Ubuntu Security Notices

USN-2391-1: php5 vulnerabilities

Ubuntu Security Notice USN-2391-1

30th October, 2014

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in PHP.

Software description

  • php5
    – HTML-embedded scripting language interpreter

Details

Symeon Paraschoudis discovered that PHP incorrectly handled the mkgmtime
function. A remote attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2014-3668)

Symeon Paraschoudis discovered that PHP incorrectly handled unserializing
objects. A remote attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2014-3669)

Otto Ebeling discovered that PHP incorrectly handled the exif_thumbnail
function. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2014-3670)

Francisco Alonso discovered that PHP incorrectly handled ELF files in the fileinfo
extension. A remote attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2014-3710)

It was discovered that PHP incorrectly handled NULL bytes when processing
certain URLs with the curl functions. A remote attacker could possibly use
this issue to bypass filename restrictions and obtain access to sensitive
files. (No CVE number)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • php5-cli 5.5.12+dfsg-2ubuntu4.1
  • php5-cgi 5.5.12+dfsg-2ubuntu4.1
  • php5-xmlrpc 5.5.12+dfsg-2ubuntu4.1
  • php5-curl 5.5.12+dfsg-2ubuntu4.1
  • libapache2-mod-php5 5.5.12+dfsg-2ubuntu4.1
  • php5-fpm 5.5.12+dfsg-2ubuntu4.1

Ubuntu 14.04 LTS:
  • php5-cli 5.5.9+dfsg-1ubuntu4.5
  • php5-cgi 5.5.9+dfsg-1ubuntu4.5
  • php5-xmlrpc 5.5.9+dfsg-1ubuntu4.5
  • php5-curl 5.5.9+dfsg-1ubuntu4.5
  • libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.5
  • php5-fpm 5.5.9+dfsg-1ubuntu4.5

Ubuntu 12.04 LTS:
  • php5-cli 5.3.10-1ubuntu3.15
  • php5-cgi 5.3.10-1ubuntu3.15
  • php5-xmlrpc 5.3.10-1ubuntu3.15
  • php5-curl 5.3.10-1ubuntu3.15
  • libapache2-mod-php5 5.3.10-1ubuntu3.15
  • php5-fpm 5.3.10-1ubuntu3.15

Ubuntu 10.04 LTS:
  • php5-cli 5.3.2-1ubuntu4.28
  • php5-cgi 5.3.2-1ubuntu4.28
  • libapache2-mod-php5 5.3.2-1ubuntu4.28
  • php5-curl 5.3.2-1ubuntu4.28
  • php5-xmlrpc 5.3.2-1ubuntu4.28

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3668, CVE-2014-3669, CVE-2014-3670, CVE-2014-3710

USN-2390-1: Pidgin vulnerabilities

Ubuntu Security Notice USN-2390-1

28th October, 2014

pidgin vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Pidgin.

Software description

  • pidgin
    – graphical multi-protocol instant messaging client for X

Details

Jacob Appelbaum and an anonymous person discovered that Pidgin incorrectly
handled certificate validation. A remote attacker could exploit this to
perform a man in the middle attack to view sensitive information or alter
encrypted communications. (CVE-2014-3694)

Yves Younan and Richard Johnson discovered that Pidgin incorrectly handled
certain malformed MXit emoticons. A malicious remote server or a man in the
middle could use this issue to cause Pidgin to crash, resulting in a denial
of service. (CVE-2014-3695)

Yves Younan and Richard Johnson discovered that Pidgin incorrectly handled
certain malformed Groupwise messages. A malicious remote server or a man in
the middle could use this issue to cause Pidgin to crash, resulting in a
denial of service. (CVE-2014-3696)

Thijs Alkemade and Paul Aurich discovered that Pidgin incorrectly handled
memory when processing XMPP messages. A malicious remote server or user
could use this issue to cause Pidgin to disclose arbitrary memory,
resulting in an information leak. (CVE-2014-3698)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • pidgin 1:2.10.9-0ubuntu7.1
  • libpurple0 1:2.10.9-0ubuntu7.1

Ubuntu 14.04 LTS:
  • pidgin 1:2.10.9-0ubuntu3.2
  • libpurple0 1:2.10.9-0ubuntu3.2

Ubuntu 12.04 LTS:
  • pidgin 1:2.10.3-0ubuntu1.6
  • libpurple0 1:2.10.3-0ubuntu1.6

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Pidgin to make all the
necessary changes.

References

CVE-2014-3694, CVE-2014-3695, CVE-2014-3696, CVE-2014-3698

USN-2389-1: libxml2 vulnerability

Ubuntu Security Notice USN-2389-1

27th October, 2014

libxml2 vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

libxml2 could be made to consume resources if it processed a specially
crafted file.

