Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2467-1: Linux kernel (Utopic HWE) vulnerabilities

January 14, 2015 007admin

Ubuntu Security Notice USN-2467-1

13th January, 2015

linux-lts-utopic vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-utopic
– Linux hardware enablement kernel from Utopic

Details

A null pointer dereference flaw was discovered in the the Linux kernel’s
SCTP implementation when ASCONF is used. A remote attacker could exploit
this flaw to cause a denial of service (system crash) via a malformed INIT
chunk. (CVE-2014-7841)

A race condition with MMIO and PIO transactions in the KVM (Kernel Virtual
Machine) subsystem of the Linux kernel was discovered. A guest OS user
could exploit this flaw to cause a denial of service (guest OS crash) via a
specially crafted application. (CVE-2014-7842)

Miloš Prchlík reported a flaw in how the ARM64 platform handles a single
byte overflow in __clear_user. A local user could exploit this flaw to
cause a denial of service (system crash) by reading one byte beyond a
/dev/zero page boundary. (CVE-2014-7843)

A stack buffer overflow was discovered in the ioctl command handling for
the Technotrend/Hauppauge USB DEC devices driver. A local user could
exploit this flaw to cause a denial of service (system crash) or possibly
gain privileges. (CVE-2014-8884)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.16.0-29-powerpc-smp

3.16.0-29.39~14.04.1; linux-image-3.16.0-29-generic-lpae

3.16.0-29.39~14.04.1; linux-image-3.16.0-29-powerpc-e500mc

3.16.0-29.39~14.04.1; linux-image-3.16.0-29-lowlatency

3.16.0-29.39~14.04.1; linux-image-3.16.0-29-powerpc64-emb

3.16.0-29.39~14.04.1; linux-image-3.16.0-29-powerpc64-smp

3.16.0-29.39~14.04.1; linux-image-3.16.0-29-generic

3.16.0-29.39~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

Ubuntu

USN-2466-1: Linux kernel vulnerabilities

January 14, 2015 007admin

Ubuntu Security Notice USN-2466-1

13th January, 2015

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux
– Linux kernel

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:: linux-image-3.13.0-44-powerpc-smp

3.13.0-44.73; linux-image-3.13.0-44-lowlatency

3.13.0-44.73; linux-image-3.13.0-44-powerpc64-smp

3.13.0-44.73; linux-image-3.13.0-44-powerpc-e500mc

3.13.0-44.73; linux-image-3.13.0-44-generic-lpae

3.13.0-44.73; linux-image-3.13.0-44-powerpc64-emb

3.13.0-44.73; linux-image-3.13.0-44-powerpc-e500

3.13.0-44.73; linux-image-3.13.0-44-generic

3.13.0-44.73

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2465-1: Linux kernel (Trusty HWE) vulnerabilities

January 14, 2015 007admin

Ubuntu Security Notice USN-2465-1

13th January, 2015

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-lts-trusty
– Linux hardware enablement kernel from Trusty

Details

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.13.0-44-generic-lpae

3.13.0-44.73~precise1; linux-image-3.13.0-44-generic

3.13.0-44.73~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2464-1: Linux kernel (OMAP4) vulnerabilities

January 14, 2015 007admin

Ubuntu Security Notice USN-2464-1

13th January, 2015

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

linux-ti-omap4
– Linux kernel for OMAP4

Details

Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register in the x86
architecture. A local attacker could exploit this flaw to gain
administrative privileges. (CVE-2014-9322)

An information leak in the Linux kernel was discovered that could leak the
high 16 bits of the kernel stack address on 32-bit Kernel Virtual Machine
(KVM) paravirt guests. A user in the guest OS could exploit this leak to
obtain information that could potentially be used to aid in attacking the
kernel. (CVE-2014-8134)

The KVM (kernel virtual machine) subsystem of the Linux kernel
miscalculates the number of memory pages during the handling of a mapping
failure. A guest OS user could exploit this to cause a denial of service
(host OS page unpinning) or possibly have unspecified other impact by
leveraging guest OS privileges. (CVE-2014-8369)

Andy Lutomirski discovered that the Linux kernel does not properly handle
faults associated with the Stack Segment (SS) register on the x86
architecture. A local attacker could exploit this flaw to cause a denial of
service (panic). (CVE-2014-9090)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:: linux-image-3.2.0-1458-omap4

3.2.0-1458.78

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2469-1: Django vulnerabilities

January 14, 2015 007admin

Ubuntu Security Notice USN-2469-1

13th January, 2015

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS
Ubuntu 10.04 LTS

Summary

Several security issues were fixed in Django.

