Ubuntu

USN-3254-1: Django vulnerabilities

April 5, 2017 007admin

Ubuntu Security Notice USN-3254-1

4th April, 2017

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Django.

Software description

python-django
– High-level Python web development framework

Details

It was discovered that Django incorrectly handled numeric redirect URLs. A
remote attacker could possibly use this issue to perform XSS attacks, and
to use a Django server as an open redirect. (CVE-2017-7233)

Phithon Gong discovered that Django incorrectly handled certain URLs when
the jango.views.static.serve() view is being used. A remote attacker could
possibly use a Django server as an open redirect. (CVE-2017-7234)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: python3-django

1.8.7-1ubuntu8.2; python-django

1.8.7-1ubuntu8.2
Ubuntu 16.04 LTS:: python3-django

1.8.7-1ubuntu5.5; python-django

1.8.7-1ubuntu5.5
Ubuntu 14.04 LTS:: python-django

1.6.11-0ubuntu1.1
Ubuntu 12.04 LTS:: python-django

1.3.1-4ubuntu1.23

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-7233,

CVE-2017-7234

Ubuntu

USN-3255-1: LightDM vulnerability

April 5, 2017 007admin

Ubuntu Security Notice USN-3255-1

4th April, 2017

lightdm vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS

Summary

LightDM could be made to run programs as an administrator.

Software description

lightdm
– Display Manager

Details

It was discovered that LightDM incorrectly handled home directory creation for
guest users. A local attacker could use this issue to gain ownership of
arbitrary directory paths and possibly gain administrative privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: lightdm

1.19.5-0ubuntu1.1
Ubuntu 16.04 LTS:: lightdm

1.18.3-0ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-7358

Ubuntu

USN-3256-1: Linux kernel vulnerability

April 5, 2017 007admin

Ubuntu Security Notice USN-3256-1

4th April, 2017

linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux-ti-omap4 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

linux
– Linux kernel
linux-aws
– Linux kernel for Amazon Web Services (AWS) systems
linux-gke
– Linux kernel for Google Container Engine (GKE) systems
linux-raspi2
– Linux kernel for Raspberry Pi 2
linux-snapdragon
– Linux kernel for Snapdragon Processors
linux-ti-omap4
– Linux kernel for OMAP4

Details

Andrey Konovalov discovered that the AF_PACKET implementation in the Linux
kernel did not properly validate certain block-size data. A local attacker
could use this to cause a denial of service (system crash).

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:: linux-image-powerpc-smp 4.8.0.46.58; linux-image-powerpc-e500mc 4.8.0.46.58; linux-image-generic 4.8.0.46.58; linux-image-4.8.0-46-lowlatency

4.8.0-46.49; linux-image-4.8.0-46-generic-lpae

4.8.0-46.49; linux-image-4.8.0-46-powerpc-smp

4.8.0-46.49; linux-image-4.8.0-1033-raspi2

4.8.0-1033.36; linux-image-4.8.0-46-powerpc-e500mc

4.8.0-46.49; linux-image-generic-lpae 4.8.0.46.58; linux-image-4.8.0-46-powerpc64-emb

4.8.0-46.49; linux-image-4.8.0-46-generic

4.8.0-46.49; linux-image-lowlatency 4.8.0.46.58; linux-image-raspi2 4.8.0.1033.37; linux-image-powerpc64-smp 4.8.0.46.58
Ubuntu 16.04 LTS:: linux-image-powerpc-e500mc 4.4.0.72.78; linux-image-4.4.0-72-lowlatency

4.4.0-72.93; linux-image-4.4.0-72-powerpc-smp

4.4.0-72.93; linux-image-4.4.0-72-powerpc-e500mc

4.4.0-72.93; linux-image-4.4.0-1055-snapdragon

4.4.0-1055.59; linux-image-powerpc64-smp-lts-utopic 4.4.0.72.78; linux-image-4.4.0-72-generic

4.4.0-72.93; linux-image-4.4.0-72-generic-lpae

4.4.0-72.93; linux-image-powerpc64-smp-lts-xenial 4.4.0.72.78; linux-image-4.4.0-72-powerpc64-smp

4.4.0-72.93; linux-image-gke 4.4.0.1010.12; linux-image-powerpc64-smp-lts-vivid 4.4.0.72.78; linux-image-generic 4.4.0.72.78; linux-image-snapdragon 4.4.0.1055.48; linux-image-aws 4.4.0.1013.16; linux-image-raspi2 4.4.0.1052.53; linux-image-powerpc-smp 4.4.0.72.78; linux-image-4.4.0-1052-raspi2

4.4.0-1052.59; linux-image-generic-lpae 4.4.0.72.78; linux-image-powerpc64-smp-lts-wily 4.4.0.72.78; linux-image-4.4.0-1013-aws

4.4.0-1013.22; linux-image-4.4.0-1010-gke

4.4.0-1010.10; linux-image-powerpc64-smp 4.4.0.72.78; linux-image-lowlatency 4.4.0.72.78
Ubuntu 14.04 LTS:: linux-image-powerpc-smp

