Ubuntu Security Notices

USN-3182-1: NTFS-3G vulnerability

Ubuntu Security Notice USN-3182-1

1st February, 2017

ntfs-3g vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS

Summary

NTFS-3G could be made to load kernel modules as an administrator.

Software description

  • ntfs-3g
    – read/write NTFS driver for FUSE

Details

Jann Horn discovered that NTFS-3G incorrectly filtered environment variables
when using the modprobe utility. A local attacker could possibly use this issue
to load arbitrary kernel modules.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • ntfs-3g 1:2016.2.22AR.1-3ubuntu0.1

Ubuntu 16.04 LTS:
  • ntfs-3g 1:2015.3.14AR.1-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-0358

USN-3185-1: libXpm vulnerability

Ubuntu Security Notice USN-3185-1

1st February, 2017

libxpm vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

libXpm could be made to crash or run programs if it opened a specially
crafted file.

Software description

  • libxpm
    – X11 pixmap library

Details

It was discovered that libXpm incorrectly handled certain XPM files. If a
user or automated system were tricked into opening a specially crafted XPM
file, a remote attacker could use this issue to cause libXpm to crash,
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • libxpm4 1:3.5.11-1ubuntu0.16.10.1

Ubuntu 16.04 LTS:
  • libxpm4 1:3.5.11-1ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  • libxpm4 1:3.5.10-1ubuntu0.1

Ubuntu 12.04 LTS:
  • libxpm4 1:3.5.9-4ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart your session to make
all the necessary changes.

References

CVE-2016-10164

USN-3184-1: Irssi vulnerabilities

Ubuntu Security Notice USN-3184-1

1st February, 2017

irssi vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Irssi.

Software description

  • irssi
    – terminal based IRC client

Details

It was discovered that the Irssi buf.pl script set incorrect permissions. A
local attacker could use this issue to retrieve another user’s window
contents. (CVE-2016-7553)

Joseph Bisch discovered that Irssi incorrectly handled comparing nicks. A
remote attacker could use this issue to cause Irssi to crash, resulting in
a denial of service, or possibly execute arbitrary code. (CVE-2017-5193)

It was discovered that Irssi incorrectly handled invalid nick messages. A
remote attacker could use this issue to cause Irssi to crash, resulting in
a denial of service, or possibly execute arbitrary code. (CVE-2017-5194)

Joseph Bisch discovered that Irssi incorrectly handled certain incomplete
control codes. A remote attacker could use this issue to cause Irssi to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
(CVE-2017-5195)

Hanno Böck and Joseph Bisch discovered that Irssi incorrectly handled
certain incomplete character sequences. A remote attacker could use this
issue to cause Irssi to crash, resulting in a denial of service. This issue
only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2017-5196)

Hanno Böck discovered that Irssi incorrectly handled certain format
strings. A remote attacker could use this issue to cause Irssi to crash,
resulting in a denial of service. (CVE-2017-5356)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • irssi 0.8.19-1ubuntu2.1

Ubuntu 16.04 LTS:
  • irssi 0.8.19-1ubuntu1.3

Ubuntu 14.04 LTS:
  • irssi 0.8.15-5ubuntu3.1

Ubuntu 12.04 LTS:
  • irssi 0.8.15-4ubuntu3.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Irssi to make all the
necessary changes.

References

CVE-2016-7553, CVE-2017-5193, CVE-2017-5194, CVE-2017-5195,
CVE-2017-5196, CVE-2017-5356

USN-3183-1: GnuTLS vulnerabilities

Ubuntu Security Notice USN-3183-1

1st February, 2017

gnutls26, gnutls28 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in GnuTLS.

Software description

  • gnutls26
    – GNU TLS library

  • gnutls28
    – GNU TLS library

Details

Stefan Buehler discovered that GnuTLS incorrectly verified the serial
length of OCSP responses. A remote attacker could possibly use this issue
to bypass certain certificate validation measures. This issue only applied
to Ubuntu 16.04 LTS. (CVE-2016-7444)

Shi Lei discovered that GnuTLS incorrectly handled certain warning alerts.
A remote attacker could possibly use this issue to cause GnuTLS to hang,
resulting in a denial of service. This issue has only been addressed in
Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8610)

It was discovered that GnuTLS incorrectly decoded X.509 certificates with a
Proxy Certificate Information extension. A remote attacker could use this
issue to cause GnuTLS to crash, resulting in a denial of service, or
possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 16.10. (CVE-2017-5334)

It was discovered that GnuTLS incorrectly handled certain OpenPGP
certificates. A remote attacker could possibly use this issue to cause
GnuTLS to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2017-5335, CVE-2017-5336, CVE-2017-5337)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • libgnutls30 3.5.3-5ubuntu1.1

Ubuntu 16.04 LTS:
  • libgnutls30 3.4.10-4ubuntu1.2

Ubuntu 14.04 LTS:
  • libgnutls26 2.12.23-12ubuntu2.6

Ubuntu 12.04 LTS:
  • libgnutls26 2.12.14-5ubuntu3.13

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-7444, CVE-2016-8610, CVE-2017-5334, CVE-2017-5335,
CVE-2017-5336, CVE-2017-5337

USN-3186-1: iucode-tool vulnerability

Ubuntu Security Notice USN-3186-1

1st February, 2017

iucode-tool vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS

Summary

iucode-tool could be made to crash or run programs if it opened a specially
crafted file.

