Category Archives: Ubuntu

Ubuntu Security Notices

Ubuntu

USN-2306-3: GNU C Library regression

Leave a comment

Ubuntu Security Notice USN-2306-3

8th September, 2014

eglibc regression

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 10.04 LTS

Summary

USN-2306-1 introduced a regression in the GNU C Library.

Software description

  • eglibc
    – GNU C Library

Details

USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04 LTS,
the fix for CVE-2013-4357 introduced a memory leak in getaddrinfo. This
update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Maksymilian Arciemowicz discovered that the GNU C Library incorrectly
handled the getaddrinfo() function. An attacker could use this issue to
cause a denial of service. This issue only affected Ubuntu 10.04 LTS.
(CVE-2013-4357)

It was discovered that the GNU C Library incorrectly handled the
getaddrinfo() function. An attacker could use this issue to cause a denial
of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2013-4458)

Stephane Chazelas discovered that the GNU C Library incorrectly handled
locale environment variables. An attacker could use this issue to possibly
bypass certain restrictions such as the ForceCommand restrictions in
OpenSSH. (CVE-2014-0475)

David Reid, Glyph Lefkowitz, and Alex Gaynor discovered that the GNU C
Library incorrectly handled posix_spawn_file_actions_addopen() path
arguments. An attacker could use this issue to cause a denial of service.
(CVE-2014-4043)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:
libc6

2.11.1-0ubuntu7.17

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

LP: 1364584

Ubuntu

USN-2349-1: Libav vulnerabilities

Leave a comment

Ubuntu Security Notice USN-2349-1

17th September, 2014

libav vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Libav could be made to crash or run programs as your login if it opened a
specially crafted file.

Software description

  • libav
    – Multimedia player, server, encoder and transcoder

Details

It was discovered that Libav incorrectly handled certain malformed media
files. If a user were tricked into opening a crafted media file, an
attacker could cause a denial of service via application crash, or possibly
execute arbitrary code with the privileges of the user invoking the
program.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
libavformat53

4:0.8.16-0ubuntu0.12.04.1
libavcodec53

4:0.8.16-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

LP: 1370175

Ubuntu

USN-2340-1: procmail vulnerability

Leave a comment

Ubuntu Security Notice USN-2340-1

4th September, 2014

procmail vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

formail could be made to crash or run programs if it processed specially
crafted mail.

Software description

  • procmail
    – Versatile e-mail processor

Details

Tavis Ormandy discovered that the formail tool incorrectly handled certain
malformed mail headers. An attacker could use this flaw to cause formail to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
procmail

3.22-21ubuntu0.1
Ubuntu 12.04 LTS:
procmail

3.22-19ubuntu0.1
Ubuntu 10.04 LTS:
procmail

3.22-18ubuntu1.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3618

Ubuntu

USN-2319-3: OpenJDK 7 update

Leave a comment

Ubuntu Security Notice USN-2319-3

16th September, 2014

openjdk-7 update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

This update provides stability updates for OpenJDK 7.

Software description

  • openjdk-7
    – Open Source Java implementation

Details

USN-2319-1 fixed vulnerabilities in OpenJDK 7. This update provides
stability fixes for the arm64 and ppc64el architectures.

Original advisory details:

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-2483, CVE-2014-2490, CVE-2014-4216, CVE-2014-4219,
CVE-2014-4223, CVE-2014-4262)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure and data integrity. An attacker could exploit these
to expose sensitive data over the network. (CVE-2014-4209, CVE-2014-4244,
CVE-2014-4263)

Two vulnerabilities were discovered in the OpenJDK JRE related to data
integrity. (CVE-2014-4218, CVE-2014-4266)

A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2014-4264)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-4221, CVE-2014-4252, CVE-2014-4268)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
openjdk-7-jre-lib

