Category Archives: Ubuntu

Ubuntu Security Notices

USN-2344-1: PHP vulnerabilities

Ubuntu Security Notice USN-2344-1

9th September, 2014

php5 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

php5 could be made to crash or run programs if it received
specially crafted network traffic.

Software description

  • php5
    – HTML-embedded scripting language interpreter

Details

It was discovered that the Fileinfo component in php5 contains an integer
overflow. An attacker could use this flaw to cause a denial of service
or possibly execute arbitrary code via a crafted CDF file. (CVE-2014-3587)

It was discovered that the php_parserr function contains multiple buffer
overflows. An attacker could use this flaw to cause a denial of service
or possibly execute arbitrary code via crafted DNS records. (CVE-2014-3597)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
php5

5.5.9+dfsg-1ubuntu4.4
libapache2-mod-php5

5.5.9+dfsg-1ubuntu4.4
php5-fpm

5.5.9+dfsg-1ubuntu4.4
php5-cgi

5.5.9+dfsg-1ubuntu4.4
Ubuntu 12.04 LTS:
php5

5.3.10-1ubuntu3.14
libapache2-mod-php5

5.3.10-1ubuntu3.14
php5-fpm

5.3.10-1ubuntu3.14
php5-cgi

5.3.10-1ubuntu3.14
Ubuntu 10.04 LTS:
php5

5.3.2-1ubuntu4.27
libapache2-mod-php5

5.3.2-1ubuntu4.27
php5-cgi

5.3.2-1ubuntu4.27

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Apache or
php5-fpm to make all the necessary changes.

References

CVE-2014-3587,

CVE-2014-3597

USN-2343-1: NSS vulnerability

Ubuntu Security Notice USN-2343-1

9th September, 2014

nss vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

NSS could be made to crash or run programs as your login if it processed a
specially crafted certificate.

Software description

  • nss
    – Network Security Service library

Details

Tyson Smith and Jesse Schwartzentruber discovered that NSS contained a race
condition when performing certificate validation. An attacker could use
this issue to cause NSS to crash, resulting in a denial of service, or
possibly execute arbitrary code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
libnss3

2:3.15.4-1ubuntu7.1
Ubuntu 12.04 LTS:
libnss3

3.15.4-0ubuntu0.12.04.3
Ubuntu 10.04 LTS:
libnss3-1d

3.15.4-0ubuntu0.10.04.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any applications that
use NSS, such as Evolution and Chromium, to make all the necessary changes.

References

CVE-2014-1544

USN-2342-1: QEMU vulnerabilities

Ubuntu Security Notice USN-2342-1

8th September, 2014

qemu, qemu-kvm vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in QEMU.

Software description

  • qemu
    – Machine emulator and virtualizer

  • qemu-kvm
    – Machine emulator and virtualizer

Details

Michael S. Tsirkin, Anthony Liguori, and Michael Roth discovered multiple
issues with QEMU state loading after migration. An attacker able to modify
the state data could use these issues to cause a denial of service, or
possibly execute arbitrary code. (CVE-2013-4148, CVE-2013-4149,
CVE-2013-4150, CVE-2013-4151, CVE-2013-4526, CVE-2013-4527, CVE-2013-4529,
CVE-2013-4530, CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534,
CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538, CVE-2013-4539,
CVE-2013-4540, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182,
CVE-2014-3461)

Kevin Wolf, Stefan Hajnoczi, Fam Zheng, Jeff Cody, Stefan Hajnoczi, and
others discovered multiple issues in the QEMU block drivers. An attacker
able to modify disk images could use these issues to cause a denial of
service, or possibly execute arbitrary code. (CVE-2014-0142, CVE-2014-0143,
CVE-2014-0144, CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0222,
CVE-2014-0223)

It was discovered that QEMU incorrectly handled certain PCIe bus hotplug
operations. A malicious guest could use this issue to crash the QEMU host,
resulting in a denial of service. (CVE-2014-3471)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
qemu-system-misc

2.0.0+dfsg-2ubuntu1.3
qemu-system

2.0.0+dfsg-2ubuntu1.3
qemu-system-aarch64

2.0.0+dfsg-2ubuntu1.3
qemu-system-x86

2.0.0+dfsg-2ubuntu1.3
qemu-system-sparc

2.0.0+dfsg-2ubuntu1.3
qemu-system-arm

2.0.0+dfsg-2ubuntu1.3
qemu-system-ppc

2.0.0+dfsg-2ubuntu1.3
qemu-system-mips

2.0.0+dfsg-2ubuntu1.3
Ubuntu 12.04 LTS:
qemu-kvm

1.0+noroms-0ubuntu14.17
Ubuntu 10.04 LTS:
qemu-kvm

0.12.3+noroms-0ubuntu9.24

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2013-4148,

CVE-2013-4149,

CVE-2013-4150,

CVE-2013-4151,

CVE-2013-4526,

CVE-2013-4527,

CVE-2013-4529,

CVE-2013-4530,

CVE-2013-4531,

CVE-2013-4532,

CVE-2013-4533,

CVE-2013-4534,

CVE-2013-4535,

CVE-2013-4536,

CVE-2013-4537,

CVE-2013-4538,

CVE-2013-4539,

CVE-2013-4540,

CVE-2013-4541,

CVE-2013-4542,

CVE-2013-6399,

CVE-2014-0142,

CVE-2014-0143,

CVE-2014-0144,

CVE-2014-0145,

CVE-2014-0146,

CVE-2014-0147,

CVE-2014-0182,

CVE-2014-0222,

CVE-2014-0223,

CVE-2014-3461,

CVE-2014-3471

USN-2351-1: nginx vulnerability

Ubuntu Security Notice USN-2351-1

22nd September, 2014

nginx vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

nginx could be made to expose sensitive information over the network.

