Ubuntu Security Notice USN-3128-1

11th November, 2016

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 16.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

• linux
  – Linux kernel

Details

Ondrej Kozina discovered that the keyring interface in the Linux kernel
contained a buffer overflow when displaying timeout events via the
/proc/keys interface. A local attacker could use this to cause a denial of
service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:

linux-image-4.4.0-47-powerpc64-emb

4.4.0-47.68

linux-image-powerpc-e500mc

4.4.0.47.50

linux-image-4.4.0-47-lowlatency

4.4.0-47.68

linux-image-4.4.0-47-powerpc64-smp

4.4.0-47.68

linux-image-4.4.0-47-generic

4.4.0-47.68

linux-image-4.4.0-47-powerpc-smp

4.4.0-47.68

linux-image-powerpc-smp

4.4.0.47.50

linux-image-generic-lpae

4.4.0.47.50

linux-image-powerpc64-emb

4.4.0.47.50

linux-image-virtual

4.4.0.47.50

linux-image-4.4.0-47-generic-lpae

4.4.0-47.68

linux-image-generic

4.4.0.47.50

linux-image-lowlatency

4.4.0.47.50

linux-image-4.4.0-47-powerpc-e500mc

4.4.0-47.68

linux-image-powerpc64-smp

4.4.0.47.50

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-7042

Ubuntu Security Notice USN-3127-2

11th November, 2016

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux-lts-trusty
  – Linux hardware enablement kernel from Trusty for Precise

Details

USN-3127-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 LTS.

It was discovered that the compression handling code in the Advanced Linux
Sound Architecture (ALSA) subsystem in the Linux kernel did not properly
check for an integer overflow. A local attacker could use this to cause a
denial of service (system crash). (CVE-2014-9904)

Kirill A. Shutemov discovered that memory manager in the Linux kernel did
not properly handle anonymous pages. A local attacker could use this to
cause a denial of service or possibly gain administrative privileges.
(CVE-2015-3288)

Vitaly Kuznetsov discovered that the Linux kernel did not properly suppress
hugetlbfs support in X86 paravirtualized guests. An attacker in the guest
OS could cause a denial of service (guest system crash). (CVE-2016-3961)

Ondrej Kozina discovered that the keyring interface in the Linux kernel
contained a buffer overflow when displaying timeout events via the
/proc/keys interface. A local attacker could use this to cause a denial of
service (system crash). (CVE-2016-7042)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

linux-image-generic-lpae-lts-trusty

3.13.0.101.92

linux-image-3.13.0-101-generic-lpae

3.13.0-101.148~precise1

linux-image-generic-lts-trusty

3.13.0.101.92

linux-image-3.13.0-101-generic

3.13.0-101.148~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2014-9904,

CVE-2015-3288,

CVE-2016-3961,

CVE-2016-7042

Ubuntu Security Notice USN-3127-1

11th November, 2016

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux
  – Linux kernel

Details

It was discovered that the compression handling code in the Advanced Linux
Sound Architecture (ALSA) subsystem in the Linux kernel did not properly
check for an integer overflow. A local attacker could use this to cause a
denial of service (system crash). (CVE-2014-9904)

Kirill A. Shutemov discovered that memory manager in the Linux kernel did
not properly handle anonymous pages. A local attacker could use this to
cause a denial of service or possibly gain administrative privileges.
(CVE-2015-3288)

Vitaly Kuznetsov discovered that the Linux kernel did not properly suppress
hugetlbfs support in X86 paravirtualized guests. An attacker in the guest
OS could cause a denial of service (guest system crash). (CVE-2016-3961)

Ondrej Kozina discovered that the keyring interface in the Linux kernel
contained a buffer overflow when displaying timeout events via the
/proc/keys interface. A local attacker could use this to cause a denial of
service (system crash). (CVE-2016-7042)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

linux-image-powerpc-smp

3.13.0.101.109

linux-image-3.13.0-101-powerpc-e500

3.13.0-101.148

linux-image-3.13.0-101-powerpc64-smp

3.13.0-101.148

linux-image-generic

3.13.0.101.109

linux-image-3.13.0-101-lowlatency

3.13.0-101.148

linux-image-3.13.0-101-powerpc-e500mc

3.13.0-101.148

linux-image-powerpc-e500mc

3.13.0.101.109

linux-image-powerpc64-emb

3.13.0.101.109

linux-image-3.13.0-101-generic-lpae

3.13.0-101.148

linux-image-powerpc-e500

3.13.0.101.109

linux-image-powerpc64-smp

3.13.0.101.109

linux-image-3.13.0-101-powerpc-smp

3.13.0-101.148

linux-image-generic-lpae

3.13.0.101.109

linux-image-3.13.0-101-powerpc64-emb

3.13.0-101.148

linux-image-lowlatency

3.13.0.101.109

linux-image-virtual

3.13.0.101.109

linux-image-3.13.0-101-generic

3.13.0-101.148

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2014-9904,

CVE-2015-3288,

CVE-2016-3961,

CVE-2016-7042

Ubuntu Security Notice USN-3129-2

11th November, 2016

linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 16.10

Summary

The system could be made to crash under certain conditions.