3.13.0.116.126; linux-image-powerpc-e500mc

3.13.0.116.126; linux-image-generic

3.13.0.116.126; linux-image-generic-lpae

3.13.0.116.126; linux-image-3.13.0-116-powerpc64-smp

3.13.0-116.163; linux-image-3.13.0-116-powerpc-e500mc

3.13.0-116.163; linux-image-3.13.0-116-lowlatency

3.13.0-116.163; linux-image-powerpc-e500

3.13.0.116.126; linux-image-3.13.0-116-generic

3.13.0-116.163; linux-image-3.13.0-116-powerpc-e500

3.13.0-116.163; linux-image-3.13.0-116-powerpc-smp

3.13.0-116.163; linux-image-powerpc64-smp

3.13.0.116.126; linux-image-lowlatency

3.13.0.116.126; linux-image-3.13.0-116-generic-lpae

3.13.0-116.163
Ubuntu 12.04 LTS:: linux-image-3.2.0-126-virtual

3.2.0-126.169; linux-image-3.2.0-126-highbank

3.2.0-126.169; linux-image-3.2.0-1504-omap4

3.2.0-1504.131; linux-image-3.2.0-126-generic-pae

3.2.0-126.169; linux-image-powerpc-smp 3.2.0.126.141; linux-image-generic 3.2.0.126.141; linux-image-3.2.0-126-omap

3.2.0-126.169; linux-image-3.2.0-126-generic

3.2.0-126.169; linux-image-generic-pae 3.2.0.126.141; linux-image-highbank 3.2.0.126.141; linux-image-3.2.0-126-powerpc64-smp

3.2.0-126.169; linux-image-powerpc64-smp 3.2.0.126.141; linux-image-omap4 3.2.0.1504.99; linux-image-3.2.0-126-powerpc-smp

3.2.0-126.169; linux-image-omap 3.2.0.126.141; linux-image-virtual 3.2.0.126.141

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-7308

Ubuntu

USN-3256-2: Linux kernel (HWE) vulnerability

April 5, 2017 007admin

Ubuntu Security Notice USN-3256-2

4th April, 2017

linux-hwe, linux-lts-trusty, linux-lts-xenial vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

The system could be made to crash under certain conditions.

Software description

linux-hwe
– Linux hardware enablement (HWE) kernel
linux-lts-trusty
– Linux hardware enablement kernel from Trusty for Precise
linux-lts-xenial
– Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3256-1 fixed vulnerabilities in the Linux kernel for Ubuntu
14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. This update provides
the corresponding updates for the Linux Hardware Enablement (HWE)
kernel for each of the respective prior Ubuntu LTS releases.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.04 LTS:: linux-image-4.8.0-46-lowlatency

4.8.0-46.49~16.04.1; linux-image-lowlatency-hwe-16.04

4.8.0.46.18; linux-image-4.8.0-46-generic-lpae

4.8.0-46.49~16.04.1; linux-image-generic-hwe-16.04

4.8.0.46.18; linux-image-4.8.0-46-generic

4.8.0-46.49~16.04.1; linux-image-generic-lpae-hwe-16.04

4.8.0.46.18
Ubuntu 14.04 LTS:: linux-image-powerpc-smp-lts-xenial

4.4.0.72.59; linux-image-4.4.0-72-generic

4.4.0-72.93~14.04.1; linux-image-4.4.0-72-powerpc-smp

4.4.0-72.93~14.04.1; linux-image-4.4.0-72-powerpc-e500mc

4.4.0-72.93~14.04.1; linux-image-generic-lpae-lts-xenial

4.4.0.72.59; linux-image-4.4.0-72-generic-lpae

4.4.0-72.93~14.04.1; linux-image-4.4.0-72-lowlatency

4.4.0-72.93~14.04.1; linux-image-lowlatency-lts-xenial

4.4.0.72.59; linux-image-generic-lts-xenial

4.4.0.72.59; linux-image-powerpc64-smp-lts-xenial

4.4.0.72.59; linux-image-4.4.0-72-powerpc64-smp

4.4.0-72.93~14.04.1; linux-image-powerpc-e500mc-lts-xenial

4.4.0.72.59
Ubuntu 12.04 LTS:: linux-image-generic-lpae-lts-trusty

3.13.0.116.107; linux-image-3.13.0-116-generic

3.13.0-116.163~precise1; linux-image-generic-lts-trusty

3.13.0.116.107; linux-image-3.13.0-116-generic-lpae

3.13.0-116.163~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2017-7308

Kaspersky

A Record Number of Partners Join the Global No More Ransom Initiative

April 5, 2017 007admin

Nine months after the launch of the No More Ransom (NMR) project, the initiative is continuing momentum with 76 supporting partners and the platform now available in 14 different languages, containing 39 free decryption tools.

NVD

CVE-2017-2671

April 5, 2017 007admin

The ping_unhash function in net/ipv4/ping.c in the Linux kernel through 4.10.8 is too late in obtaining a certain lock and consequently cannot ensure that disconnect function calls are safe, which allows local users to cause a denial of service (panic) by leveraging access to the protocol value of IPPROTO_ICMP in a socket system call.

NVD

CVE-2017-7358

April 5, 2017 007admin

In LightDM through 1.22.0, a directory traversal issue in debian/guest-account.sh allows local attackers to own arbitrary directory path locations and escalate privileges to root when the guest user logs out.

Security Focus

Vuln: IETF IPv6 Protocol CVE-2016-10142 Denial of Service Vulnerability

April 4, 2017 007admin

IETF IPv6 Protocol CVE-2016-10142 Denial of Service Vulnerability

Security Focus

Vuln: Linux kernel CVE-2017-6345 Local Denial of Service Vulnerability

April 4, 2017 007admin

Linux kernel CVE-2017-6345 Local Denial of Service Vulnerability

Security Focus

Vuln: Linux Kernel CVE-2017-2636 Local Privilege Escalation Vulnerability

April 4, 2017 007admin

Linux Kernel CVE-2017-2636 Local Privilege Escalation Vulnerability

Ubuntu Security Notice USN-3254-1

python-django vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3255-1

lightdm vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3256-1

linux, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, linux-ti-omap4 vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-3256-2

linux-hwe, linux-lts-trusty, linux-lts-xenial vulnerability

Summary

Software description

Details

Update instructions

References

Software and Security Information