Software description

python-django
– High-level Python web development framework

Details

Jedediah Smith discovered that Django incorrectly handled underscores in
WSGI headers. A remote attacker could possibly use this issue to spoof
headers in certain environments. (CVE-2015-0219)

Mikko Ohtamaa discovered that Django incorrectly handled user-supplied
redirect URLs. A remote attacker could possibly use this issue to perform a
cross-site scripting attack. (CVE-2015-0220)

Alex Gaynor discovered that Django incorrectly handled reading files in
django.views.static.serve(). A remote attacker could possibly use this
issue to cause Django to consume resources, resulting in a denial of
service. (CVE-2015-0221)

Keryn Knight discovered that Django incorrectly handled forms with
ModelMultipleChoiceField. A remote attacker could possibly use this issue
to cause a large number of SQL queries, resulting in a database denial of
service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-0222)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: python3-django

1.6.6-1ubuntu2.1; python-django

1.6.6-1ubuntu2.1
Ubuntu 14.04 LTS:: python-django

1.6.1-2ubuntu0.6
Ubuntu 12.04 LTS:: python-django

1.3.1-4ubuntu1.13
Ubuntu 10.04 LTS:: python-django

1.1.1-2ubuntu1.14

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

Ubuntu

USN-2470-1: Git vulnerability

January 14, 2015 007admin

Ubuntu Security Notice USN-2470-1

13th January, 2015

git vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Git could be made to run programs as your login if it received specially
crafted changes from a remote repository.

Software description

git
– fast, scalable, distributed revision control system

Details

Matt Mackall and Augie Fackler discovered that Git incorrectly handled certain
filesystem paths. A remote attacker could possibly use this issue to execute
arbitrary code if the Git tree is stored in an HFS+ or NTFS filesystem. The
remote attacker would need write access to a Git repository that the victim
pulls from.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: git

1:2.1.0-1ubuntu0.1
Ubuntu 14.04 LTS:: git

1:1.9.1-1ubuntu0.1
Ubuntu 12.04 LTS:: git

1:1.7.9.5-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to set the core.protectHFS and/or
core.protectNTFS Git configuration variables to “true” if you store Git trees
in HFS+ and/or NTFS filesystems. If you host Git trees, setting the
core.protectHFS, core.protectNTFS, and receive.fsckObjects Git configuration
variables to “true” will cause your Git server to reject objects containing
malicious paths intended to overwrite the Git metadata.

References

CVE-2014-9390

Ubuntu

USN-2461-3: PyYAML vulnerability

January 13, 2015 007admin

Ubuntu Security Notice USN-2461-3

12th January, 2015

pyyaml vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Applications using PyYAML could be made to crash if they received
specially crafted input.

Software description

pyyaml
– YAML parser and emitter for Python

Details

Stanisław Pitucha and Jonathan Gray discovered that PyYAML did not
properly handle wrapped strings. An attacker could create specially
crafted YAML data to trigger an assert, causing a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: python-yaml

3.11-1ubuntu0.1; python3-yaml

3.11-1ubuntu0.1
Ubuntu 14.04 LTS:: python-yaml

3.10-4ubuntu0.1; python3-yaml

3.10-4ubuntu0.1
Ubuntu 12.04 LTS:: python-yaml

3.10-2ubuntu0.1; python3-yaml

3.10-2ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart applications using
PyYAML to make all the necessary changes.

References

CVE-2014-9130

Ubuntu

USN-2459-1: OpenSSL vulnerabilities

January 13, 2015 007admin

Ubuntu Security Notice USN-2459-1

12th January, 2015

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS
Ubuntu 10.04 LTS

Summary

Several security issues were fixed in OpenSSL.