Software description

• linux-raspi2
  – Linux kernel for Raspberry Pi 2

Details

Ondrej Kozina discovered that the keyring interface in the Linux kernel
contained a buffer overflow when displaying timeout events via the
/proc/keys interface. A local attacker could use this to cause a denial of
service (system crash). (CVE-2016-7042)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:

linux-image-4.8.0-1018-raspi2

4.8.0-1018.21

linux-image-raspi2

4.8.0.1018.21

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-7042

Ubuntu Security Notice USN-3129-1

11th November, 2016

linux vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 16.10

Summary

The system could be made to crash under certain conditions.

Software description

• linux
  – Linux kernel

Details

Ondrej Kozina discovered that the keyring interface in the Linux kernel
contained a buffer overflow when displaying timeout events via the
/proc/keys interface. A local attacker could use this to cause a denial of
service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:

linux-image-powerpc-smp

4.8.0.27.36

linux-image-powerpc-e500mc

4.8.0.27.36

linux-image-4.8.0-27-lowlatency

4.8.0-27.29

linux-image-generic

4.8.0.27.36

linux-image-generic-lpae

4.8.0.27.36

linux-image-4.8.0-27-generic-lpae

4.8.0-27.29

linux-image-powerpc64-emb

4.8.0.27.36

linux-image-4.8.0-27-powerpc64-emb

4.8.0-27.29

linux-image-powerpc64-smp

4.8.0.27.36

linux-image-4.8.0-27-generic

4.8.0-27.29

linux-image-4.8.0-27-powerpc-e500mc

4.8.0-27.29

linux-image-lowlatency

4.8.0.27.36

linux-image-virtual

4.8.0.27.36

linux-image-4.8.0-27-powerpc-smp

4.8.0-27.29

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-7042

Ubuntu Security Notice USN-3128-3

11th November, 2016

linux-snapdragon vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 16.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

• linux-snapdragon
  – Linux kernel for Snapdragon Processors

Details

Ondrej Kozina discovered that the keyring interface in the Linux kernel
contained a buffer overflow when displaying timeout events via the
/proc/keys interface. A local attacker could use this to cause a denial of
service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:

linux-image-snapdragon

4.4.0.1035.27

linux-image-4.4.0-1035-snapdragon

4.4.0-1035.39

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-7042

Ubuntu Security Notice USN-3128-2

11th November, 2016

linux-lts-xenial vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

• linux-lts-xenial
  – Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3128-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

Ondrej Kozina discovered that the keyring interface in the Linux kernel
contained a buffer overflow when displaying timeout events via the
/proc/keys interface. A local attacker could use this to cause a denial of
service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

linux-image-powerpc-smp-lts-xenial

4.4.0.47.34

linux-image-4.4.0-47-powerpc64-emb

4.4.0-47.68~14.04.1

linux-image-4.4.0-47-lowlatency

4.4.0-47.68~14.04.1

linux-image-4.4.0-47-powerpc64-smp

4.4.0-47.68~14.04.1

linux-image-4.4.0-47-generic

4.4.0-47.68~14.04.1

linux-image-generic-lpae-lts-xenial

4.4.0.47.34

linux-image-4.4.0-47-powerpc-smp

4.4.0-47.68~14.04.1

linux-image-lowlatency-lts-xenial

4.4.0.47.34

linux-image-generic-lts-xenial

4.4.0.47.34

linux-image-4.4.0-47-generic-lpae

4.4.0-47.68~14.04.1

linux-image-powerpc64-smp-lts-xenial

4.4.0.47.34

linux-image-powerpc64-emb-lts-xenial

4.4.0.47.34

linux-image-powerpc-e500mc-lts-xenial

4.4.0.47.34

linux-image-4.4.0-47-powerpc-e500mc

4.4.0-47.68~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-7042

Ubuntu Security Notice USN-3126-1

11th November, 2016

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux
  – Linux kernel

Details

Ondrej Kozina discovered that the keyring interface in the Linux kernel
contained a buffer overflow when displaying timeout events via the
/proc/keys interface. A local attacker could use this to cause a denial of
service (system crash). (CVE-2016-7042)

