Ubuntu Security Notices

USN-2428-1: Thunderbird vulnerabilities

Ubuntu Security Notice USN-2428-1

3rd December, 2014

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

  • thunderbird
    – Mozilla Open Source mail and newsgroup client

Details

Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, and Max Jonas
Werner discovered multiple memory safety issues in Thunderbird. If a user
were tricked into opening a specially crafted message with scripting
enabled, an attacker could potentially exploit these to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Thunderbird. (CVE-2014-1587)

Joe Vennix discovered a crash when using XMLHttpRequest in some
circumstances. If a user were tricked into opening a specially crafted
message with scripting enabled, an attacker could potentially exploit this
to cause a denial of service. (CVE-2014-1590)

Berend-Jan Wever discovered a use-after-free during HTML parsing. If a
user were tricked into opening a specially crafted message with scripting
enabled, an attacker could potentially exploit this to cause a denial of
service via application crash or execute arbitrary code with the
privileges of the user invoking Thunderbird. (CVE-2014-1592)

Abhishek Arya discovered a buffer overflow when parsing media content. If
a user were tricked into opening a specially crafted message with
scripting enabled, an attacker could potentially exploit this to cause a
denial of service via application crash or execute arbitrary code with the
privileges of the user invoking Thunderbird. (CVE-2014-1593)

Byoungyoung Lee, Chengyu Song, and Taesoo Kim discovered a bad cast in the
compositor. If a user were tricked into opening a specially crafted
message, an attacker could potentially exploit this to cause undefined
behaviour, a denial of service via application crash or execute arbitrary
code with the privileges of the user invoking Thunderbird. (CVE-2014-1594)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • thunderbird 1:31.3.0+build1-0ubuntu0.14.10.1

Ubuntu 14.04 LTS:
  • thunderbird 1:31.3.0+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  • thunderbird 1:31.3.0+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2014-1587, CVE-2014-1590, CVE-2014-1592, CVE-2014-1593, CVE-2014-1594

USN-2431-1: mod_wsgi vulnerability

Ubuntu Security Notice USN-2431-1

3rd December, 2014

mod-wsgi vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

mod_wsgi could be made to run programs with incorrect privileges.

Software description

  • mod-wsgi
    – Python WSGI adapter module for Apache

Details

It was discovered that mod_wsgi incorrectly handled errors when setting up
the working directory and group access rights. A malicious application
could possibly use this issue to cause a local privilege escalation when
using daemon mode.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • libapache2-mod-wsgi 3.5-1ubuntu0.1
  • libapache2-mod-wsgi-py3 3.5-1ubuntu0.1

Ubuntu 14.04 LTS:
  • libapache2-mod-wsgi 3.4-4ubuntu2.1.14.04.2
  • libapache2-mod-wsgi-py3 3.4-4ubuntu2.1.14.04.2

Ubuntu 12.04 LTS:
  • libapache2-mod-wsgi 3.3-4ubuntu0.2
  • libapache2-mod-wsgi-py3 3.3-4ubuntu0.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your web service to make
all the necessary changes.

References

CVE-2014-8583

USN-2430-1: OpenVPN vulnerability

Ubuntu Security Notice USN-2430-1

2nd December, 2014

openvpn vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

OpenVPN could be made to crash if it received specially crafted network
traffic.

Software description

  • openvpn
    – virtual private network software

Details

Dragana Damjanovic discovered that OpenVPN incorrectly handled certain
control channel packets. An authenticated attacker could use this issue to
cause an OpenVPN server to crash, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • openvpn 2.3.2-9ubuntu1.1

Ubuntu 14.04 LTS:
  • openvpn 2.3.2-7ubuntu3.1

Ubuntu 12.04 LTS:
  • openvpn 2.2.1-8ubuntu1.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-8104

USN-2424-1: Firefox vulnerabilities

Ubuntu Security Notice USN-2424-1

2nd December, 2014

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software description

  • firefox
    – Mozilla Open Source web browser

Details

Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, Max Jonas
Werner, Christian Holler, Jon Coppeard, Eric Rahm, Byron Campen, Eric
Rescorla, and Xidorn Quan discovered multiple memory safety issues in
Firefox. If a user were tricked into opening a specially crafted website,
an attacker could potentially exploit these to cause a denial of service
via application crash, or execute arbitrary code with the privileges of
the user invoking Firefox. (CVE-2014-1587, CVE-2014-1588)

Cody Crews discovered a way to trigger chrome-level XBL bindings from web
content in some circumstances. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this to
bypass security restrictions. (CVE-2014-1589)