Software description

  • iucode-tool
    – Intel processor microcode tool

Details

It was discovered that iucode-tool incorrectly handled certain microcodes
when using the -tr loader. If a user were tricked into processing a
specially crafted microcode, a remote attacker could use this issue to
cause iucode-tool to crash, resulting in a denial of service, or possibly
execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • iucode-tool 1.6.1-1ubuntu0.1

Ubuntu 16.04 LTS:
  • iucode-tool 1.5.1-1ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-0357

USN-3181-1: OpenSSL vulnerabilities

Ubuntu Security Notice USN-3181-1

31st January, 2017

openssl vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in OpenSSL.

Software description

  • openssl
    – Secure Socket Layer (SSL) cryptographic library and tools

Details

Guido Vranken discovered that OpenSSL used undefined behaviour when
performing pointer arithmetic. A remote attacker could possibly use this
issue to cause OpenSSL to crash, resulting in a denial of service. This
issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS as other
releases were fixed in a previous security update. (CVE-2016-2177)

It was discovered that OpenSSL did not properly handle Montgomery
multiplication, resulting in incorrect results leading to transient
failures. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10.
(CVE-2016-7055)

It was discovered that OpenSSL did not properly use constant-time
operations when performing ECDSA P-256 signing. A remote attacker could
possibly use this issue to perform a timing attack and recover private
ECDSA keys. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04
LTS. (CVE-2016-7056)

Shi Lei discovered that OpenSSL incorrectly handled certain warning alerts.
A remote attacker could possibly use this issue to cause OpenSSL to stop
responding, resulting in a denial of service. (CVE-2016-8610)

Robert Święcki discovered that OpenSSL incorrectly handled certain
truncated packets. A remote attacker could possibly use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2017-3731)

It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery
squaring procedure. While unlikely, a remote attacker could possibly use
this issue to recover private keys. This issue only applied to Ubuntu 16.04
LTS, and Ubuntu 16.10. (CVE-2017-3732)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • libssl1.0.0 1.0.2g-1ubuntu9.1

Ubuntu 16.04 LTS:
  • libssl1.0.0 1.0.2g-1ubuntu4.6

Ubuntu 14.04 LTS:
  • libssl1.0.0 1.0.1f-1ubuntu2.22

Ubuntu 12.04 LTS:
  • libssl1.0.0 1.0.1-4ubuntu5.39

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2016-2177, CVE-2016-7055, CVE-2016-7056, CVE-2016-8610,
CVE-2017-3731, CVE-2017-3732

USN-3165-1: Thunderbird vulnerabilities

Ubuntu Security Notice USN-3165-1

27th January, 2017

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Thunderbird.

Software description

  • thunderbird
    – Mozilla Open Source mail and newsgroup client

Details

Multiple memory safety issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9893, CVE-2017-5373)

Andrew Krasichkov discovered that event handlers on <marquee> elements
were executed despite a Content Security Policy (CSP) that disallowed
inline JavaScript. If a user were tricked into opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2016-9895)

A memory corruption issue was discovered in WebGL in some circumstances.
If a user were tricked into opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-9897)

A use-after-free was discovered when manipulating DOM subtrees in the
Editor. If a user were tricked into opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9898)

A use-after-free was discovered when manipulating DOM events and audio
elements. If a user were tricked into opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9899)

It was discovered that external resources that should be blocked when
loading SVG images can bypass security restrictions using data: URLs. An
attacker could potentially exploit this to obtain sensitive information.
(CVE-2016-9900)

Jann Horn discovered that JavaScript Map/Set were vulnerable to timing
attacks. If a user were tricked into opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
obtain sensitive information across domains. (CVE-2016-9904)

A crash was discovered in EnumerateSubDocuments while adding or removing
sub-documents. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to execute arbitrary code. (CVE-2016-9905)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked into opening
a specially crafted website in a browsing context, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5376)

Jann Horn discovered that an object’s address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked into opening a specially crafted website in a browsing context,
an attacker could potentially exploit this to obtain sensitive
information. (CVE-2017-5378)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked into opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2017-5380)

