Ubuntu – Are the systems vulnerable from CVE-2016-5696

Tags: apt, package-management, security, server, updates

I have a request from my network security colleague to investigate the threat of this CVE for our environment and I'm having a hard time figuring it out. When I look on the CVE tracker for that CVE:
https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5696.html

It lists the package versions as well as the release versions, which confuses me. It seems to imply that you can run the Trusty source on the Precise OS?

But that's beside the point. Our environment is predominantly Precise servers with a handful of Trusty servers, and I need to know if this vulnerability applies to me. Is there a command I can run to determine if I'm using one of the packages that is listed? The package names specified in the tracker, like "linux-lts-trusty", are not apt-get packages, so "apt-cache show" doesn't help.

Best Answer

First of all, the package it refers to, linux-lts-trusty, refers to the kernel images. They are named differently in the repositories. If you do apt-cache search linux-.* | grep 'trusty' you will find packages like linux-image-virtual-lts-trusty or linux-image-virtual-lts-wily. In addition, if you open the Launchpad link, the git.kernel.org link and the others from the CVE report, they all point to this being a Linux kernel vulnerability.

So, for linux-lts-trusty, for which the latest Launchpad version at the time of writing is 3.13.0-93.140-precise1, Launchpad lists that a fix is needed only for Ubuntu 12.04; for the other versions the bug DNE (does not exist):

[screenshot: Launchpad status of linux-lts-trusty for this CVE]

For linux-lts-wily, which is version 4.2.0-42.49-14.04.1, only trusty (14.04) is at risk.

[screenshot: Launchpad status of linux-lts-wily for this CVE]

So it really depends on the kernel version you are running. Of course, the best approach would be to upgrade your server to the latest version, 16.04 LTS, and run a newer kernel. You didn't provide us with your kernel version, so we don't know if you are at risk for this or not.

It lists the package versions as well as the release versions. Which confuses me. Like it seems to imply that you can run the Trusty source on the Precise OS?

Technically you can run an older kernel on a newer OS version and vice versa, so yes, that is correct.

NOTES:

  • Wily Werewolf (15.10) has already reached End of Life and is no longer supported. If you are running this version, I strongly suggest you upgrade.

  • The linux-lts-saucy kernel appears not to have that vulnerability. That's version 3.11.0-26.45-precise1. I would suggest any 3.11.x version, but this is still not ideal; newer versions are preferable.

  • Tracking linux in the tracker for this CVE for a given release will track the base kernel shipped in that release. Tracking linux-lts-* in the tracker for this CVE will track an HWE kernel, available only in LTS editions which get HWE updates. Until all of them are "released" or "fixed", for all Source packages and all relevant distributions on the Tracker, you are not going to be able to 'avoid' the CVE.
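Since the tracker lists source package names (linux, linux-lts-trusty, ...) while apt shows binary names (linux-image-*), the mapping between the two is what the question is really asking for. The following POSIX sh script is an added example, not code from the answerer or from Ubuntu; it assumes dpkg-query's ${Source} field holds the source package name whenever it differs from the binary name (and is empty otherwise), and the sample input lines in the test are constructed, not captured from a real host.

```sh
#!/bin/sh
# Map installed kernel image packages to the *source* package names the
# Ubuntu CVE tracker uses, and flag the one that is currently running.
# Usage on a host:  query_installed_kernels | tracked_only "$(uname -r)"

# Source packages the tracker lists for this CVE (names taken from the page).
TRACKED_SOURCES="linux linux-lts-saucy linux-lts-trusty linux-lts-wily"

# Input: "package|version|source" lines (see query_installed_kernels).
# Output: "source package version" lines. dpkg may append " (version)" to the
# Source field when the source version differs, and leaves it empty when the
# source name equals the binary name, so strip the suffix and fall back.
map_kernel_sources() {
    while IFS='|' read -r pkg ver src; do
        src=${src%% (*}
        [ -n "$src" ] || src=$pkg
        printf '%s %s %s\n' "$src" "$pkg" "$ver"
    done
}

# Keep only kernels whose source package the tracker covers; $1 is the
# running kernel release (uname -r), used to mark the live kernel.
tracked_only() {
    running=$1
    map_kernel_sources | while read -r src pkg ver; do
        for t in $TRACKED_SOURCES; do
            if [ "$src" = "$t" ]; then
                mark=""
                [ "$pkg" = "linux-image-$running" ] && mark=" (running)"
                printf '%s %s %s%s\n' "$src" "$pkg" "$ver" "$mark"
            fi
        done
    done
}

# Real query on an Ubuntu host (not exercised offline): every installed
# linux-image-* package with its version and dpkg Source field.
query_installed_kernels() {
    dpkg-query -W -f='${Package}|${Version}|${Source}\n' 'linux-image-*' 2>/dev/null
}
```

Compare each reported source package and version against the corresponding row of the tracker page; packages whose source is a meta package (linux-meta) are dropped because the tracker does not list them.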