Joe Vennix discovered a crash when using XMLHttpRequest in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service. (CVE-2014-1590)

Muneaki Nishimura discovered that CSP violation reports did not remove
path information in some circumstances. If a user were tricked into
opening a specially crafted website, an attacker could potentially
exploit this to obtain sensitive information. (CVE-2014-1591)

Berend-Jan Wever discovered a use-after-free during HTML parsing. If a
user were tricked into opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via
application crash or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2014-1592)

Abhishek Arya discovered a buffer overflow when parsing media content. If
a user were tricked into opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via
application crash or execute arbitrary code with the privileges of the
user invoking Firefox. (CVE-2014-1593)

Byoungyoung Lee, Chengyu Song, and Taesoo Kim discovered a bad cast in the
compositor. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause undefined
behaviour, a denial of service via application crash or execute arbitrary
code with the privileges of the user invoking Firefox. (CVE-2014-1594)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • firefox 34.0+build2-0ubuntu0.14.10.2

Ubuntu 14.04 LTS:
  • firefox 34.0+build2-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  • firefox 34.0+build2-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2014-1587, CVE-2014-1588, CVE-2014-1589, CVE-2014-1590, CVE-2014-1591,
CVE-2014-1592, CVE-2014-1593, CVE-2014-1594

USN-2429-1: ppp vulnerability

Ubuntu Security Notice USN-2429-1

1st December, 2014

ppp vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

ppp could be made to crash or run programs as an administrator if it opened
a specially crafted file.

Software description

  • ppp
    – Point-to-Point Protocol (PPP)

Details

It was discovered that ppp incorrectly handled certain options files. A
local attacker could possibly use this issue to escalate privileges.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • ppp 2.4.5-5.1ubuntu3.1

Ubuntu 14.04 LTS:
  • ppp 2.4.5-5.1ubuntu2.1

Ubuntu 12.04 LTS:
  • ppp 2.4.5-5ubuntu1.1

Ubuntu 10.04 LTS:
  • ppp 2.4.5~git20081126t100229-0ubuntu3.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3158

USN-2427-1: Libksba vulnerability

Ubuntu Security Notice USN-2427-1

27th November, 2014

libksba vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Libksba could be made to crash or run programs if it opened a specially
crafted file.

Software description

  • libksba
    – X.509 and CMS support library

Details

Hanno Böck discovered that Libksba incorrectly handled certain S/MIME
messages or ECC based OpenPGP data. An attacker could use this issue to
cause Libksba to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • libksba8 1.3.0-3ubuntu0.14.10.1

Ubuntu 14.04 LTS:
  • libksba8 1.3.0-3ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  • libksba8 1.2.0-2ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-9087

USN-2426-1: FLAC vulnerabilities

Ubuntu Security Notice USN-2426-1

27th November, 2014

flac vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

FLAC could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

  • flac
    – Free Lossless Audio Codec

Details

Michele Spagnuolo discovered that FLAC incorrectly handled certain
malformed audio files. An attacker could use this issue to cause FLAC to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • libflac8 1.3.0-2ubuntu0.14.10.1
  • libflac++6 1.3.0-2ubuntu0.14.10.1

Ubuntu 14.04 LTS:
  • libflac8 1.3.0-2ubuntu0.14.04.1
  • libflac++6 1.3.0-2ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  • libflac8 1.2.1-6ubuntu0.1
  • libflac++6 1.2.1-6ubuntu0.1

Ubuntu 10.04 LTS:
  • libflac8 1.2.1-2ubuntu0.1
  • libflac++6 1.2.1-2ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-8962, CVE-2014-9028

USN-2425-1: DBus vulnerability

Ubuntu Security Notice USN-2425-1

27th November, 2014

dbus vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

DBus could be made to stop responding under certain conditions.

Software description

  • dbus
    – simple interprocess messaging system

Details

It was discovered that DBus incorrectly handled a large number of file
descriptor messages. A local attacker could use this issue to cause DBus to
stop responding, resulting in a denial of service. (CVE-2014-7824)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • dbus 1.8.8-1ubuntu2.1
  • libdbus-1-3 1.8.8-1ubuntu2.1

Ubuntu 14.04 LTS:
  • dbus 1.6.18-0ubuntu4.3
  • libdbus-1-3 1.6.18-0ubuntu4.3

Ubuntu 12.04 LTS:
  • dbus 1.4.18-1ubuntu1.7
  • libdbus-1-3 1.4.18-1ubuntu1.7

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

CVE-2014-7824

USN-2423-1: ClamAV vulnerabilities

Ubuntu Security Notice USN-2423-1

26th November, 2014

clamav vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

ClamAV could be made to crash or run programs if it processed a specially
crafted file.

