Ubuntu Security Notice USN-2340-1

4th September, 2014

procmail vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

formail could be made to crash or run programs if it processed specially
crafted mail.

Software description

• procmail
  – Versatile e-mail processor

Details

Tavis Ormandy discovered that the formail tool incorrectly handled certain
malformed mail headers. An attacker could use this flaw to cause formail to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

procmail

3.22-21ubuntu0.1

Ubuntu 12.04 LTS:

procmail

3.22-19ubuntu0.1

Ubuntu 10.04 LTS:

procmail

3.22-18ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3618

Ubuntu Security Notice USN-2319-3

16th September, 2014

openjdk-7 update

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

This update provides stability updates for OpenJDK 7.

Software description

• openjdk-7
  – Open Source Java implementation

Details

USN-2319-1 fixed vulnerabilities in OpenJDK 7. This update provides
stability fixes for the arm64 and ppc64el architectures.

Original advisory details:

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-2483, CVE-2014-2490, CVE-2014-4216, CVE-2014-4219,
CVE-2014-4223, CVE-2014-4262)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-4209, CVE-2014-4244,
CVE-2014-4263)

Two vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-4218, CVE-2014-4266)

A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2014-4264)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-4221, CVE-2014-4252, CVE-2014-4268)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

openjdk-7-jre-lib

7u65-2.5.2-3~14.04

openjdk-7-jre-zero

7u65-2.5.2-3~14.04

icedtea-7-jre-jamvm

7u65-2.5.2-3~14.04

openjdk-7-jre-headless

7u65-2.5.2-3~14.04

openjdk-7-jre

7u65-2.5.2-3~14.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

LP: 1370307

Ubuntu Security Notice USN-2348-1

16th September, 2014

apt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in APT.

Software description

• apt
  – Advanced front-end for dpkg

Details

It was discovered that APT did not re-verify downloaded files when the
If-Modified-Since wasn’t met. (CVE-2014-0487)

It was discovered that APT did not invalidate repository data when it
switched from an unauthenticated to an authenticated state. (CVE-2014-0488)

It was discovered that the APT Acquire::GzipIndexes option caused APT to
skip checksum validation. This issue only applied to Ubuntu 12.04 LTS and
Ubuntu 14.04 LTS, and was not enabled by default. (CVE-2014-0489)

It was discovered that APT did not correctly validate signatures when
manually downloading packages using the download command. This issue only
applied to Ubuntu 12.04 LTS. (CVE-2014-0490)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

apt

1.0.1ubuntu2.3

Ubuntu 12.04 LTS:

apt

0.8.16~exp12ubuntu10.19

Ubuntu 10.04 LTS:

apt

0.7.25.3ubuntu9.16

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-0487,

CVE-2014-0488,

CVE-2014-0489,

CVE-2014-0490

Ubuntu Security Notice USN-2347-1

16th September, 2014

python-django vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in Django.

Software description

• python-django
  – High-level Python web development framework

Details

Florian Apolloner discovered that Django incorrectly validated URLs. A
remote attacker could use this issue to conduct phishing attacks.
(CVE-2014-0480)

David Wilson discovered that Django incorrectly handled file name
generation. A remote attacker could use this issue to cause Django to
consume resources, resulting in a denial of service. (CVE-2014-0481)

David Greisen discovered that Django incorrectly handled certain headers in
contrib.auth.middleware.RemoteUserMiddleware. A remote authenticated user
could use this issue to hijack web sessions. (CVE-2014-0482)

Collin Anderson discovered that Django incorrectly checked if a field
represented a relationship between models in the administrative interface.
A remote authenticated user could use this issue to possibly obtain
sensitive information. (CVE-2014-0483)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

python-django

1.6.1-2ubuntu0.4

Ubuntu 12.04 LTS:

python-django

1.3.1-4ubuntu1.12

Ubuntu 10.04 LTS:

python-django

1.1.1-2ubuntu1.13

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-0480,

CVE-2014-0481,

CVE-2014-0482,

CVE-2014-0483

Ubuntu Security Notice USN-2356-1

23rd September, 2014

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux
  – Linux kernel

Details

Jack Morgenstein reported a flaw in the page handling of the KVM (Kerenl
Virtual Machine) subsystem in the Linux kernel. A guest OS user could
exploit this flaw to cause a denial of service (host OS memory corruption)
or possibly have other unspecified impact on the host OS. (CVE-2014-3601)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:

