Ubuntu Security Notice USN-2347-1

16th September, 2014

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in Django.

Software description

• python-django
  – High-level Python web development framework

Details

Florian Apolloner discovered that Django incorrectly validated URLs. A
remote attacker could use this issue to conduct phishing attacks.
(CVE-2014-0480)

David Wilson discovered that Django incorrectly handled file name
generation. A remote attacker could use this issue to cause Django to
consume resources, resulting in a denial of service. (CVE-2014-0481)

David Greisen discovered that Django incorrectly handled certain headers in
contrib.auth.middleware.RemoteUserMiddleware. A remote authenticated user
could use this issue to hijack web sessions. (CVE-2014-0482)

Collin Anderson discovered that Django incorrectly checked if a field
represented a relationship between models in the administrative interface.
A remote authenticated user could use this issue to possibly obtain
sensitive information. (CVE-2014-0483)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

python-django

1.6.1-2ubuntu0.4

Ubuntu 12.04 LTS:

python-django

1.3.1-4ubuntu1.12

Ubuntu 10.04 LTS:

python-django

1.1.1-2ubuntu1.13

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-0480,

CVE-2014-0481,

CVE-2014-0482,

CVE-2014-0483

Ubuntu Security Notice USN-2348-1

16th September, 2014

apt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in APT.

Software description

• apt
  – Advanced front-end for dpkg

Details

It was discovered that APT did not re-verify downloaded files when the
If-Modified-Since wasn’t met. (CVE-2014-0487)

It was discovered that APT did not invalidate repository data when it
switched from an unauthenticated to an authenticated state. (CVE-2014-0488)

It was discovered that the APT Acquire::GzipIndexes option caused APT to
skip checksum validation. This issue only applied to Ubuntu 12.04 LTS and
Ubuntu 14.04 LTS, and was not enabled by default. (CVE-2014-0489)

It was discovered that APT did not correctly validate signatures when
manually downloading packages using the download command. This issue only
applied to Ubuntu 12.04 LTS. (CVE-2014-0490)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

apt

1.0.1ubuntu2.3

Ubuntu 12.04 LTS:

apt

0.8.16~exp12ubuntu10.19

Ubuntu 10.04 LTS:

apt

0.7.25.3ubuntu9.16

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-0487,

CVE-2014-0488,

CVE-2014-0489,

CVE-2014-0490

Ubuntu Security Notice USN-2319-3

16th September, 2014

openjdk-7 update

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

This update provides stability updates for OpenJDK 7.

Software description

• openjdk-7
  – Open Source Java implementation

Details

USN-2319-1 fixed vulnerabilities in OpenJDK 7. This update provides
stability fixes for the arm64 and ppc64el architectures.

Original advisory details:

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-2483, CVE-2014-2490, CVE-2014-4216, CVE-2014-4219,
CVE-2014-4223, CVE-2014-4262)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-4209, CVE-2014-4244,
CVE-2014-4263)

Two vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-4218, CVE-2014-4266)

A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2014-4264)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-4221, CVE-2014-4252, CVE-2014-4268)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

openjdk-7-jre-lib

7u65-2.5.2-3~14.04

openjdk-7-jre-zero

7u65-2.5.2-3~14.04

icedtea-7-jre-jamvm

7u65-2.5.2-3~14.04

openjdk-7-jre-headless

7u65-2.5.2-3~14.04

openjdk-7-jre

7u65-2.5.2-3~14.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

LP: 1370307

Ubuntu Security Notice USN-2349-1

17th September, 2014

libav vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

Libav could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

• libav
  – Multimedia player, server, encoder and transcoder

Details

It was discovered that Libav incorrectly handled certain malformed media
files. If a user were tricked into opening a crafted media file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

libavformat53

4:0.8.16-0ubuntu0.12.04.1

libavcodec53

4:0.8.16-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

LP: 1370175

Ubuntu Security Notice USN-2350-1

22nd September, 2014

nss update

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

NSS was updated to refresh the CA certificates bundle.

Software description

• nss
  – Network Security Service library

Details

The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.17 which includes the latest CA certificate
bundle.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

libnss3

2:3.17-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:

libnss3

3.17-0ubuntu0.12.04.1

Ubuntu 10.04 LTS:

libnss3-1d

3.17-0ubuntu0.10.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

References

LP: 1372410

Ubuntu Security Notice USN-2351-1

22nd September, 2014

nginx vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

nginx could be made to expose sensitive information over the network.