Dmitry Vyukov discovered a use-after-free vulnerability during error
processing in the recvmmsg(2) implementation in the Linux kernel. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-7117)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

linux-image-3.2.0-115-generic

3.2.0-115.157

linux-image-3.2.0-115-powerpc-smp

3.2.0-115.157

linux-image-powerpc

3.2.0.115.131

linux-image-3.2.0-115-virtual

3.2.0-115.157

linux-image-3.2.0-115-highbank

3.2.0-115.157

linux-image-3.2.0-115-omap

3.2.0-115.157

linux-image-highbank

3.2.0.115.131

linux-image-powerpc-smp

3.2.0.115.131

linux-image-virtual

3.2.0.115.131

linux-image-3.2.0-115-generic-pae

3.2.0-115.157

linux-image-powerpc64-smp

3.2.0.115.131

linux-image-generic-pae

3.2.0.115.131

linux-image-generic

3.2.0.115.131

linux-image-omap

3.2.0.115.131

linux-image-3.2.0-115-powerpc64-smp

3.2.0-115.157

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-7042,

CVE-2016-7117

Ubuntu Security Notice USN-3126-2

11th November, 2016

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux-ti-omap4
  – Linux kernel for OMAP4

Details

Ondrej Kozina discovered that the keyring interface in the Linux kernel
contained a buffer overflow when displaying timeout events via the
/proc/keys interface. A local attacker could use this to cause a denial of
service (system crash). (CVE-2016-7042)

Dmitry Vyukov discovered a use-after-free vulnerability during error
processing in the recvmmsg(2) implementation in the Linux kernel. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-7117)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

linux-image-omap4

3.2.0.1493.88

linux-image-3.2.0-1493-omap4

3.2.0-1493.120

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-7042,

CVE-2016-7117

Ubuntu Security Notice USN-3125-1

9th November, 2016

qemu, qemu-kvm vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 16.10
• Ubuntu 16.04 LTS
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in QEMU.

Software description

• qemu
  – Machine emulator and virtualizer

• qemu-kvm
  – Machine emulator and virtualizer

Details

Zhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A
privileged attacker inside the guest could use this issue to cause QEMU to
consume resources, resulting in a denial of service. (CVE-2016-5403)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network
card emulation support. A privileged attacker inside the guest could use
this issue to cause QEMU to crash, resulting in a denial of service. This
issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-6833, CVE-2016-6834, CVE-2016-6888)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network
card emulation support. A privileged attacker inside the guest could use
this issue to cause QEMU to crash, resulting in a denial of service, or
possibly execute arbitrary code on the host. In the default installation,
when QEMU is used with libvirt, attackers would be isolated by the libvirt
AppArmor profile. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04
LTS and Ubuntu 16.10. (CVE-2016-6835)

Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network
card emulation support. A privileged attacker inside the guest could use
this issue to possibly to obtain sensitive host memory. This issue only
affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-6836)

Felix Wilhelm discovered that QEMU incorrectly handled Plan 9 File System
(9pfs) support. A privileged attacker inside the guest could use this issue
to possibly to obtain sensitive host files. (CVE-2016-7116)

Li Qiang and Tom Victor discovered that QEMU incorrectly handled VMWARE
PVSCSI paravirtual SCSI bus emulation support. A privileged attacker inside
the guest could use this issue to cause QEMU to crash, resulting in a
denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04
LTS and Ubuntu 16.10. (CVE-2016-7155)

Li Qiang discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual
SCSI bus emulation support. A privileged attacker inside the guest could
use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu
16.10. (CVE-2016-7156, CVE-2016-7421)

Tom Victor discovered that QEMU incorrectly handled LSI SAS1068 host bus
emulation support. A privileged attacker inside the guest could use this
issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7157)

Hu Chaojian discovered that QEMU incorrectly handled xlnx.xps-ethernetlite
emulation support. A privileged attacker inside the guest could use this
issue to cause QEMU to crash, resulting in a denial of service, or possibly
execute arbitrary code on the host. In the default installation, when QEMU
is used with libvirt, attackers would be isolated by the libvirt AppArmor
profile. (CVE-2016-7161)

Qinghao Tang and Li Qiang discovered that QEMU incorrectly handled the
VMWare VGA module. A privileged attacker inside the guest could use this
issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-7170)

Qinghao Tang and Zhenhao Hong discovered that QEMU incorrectly handled the
Virtio module. A privileged attacker inside the guest could use this issue
to cause QEMU to crash, resulting in a denial of service. This issue only
affected Ubuntu 16.10. (CVE-2016-7422)

Li Qiang discovered that QEMU incorrectly handled LSI SAS1068 host bus
emulation support. A privileged attacker inside the guest could use this
issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.10. (CVE-2016-7423)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller
emulation support. A privileged attacker inside the guest could use this
issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7466)

Li Qiang discovered that QEMU incorrectly handled ColdFire Fast Ethernet
Controller emulation support. A privileged attacker inside the guest could
use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-7908)

