LSN-0105-1: Kernel Live Patch Security Notice
16 July 2024
Several security issues were fixed in the kernel.
Releases
Software Description
- aws - Linux kernel for Amazon Web Services (AWS) systems - (>= 4.15.0-1054, >= 4.15.0-1159, >= 4.15.0-1119, >= 5.4.0-1009, >= 5.4.0-1061, >= 5.15.0-1000, >= 6.8.0-1008, >= 4.4.0-1098, >= 4.4.0-1129, >= 4.4.0-1159)
- aws-5.15 - Linux kernel for Amazon Web Services (AWS) systems - (>= 5.15.0-1000)
- aws-hwe - Linux kernel for Amazon Web Services (AWS-HWE) systems - (>= 4.15.0-1126)
- azure - Linux kernel for Microsoft Azure Cloud systems - (>= 5.4.0-1010, >= 6.8.0-1007, >= 4.15.0-1063, >= 4.15.0-1078, >= 4.15.0-1114)
- azure-4.15 - Linux kernel for Microsoft Azure Cloud systems - (>= 4.15.0-1115, >= 4.15.0-1168)
- gcp - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.4.0-1009, >= 5.15.0-1000, >= 6.8.0-1007, >= 4.15.0-1118)
- gcp-4.15 - Linux kernel for Google Cloud Platform (GCP) systems - (>= 4.15.0-1121, >= 4.15.0-1154)
- gcp-5.15 - Linux kernel for Google Cloud Platform (GCP) systems - (>= 5.15.0-1000)
- generic-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-214, >= 4.15.0-69, >= 4.15.0-143, >= 4.15.0-143)
- generic-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-243)
- generic-5.15 - Linux hardware enablement (HWE) kernel - (>= 5.15.0-0)
- generic-5.4 - Linux kernel - (>= 5.4.0-26, >= 5.4.0-150, >= 5.4.0-26)
- gke - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1033, >= 5.15.0-1000)
- gke-5.15 - Linux kernel for Google Container Engine (GKE) systems - (>= 5.15.0-1000)
- gkeop - Linux kernel for Google Container Engine (GKE) systems - (>= 5.4.0-1009)
- ibm - Linux kernel for IBM cloud systems - (>= 5.4.0-1009, >= 5.15.0-1000, >= 6.8.0-1005)
- ibm-5.15 - Linux kernel for IBM cloud systems - (>= 5.15.0-1000)
- linux - Linux kernel - (>= 5.15.0-71, >= 5.15.0-24, >= 6.8.0-1)
- lowlatency-4.15 - Linux hardware enablement (HWE) kernel - (>= 4.15.0-69, >= 4.15.0-214, >= 4.15.0-69, >= 4.15.0-143, >= 4.15.0-143)
- lowlatency-4.4 - Linux kernel - (>= 4.4.0-168, >= 4.4.0-168, >= 4.4.0-211, >= 4.4.0-243)
- lowlatency-5.15 - Linux hardware enablement (HWE) kernel - (>= 5.15.0-0)
- lowlatency-5.4 - Linux kernel - (>= 5.4.0-26, >= 5.4.0-150, >= 5.4.0-26)
- oracle - Linux kernel for Oracle Cloud systems - (>= 4.15.0-1129, >= 5.4.0-1121, >= 5.15.0-1055)
- oracle-5.15 - Linux kernel for Oracle Cloud systems - (>= 5.15.0-1055)
Details
It was discovered that the ATA over Ethernet (AoE) driver in the Linux
kernel contained a race condition, leading to a use-after-free
vulnerability. An attacker could use this to cause a denial of service or
possibly execute arbitrary code.(CVE-2023-6270)
It was discovered that the netfilter connection tracker for netlink in the
Linux kernel did not properly perform reference counting in some error
conditions. A local attacker could possibly use this to cause a denial of
service (memory exhaustion).(CVE-2023-7192)
In the Linux kernel, the following vulnerability has been
resolved: netfilter: nf_tables: disallow anonymous set with timeout flag
Anonymous sets are never used with timeout from userspace, reject this.
Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.(CVE-2024-26642)
In the Linux kernel, the following vulnerability has been
resolved: cifs: fix underflow in parse_server_interfaces() In this loop, we
step through the buffer and after each item we check if the size_left is
greater than the minimum size we need. However, the problem is that
'bytes_left' is type ssize_t while sizeof() is type size_t. That means that
because of type promotion, the comparison is done as an unsigned and if we
have negative bytes left the loop continues instead of ending.(CVE-2024-26828)
In the Linux kernel, the following vulnerability has been
resolved: netfilter: nft_set_pipapo: do not free live element (CVE-2024-26924)
Checking update status
The problem can be corrected in these Livepatch versions:
| Kernel type | 24.04 | 22.04 | 20.04 | 18.04 | 16.04 | 14.04 |
|---|---|---|---|---|---|---|
| aws | 105.1 | 105.1 | 105.1 | 105.1 | 105.1 | — |
| aws-5.15 | — | — | 105.1 | — | — | — |
| aws-hwe | — | — | — | — | 105.1 | — |
| azure | 105.1 | — | 105.1 | — | 105.1 | — |
| azure-4.15 | — | — | — | 105.1 | — | — |
| gcp | 105.1 | 105.1 | 105.1 | — | 105.1 | — |
| gcp-4.15 | — | — | — | 105.1 | — | — |
| gcp-5.15 | — | — | 105.1 | — | — | — |
| generic-4.15 | — | — | — | 105.1 | 105.1 | — |
| generic-4.4 | — | — | — | — | 105.1 | 105.1 |
| generic-5.15 | — | — | 105.2 | — | — | — |
| generic-5.4 | — | — | 105.1 | 105.1 | — | — |
| gke | — | 105.1 | 105.1 | — | — | — |
| gke-5.15 | — | — | 105.1 | — | — | — |
| gkeop | — | — | 105.1 | — | — | — |
| ibm | 105.1 | 105.1 | 105.1 | — | — | — |
| ibm-5.15 | — | — | 105.1 | — | — | — |
| linux | 105.1 | 105.2 | — | — | — | — |
| lowlatency-4.15 | — | — | — | 105.1 | 105.1 | — |
| lowlatency-4.4 | — | — | — | — | 105.1 | 105.1 |
| lowlatency-5.15 | — | — | 105.1 | — | — | — |
| lowlatency-5.4 | — | — | 105.1 | 105.1 | — | — |
| oracle | — | 105.1 | 105.1 | 105.1 | — | — |
| oracle-5.15 | — | — | 105.1 | — | — | — |
To check your kernel type and Livepatch version, enter this command:
canonical-livepatch status