Software description

  • libxml2
    – GNOME XML library

Details

It was discovered that libxml2 would incorrectly perform entity
substitution even when requested not to. If a user or automated system were
tricked into opening a specially crafted document, an attacker could
possibly cause resource consumption, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • libxml2 2.9.1+dfsg1-3ubuntu4.4

Ubuntu 12.04 LTS:
  • libxml2 2.7.8.dfsg-5.1ubuntu4.11

Ubuntu 10.04 LTS:
  • libxml2 2.7.6.dfsg-1ubuntu1.15

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2014-3660

USN-2388-2: OpenJDK 7 vulnerabilities

Ubuntu Security Notice USN-2388-2

23rd October, 2014

openjdk-7 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10

Summary

Several security issues were fixed in OpenJDK 7.

Software description

  • openjdk-7
    – Open Source Java implementation

Details

USN-2388-1 fixed vulnerabilities in OpenJDK 7 for Ubuntu 14.04 LTS. This
update provides the corresponding updates for Ubuntu 14.10.

Original advisory details:

A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to expose
sensitive data over the network. (CVE-2014-6457)

Several vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-6502, CVE-2014-6512, CVE-2014-6519, CVE-2014-6527,
CVE-2014-6558)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-6504, CVE-2014-6511, CVE-2014-6517,
CVE-2014-6531)

Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-6506, CVE-2014-6513)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • openjdk-7-jre-lib 7u71-2.5.3-0ubuntu1
  • openjdk-7-jre-zero 7u71-2.5.3-0ubuntu1
  • icedtea-7-jre-jamvm 7u71-2.5.3-0ubuntu1
  • openjdk-7-jre-headless 7u71-2.5.3-0ubuntu1
  • openjdk-7-jre 7u71-2.5.3-0ubuntu1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

This update contains known regressions in the JamVM alternative Java
Virtual Machine and a future update will correct these issues. See
https://launchpad.net/bugs/1382205 for details. We apologize for the
inconvenience.

References

CVE-2014-6457, CVE-2014-6502, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511,
CVE-2014-6512, CVE-2014-6513, CVE-2014-6517, CVE-2014-6519, CVE-2014-6531,
CVE-2014-6558

USN-2388-1: OpenJDK 7 vulnerabilities

Ubuntu Security Notice USN-2388-1

22nd October, 2014

openjdk-7 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in OpenJDK 7.

Software description

  • openjdk-7
    – Open Source Java implementation

Details

A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to expose
sensitive data over the network. (CVE-2014-6457)

Several vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-6502, CVE-2014-6512, CVE-2014-6519, CVE-2014-6527,
CVE-2014-6558)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-6504, CVE-2014-6511, CVE-2014-6517,
CVE-2014-6531)

Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-6506, CVE-2014-6513)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • openjdk-7-jre-lib 7u71-2.5.3-0ubuntu0.14.04.1
  • openjdk-7-jre-zero 7u71-2.5.3-0ubuntu0.14.04.1
  • icedtea-7-jre-jamvm 7u71-2.5.3-0ubuntu0.14.04.1
  • openjdk-7-jre-headless 7u71-2.5.3-0ubuntu0.14.04.1
  • openjdk-7-jre 7u71-2.5.3-0ubuntu0.14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

This update contains known regressions in the JamVM alternative Java
Virtual Machine and a future update will correct these issues. See
https://launchpad.net/bugs/1382205 for details. We apologize for the
inconvenience.

References

CVE-2014-6457, CVE-2014-6502, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511,
CVE-2014-6512, CVE-2014-6517, CVE-2014-6519, CVE-2014-6527, CVE-2014-6531,
CVE-2014-6558, LP: 1382205

USN-2387-1: pollinate update

Ubuntu Security Notice USN-2387-1

22nd October, 2014

pollinate update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

The certificate bundled with pollinate has been refreshed.

Software description

  • pollinate
    – seed the pseudo random number generator in virtual machines

Details

The pollinate package bundles the certificate for entropy.ubuntu.com. This
update refreshes the certificate to match the one currently used on the
server.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • pollinate 4.7-0ubuntu1.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

LP: 1381359

USN-2386-1: OpenJDK 6 vulnerabilities

Ubuntu Security Notice USN-2386-1

16th October, 2014

openjdk-6 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in OpenJDK 6.

Software description

  • openjdk-6
    – Open Source Java implementation

Details

A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to expose
sensitive data over the network. (CVE-2014-6457)

Several vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-6502, CVE-2014-6512, CVE-2014-6519, CVE-2014-6558)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-6504, CVE-2014-6511, CVE-2014-6517,
CVE-2014-6531)

Two vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-6506, CVE-2014-6513)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • icedtea-6-jre-cacao 6b33-1.13.5-1ubuntu0.12.04
  • icedtea-6-jre-jamvm 6b33-1.13.5-1ubuntu0.12.04
  • openjdk-6-jre 6b33-1.13.5-1ubuntu0.12.04
  • openjdk-6-jre-headless 6b33-1.13.5-1ubuntu0.12.04
  • openjdk-6-jre-zero 6b33-1.13.5-1ubuntu0.12.04
  • openjdk-6-jre-lib 6b33-1.13.5-1ubuntu0.12.04

Ubuntu 10.04 LTS:
  • openjdk-6-jre-headless 6b33-1.13.5-1ubuntu0.10.04
  • openjdk-6-jre-lib 6b33-1.13.5-1ubuntu0.10.04
  • icedtea-6-jre-cacao 6b33-1.13.5-1ubuntu0.10.04
  • openjdk-6-jre 6b33-1.13.5-1ubuntu0.10.04
  • openjdk-6-jre-zero 6b33-1.13.5-1ubuntu0.10.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

This update contains known regressions in the community supported JamVM
alternative Java Virtual Machine and a future update will correct these
issues. See https://launchpad.net/bugs/1382205 for details. We apologize
for the inconvenience.

