Ubuntu – New Zero-day exploit reportedly found affecting Linux/Android (CVE-2016-0728)

kernel security

Russia Today reports (20 January 2016) that there is a new zero-day exploit that has been discovered affecting Linux and all Linux-based OSes for computers and phones.

What is the deal; how does it affect Ubuntu; and when can we expect security updates that will close this security hole?

Best Answer

It has been patched already.

Quoting the article:

[...] "Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges," reads today's Ubuntu Security Notice USN-2872-1 for Ubuntu 15.10. [...]

and

[...] patches are now available for the Ubuntu 15.10 (Wily Werewolf), Ubuntu 15.04 (Vivid Vervet), and Ubuntu 14.04 LTS (Trusty Tahr) distributions. [...]

and

[...] you are urged to upgrade the kernel packages to linux-image-4.2.0-25 (4.2.0-25.30) for Ubuntu 15.10 (Wily Werewolf), linux-image-4.2.0-1020-raspi2 4.2.0-1020.27 for Ubuntu 15.10 (Raspberry Pi 2), linux-image-3.19.0-47 (3.19.0-47.53) for Ubuntu 15.04 (Vivid Vervet), and linux-image-3.13.0-76 (3.13.0-76.120) for Ubuntu 14.04 LTS (Trusty Tahr). [...]

So users of the patched releases (15.10 / 15.04 / 14.04, and according to Canonical also 12.04) may (and should) upgrade right away by running:

sudo apt-get update && sudo apt-get dist-upgrade

and rebooting the computer afterwards.
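
To confirm after the reboot that the running kernel is one of the fixed versions quoted above, here is an added example (not part of the original answer). It assumes Ubuntu's `/proc/version_signature` and `lsb_release`; the function names are illustrative, and 12.04 reports `unknown` because no fixed version for it is given here.

```shell
#!/bin/sh
# Fixed kernel package versions, taken from the notice quoted in the answer.
fixed_version() {   # $1 = release codename, $2 = kernel flavour
    case "$1:$2" in
        wily:raspi2) echo 4.2.0-1020.27 ;;
        wily:*)      echo 4.2.0-25.30 ;;
        vivid:*)     echo 3.19.0-47.53 ;;
        trusty:*)    echo 3.13.0-76.120 ;;
        *)           return 1 ;;    # release not listed in the answer
    esac
}

# True if version $1 >= version $2. Uses sort -V ordering, which is
# adequate for these purely numeric "ABI.upload" version strings.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# $1 = codename, $2 = one /proc/version_signature line, for example
# "Ubuntu 4.2.0-25.30-generic 4.2.6" (constructed sample).
# Prints patched, vulnerable, or unknown.
check_running_kernel() {
    sig=$(echo "$2" | awk '{print $2}')         # 4.2.0-25.30-generic
    running=$(echo "$sig" | cut -d- -f1,2)      # 4.2.0-25.30
    flavour=$(echo "$sig" | cut -d- -f3-)       # generic, raspi2, ...
    fixed=$(fixed_version "$1" "$flavour") || { echo unknown; return 0; }
    if version_ge "$running" "$fixed"; then
        echo patched
    else
        echo vulnerable
    fi
}

# On a real Ubuntu host, check the kernel that is actually running:
# the upgraded package only takes effect once the machine has rebooted.
if [ -r /proc/version_signature ] && command -v lsb_release >/dev/null 2>&1; then
    check_running_kernel "$(lsb_release -cs)" "$(cat /proc/version_signature)"
fi
```

A result of `vulnerable` right after `dist-upgrade` usually means the machine is still running the old kernel and has not been rebooted yet.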