Li Qiang discovered that QEMU incorrectly handled AMD PC-Net II emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2016-7909)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU support. A
privileged attacker inside the guest could use this issue to cause QEMU to
consume resources, resulting in a denial of service. This issue only
affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7994)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to consume resources, resulting in a denial of service. This
issue only affected Ubuntu 16.10. (CVE-2016-7995)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-8576)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs)
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-8577, CVE-2016-8578)

It was discovered that QEMU incorrectly handled Rocker switch emulation
support. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. This issue only
affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8668)

It was discovered that QEMU incorrectly handled Intel HDA controller
emulation support. A privileged attacker inside the guest could use this
issue to cause QEMU to consume resources, resulting in a denial of service.
(CVE-2016-8909)

Andrew Henderson discovered that QEMU incorrectly handled RTL8139 ethernet
controller emulation support. A privileged attacker inside the guest could
use this issue to cause QEMU to consume resources, resulting in a denial of
service. (CVE-2016-8910)

Li Qiang discovered that QEMU incorrectly handled Intel i8255x ethernet
controller emulation support. A privileged attacker inside the guest could
use this issue to cause QEMU to consume resources, resulting in a denial of
service. (CVE-2016-9101)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs)
support. A privileged attacker inside the guest could use this issue to
cause QEMU to consume resources, resulting in a denial of service.
(CVE-2016-9102, CVE-2016-9104, CVE-2016-9105)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs)
support. A privileged attacker inside the guest could use this issue to
possibly to obtain sensitive host memory. (CVE-2016-9103)

Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs)
support. A privileged attacker inside the guest could use this issue to
cause QEMU to consume resources, resulting in a denial of service. This
issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2016-9106)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:

qemu-system-misc

1:2.6.1+dfsg-0ubuntu5.1

qemu-system-s390x

1:2.6.1+dfsg-0ubuntu5.1

qemu-system

1:2.6.1+dfsg-0ubuntu5.1

qemu-system-aarch64

1:2.6.1+dfsg-0ubuntu5.1

qemu-system-x86

1:2.6.1+dfsg-0ubuntu5.1

qemu-system-sparc

1:2.6.1+dfsg-0ubuntu5.1

qemu-system-arm

1:2.6.1+dfsg-0ubuntu5.1

qemu-system-ppc

1:2.6.1+dfsg-0ubuntu5.1

qemu-system-mips

1:2.6.1+dfsg-0ubuntu5.1

Ubuntu 16.04 LTS:

qemu-system-misc

1:2.5+dfsg-5ubuntu10.6

qemu-system-s390x

1:2.5+dfsg-5ubuntu10.6

qemu-system

1:2.5+dfsg-5ubuntu10.6

qemu-system-aarch64

1:2.5+dfsg-5ubuntu10.6

qemu-system-x86

1:2.5+dfsg-5ubuntu10.6

qemu-system-sparc

1:2.5+dfsg-5ubuntu10.6

qemu-system-arm

1:2.5+dfsg-5ubuntu10.6

qemu-system-ppc

1:2.5+dfsg-5ubuntu10.6

qemu-system-mips

1:2.5+dfsg-5ubuntu10.6

Ubuntu 14.04 LTS:

qemu-system-misc

2.0.0+dfsg-2ubuntu1.30

qemu-system

2.0.0+dfsg-2ubuntu1.30

qemu-system-aarch64

2.0.0+dfsg-2ubuntu1.30

qemu-system-x86

2.0.0+dfsg-2ubuntu1.30

qemu-system-sparc

2.0.0+dfsg-2ubuntu1.30

qemu-system-arm

2.0.0+dfsg-2ubuntu1.30

qemu-system-ppc

2.0.0+dfsg-2ubuntu1.30

qemu-system-mips

2.0.0+dfsg-2ubuntu1.30

Ubuntu 12.04 LTS:

qemu-kvm

1.0+noroms-0ubuntu14.31

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

CVE-2016-5403,

CVE-2016-6833,

CVE-2016-6834,

CVE-2016-6835,

CVE-2016-6836,

CVE-2016-6888,

CVE-2016-7116,

CVE-2016-7155,

CVE-2016-7156,

CVE-2016-7157,

CVE-2016-7161,

CVE-2016-7170,

CVE-2016-7421,

CVE-2016-7422,

CVE-2016-7423,

CVE-2016-7466,

CVE-2016-7908,

CVE-2016-7909,

CVE-2016-7994,

CVE-2016-7995,

CVE-2016-8576,

CVE-2016-8577,

CVE-2016-8578,

CVE-2016-8668,

CVE-2016-8909,

CVE-2016-8910,

CVE-2016-9101,

CVE-2016-9102,

CVE-2016-9103,

CVE-2016-9104,

CVE-2016-9105,

CVE-2016-9106