Canonical releases Ubuntu kernel security update, fixing more than 20 vulnerabilities

Canonical recently released a Linux kernel security update for all Ubuntu versions that are still under maintenance. The update resolves more than 20 security vulnerabilities, and Canonical urges all Ubuntu users to update.

The most important vulnerabilities patched in this major Ubuntu Linux kernel update are CVE-2020-25704, discovered in the perf subsystem, which could allow a privileged attacker to cause a denial of service (exhaustion of kernel memory), and a security issue in the PowerPC RTAS implementation (CVE-2020-27777), which could allow a privileged local attacker to arbitrarily modify kernel memory and bypass kernel lockdown restrictions.

The new Ubuntu kernel security update also fixes a race condition in the console keyboard driver (CVE-2020-25656), a race condition in the TTY driver/subsystem (CVE-2020-25668), a read-after-free (RAF) vulnerability (CVE-2020-29660), an information disclosure (CVE-2020-28588) found in the syscall implementation on 32-bit systems, and a vulnerability in the framebuffer console driver (CVE-2020-28974). All of these vulnerabilities may allow local attackers to expose sensitive information (kernel memory).

In addition to the above-mentioned vulnerabilities, this update also fixes vulnerabilities that may allow local attackers to cause a denial of service or possibly execute arbitrary code. These include a use-after-free (UAF) vulnerability in the Sun keyboard driver (CVE-2020-25669), an out-of-bounds read vulnerability in the JFS file system implementation (CVE-2020-27815), two vulnerabilities in the Speakup screen reader driver (CVE-2020-27830 and CVE-2020-28941), a UAF vulnerability in the InfiniBand HFI1 device driver (CVE-2020-27835), and another race condition vulnerability in the TTY subsystem (CVE-2020-29661).

The Ubuntu kernel security update also fixes four other vulnerabilities that affect cloud users. These vulnerabilities may allow an attacker in a guest virtual machine to cause a denial of service of the host operating system.

The new kernel security update resolves a race condition (CVE-2020-35508) that may allow local attackers to send signals to arbitrary processes. The vulnerability only affects Ubuntu 20.10 and 20.04.2 LTS users running Linux Kernel 5.8. In addition, a vulnerability (CVE-2021-20177) found in the netfilter subsystem has been patched. It only affects Ubuntu 20.04 LTS and Ubuntu 18.04.5 LTS users running Linux Kernel 5.4, and may allow a local attacker with the CAP_NET_ADMIN capability to cause a denial of service.

The last vulnerability (CVE-2020-29374) was discovered in the memory management subsystem of the Linux kernel. This vulnerability may allow a local attacker to gain unexpected write access to read-only memory pages. It only affects Ubuntu 18.04 LTS, Ubuntu 16.04 LTS and Ubuntu 14.04 ESM users running Linux Kernel 4.15 or 4.4 LTS.

In addition to these security fixes, Canonical today also released an OEM kernel update for Ubuntu 20.04 LTS systems running Linux Kernel 5.10 OEM, which fixes a vulnerability (CVE-2020-28374) found in the LIO SCSI target implementation. It may allow an attacker with access to at least one LUN in a multiple-backstore environment to expose sensitive information or modify data.

Canonical urges all Ubuntu users to install this update as soon as possible. To update an Ubuntu system to the new kernel version, run the command sudo apt update && sudo apt full-upgrade in the Terminal application, or use the Software Update utility. After successfully installing the new kernel version, don't forget to restart your computer; the fixes only take effect once the system has booted into the new kernel.
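A way to confirm that a machine has actually rebooted into the updated kernel, added here as an example (it is not from Canonical or the original article). The function names are hypothetical, and it assumes an Ubuntu host with dpkg-query, GNU sort -V and a single kernel flavour installed.

```shell
#!/bin/sh
# Added example: detect hosts where the patched kernel is installed
# but the old, still-vulnerable kernel is the one running.

# Read kernel release strings (one per line) on stdin and print the
# highest one. sort -V compares numeric fields, so -65- ranks above -9-.
newest_kernel() {
    sort -V | tail -n 1
}

# reboot_pending RUNNING INSTALLED_LIST
# Succeeds (exit 0) when some installed release is newer than RUNNING.
# RUNNING is included in the comparison, so an empty or unrelated
# package list (for example inside a container) never reports a reboot.
reboot_pending() {
    newest=$(printf '%s\n%s\n' "$1" "$2" | newest_kernel)
    [ "$newest" != "$1" ]
}

# List releases of fully installed kernel images ("ii" state), taken
# from package names of the form linux-image-<release>.
# Assumption: one flavour (e.g. -generic); mixing flavours such as
# -generic and -oem makes a plain version comparison misleading.
installed_kernels() {
    dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' \
        'linux-image-[0-9]*' 2>/dev/null |
        awk '$1 == "ii" { sub(/^linux-image-/, "", $2); print $2 }'
}

# Report the state of the local host; non-zero exit means "reboot".
check_host() {
    running=$(uname -r)
    installed=$(installed_kernels)
    if reboot_pending "$running" "$installed"; then
        echo "REBOOT NEEDED: running $running, newest installed:" \
            "$(printf '%s\n' "$installed" | newest_kernel)"
        return 1
    fi
    echo "OK: running kernel $running is the newest installed"
}

# Only act when asked to, so the file can also be sourced.
case "${1:-}" in
    --check) check_host ;;
esac
```

Run with --check after the upgrade; a non-zero exit status is suitable for flagging hosts in a fleet inventory or monitoring job.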

Origin www.oschina.net/news/131381/ubuntu-kernel-security-update-to-fix-over-20-vulnerabilities