Ubuntu Security Notices

USN-2438-1: NVIDIA graphics drivers vulnerabilities

Ubuntu Security Notice USN-2438-1

10th December, 2014

nvidia-graphics-drivers-304, nvidia-graphics-drivers-304-updates, nvidia-graphics-drivers-331, nvidia-graphics-drivers-331-updates vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the NVIDIA graphics drivers.

Software description

  • nvidia-graphics-drivers-304
    – NVIDIA binary Xorg driver

  • nvidia-graphics-drivers-304-updates
    – NVIDIA binary Xorg driver

  • nvidia-graphics-drivers-331
    – NVIDIA binary Xorg driver

  • nvidia-graphics-drivers-331-updates
    – NVIDIA binary Xorg driver

Details

It was discovered that the NVIDIA graphics drivers incorrectly handled GLX
indirect rendering support. An attacker able to connect to an X server,
either locally or remotely, could use these issues to cause the X server to
crash or execute arbitrary code resulting in possible privilege escalation.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
nvidia-331-updates 331.113-0ubuntu0.1
nvidia-331 331.113-0ubuntu0.1
nvidia-304-updates 304.125-0ubuntu0.1
nvidia-304 304.125-0ubuntu0.1
Ubuntu 14.04 LTS:
nvidia-331-updates 331.113-0ubuntu0.0.4
nvidia-331 331.113-0ubuntu0.0.4
nvidia-304-updates 304.125-0ubuntu0.0.1
nvidia-304 304.125-0ubuntu0.0.1
Ubuntu 12.04 LTS:
nvidia-331-updates 331.113-0ubuntu0.0.0.3
nvidia-331 331.113-0ubuntu0.0.0.3
nvidia-304-updates 304.125-0ubuntu0.0.0.1
nvidia-304 304.125-0ubuntu0.0.0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2014-8091, CVE-2014-8098, CVE-2014-8298

USN-2436-2: X.Org X server vulnerabilities

Ubuntu Security Notice USN-2436-2

9th December, 2014

xorg-server, xorg-server-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

USN-2436-1 contained incomplete fixes for the X.Org X server.

Software description

  • xorg-server
    – X.Org X11 server

  • xorg-server-lts-trusty
    – Xorg X server – source files

Details

USN-2436-1 fixed vulnerabilities in the X.Org X server. Since publication,
additional fixes have been made available for these issues. This update
adds the additional fixes.

Original advisory details:

Ilja van Sprundel discovered a multitude of security issues in the X.Org X
server. An attacker able to connect to an X server, either locally or
remotely, could use these issues to cause the X server to crash or execute
arbitrary code resulting in possible privilege escalation.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
xserver-xorg-core 2:1.16.0-1ubuntu1.2
Ubuntu 14.04 LTS:
xserver-xorg-core 2:1.15.1-0ubuntu2.5
Ubuntu 12.04 LTS:
xserver-xorg-core 2:1.11.4-0ubuntu10.16
xserver-xorg-core-lts-trusty 2:1.15.1-0ubuntu2~precise4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.
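The fixed versions in these update lists (here and in the other notices on this page) only compare correctly under dpkg's ordering rules: an epoch such as `2:` dominates everything after it, and a `~precise4` suffix sorts below the bare `-0ubuntu2` revision it extends. This added example, my own code rather than Ubuntu's or dpkg's, reimplements that ordering in C so an installed version can be checked against a notice's fixed version; on a Debian-based host `dpkg --compare-versions` performs the same comparison.

```c
/* Added example, not from the Ubuntu notices: Debian version ordering (epoch,
   upstream, revision; '~' sorts before anything, even end of string) so an
   installed version can be checked against a USN's fixed version. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* dpkg's weight of a non-digit character (ASCII version strings assumed). */
static int order(int c)
{
    return isdigit(c) ? 0 : isalpha(c) ? c : c == '~' ? -1 : c ? c + 256 : 0;
}

/* Compare one part (upstream version or revision) the way dpkg does. */
static int verrevcmp(const char *a, const char *b)
{
    while (*a || *b) {
        int first_diff = 0;
        while ((*a && !isdigit(*a)) || (*b && !isdigit(*b))) { /* non-digit run */
            int d = order(*a) - order(*b);
            if (d) return d;
            a++; b++;
        }
        while (*a == '0') a++; while (*b == '0') b++;  /* numeric run */
        while (isdigit(*a) && isdigit(*b)) {
            if (!first_diff) first_diff = *a - *b;
            a++; b++;
        }
        if (isdigit(*a)) return 1;   /* longer digit string is larger */
        if (isdigit(*b)) return -1;
        if (first_diff) return first_diff;
    }
    return 0;
}

/* Compare "[epoch:]upstream[-revision]": <0, 0 or >0 like strcmp; fixed when >= 0. */
int debcmp(const char *a, const char *b)
{
    const char *ca = strchr(a, ':'), *cb = strchr(b, ':');
    long ea = ca ? atol(a) : 0, eb = cb ? atol(b) : 0;  /* no epoch means 0 */
    if (ea != eb) return ea > eb ? 1 : -1;
    char ua[128] = "", ub[128] = "";                    /* copies after the epoch */
    strncat(ua, ca ? ca + 1 : a, sizeof ua - 1);
    strncat(ub, cb ? cb + 1 : b, sizeof ub - 1);
    char *ra = strrchr(ua, '-'), *rb = strrchr(ub, '-'); /* last '-' starts revision */
    if (ra) *ra++ = '\0'; else ra = "";
    if (rb) *rb++ = '\0'; else rb = "";
    int r = verrevcmp(ua, ub);
    return r ? r : verrevcmp(ra, rb);
}
```

A host is covered by a notice when `debcmp(installed, fixed) >= 0` for every listed package of its release.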

References

LP: 1400942

USN-2437-1: Bind vulnerability

Ubuntu Security Notice USN-2437-1

9th December, 2014

bind9 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Bind could be made to crash if it received specially crafted network
traffic.

Software description

  • bind9
    – Internet Domain Name Server

Details

Florian Maury discovered that Bind incorrectly handled delegation. A remote
attacker could possibly use this issue to cause Bind to consume resources
and crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
bind9 1:9.9.5.dfsg-4.3ubuntu0.1
Ubuntu 14.04 LTS:
bind9 1:9.9.5.dfsg-3ubuntu0.1
Ubuntu 12.04 LTS:
bind9 1:9.8.1.dfsg.P1-4ubuntu0.9
Ubuntu 10.04 LTS:
bind9 1:9.7.0.dfsg.P1-1ubuntu0.12

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-8500

USN-2436-1: X.Org X server vulnerabilities

Ubuntu Security Notice USN-2436-1

9th December, 2014

xorg-server, xorg-server-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the X.Org X server.

Software description

  • xorg-server
    – X.Org X11 server

  • xorg-server-lts-trusty
    – X.Org X11 server

Details

Ilja van Sprundel discovered a multitude of security issues in the X.Org X
server. An attacker able to connect to an X server, either locally or
remotely, could use these issues to cause the X server to crash or execute
arbitrary code resulting in possible privilege escalation.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
xserver-xorg-core 2:1.16.0-1ubuntu1.1
Ubuntu 14.04 LTS:
xserver-xorg-core 2:1.15.1-0ubuntu2.4
Ubuntu 12.04 LTS:
xserver-xorg-core 2:1.11.4-0ubuntu10.15
xserver-xorg-core-lts-trusty 2:1.15.1-0ubuntu2~precise3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2014-8091, CVE-2014-8092, CVE-2014-8093, CVE-2014-8094, CVE-2014-8095,
CVE-2014-8096, CVE-2014-8097, CVE-2014-8098, CVE-2014-8099, CVE-2014-8100,
CVE-2014-8101, CVE-2014-8102, CVE-2014-8103

USN-2435-1: Graphviz vulnerability

Ubuntu Security Notice USN-2435-1

8th December, 2014

graphviz vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

graphviz could be made to crash or run programs if it opened a specially
crafted file.

Software description

  • graphviz
    – rich set of graph drawing tools

Details

It was discovered that graphviz incorrectly handled parsing errors. An
attacker could use this issue to cause graphviz to crash or possibly
execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
graphviz 2.38.0-5ubuntu0.1
Ubuntu 14.04 LTS:
graphviz 2.36.0-0ubuntu3.1
Ubuntu 12.04 LTS:
graphviz 2.26.3-10ubuntu1.2
Ubuntu 10.04 LTS:
graphviz 2.20.2-8ubuntu3.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-9157

USN-2434-1: JasPer vulnerability

Ubuntu Security Notice USN-2434-1

8th December, 2014

jasper vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

JasPer could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

  • jasper
    – Library for manipulating JPEG-2000 files

Details

Jose Duart discovered that JasPer incorrectly handled certain malformed
JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash
or possibly execute arbitrary code with user privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
libjasper1 1.900.1-debian1-2ubuntu0.1
Ubuntu 14.04 LTS:
libjasper1 1.900.1-14ubuntu3.1
Ubuntu 12.04 LTS:
libjasper1 1.900.1-13ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-9029

USN-2434-2: Ghostscript vulnerability

Ubuntu Security Notice USN-2434-2

8th December, 2014

ghostscript vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 10.04 LTS

Summary

Ghostscript could be made to crash or run programs as your login if it
opened a specially crafted file.

Software description

  • ghostscript
    – PostScript and PDF interpreter

Details

USN-2434-1 fixed a vulnerability in JasPer. This update provides the
corresponding fix for the JasPer library embedded in the Ghostscript
package.

Original advisory details:

Jose Duart discovered that JasPer incorrectly handled certain malformed
JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash
or possibly execute arbitrary code with user privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:
libgs8 8.71.dfsg.1-0ubuntu5.6

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-9029

USN-2433-1: tcpdump vulnerabilities

Ubuntu Security Notice USN-2433-1

4th December, 2014

tcpdump vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in tcpdump.

Software description

  • tcpdump
    – command-line network traffic analyzer

Details

Steffen Bauch discovered that tcpdump incorrectly handled printing OLSR
packets. A remote attacker could use this issue to cause tcpdump to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2014-8767)

Steffen Bauch discovered that tcpdump incorrectly handled printing GeoNet
packets. A remote attacker could use this issue to cause tcpdump to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only applied to Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-8768)

Steffen Bauch discovered that tcpdump incorrectly handled printing AODV
packets. A remote attacker could use this issue to cause tcpdump to crash,
resulting in a denial of service, reveal sensitive information, or possibly
execute arbitrary code. (CVE-2014-8769)

It was discovered that tcpdump incorrectly handled printing PPP packets. A
remote attacker could use this issue to cause tcpdump to crash, resulting
in a denial of service, or possibly execute arbitrary code.
(CVE-2014-9140)

In the default installation, attackers would be isolated by the tcpdump
AppArmor profile.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
tcpdump 4.6.2-1ubuntu1.1
Ubuntu 14.04 LTS:
tcpdump 4.5.1-2ubuntu1.1
Ubuntu 12.04 LTS:
tcpdump 4.2.1-1ubuntu2.1
Ubuntu 10.04 LTS:
tcpdump 4.0.0-6ubuntu3.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-8767, CVE-2014-8768, CVE-2014-8769, CVE-2014-9140

USN-2431-2: MAAS regression

Ubuntu Security Notice USN-2431-2

4th December, 2014

maas regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

USN-2431-1 caused a regression in the MAAS package.

Software description

  • maas
    – Ubuntu MAAS Server

Details

USN-2431-1 fixed vulnerabilities in mod_wsgi. The security update exposed
an issue in the MAAS package, causing a regression. This update fixes the
problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that mod_wsgi incorrectly handled errors when setting up
the working directory and group access rights. A malicious application
could possibly use this issue to cause a local privilege escalation when
using daemon mode.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
maas-region-controller-min 1.7.0~beta8+bzr3272-0ubuntu1.2
Ubuntu 14.04 LTS:
maas-region-controller-min 1.5.4+bzr2294-0ubuntu1.2
Ubuntu 12.04 LTS:
maas-region-controller 1.2+bzr1373+dfsg-0ubuntu1~12.04.6

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1399016

USN-2432-1: GNU C Library vulnerabilities

Ubuntu Security Notice USN-2432-1

3rd December, 2014

eglibc, glibc vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

The GNU C Library could be made to crash or run programs.

Software description

  • eglibc
    – GNU C Library

  • glibc
    – GNU C Library

Details

Siddhesh Poyarekar discovered that the GNU C Library incorrectly handled
certain multibyte characters when using the iconv function. An attacker
could possibly use this issue to cause applications to crash, resulting in
a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu
12.04 LTS. (CVE-2012-6656)

Adhemerval Zanella Netto discovered that the GNU C Library incorrectly
handled certain multibyte characters when using the iconv function. An
attacker could possibly use this issue to cause applications to crash,
resulting in a denial of service. (CVE-2014-6040)

Tim Waugh discovered that the GNU C Library incorrectly enforced the
WRDE_NOCMD flag when handling the wordexp function. An attacker could
possibly use this issue to execute arbitrary commands. (CVE-2014-7817)
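WRDE_NOCMD is the caller's contract that wordexp() will never run a command, so the quickest way to confirm a host carries the CVE-2014-7817 fix is to hand it inputs that contain command substitution and check that each one is refused with WRDE_CMDSUB rather than expanded. The probe below is an added example of mine, not code from the notice or from glibc; its inputs are constructed, modelled on the shapes the upstream test suite added for this CVE (command substitution nested inside arithmetic expansion), and it assumes a POSIX libc with `<wordexp.h>`.

```c
/* Added example, not from the Ubuntu notice: probes whether this libc's
   wordexp() honours WRDE_NOCMD, the flag CVE-2014-7817 concerned. A fixed
   libc must reject command substitution with WRDE_CMDSUB rather than run it,
   including when it is nested inside arithmetic expansion. */
#include <stddef.h>
#include <stdio.h>
#include <wordexp.h>

/* Expand 'input' with WRDE_NOCMD; returns wordexp's status (0 on success,
   WRDE_CMDSUB when command substitution was refused) and the word count. */
int expand_nocmd(const char *input, size_t *nwords)
{
    wordexp_t we;
    int rc = wordexp(input, &we, WRDE_NOCMD);
    if (nwords) *nwords = rc == 0 ? we.we_wordc : 0;
    if (rc == 0) wordfree(&we);  /* only free after a successful call */
    return rc;
}

/* Returns 1 when every probe behaves as a fixed libc should. The probes are
   constructed here; the last two have the nested shape the CVE concerned. */
int nocmd_is_enforced(void)
{
    static const char *const probes[] = {
        "$(echo 1)", "`echo 1`", "$((`echo 1`))", "$((1+`echo 1`))",
    };
    size_t n;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        if (expand_nocmd(probes[i], &n) != WRDE_CMDSUB)
            return 0;
    /* Plain words must still expand normally. */
    return expand_nocmd("alpha beta", &n) == 0 && n == 2;
}

int main(void)
{
    printf("WRDE_NOCMD enforced: %s\n", nocmd_is_enforced() ? "yes" : "NO");
    return nocmd_is_enforced() ? 0 : 1;
}
```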

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
libc6 2.19-10ubuntu2.1
Ubuntu 14.04 LTS:
libc6 2.19-0ubuntu6.4
Ubuntu 12.04 LTS:
libc6 2.15-0ubuntu10.9
Ubuntu 10.04 LTS:
libc6 2.11.1-0ubuntu7.19

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

CVE-2012-6656, CVE-2014-6040, CVE-2014-7817