Armin Razmjou discovered that certain Unicode glyphs do not trigger
punycode display. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to spoof the URL bar contents. (CVE-2017-5383)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5396)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • thunderbird 1:45.7.0+build1-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
  • thunderbird 1:45.7.0+build1-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  • thunderbird 1:45.7.0+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  • thunderbird 1:45.7.0+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2016-9893, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898,
CVE-2016-9899, CVE-2016-9900, CVE-2016-9904, CVE-2016-9905,
CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378,
CVE-2017-5380, CVE-2017-5383, CVE-2017-5390, CVE-2017-5396

USN-3175-1: Firefox vulnerabilities

Ubuntu Security Notice USN-3175-1

27th January, 2017

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software description

  • firefox
    – Mozilla Open Source web browser

Details

Multiple memory safety issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5373, CVE-2017-5374)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked into opening
a specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5376)

Atte Kettunen discovered a memory corruption issue in Skia in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5377)

Jann Horn discovered that an object’s address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit this to obtain sensitive information. (CVE-2017-5378)

A use-after-free was discovered in Web Animations in some circumstances.
If a user were tricked into opening a specially crafted website, an
attacker could potentially exploit this to cause a denial of service via
application crash, or execute arbitrary code. (CVE-2017-5379)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2017-5380)

Jann Horn discovered that the “export” function in the Certificate Viewer
can force local filesystem navigation when the Common Name contains
slashes. If a user were tricked into exporting a specially crafted
certificate, an attacker could potentially exploit this to save content
with arbitrary filenames in unsafe locations. (CVE-2017-5381)

Jerri Rice discovered that the Feed preview for RSS feeds can be used to
capture errors and exceptions generated by privileged content. An attacker
could potentially exploit this to obtain sensitive information.
(CVE-2017-5382)

Armin Razmjou discovered that certain Unicode glyphs do not trigger
punycode display. An attacker could potentially exploit this to spoof the
URL bar contents. (CVE-2017-5383)

Paul Stone and Alex Chapman discovered that the full URL path is exposed
to JavaScript functions specified by Proxy Auto-Config (PAC) files. If a
user has enabled Web Proxy Auto Detect (WPAD), an attacker could
potentially exploit this to obtain sensitive information. (CVE-2017-5384)

Muneaki Nishimura discovered that data sent in multipart channels will
ignore the Referrer-Policy response headers. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2017-5385)

Muneaki Nishimura discovered that WebExtensions can affect other
extensions using the data: protocol. If a user were tricked into
installing a specially crafted addon, an attacker could potentially
exploit this to obtain sensitive information or gain additional
privileges. (CVE-2017-5386)

Mustafa Hasan discovered that the existence of local files can be
determined using the <track> element. An attacker could potentially
exploit this to obtain sensitive information. (CVE-2017-5387)

Cullen Jennings discovered that WebRTC can be used to generate large
amounts of UDP traffic. An attacker could potentially exploit this to
conduct Distributed Denial-of-Service (DDoS) attacks. (CVE-2017-5388)

Kris Maglione discovered that WebExtensions can use the mozAddonManager
API by modifying the CSP headers on sites with the appropriate permissions
and then using host requests to redirect script loads to a malicious site.
If a user were tricked into installing a specially crafted addon, an
attacker could potentially exploit this to install additional addons
without user permission. (CVE-2017-5389)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Jerri Rice discovered that about: pages used by content can load
privileged about: pages in iframes. An attacker could potentially exploit
this to gain additional privileges, in combination with a
content-injection bug in one of those about: pages. (CVE-2017-5391)

Stuart Colville discovered that mozAddonManager allows for the
installation of extensions from the CDN for addons.mozilla.org, a publicly
accessible site. If a user were tricked into installing a specially
crafted addon, an attacker could potentially exploit this, in combination
with a cross-site scripting (XSS) attack on Mozilla’s AMO sites, to
install additional addons. (CVE-2017-5393)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code. (CVE-2017-5396)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • firefox 51.0.1+build2-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
  • firefox 51.0.1+build2-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  • firefox 51.0.1+build2-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  • firefox 51.0.1+build2-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2017-5373, CVE-2017-5374, CVE-2017-5375, CVE-2017-5376,
CVE-2017-5377, CVE-2017-5378, CVE-2017-5379, CVE-2017-5380,
CVE-2017-5381, CVE-2017-5382, CVE-2017-5383, CVE-2017-5384,
CVE-2017-5385, CVE-2017-5386, CVE-2017-5387, CVE-2017-5388,
CVE-2017-5389, CVE-2017-5390, CVE-2017-5391, CVE-2017-5393,
CVE-2017-5396

USN-3179-1: OpenJDK 8 vulnerabilities

Ubuntu Security Notice USN-3179-1

25th January, 2017

openjdk-8 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in OpenJDK 8.

