== Ubuntu once again fails at a good kernel security update announcement

Ubuntu just sent out [[USN-2700-1
https://lists.ubuntu.com/archives/ubuntu-security-announce/2015-July/003069.html]],
a 14.04 LTS announcement about a kernel update for CVE-2015-3290,
CVE-2015-3291, and CVE-2015-5157. People with good memories may at
this point remember [[USN-2688-1
https://lists.ubuntu.com/archives/ubuntu-security-announce/2015-July/003057.html]],
a 14.04 LTS announcement about a kernel update for CVE-2015-3290,
CVE-2015-1333, CVE-2015-3291, and CVE-2015-5157. Gosh, that's a
familiar list of CVEs, and it sort of looks like the 'repeated CVEs'
thing [[Ubuntu has done before UselessKernelSecurityUpdates]].  If
you already applied the USN-2688-1 kernel and rebooted everything,
it certainly sounds like you can skip USN-2700-1.

That would be a mistake. What Ubuntu is not bothering to mention
in USN-2700-1 is that the 64-bit x86 kernels from USN-2688-1 had
[[a bad bug https://bugs.launchpad.net/bugs/1479093]]. In that
kernel, if a 32-bit program forks and then execs a 64-bit program
the 64-bit program segfaults on startup; for example, a 32-bit shell
will be unable to run any 64-bit programs (which will be most of
them). This bug is the sole reason USN-2700-1 was issued ([[literally
https://launchpad.net/ubuntu/+source/linux/3.13.0-61.100]]).

The USN-2700-1 text should come with a prominent notification to
the effect of 'the previous update introduced a serious bug on
64-bit systems; we are re-issuing corrected kernels without this
problem'. Ubuntu has put such notices on updates in the past so
the idea is not foreign to them; they just didn't bother doing
it this time around. As a result, people who may be affected by
this newly introduced kernel bug do not necessarily know that
this is their problem and they should update to the USN-2700-1
kernel to fix it.

(At best they may start doing a launchpad bug search and find [[the bug
report https://bugs.launchpad.net/bugs/1479093]]. But I don't think it's
necessarily all that likely, because the bug's title is not particularly
accurate about what it actually is; 'Segfault in ld-2.19.so while
starting Steam after upgrade to 3.13.0-59.98' does not point clearly to
a 32-bit on 64-bit issue. It doesn't even mention 'on 64-bit platforms'
in the description.)

~~Kernel update notices matter because people use them to decide
whether or not to go through the hassle of a system reboot~~. If a
notice is misleading, this goes wrong; people don't update and
reboot when they really should. When there are bugs in a kernel
update, as there were here, not telling people about them causes
them to try to troubleshoot a buggy system without realizing that
there is a simple solution.

(Lucky people noticed failures on the USN-2688-1 kernel right away, and
so were able to attribute them to the just-done kernel update.  But
unlucky people will only run into this once in a while, when they run
a rare lingering 32-bit program that does this, and so they may not
immediately realize that it was due to a kernel update that might now be
a week or two in the past.)

(See also [[a previous Ubuntu kernel update failure
UbuntuKernelUpdateFail]], from 2011.)