Software description

openssl
– Secure Socket Layer (SSL) cryptographic library and tools

Details

Pieter Wuille discovered that OpenSSL incorrectly handled Bignum squaring.
(CVE-2014-3570)

Markus Stenberg discovered that OpenSSL incorrectly handled certain crafted
DTLS messages. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2014-3571)

Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain
handshakes. A remote attacker could possibly use this issue to downgrade to
ECDH, removing forward secrecy from the ciphersuite. (CVE-2014-3572)

Antti Karjalainen, Tuomo Untinen and Konrad Kraszewski discovered that
OpenSSL incorrectly handled certain certificate fingerprints. A remote
attacker could possibly use this issue to trick certain applications that
rely on the uniqueness of fingerprints. (CVE-2014-8275)

Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled certain
key exchanges. A remote attacker could possibly use this issue to downgrade
the security of the session to EXPORT_RSA. (CVE-2015-0204)

Karthikeyan Bhargavan discovered that OpenSSL incorrectly handled client
authentication. A remote attacker could possibly use this issue to
authenticate without the use of a private key in certain limited scenarios.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-0205)

Chris Mueller discovered that OpenSSL incorrect handled memory when
processing DTLS records. A remote attacker could use this issue to cause
OpenSSL to consume resources, resulting in a denial of service. This issue
only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-0206)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: libssl1.0.0

1.0.1f-1ubuntu9.1
Ubuntu 14.04 LTS:: libssl1.0.0

1.0.1f-1ubuntu2.8
Ubuntu 12.04 LTS:: libssl1.0.0

1.0.1-4ubuntu5.21
Ubuntu 10.04 LTS:: libssl0.9.8

0.9.8k-7ubuntu8.23

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

Ubuntu

USN-2461-2: libyaml-libyaml-perl vulnerability

January 13, 2015 007admin

Ubuntu Security Notice USN-2461-2

12th January, 2015

libyaml-libyaml-perl vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Applications using libyaml-libyaml-perl could be made to crash if
they received specially crafted input.

Software description

libyaml-libyaml-perl
– Perl interface to libyaml, a YAML implementation

Details

Stanisław Pitucha and Jonathan Gray discovered that
libyaml-libyaml-perl did not properly handle wrapped strings. An
attacker could create specially crafted YAML data to trigger an assert,
causing a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: libyaml-libyaml-perl

0.41-5ubuntu0.14.10.1
Ubuntu 14.04 LTS:: libyaml-libyaml-perl

0.41-5ubuntu0.14.04.1
Ubuntu 12.04 LTS:: libyaml-libyaml-perl

0.38-2ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart applications using
libyaml-libyaml-perl to make all the necessary changes.

References

CVE-2014-9130

Ubuntu

USN-2461-1: LibYAML vulnerability

January 13, 2015 007admin

Ubuntu Security Notice USN-2461-1

12th January, 2015

libyaml vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

Ubuntu 14.10
Ubuntu 14.04 LTS
Ubuntu 12.04 LTS

Summary

Applications using LibYAML could be made to crash if they received
specially crafted input.

Software description

libyaml
– Fast YAML 1.1 parser and emitter library

Details

Stanisław Pitucha and Jonathan Gray discovered that LibYAML did not
properly handle wrapped strings. An attacker could create specially
crafted YAML data to trigger an assert, causing a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:: libyaml-0-2

0.1.6-1ubuntu0.1
Ubuntu 14.04 LTS:: libyaml-0-2

0.1.4-3ubuntu3.1
Ubuntu 12.04 LTS:: libyaml-0-2

0.1.4-2ubuntu0.12.04.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart applications using
LibYAML to make all the necessary changes.

References

CVE-2014-9130

Ubuntu Security Notice USN-2467-1

linux-lts-utopic vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2466-1

linux vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2465-1

linux-lts-trusty vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2464-1

linux-ti-omap4 vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2469-1

python-django vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2470-1

git vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2461-3

pyyaml vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2459-1

openssl vulnerabilities

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2461-2

libyaml-libyaml-perl vulnerability

Summary

Software description

Details

Update instructions

References

Ubuntu Security Notice USN-2461-1

libyaml vulnerability

Summary

Software description

Details

Update instructions

References

Software and Security Information