Patches the CVE-2018-15471 & CVE-2018-18021 vulnerabilities

Oct 9, 2018 19:21 GMT  ·  By

The Debian Project published a new Linux security advisory to inform users of the Debian GNU/Linux 9 "Stretch" operating system series about a new kernel security patch that fixes two vulnerabilities.

Coming just a week after the latest major kernel security update for Debian GNU/Linux 9 "Stretch," the new Linux kernel security patch is here to address a flaw (CVE-2018-15471) discovered by Google Project Zero's Felix Wilhelm in the hash handling of the Linux kernel's xen-netback module, which could result in information leaks, privilege escalation, as well as denial of service.

"Felix Wilhelm of Google Project Zero discovered a flaw in the hash handling of the xen-netback Linux kernel module. A malicious or buggy frontend may cause the (usually privileged) backend to make out of bounds memory accesses, potentially resulting in privilege escalation, denial of service, or information leaks," reads the security advisory published by Salvatore Bonaccorso.

All Debian Stretch users are urged to update their systems

The new kernel security patch also addresses a privilege escalation flaw (CVE-2018-18021) discovered in the Linux kernel's Kernel-based Virtual Machine (KVM) subsystem on AArch64 (ARM64) architectures, which could let an attacker cause a denial of service (hypervisor panic) or redirect the hypervisor's flow of control with complete register control.

To fix these two security vulnerabilities, the Debian Project recommends that all users of the Debian GNU/Linux 9 "Stretch" operating system series update their kernel packages to version 4.9.110-3+deb9u6, which is now available for download from the main archives. To update your systems, run the "sudo apt-get update && sudo apt-get full-upgrade" command in a terminal emulator. The new kernel version will replace last week's 4.9.110-3+deb9u5 kernel, which fixed no fewer than 18 vulnerabilities.