Canonical Voices

Posts tagged with '16.04'

Canonical

Ubuntu updates for TCP SACK Panic vulnerabilities

Issues have been identified in the way the Linux kernel’s TCP implementation processes Selective Acknowledgement (SACK) options and handles low Maximum Segment Size (MSS) values. These TCP SACK Panic vulnerabilities could expose servers to a denial of service attack, so it is crucial to have systems patched.

Updated versions of the Linux kernel packages are being published as part of the standard Ubuntu security maintenance of Ubuntu releases 16.04 LTS, 18.04 LTS, 18.10, 19.04 and as part of the extended security maintenance for Ubuntu 14.04 ESM users.

It is recommended to update to the latest kernel packages and consult Ubuntu Security Notices for further updates.

Ubuntu Advantage for Infrastructure subscription customers can find the latest status information in our Knowledge Base and file a support case with Canonical support for any additional questions or concerns around SACK Panic.

Canonical’s Kernel Livepatch updates for security vulnerabilities related to TCP SACK processing in the Linux kernel have been released and are described by CVEs 2019-11477 and 2019-11478, with details of the patch available in LSN-0052-1.

These CVEs have a Livepatch fix available, however, a minimum kernel version is required for Livepatch to install the fix as denoted by the table in LSN-0052-1, reproduced here:

| Kernel                   | Version | flavors           |
|--------------------------+----------+--------------------------|
| 4.4.0-148.174            | 52.3 | generic, lowlatency      |
| 4.4.0-150.176            | 52.3 | generic, lowlatency      |
| 4.15.0-50.54             | 52.3 | generic, lowlatency      |
| 4.15.0-50.54~16.04.1     | 52.3 | generic, lowlatency      |
| 4.15.0-51.55             | 52.3 | generic, lowlatency      |
| 4.15.0-51.55~16.04.1     | 52.3 | generic, lowlatency      |

Livepatch fixes for CVEs 2019-11477 and 2019-11478 are not available for prior kernels, and an upgrade and reboot to the appropriate minimum version is necessary. These kernel versions correspond to the availability of mitigations for the MDS series of CVEs (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091).

Additionally, a third SACK related issue, CVE-2019-11479, does not have a Livepatch fix available because it is not technically feasible to apply the changes via Livepatch. Mitigation information is available at the Ubuntu Security Team Wiki.

If you have any questions and want to learn more about these patches, please do not hesitate to get in touch.

The post Ubuntu updates for TCP SACK Panic vulnerabilities appeared first on Ubuntu Blog.

Read more
Daniel Holbach

Ubuntu 16.04 is out!

Ubuntu 16.04 – yet another LTS?

Ubuntu 16.04 LTS, aka the Xenial Xerus, has just been released. It’s incredible that it’s already the 24th Ubuntu release and the 6th LTS release. If you have been around for a while and need a blast from the past, check out this video:

Click here to view it on youtube. It’s available in /usr/share/example-content on a default desktop install as well.

You would think that after such a long time releases get somewhat inflationary and less important and while I’d very likely always say on release day “yes, this one is the best of all so far”, Ubuntu 16.04 is indeed very special to me.

Snappy snappy snappy

Among the many pieces of goodness to come to your way is the snapd package. It’s installed by default on many flavours of Ubuntu including Ubuntu Desktop and is your snappy connection to myApps.

Snappy Ubuntu Core 2.0 landing just in time for the 16.04 LTS release only happened due to the great and very hard work of many teams and individuals. I also see it as the implementation of lots of feedback we have been getting from third party app developers, ISVs and upstream projects over the years. Basically what all of them wanted was in a nutshell: a solid Ubuntu base, flexibility in handling their app and the relevant stack, independence from distro freezes, dead-simple packaging, bullet-proof upgrades and rollbacks, and an app store model established with the rise of the smartphones. Snappy Ubuntu Core is exactly that and more. What it also brings to Ubuntu is a clear isolation between apps and a universal trust model.

As most of you know, I’ve been trying to teach people how to do packaging for Ubuntu for years and it continued to improve and get easier, but all in all, it still is hard to get right. snapcraft makes this so much easier. It’s just beautiful. If you have been doing some packaging in the past, just take a look at some of the examples.

Landing a well-working and stable snapd with clear-cut and stable set of APIs was the most important aspect, especially considering that almost everyone will be basing their work on 16.04 LTS, which is going to be supported for five years. This includes being able to use snapcraft on the LTS.

Today you can build a snap, upload it to the store using snapcraft upload, having it automatically reviewed and published by the store and Desktop users can install it on their system. This brings you in a position where you can easily share your software with millions of users, without having to wait for somebody to upload it to the distro for you, without having your users add yet another PPA, etc.

So, what’s still missing? Quite a few things actually. Because you have to bundle your dependencies, packages are still quite big. This will change as soon as the specifics of OS and library snaps are figured out. Apart from that many new interfaces will need to be added to make Ubuntu Core really useful and versatile. There are also still a few bugs which need figuring out.

If you generally like what you’re reading here, come and talk to us. Introduce yourselves, talk to us and we’ll figure out if anything you need it still missing.

If you’re curious you can also check out some blog posts written by people who worked on this relentlessly in the last weeks:

Thanks a lot everyone – I thoroughly enjoyed working with you on this and I’m looking forward to all the great things we are going to deliver together!

Bring your friends, bring your questions!

The Community team moved the weekly Ubuntu Community Q&A to be tomorrow, Friday 2016-04-22 15:00 UTC on https://ubuntuonair.com as usual. If you have questions, tune in and bring your friends as well!

Read more
Daniel Holbach

It’s been a while since our last Snappy Clinic, so we asked for your input on which topics to cover. Thanks for the feedback so far.

In our next session Sergio Schvezov is going to talk about what’s new in Snapcraft and the changes in the 2.x series. Be there and you are going to be up-to-date on how to publish your software on Snappy Ubuntu Core. There will be time for questions afterwards.

Join us on the 12th February 2016 at 16:00 UTC on http://ubuntuonair.com.

Read more