linux-image-3.2.0-69-powerpc64-smp

3.2.0-69.103

linux-image-3.2.0-69-powerpc-smp

3.2.0-69.103

linux-image-3.2.0-69-generic-pae

3.2.0-69.103

linux-image-3.2.0-69-virtual

3.2.0-69.103

linux-image-3.2.0-69-highbank

3.2.0-69.103

linux-image-3.2.0-69-omap

3.2.0-69.103

linux-image-3.2.0-69-generic

3.2.0-69.103

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-3601,

CVE-2014-5471,

CVE-2014-5472

Ubuntu Security Notice USN-2364-1

27th September, 2014

bash vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in Bash.

Software description

• bash
  – GNU Bourne Again SHell

Details

Florian Weimer and Todd Sabin discovered that the Bash parser incorrectly
handled memory. An attacker could possibly use this issue to bypass certain
environment restrictions and execute arbitrary code. (CVE-2014-7186,
CVE-2014-7187)

In addition, this update introduces a hardening measure which adds prefixes
and suffixes around environment variable names which contain shell
functions.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

bash

4.3-7ubuntu1.4

Ubuntu 12.04 LTS:

bash

4.2-2ubuntu2.5

Ubuntu 10.04 LTS:

bash

4.1-2ubuntu3.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7186,

CVE-2014-7187

Ubuntu Security Notice USN-2355-1

23rd September, 2014

linux-ec2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux-ec2
  – Linux kernel for EC2

Details

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:

linux-image-2.6.32-370-ec2

2.6.32-370.86

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-5471,

CVE-2014-5472

Ubuntu Security Notice USN-2363-2

25th September, 2014

bash vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS

Summary

Bash allowed bypassing environment restrictions in certain environments.

Software description

• bash
  – GNU Bourne Again SHell

Details

USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch
for CVE-2014-7169 didn’t get properly applied in the Ubuntu 14.04 LTS
package. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Tavis Ormandy discovered that the security fix for Bash included in
USN-2362-1 was incomplete. An attacker could use this issue to bypass
certain environment restrictions. (CVE-2014-7169)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

bash

4.3-7ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7169

Ubuntu Security Notice USN-2354-1

23rd September, 2014

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux
  – Linux kernel

Details

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:

linux-image-2.6.32-66-lpia

2.6.32-66.132

linux-image-2.6.32-66-generic-pae

2.6.32-66.132

linux-image-2.6.32-66-sparc64

2.6.32-66.132

linux-image-2.6.32-66-ia64

2.6.32-66.132

linux-image-2.6.32-66-386

2.6.32-66.132

linux-image-2.6.32-66-powerpc

2.6.32-66.132

linux-image-2.6.32-66-versatile

2.6.32-66.132

linux-image-2.6.32-66-generic

2.6.32-66.132

linux-image-2.6.32-66-powerpc64-smp

2.6.32-66.132

linux-image-2.6.32-66-preempt

2.6.32-66.132

linux-image-2.6.32-66-powerpc-smp

2.6.32-66.132

linux-image-2.6.32-66-server

2.6.32-66.132

linux-image-2.6.32-66-sparc64-smp

2.6.32-66.132

linux-image-2.6.32-66-virtual

2.6.32-66.132

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-5471,

CVE-2014-5472

Ubuntu Security Notice USN-2363-1

25th September, 2014

bash vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Bash allowed bypassing environment restrictions in certain environments.

Software description

• bash
  – GNU Bourne Again SHell

Details

Tavis Ormandy discovered that the security fix for Bash included in
USN-2362-1 was incomplete. An attacker could use this issue to bypass
certain environment restrictions. (CVE-2014-7169)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

bash

4.3-7ubuntu1.2

Ubuntu 12.04 LTS:

bash

4.2-2ubuntu2.3

Ubuntu 10.04 LTS:

bash

4.1-2ubuntu3.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7169