Software description

• nginx
  – small, powerful, scalable web/proxy server

Details

Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that nginx
incorrectly reused cached SSL sessions. An attacker could possibly use this
issue in certain configurations to obtain access to information from a
different virtual host.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

nginx-extras

1.4.6-1ubuntu3.1

nginx-full

1.4.6-1ubuntu3.1

nginx-core

1.4.6-1ubuntu3.1

nginx-light

1.4.6-1ubuntu3.1

nginx-naxsi

1.4.6-1ubuntu3.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3616

Ubuntu Security Notice USN-2352-1

22nd September, 2014

dbus vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in DBus.

Software description

• dbus
  – simple interprocess messaging system

Details

Simon McVittie discovered that DBus incorrectly handled the file
descriptors message limit. A local attacker could use this issue to cause
DBus to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only applied to Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. (CVE-2014-3635)

Alban Crequy discovered that DBus incorrectly handled a large number of
file descriptor messages. A local attacker could use this issue to cause
DBus to stop responding, resulting in a denial of service. This issue only
applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3636)

Alban Crequy discovered that DBus incorrectly handled certain file
descriptor messages. A local attacker could use this issue to cause DBus
to maintain persistent connections, possibly resulting in a denial of
service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-3637)

Alban Crequy discovered that DBus incorrectly handled a large number of
parallel connections and parallel message calls. A local attacker could use
this issue to cause DBus to consume resources, possibly resulting in a
denial of service. (CVE-2014-3638)

Alban Crequy discovered that DBus incorrectly handled incomplete
connections. A local attacker could use this issue to cause DBus to fail
legitimate connection attempts, resulting in a denial of service.
(CVE-2014-3639)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

dbus

1.6.18-0ubuntu4.2

libdbus-1-3

1.6.18-0ubuntu4.2

Ubuntu 12.04 LTS:

dbus

1.4.18-1ubuntu1.6

libdbus-1-3

1.4.18-1ubuntu1.6

Ubuntu 10.04 LTS:

dbus

1.2.16-2ubuntu4.8

libdbus-1-3

1.2.16-2ubuntu4.8

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

CVE-2014-3635,

CVE-2014-3636,

CVE-2014-3637,

CVE-2014-3638,

CVE-2014-3639

Ubuntu Security Notice USN-2353-1

23rd September, 2014

apt vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

APT could be made to crash or run programs if it received specially crafted
network traffic.

Software description

• apt
  – Advanced front-end for dpkg

Details

It was discovered that APT incorrectly handled certain http URLs. If a
remote attacker were able to perform a man-in-the-middle attack, this flaw
could be exploited to cause APT to crash, resulting in a denial of service,
or possibly execute arbitrary code. The default compiler options for
affected releases should reduce the vulnerability to a denial of service.
(CVE-2014-6273)

In addition, this update fixes regressions introduced by the USN-2348-1
security update: APT incorrectly handled file:/// sources on a different
partition, incorrectly handled Dir::state::lists set to a relative path,
and incorrectly handled cdrom: sources.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

apt

1.0.1ubuntu2.4.1

Ubuntu 12.04 LTS:

apt

0.8.16~exp12ubuntu10.20.1

Ubuntu 10.04 LTS:

apt

0.7.25.3ubuntu9.17.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-6273

Ubuntu Security Notice USN-2354-1

23rd September, 2014

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux
  – Linux kernel

Details

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:

linux-image-2.6.32-66-lpia

2.6.32-66.132

linux-image-2.6.32-66-generic-pae

2.6.32-66.132

linux-image-2.6.32-66-sparc64

2.6.32-66.132

linux-image-2.6.32-66-ia64

2.6.32-66.132

linux-image-2.6.32-66-386

2.6.32-66.132

linux-image-2.6.32-66-powerpc

2.6.32-66.132

linux-image-2.6.32-66-versatile

2.6.32-66.132

linux-image-2.6.32-66-generic

2.6.32-66.132

linux-image-2.6.32-66-powerpc64-smp

2.6.32-66.132

linux-image-2.6.32-66-preempt

2.6.32-66.132

linux-image-2.6.32-66-powerpc-smp

2.6.32-66.132

linux-image-2.6.32-66-server

2.6.32-66.132

linux-image-2.6.32-66-sparc64-smp

2.6.32-66.132

linux-image-2.6.32-66-virtual

2.6.32-66.132

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-5471,

CVE-2014-5472

Ubuntu Security Notice USN-2355-1

23rd September, 2014

linux-ec2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux-ec2
  – Linux kernel for EC2

Details

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:

linux-image-2.6.32-370-ec2

2.6.32-370.86

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-5471,

CVE-2014-5472