on Ubuntu 8.04 (Hardy Heron).

    • I'm running 14.04 on my desktop PC. But since these vulnerabilities are both to local attackers and the worst they do is force a reboot, I'm not rushing to reboot.

    • I think that those who still run 14.04 are running servers.

      14.04 is the most recent LTS release, so I would imagine that many desktop users are still running that version. Hell, 12.04 is still under support.
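The thread above turns on whether a kernel update has actually taken effect, which only happens after a reboot. The following POSIX sh script is an added example, not part of the story or any commenter's post: it compares the running kernel's ABI with the newest installed linux-image package so an admin can tell which hosts are still running the unpatched kernel. The version strings and the dpkg listing below are constructed sample data, not real package versions.

```shell
#!/bin/sh
# Added example: detect hosts still running an older kernel than the newest one
# installed on a Debian/Ubuntu system. Helpers take plain strings so they can be
# exercised without root or a real dpkg database.

# "3.13.0-68-generic" -> "3.13.0-68" (upstream version plus Ubuntu ABI number).
kernel_abi() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+-[0-9]+).*/\1/'
}

# Numeric field-by-field comparison of two "X.Y.Z-ABI" strings; prints -1, 0 or 1.
abi_cmp() {
    a=$(printf '%s\n' "$1" | tr '.-' '  '); b=$(printf '%s\n' "$2" | tr '.-' '  ')
    set -- $a; a1=$1; a2=$2; a3=$3; a4=$4
    set -- $b; b1=$1; b2=$2; b3=$3; b4=$4
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Newest installed linux-image ABI from a "dpkg -l" style listing on stdin.
# Only "ii" (installed) rows count; metapackages such as linux-image-generic
# and removed-but-configured ("rc") rows are skipped.
newest_installed_abi() {
    best=""
    while IFS= read -r line; do
        set -- $line
        [ "$1" = "ii" ] || continue
        case "$2" in linux-image-[0-9]*) ;; *) continue ;; esac
        abi=$(kernel_abi "${2#linux-image-}")
        if [ -z "$best" ] || [ "$(abi_cmp "$abi" "$best")" -gt 0 ]; then best=$abi; fi
    done
    printf '%s\n' "$best"
}

# True (exit 0) when the running kernel release is older than the newest installed ABI.
needs_reboot() {
    [ "$(abi_cmp "$(kernel_abi "$1")" "$2")" -lt 0 ]
}

# Constructed sample listing (versions are illustrative, not real package versions).
DPKG_SAMPLE='ii  linux-image-3.13.0-65-generic  3.13.0-65.105  amd64  Linux kernel image
ii  linux-image-3.13.0-68-generic  3.13.0-68.111  amd64  Linux kernel image
ii  linux-image-generic            3.13.0.68.74   amd64  Generic Linux kernel image
rc  linux-image-3.13.0-62-generic  3.13.0-62.102  amd64  Linux kernel image'
```

On a live host, feed the real listing instead: `dpkg -l 'linux-image-[0-9]*' | newest_installed_abi` and compare with `uname -r` via `needs_reboot`.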

  • I've never been one to whine about stories being posted here, but this one has me particularly puzzled. Is there something novel about this particular set of patches? I ask because I've seen many, many kernel updates released by Canonical to my 14.04 boxes involving potential local exploits, since 14.04 was released. Anyone know why this one warrants a story, or is it just a slow news day?

    • by chooks ( 71012 )

      I was wondering the same thing. My 14.04 laptop (my main work laptop) gets kernel updates from Canonical not infrequently. Not sure why this one is special enough for /.
