Monthly Archives: December 2015

Ubuntu

USN-2829-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2829-1

4th December, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

It was discovered that the SCTP protocol implementation in the Linux kernel
performed an incorrect sequence of protocol-initialization steps. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2015-5283)

Dmitry Vyukov discovered that the Linux kernel’s keyring handler attempted
to garbage collect incompletely instantiated keys. A local unprivileged
attacker could use this to cause a denial of service (system crash).
(CVE-2015-7872)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
linux-image-3.19.0-39-powerpc64-emb

3.19.0-39.44
linux-image-3.19.0-39-powerpc64-smp

3.19.0-39.44
linux-image-3.19.0-39-generic

3.19.0-39.44
linux-image-3.19.0-39-powerpc-smp

3.19.0-39.44
linux-image-3.19.0-39-generic-lpae

3.19.0-39.44
linux-image-3.19.0-39-powerpc-e500mc

3.19.0-39.44
linux-image-3.19.0-39-lowlatency

3.19.0-39.44

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-5283,

CVE-2015-7872

Ubuntu

USN-2829-2: Linux kernel (Vivid HWE) vulnerabilities

Ubuntu Security Notice USN-2829-2

4th December, 2015

linux-lts-vivid vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-vivid
    – Linux hardware enablement kernel from Vivid

Details

It was discovered that the SCTP protocol implementation in the Linux kernel
performed an incorrect sequence of protocol-initialization steps. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2015-5283)

Dmitry Vyukov discovered that the Linux kernel’s keyring handler attempted
to garbage collect incompletely instantiated keys. A local unprivileged
attacker could use this to cause a denial of service (system crash).
(CVE-2015-7872)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
linux-image-3.19.0-39-powerpc64-emb

3.19.0-39.44~14.04.1
linux-image-3.19.0-39-powerpc64-smp

3.19.0-39.44~14.04.1
linux-image-3.19.0-39-generic

3.19.0-39.44~14.04.1
linux-image-3.19.0-39-powerpc-smp

3.19.0-39.44~14.04.1
linux-image-3.19.0-39-generic-lpae

3.19.0-39.44~14.04.1
linux-image-3.19.0-39-powerpc-e500mc

3.19.0-39.44~14.04.1
linux-image-3.19.0-39-lowlatency

3.19.0-39.44~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2015-5283,

CVE-2015-7872

Security

Ubuntu Security Notice USN-2829-1

Ubuntu Security Notice 2829-1 – It was discovered that the SCTP protocol implementation in the Linux kernel performed an incorrect sequence of protocol-initialization steps. A local attacker could use this to cause a denial of service (system crash). Dmitry Vyukov discovered that the Linux kernel’s keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash). Various other issues were also addressed.

Security

Red Hat Security Advisory 2015-2548-01

Red Hat Security Advisory 2015-2548-01 – Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.

Security

Red Hat Security Advisory 2015-2547-01

Red Hat Security Advisory 2015-2547-01 – JBoss Operations Network provides an integrated solution for managing JBoss middleware, other network infrastructure, and applications built on Red Hat Enterprise Application Platform. The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.

Security

Debian Security Advisory 3412-1

Debian Linux Security Advisory 3412-1 – Luca Bruno discovered an integer overflow flaw leading to a stack-based buffer overflow in redis, a persistent key-value database. A remote attacker can use this flaw to cause a denial of service (application crash).