Software description

  • clamav
    – Anti-virus utility for Unix

Details

Kurt Seifried discovered that ClamAV incorrectly handled certain JavaScript
files. An attacker could possibly use this issue to cause ClamAV to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2013-6497)

Damien Millescamp discovered that ClamAV incorrectly handled certain PE
files. An attacker could possibly use this issue to cause ClamAV to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2014-9050)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • clamav 0.98.5+dfsg-0ubuntu0.14.10.1

Ubuntu 14.04 LTS:
  • clamav 0.98.5+addedllvm-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  • clamav 0.98.5+addedllvm-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

CVE-2013-6497, CVE-2014-9050

USN-2418-1: Linux kernel (OMAP4) vulnerabilities

Ubuntu Security Notice USN-2418-1

24th November, 2014

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-ti-omap4
    – Linux kernel for OMAP4

Details

Nadav Amit reported that the KVM (Kernel Virtual Machine) mishandles
noncanonical addresses when emulating instructions that change the rip
(Instruction Pointer). A guest user with access to I/O or the MMIO can use
this flaw to cause a denial of service (system crash) of the guest.
(CVE-2014-3647)

A flaw was discovered with the handling of the invept instruction in the
KVM (Kernel Virtual Machine) subsystem of the Linux kernel. An unprivileged
guest user could exploit this flaw to cause a denial of service (system
crash) on the guest. (CVE-2014-3646)

A flaw was discovered with invept instruction support when using nested EPT
in the KVM (Kernel Virtual Machine). An unprivileged guest user could
exploit this flaw to cause a denial of service (system crash) on the guest.
(CVE-2014-3645)

Lars Bull reported a race condition in the PIT (programmable interrupt
timer) emulation in the KVM (Kernel Virtual Machine) subsystem of the Linux
kernel. A local guest user with access to PIT I/O ports could exploit this
flaw to cause a denial of service (crash) on the host. (CVE-2014-3611)

Lars Bull and Nadav Amit reported a flaw in how KVM (the Kernel Virtual
Machine) handles noncanonical writes to certain MSR registers. A privileged
guest user can exploit this flaw to cause a denial of service (kernel
panic) on the host. (CVE-2014-3610)

A flaw in the handling of malformed ASCONF chunks by the SCTP (Stream Control
Transmission Protocol) implementation in the Linux kernel was discovered. A
remote attacker could exploit this flaw to cause a denial of service
(system crash). (CVE-2014-3673)

A flaw in the handling of duplicate ASCONF chunks by the SCTP (Stream Control
Transmission Protocol) implementation in the Linux kernel was discovered. A
remote attacker could exploit this flaw to cause a denial of service
(panic). (CVE-2014-3687)

It was discovered that excessive queuing by the SCTP (Stream Control
Transmission Protocol) implementation in the Linux kernel can cause memory
pressure. A remote attacker could exploit this flaw to cause a denial of
service. (CVE-2014-3688)

A flaw was discovered in how the Linux kernel’s KVM (Kernel Virtual
Machine) subsystem handles the CR4 control register at VM entry on Intel
processors. A local host OS user can exploit this to cause a denial of
service (kill arbitrary processes, or system disruption) by leveraging
/dev/kvm access. (CVE-2014-3690)

Don Bailey discovered a flaw in the LZO decompress algorithm used by the
Linux kernel. An attacker could exploit this flaw to cause a denial of
service (memory corruption or OOPS). (CVE-2014-4608)

It was discovered that the Linux kernel’s implementation of IPv6 did not
properly validate arguments in the ipv6_select_ident function. A local user
could exploit this flaw to cause a denial of service (system crash) by
leveraging tun or macvtap device access. (CVE-2014-7207)

Andy Lutomirski discovered that the Linux kernel did not check for the
CAP_SYS_ADMIN capability when remounting filesystems to read-only. A local user could
exploit this flaw to cause a denial of service (loss of writability).
(CVE-2014-7975)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • linux-image-3.2.0-1456-omap4 3.2.0-1456.76

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-3610, CVE-2014-3611, CVE-2014-3645, CVE-2014-3646, CVE-2014-3647,
CVE-2014-3673, CVE-2014-3687, CVE-2014-3688, CVE-2014-3690, CVE-2014-4608,
CVE-2014-7207, CVE-2014-7975