Software description

  • openjdk-8
    – Open Source Java implementation

Details

Karthik Bhargavan and Gaetan Leurent discovered that the DES and
Triple DES ciphers were vulnerable to birthday attacks. A remote
attacker could possibly use this flaw to obtain clear text data from
long encrypted sessions. This update moves those algorithms to the
legacy algorithm set and causes them to be used only if no non-legacy
algorithms can be negotiated. (CVE-2016-2183)

It was discovered that OpenJDK accepted ECDSA signatures using
non-canonical DER encoding. An attacker could use this to modify or
expose sensitive data. (CVE-2016-5546)

It was discovered that OpenJDK did not properly verify object
identifier (OID) length when reading Distinguished Encoding Rules
(DER) records, as used in X.509 certificates and elsewhere. An
attacker could use this to cause a denial of service (memory
consumption). (CVE-2016-5547)

It was discovered that covert timing channel vulnerabilities existed
in the DSA and ECDSA implementations in OpenJDK. A remote attacker
could use this to expose sensitive information. (CVE-2016-5548,
CVE-2016-5549)

It was discovered that the URLStreamHandler class in OpenJDK did not
properly parse user information from a URL. A remote attacker could
use this to expose sensitive information. (CVE-2016-5552)

It was discovered that the URLClassLoader class in OpenJDK did not
properly check access control context when downloading class files. A
remote attacker could use this to expose sensitive information.
(CVE-2017-3231)

It was discovered that the Remote Method Invocation (RMI)
implementation in OpenJDK performed deserialization of untrusted
inputs. A remote attacker could use this to execute arbitrary
code. (CVE-2017-3241)

It was discovered that the Java Authentication and Authorization
Service (JAAS) component of OpenJDK did not properly perform user
search LDAP queries. An attacker could use a specially constructed
LDAP entry to expose or modify sensitive information. (CVE-2017-3252)

It was discovered that the PNGImageReader class in OpenJDK did not
properly handle iTXt and zTXt chunks. An attacker could use this to
cause a denial of service (memory consumption). (CVE-2017-3253)

It was discovered that integer overflows existed in the
SocketInputStream and SocketOutputStream classes of OpenJDK. An
attacker could use this to expose sensitive information.
(CVE-2017-3261)

It was discovered that the atomic field updaters in the
java.util.concurrent.atomic package in OpenJDK did not properly
restrict access to protected field members. An attacker could use
this to specially craft a Java application or applet that could bypass
Java sandbox restrictions. (CVE-2017-3272)

It was discovered that a vulnerability existed in the class
construction implementation in OpenJDK. An attacker could use this
to specially craft a Java application or applet that could bypass
Java sandbox restrictions. (CVE-2017-3289)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 16.10:
  • openjdk-8-jdk 8u121-b13-0ubuntu1.16.10.2
  • openjdk-8-jre-headless 8u121-b13-0ubuntu1.16.10.2
  • openjdk-8-jre 8u121-b13-0ubuntu1.16.10.2
  • openjdk-8-jdk-headless 8u121-b13-0ubuntu1.16.10.2
  • openjdk-8-jre-zero 8u121-b13-0ubuntu1.16.10.2
  • openjdk-8-jre-jamvm 8u121-b13-0ubuntu1.16.10.2

Ubuntu 16.04 LTS:
  • openjdk-8-jdk 8u121-b13-0ubuntu1.16.04.2
  • openjdk-8-jre-headless 8u121-b13-0ubuntu1.16.04.2
  • openjdk-8-jre 8u121-b13-0ubuntu1.16.04.2
  • openjdk-8-jdk-headless 8u121-b13-0ubuntu1.16.04.2
  • openjdk-8-jre-zero 8u121-b13-0ubuntu1.16.04.2
  • openjdk-8-jre-jamvm 8u121-b13-0ubuntu1.16.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548,
CVE-2016-5549, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241,
CVE-2017-3252, CVE-2017-3253, CVE-2017-3261, CVE-2017-3272,
CVE-2017-3289

USN-3178-1: icoutils vulnerabilities

Ubuntu Security Notice USN-3178-1

24th January, 2017

icoutils vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

icoutils could be made to crash or run programs as your login if it opened
a specially crafted file.

Software description

  • icoutils
    – Create and extract MS Windows icons and cursors

Details

It was discovered that icoutils incorrectly handled memory when processing
certain files. If a user or automated system were tricked into opening a
specially crafted file, an attacker could cause icoutils to crash,
resulting in a denial of service, or possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • icoutils 0.29.1-2ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2017-5208, CVE-2017-5331, CVE-2017-5332, CVE-2017-5333