USN-3028-1: NSPR vulnerability

Ubuntu Security Notice USN-3028-1

11th July, 2016

nspr vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

NSPR could be made to crash or run programs if it received specially
crafted input.

Software description

  • nspr
    – NetScape Portable Runtime Library

Details

It was discovered that NSPR incorrectly handled memory allocation. A remote
attacker could use this issue to cause NSPR to crash, resulting in a denial
of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
  libnspr4 2:4.12-0ubuntu0.16.04.1
Ubuntu 15.10:
  libnspr4 2:4.12-0ubuntu0.15.10.1
Ubuntu 14.04 LTS:
  libnspr4 2:4.12-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
  libnspr4 4.12-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make all
the necessary changes.

References

CVE-2016-1951

USN-3029-1: NSS vulnerability

Ubuntu Security Notice USN-3029-1

11th July, 2016

nss vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

NSS could be made to crash or run programs if it processed specially
crafted network traffic.

Software description

  • nss
    – Network Security Service library

Details

Tyson Smith and Jed Davis discovered that NSS incorrectly handled memory. A
remote attacker could use this issue to cause NSS to crash, resulting in a
denial of service, or possibly execute arbitrary code.

This update refreshes the NSS package to version 3.23 which includes
the latest CA certificate bundle. As a security improvement, this update
also modifies NSS behaviour to reject DH key sizes below 1024 bits,
preventing a possible downgrade attack.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
  libnss3 2:3.23-0ubuntu0.16.04.1
Ubuntu 15.10:
  libnss3 2:3.23-0ubuntu0.15.10.1
Ubuntu 14.04 LTS:
  libnss3 2:3.23-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
  libnss3 2:3.23-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

References

CVE-2016-2834

USN-3030-1: GD library vulnerabilities

Ubuntu Security Notice USN-3030-1

11th July, 2016

libgd2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.04 LTS
  • Ubuntu 15.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

The GD library could be made to crash or run programs if it processed a
specially crafted image file.

Software description

  • libgd2
    – GD Graphics Library

Details

It was discovered that the GD library incorrectly handled memory when using
gdImageScaleTwoPass(). A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 14.04 LTS.
(CVE-2013-7456)

It was discovered that the GD library incorrectly handled certain malformed
XBM images. If a user or automated system were tricked into processing a
specially crafted XBM image, an attacker could cause a denial of service.
This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04
LTS. (CVE-2016-5116)

It was discovered that the GD library incorrectly handled memory when using
_gd2GetHeader(). A remote attacker could possibly use this issue to cause a
denial of service or possibly execute arbitrary code. (CVE-2016-5766)

It was discovered that the GD library incorrectly handled certain color
indexes. A remote attacker could possibly use this issue to cause a denial
of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.10 and
Ubuntu 16.04 LTS. (CVE-2016-6128)

It was discovered that the GD library incorrectly handled memory when
encoding a GIF image. A remote attacker could possibly use this issue to
cause a denial of service. (CVE-2016-6161)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:
  libgd3 2.1.1-4ubuntu0.16.04.2
Ubuntu 15.10:
  libgd3 2.1.1-4ubuntu0.15.10.2
Ubuntu 14.04 LTS:
  libgd3 2.1.0-3ubuntu0.2
Ubuntu 12.04 LTS:
  libgd2-xpm 2.0.36~rc1~dfsg-6ubuntu2.2
  libgd2-noxpm 2.0.36~rc1~dfsg-6ubuntu2.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-7456, CVE-2016-5116, CVE-2016-5766, CVE-2016-6128, CVE-2016-6161

Internet Explorer Malformed IFRAME Buffer Overflow (MS04-040: CVE-2004-1050)

Internet Explorer (IE) is a popular web browser developed by Microsoft Corporation. A buffer overflow vulnerability has been reported in the way Internet Explorer parses certain parameters of an IFRAME tag. An attacker can exploit this vulnerability to create a denial of service condition or to execute arbitrary code on a vulnerable system in the context of the currently logged-in user.

Microsoft Internet Explorer Memory Corruption (MS16-084: CVE-2016-3241)

A memory corruption vulnerability exists in Microsoft Internet Explorer. The vulnerability is due to an error while handling certain objects when processing HTML and script code. A remote attacker can exploit this issue by enticing a target victim to open a specially crafted web page that could cause memory corruption in a way that would allow attackers to execute code on the target system.

Microsoft Internet Explorer Memory Corruption (MS16-084: CVE-2016-3240)

A memory corruption vulnerability exists in Microsoft Internet Explorer. The vulnerability is due to an error while handling certain objects when processing HTML and script code. A remote attacker can exploit this issue by enticing a target victim to open a specially crafted web page that could cause memory corruption in a way that would allow attackers to execute code on the target system.