Slashdot Mirror


Canonical Patches Two Kernel Vulnerabilities In Ubuntu 14.04 (softpedia.com)

jones_supa writes: Canonical has announced that a new kernel update is now live in the default software repositories for the Ubuntu 14.04 operating system. According to the security notice, two Linux kernel vulnerabilities have been fixed. The first security flaw was discovered in the SCTP (Stream Control Transmission Protocol) implementation, which conducted a wrong sequence of protocol-initialization steps. The second kernel vulnerability (discovered by Dmitry Vyukov) was in the Linux kernel's keyring handler, which tried to garbage collect incompletely instantiated keys. Both vulnerabilities allow a local attacker to crash the system by causing a denial of service. To fix the issues mentioned above, Canonical urges all users of Ubuntu 14.04 to update their kernel packages on all platforms.

33 comments

  1. how much do we exaggerate their importance? by sittingnut · · Score: 0

    Is the effort required to update these in many systems by many people really worthwhile? Just asking. Are there any studies on this?

    1. Re:how much do we exaggerate their importance? by hcs_$reboot · · Score: 2

      It depends if all systems are remotely attackable, even if only http/ssh is opened, for instance. Basically if you are using SCTP, instead of TCP/UDP you may be at risk. But not so many applications are using that protocol.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:how much do we exaggerate their importance? by mlts · · Score: 1

      I wouldn't be surprised to find more clients using it because it is a TCP/UDP mishmash that is good for multicasting, IPTV, and telco stuff. Of course, it will require new firewalls, since most will look at the packets, go, "is it TCP/UDP/IGMP/ICMP... if not, just drop them."

      As for local attacks, I'm glad they are taken care of. Although not as show-stopping as a remote root bug, with containerization becoming mainstream, a bug that panics a kernel and drops a compute node can cause some headaches, even if the services are redundant.

    3. Re:how much do we exaggerate their importance? by Anonymous Coward · · Score: 0

      The sctp issue is not remotely attackable. Attacker must have shell on local system.

  2. Updating a kernel by Anonymous Coward · · Score: 0

    Is that safe?

    1. Re:Updating a kernel by hcs_$reboot · · Score: 1

      Is that safe?

      Safer than not, in this case :-)

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re: Updating a kernel by WarJolt · · Score: 1

      I use the wily kernels with 14.04 and I haven't run into any issues. Using patched kernels is probably safer than what I do.

  3. Does anyone use SCTP? by Viol8 · · Score: 1

    It was supposed to be the successor to TCP with 1 -> N connection abilities IIRC, but to be blunt it seems to have died on its arse.

  4. And how does that relate to the kernel? by gweihir · · Score: 2

    Which versions have the vulnerabilities and where are they fixed? Did Ubuntu use an old, out-of-date kernel?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:And how does that relate to the kernel? by Anonymous Coward · · Score: 1

      It's the Ubuntu kernel - which is also used by Linux.

    2. Re:And how does that relate to the kernel? by gweihir · · Score: 1

      Ah, no? Ubuntu may well maintain their own patch-set, as, for example, Red Hat is doing. And they may be way behind the official kernels.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:And how does that relate to the kernel? by Anonymous Coward · · Score: 0

      Which versions have the vulnerabilities and where are they fixed?

      Linux 3.13, up to Ubuntu's kernel version 3.13.0-71.114 where it was fixed.

      Did Ubuntu use an old, out-of-date kernel?

      No, they used the then-current kernel for Ubuntu 14.04 LTS, and have been maintaining it ever since, because that's how LTS works. Why do you ask?

    4. Re:And how does that relate to the kernel? by gweihir · · Score: 1

      So it is an Ubuntu problem, not a kernel problem.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:And how does that relate to the kernel? by Zero__Kelvin · · Score: 1

      No, moron, it's an Ubuntu kernel problem.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:And how does that relate to the kernel? by gweihir · · Score: 1

      Thanks and moron yourself. It is an Ubuntu problem.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:And how does that relate to the kernel? by Zero__Kelvin · · Score: 1

      "It is an Ubuntu problem."

      No it isn't. It is a kernel problem for all Linux systems and distributions everywhere on the planet that use the versions of the kernel that have the vulnerabilities. Ubuntu is but one of thousands of unique Linux based OS systems, and this is simply stating that they have done so. People not on Ubuntu might also care, and the issue is certainly not specific to Ubuntu; only the fix is Ubuntu specific. Ubuntu has now patched their version of the Linux kernel. It is a kernel problem, in this case with Ubuntu ergo an Ubuntu kernel problem, and this is how Ubuntu has handled it. Saying it is an Ubuntu problem suggests that only Ubuntu has this issue, when nothing could be further from the truth.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  5. Uh? Who will update? by aglider · · Score: 0

    They patched a 2+ years old kernel. This is good and due (as they claim it's LTS).
    But who will update? A kernel patch requires a reboot.
    I think that those who still run 14.04 are running servers. And I hardly think a lot will update and reboot.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Uh? Who will update? by Anonymous Coward · · Score: 0

      I use 14.04 on my daily work machine. I use only LTS releases, since I have work to do and don't have the time to deal with all the bells and whistles changing location every half-year.

      And then even so, is a reboot that hard? takes all of 40 seconds on my servers.

      To be short, I don't really understand the point of your post. They did what they're supposed to do, but still it's somehow a bad thing?

    2. Re:Uh? Who will update? by Kidbro · · Score: 3, Interesting

      I think that those who still run 14.04 are running servers. And I hardly think a lot will update and reboot.

      That's a very strange assumption. Of course server vulnerabilities are patched, and the machines rebooted if need be. What did you expect? "Oh noes, my uptimes! I can't rebootz!"

      My client is currently in the process of rolling out a new line of products based on Ubuntu 14.04 (the choice of distribution was not mine). Of course we'll be using patched kernels for new machines we build. Simply upgrading to whatever happens to be the latest version of Ubuntu this week is not an option. This has been a year in testing. The next major update is likely two to four years down the line. The previous one (which is still being shipped) is based on Ubuntu 8.04 (Hardy Heron).

    3. Re:Uh? Who will update? by Gavagai80 · · Score: 1

      I'm running 14.04 on my desktop PC. But since these vulnerabilities are both to local attackers and the worst they do is force a reboot, I'm not rushing to reboot.

      --
      This space intentionally left blank
    4. Re:Uh? Who will update? by Anonymous Coward · · Score: 0

      Patched it, it didn't require a reboot.

    5. Re:Uh? Who will update? by Anonymous Coward · · Score: 0

      You need to reboot for the patch to go into effect.
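      The two practical questions raised in this thread (has the patched kernel actually taken effect, and is SCTP even loaded on the box) can be answered from the shell. The script below is an added example written for this page, not part of the article or any commenter's post. It assumes the Ubuntu 14.04 release-string layout `3.13.0-NN-flavour` (the ABI number after the first hyphen increases with each update, and the base version stays 3.13.0), and it runs against constructed sample data standing in for `uname -r`, `ls /boot/vmlinuz-*` and `lsmod` output.

```shell
#!/bin/sh
# Added example (not from the thread): post-update checks for an Ubuntu 14.04 host.
# Assumption: Ubuntu kernel release strings look like 3.13.0-71-generic, where the
# number after the first hyphen is the package ABI and rises with every update.
# The comparison below only looks at that ABI, so it assumes one base version (3.13.0).

# ABI number of a release string, e.g. 3.13.0-71-generic -> 71
kernel_abi() {
    printf '%s\n' "$1" | awk -F- '{ print $2 + 0 }'
}

# Highest ABI in a newline-separated list of /boot/vmlinuz-* paths or release strings.
newest_abi() {
    printf '%s\n' "$1" | sed 's#.*vmlinuz-##' \
        | awk -F- '$2 + 0 > max { max = $2 + 0 } END { print max + 0 }'
}

# Exit 0 when the running kernel ($1) is older than the newest installed one ($2):
# the update is on disk, but the vulnerable kernel is still the one executing.
reboot_needed() {
    running_abi=$(kernel_abi "$1")
    newest=$(newest_abi "$2")
    [ "$running_abi" -lt "$newest" ]
}

# Exit 0 when the sctp module appears in lsmod-style output (module name is column 1).
sctp_loaded() {
    printf '%s\n' "$1" | awk '$1 == "sctp" { found = 1 } END { exit !found }'
}

# Constructed sample data. On a real host these come from the commands in the comments:
SAMPLE_BOOT="/boot/vmlinuz-3.13.0-68-generic
/boot/vmlinuz-3.13.0-71-generic"          # ls /boot/vmlinuz-*
SAMPLE_RUNNING="3.13.0-68-generic"        # uname -r
SAMPLE_LSMOD="Module                  Size  Used by
sctp                  254432  0
nf_conntrack          101632  1"          # lsmod

if reboot_needed "$SAMPLE_RUNNING" "$SAMPLE_BOOT"; then
    echo "reboot needed: running $SAMPLE_RUNNING, newer kernel installed in /boot"
else
    echo "running kernel is the newest installed"
fi

if sctp_loaded "$SAMPLE_LSMOD"; then
    echo "sctp module is loaded on this host"
else
    echo "sctp module is not loaded"
fi
```

      On a live system, replace the sample strings with `$(uname -r)`, `$(ls /boot/vmlinuz-*)` and `$(lsmod)`; a non-empty `sctp` line tells you the first flaw's code path is reachable at all, and a positive `reboot_needed` result is the answer to the "patched without a reboot" exchange above: the package is updated, the kernel in memory is not.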

    6. Re:Uh? Who will update? by PvtVoid · · Score: 1

      I think that those who still run 14.04 are running servers.

      14.04 is the most recent LTS release, so I would imagine that many desktop users are still running that version. Hell, 12.04 is still under support.

    7. Re:Uh? Who will update? by Anonymous Coward · · Score: 0

      And then even so, is a reboot that hard? takes all of 40 seconds on my servers.

      Wah! My process that takes weeks to run and I was too lazy to make have an occasional save to disk was interrupted by your reboot! Why would you do that?

      Because everyone has a process that takes weeks to run, and this was the maintenance window.

    8. Re:Uh? Who will update? by aglider · · Score: 1

      How many users do you have on your servers?
      well, my desktop PC (also running 14.04) takes about 15 seconds off its SSDs, 6 of which spent by the BIOS. But it's not definitely a server.
      And which hardware are you using? Mine takes 5+ minutes just for hardware initialization.
      Thanks to Zarquon I am not running virtual fluff as the reboot would downtime all virtual machines.
      I run an OCS on my ones and a reboot is to be planned with a couple of months in advance with a test on a clone system.
      A reboot is not a bad thing, especially if it's needed for security patches.
      But within next April we'll get the new LTS. Instead of planning a reboot we are working on a transition.
      Bottom line: that patch came too late in my opinion.

      --
      Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    9. Re:Uh? Who will update? by Anonymous Coward · · Score: 0

      Thinks most recent LTS release of one of the most popular Linux distributions is old. Thinks nobody will reboot. What planet are you from, kid?

      In the real world, people called "adults" do things like earn a living, pay bills, etc. We don't use bleeding edge / untested software for business, nor do we use any software unless it has vendor support. Result: We usually wait and adopt long term support releases at least 1-2 years after they were released. Old? Hardly. There are a lot of people who recently upgraded to 12.04 LTS. The software that your growing mind undoubtedly considers "old and busted" is the same software that we think of as "almost stable enough to consider using."

      Why on earth do you think nobody will reboot? This isn't the first kernel patch for 14.04, and it won't be the last. Besides, there's such a thing as monthly planned outages for security upgrades. Now get off my lawn, you little whippersnapper.

  6. Re:Linus is for Cows by aglider · · Score: 2

    Is that you, Bill?

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  7. Why is this posted? by What'sInAName · · Score: 1

    I've never been one to whine about stories being posted here, but this one has me particularly puzzled. Is there something novel about this particular set of patches? I ask because I've seen many, many kernel updates released by Canonical to my 14.04 boxes involving potential local exploits, since 14.04 was released. Anyone know why this one warrants a story, or is it just a slow news day?

    1. Re:Why is this posted? by chooks · · Score: 1

      I was wondering the same thing. My 14.04 laptop (my main work laptop) gets kernel updates from Canonical not infrequently. Not sure why this one is special enough for /.

      --
      -- The Genesis project? What's that?
    2. Re:Why is this posted? by Anonymous Coward · · Score: 0

      Indeed. We don't need a whole fucking story for every kernel patch that hits a Linux distro.

  8. KDE password manager by Anonymous Coward · · Score: 0

    I'm waiting for the day when the KDE password manager actually remembers passwords.