Software description

  • nginx
    – small, powerful, scalable web/proxy server

Details

Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that nginx
incorrectly reused cached SSL sessions. An attacker could possibly use this
issue in certain configurations to obtain access to information from a
different virtual host.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
nginx-extras

1.4.6-1ubuntu3.1
nginx-full

1.4.6-1ubuntu3.1
nginx-core

1.4.6-1ubuntu3.1
nginx-light

1.4.6-1ubuntu3.1
nginx-naxsi

1.4.6-1ubuntu3.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3616

USN-2341-1: CUPS vulnerabilities

Ubuntu Security Notice USN-2341-1

8th September, 2014

cups vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

CUPS could be made to expose sensitive information, leading to privilege
escalation.

Software description

  • cups
    – Common UNIX Printing System(tm)

Details

Salvatore Bonaccorso discovered that the CUPS web interface incorrectly
validated permissions and incorrectly handled symlinks. An attacker could
possibly use this issue to bypass file permissions and read arbitrary
files, possibly leading to a privilege escalation.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
cups

1.7.2-0ubuntu1.2
Ubuntu 12.04 LTS:
cups

1.5.3-0ubuntu8.5
Ubuntu 10.04 LTS:
cups

1.4.3-1ubuntu1.13

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-5029,

CVE-2014-5030,

CVE-2014-5031

USN-2350-1: NSS update

Ubuntu Security Notice USN-2350-1

22nd September, 2014

nss update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

NSS was updated to refresh the CA certificates bundle.

Software description

  • nss
    – Network Security Service library

Details

The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.17 which includes the latest CA certificate
bundle.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
libnss3

2:3.17-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
libnss3

3.17-0ubuntu0.12.04.1
Ubuntu 10.04 LTS:
libnss3-1d

3.17-0ubuntu0.10.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

References

LP: 1372410

USN-2306-3: GNU C Library regression

Ubuntu Security Notice USN-2306-3

8th September, 2014

eglibc regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 10.04 LTS

Summary

USN-2306-1 introduced a regression in the GNU C Library.

Software description

  • eglibc
    – GNU C Library

Details

USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04 LTS,
the fix for CVE-2013-4357 introduced a memory leak in getaddrinfo. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Maksymilian Arciemowicz discovered that the GNU C Library incorrectly
handled the getaddrinfo() function. An attacker could use this issue to
cause a denial of service. This issue only affected Ubuntu 10.04 LTS.
(CVE-2013-4357)

It was discovered that the GNU C Library incorrectly handled the
getaddrinfo() function. An attacker could use this issue to cause a denial
of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2013-4458)

Stephane Chazelas discovered that the GNU C Library incorrectly handled
locale environment variables. An attacker could use this issue to possibly
bypass certain restrictions such as the ForceCommand restrictions in
OpenSSH. (CVE-2014-0475)

David Reid, Glyph Lefkowitz, and Alex Gaynor discovered that the GNU C
Library incorrectly handled posix_spawn_file_actions_addopen() path
arguments. An attacker could use this issue to cause a denial of service.
(CVE-2014-4043)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:
libc6

2.11.1-0ubuntu7.17

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

LP: 1364584

USN-2349-1: Libav vulnerabilities

Ubuntu Security Notice USN-2349-1

17th September, 2014

libav vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Libav could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

  • libav
    – Multimedia player, server, encoder and transcoder

Details

It was discovered that Libav incorrectly handled certain malformed media
files. If a user were tricked into opening a crafted media file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
libavformat53

4:0.8.16-0ubuntu0.12.04.1
libavcodec53

4:0.8.16-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

LP: 1370175

USN-2340-1: procmail vulnerability

Ubuntu Security Notice USN-2340-1

4th September, 2014

procmail vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

formail could be made to crash or run programs if it processed specially
crafted mail.

Software description

  • procmail
    – Versatile e-mail processor

Details

Tavis Ormandy discovered that the formail tool incorrectly handled certain
malformed mail headers. An attacker could use this flaw to cause formail to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
procmail

3.22-21ubuntu0.1
Ubuntu 12.04 LTS:
procmail

3.22-19ubuntu0.1
Ubuntu 10.04 LTS:
procmail

3.22-18ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3618

USN-2319-3: OpenJDK 7 update

Ubuntu Security Notice USN-2319-3

16th September, 2014

openjdk-7 update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

This update provides stability updates for OpenJDK 7.

Software description

  • openjdk-7
    – Open Source Java implementation

Details

USN-2319-1 fixed vulnerabilities in OpenJDK 7. This update provides
stability fixes for the arm64 and ppc64el architectures.

Original advisory details:

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-2483, CVE-2014-2490, CVE-2014-4216, CVE-2014-4219,
CVE-2014-4223, CVE-2014-4262)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-4209, CVE-2014-4244,
CVE-2014-4263)

Two vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-4218, CVE-2014-4266)

A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2014-4264)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-4221, CVE-2014-4252, CVE-2014-4268)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
openjdk-7-jre-lib

7u65-2.5.2-3~14.04
openjdk-7-jre-zero

7u65-2.5.2-3~14.04
icedtea-7-jre-jamvm

7u65-2.5.2-3~14.04
openjdk-7-jre-headless

7u65-2.5.2-3~14.04
openjdk-7-jre

7u65-2.5.2-3~14.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

LP: 1370307