References

CVE-2014-6457, CVE-2014-6502, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511,
CVE-2014-6512, CVE-2014-6517, CVE-2014-6519, CVE-2014-6531, CVE-2014-6558,
LP: 1382205

USN-2385-1: OpenSSL vulnerabilities

Ubuntu Security Notice USN-2385-1

16th October, 2014

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in OpenSSL.

Software description

  • openssl
    – Secure Socket Layer (SSL) cryptographic library and tools

Details

It was discovered that OpenSSL incorrectly handled memory when parsing
DTLS SRTP extension data. A remote attacker could possibly use this issue
to cause OpenSSL to consume resources, resulting in a denial of service.
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-3513)

It was discovered that OpenSSL incorrectly handled memory when verifying
the integrity of a session ticket. A remote attacker could possibly use
this issue to cause OpenSSL to consume resources, resulting in a denial of
service. (CVE-2014-3567)

In addition, this update introduces support for the TLS Fallback Signaling
Cipher Suite Value (TLS_FALLBACK_SCSV). This new feature prevents protocol
downgrade attacks when certain applications such as web browsers attempt
to reconnect using a lower protocol version for interoperability reasons.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • libssl1.0.0 1.0.1f-1ubuntu2.7

Ubuntu 12.04 LTS:
  • libssl1.0.0 1.0.1-4ubuntu5.20

Ubuntu 10.04 LTS:
  • libssl0.9.8 0.9.8k-7ubuntu8.22

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

CVE-2014-3513, CVE-2014-3567

USN-2384-1: MySQL vulnerabilities

Ubuntu Security Notice USN-2384-1

15th October, 2014

mysql-5.5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in MySQL.

Software description

  • mysql-5.5
    – MySQL database

Details

Multiple security issues were discovered in MySQL and this update includes
a new upstream MySQL version to fix these issues. MySQL has been updated to
5.5.40.

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-39.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-40.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • mysql-server-5.5 5.5.40-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  • mysql-server-5.5 5.5.40-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2012-5615, CVE-2014-4274, CVE-2014-4287, CVE-2014-6463, CVE-2014-6464,
CVE-2014-6469, CVE-2014-6478, CVE-2014-6484, CVE-2014-6491, CVE-2014-6494,
CVE-2014-6495, CVE-2014-6496, CVE-2014-6500, CVE-2014-6505, CVE-2014-6507,
CVE-2014-6520, CVE-2014-6530, CVE-2014-6551, CVE-2014-6555, CVE-2014-6559

USN-2373-1: Thunderbird vulnerabilities

Ubuntu Security Notice USN-2373-1

15th October, 2014

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

  • thunderbird
    – Mozilla Open Source mail and newsgroup client

Details

Bobby Holley, Christian Holler, David Bolter, Byron Campen and Jon
Coppeard discovered multiple memory safety issues in Thunderbird. If a
user were tricked into opening a specially crafted message with scripting
enabled, an attacker could potentially exploit these to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking Thunderbird. (CVE-2014-1574)

Atte Kettunen discovered a buffer overflow during CSS manipulation. If a
user were tricked into opening a specially crafted message, an attacker
could potentially exploit this to cause a denial of service via
application crash or execute arbitrary code with the privileges of the
user invoking Thunderbird. (CVE-2014-1576)

Holger Fuhrmannek discovered an out-of-bounds read with Web Audio. If a
user were tricked into opening a specially crafted message with scripting
enabled, an attacker could potentially exploit this to steal sensitive
information. (CVE-2014-1577)

Abhishek Arya discovered an out-of-bounds write when buffering WebM video
in some circumstances. If a user were tricked into opening a specially
crafted message with scripting enabled, an attacker could potentially
exploit this to cause a denial of service via application crash or execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2014-1578)

A use-after-free was discovered during text layout in some circumstances.
If a user were tricked into opening a specially crafted message with
scripting enabled, an attacker could potentially exploit this to cause a
denial of service via application crash or execute arbitrary code with
the privileges of the user invoking Thunderbird. (CVE-2014-1581)

Eric Shepherd and Jan-Ivar Bruaroey discovered issues with video sharing
via WebRTC in iframes, where video continues to be shared after being
stopped and navigating to a new site doesn’t turn off the camera. An
attacker could potentially exploit this to access the camera without the
user being aware. (CVE-2014-1585, CVE-2014-1586)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • thunderbird 1:31.2.0+build2-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  • thunderbird 1:31.2.0+build2-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2014-1574, CVE-2014-1576, CVE-2014-1577, CVE-2014-1578, CVE-2014-1581,
CVE-2014-1585, CVE-2014-1586