7u65-2.5.2-3~14.04
openjdk-7-jre-zero

7u65-2.5.2-3~14.04
icedtea-7-jre-jamvm

7u65-2.5.2-3~14.04
openjdk-7-jre-headless

7u65-2.5.2-3~14.04
openjdk-7-jre

7u65-2.5.2-3~14.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

LP: 1370307

Ubuntu

USN-2358-1: Linux kernel (Trusty HWE) vulnerabilities

Leave a comment

Ubuntu Security Notice USN-2358-1

23rd September, 2014

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-trusty
    – Linux hardware enablement kernel from Trusty

Details

Jack Morgenstein reported a flaw in the page handling of the KVM (Kerenl
Virtual Machine) subsystem in the Linux kernel. A guest OS user could
exploit this flaw to cause a denial of service (host OS memory corruption)
or possibly have other unspecified impact on the host OS. (CVE-2014-3601)

Jason Gunthorpe reported a flaw with SCTP authentication in the Linux
kernel. A remote attacker could exploit this flaw to cause a denial of
service (NULL pointer dereference and OOPS). (CVE-2014-5077)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-36-generic-lpae

3.13.0-36.63~precise1
linux-image-3.13.0-36-generic

3.13.0-36.63~precise1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-3601,

CVE-2014-5077,

CVE-2014-5471,

CVE-2014-5472

Ubuntu

USN-2357-1: Linux kernel (OMAP4) vulnerabilities

Leave a comment

Ubuntu Security Notice USN-2357-1

23rd September, 2014

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-ti-omap4
    – Linux kernel for OMAP4

Details

Jack Morgenstein reported a flaw in the page handling of the KVM (Kerenl
Virtual Machine) subsystem in the Linux kernel. A guest OS user could
exploit this flaw to cause a denial of service (host OS memory corruption)
or possibly have other unspecified impact on the host OS. (CVE-2014-3601)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-1453-omap4

3.2.0-1453.73

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-3601,

CVE-2014-5471,

CVE-2014-5472

Ubuntu

USN-2356-1: Linux kernel vulnerabilities

Leave a comment

Ubuntu Security Notice USN-2356-1

23rd September, 2014

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

Jack Morgenstein reported a flaw in the page handling of the KVM (Kerenl
Virtual Machine) subsystem in the Linux kernel. A guest OS user could
exploit this flaw to cause a denial of service (host OS memory corruption)
or possibly have other unspecified impact on the host OS. (CVE-2014-3601)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
linux-image-3.2.0-69-powerpc64-smp

3.2.0-69.103
linux-image-3.2.0-69-powerpc-smp

3.2.0-69.103
linux-image-3.2.0-69-generic-pae

3.2.0-69.103
linux-image-3.2.0-69-virtual

3.2.0-69.103
linux-image-3.2.0-69-highbank

3.2.0-69.103
linux-image-3.2.0-69-omap

3.2.0-69.103
linux-image-3.2.0-69-generic

3.2.0-69.103

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-3601,

CVE-2014-5471,

CVE-2014-5472

Ubuntu

USN-2364-1: Bash vulnerabilities

Leave a comment

Ubuntu Security Notice USN-2364-1

27th September, 2014

bash vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in Bash.

Software description

  • bash
    – GNU Bourne Again SHell

Details

Florian Weimer and Todd Sabin discovered that the Bash parser incorrectly
handled memory. An attacker could possibly use this issue to bypass certain
environment restrictions and execute arbitrary code. (CVE-2014-7186,
CVE-2014-7187)

In addition, this update introduces a hardening measure which adds prefixes
and suffixes around environment variable names which contain shell
functions.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
bash

4.3-7ubuntu1.4
Ubuntu 12.04 LTS:
bash

4.2-2ubuntu2.5
Ubuntu 10.04 LTS:
bash

4.1-2ubuntu3.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7186,

CVE-2014-7187

Ubuntu

USN-2355-1: Linux kernel (EC2) vulnerabilities

Leave a comment

Ubuntu Security Notice USN-2355-1

23rd September, 2014

linux-ec2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-ec2
    – Linux kernel for EC2

Details

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported an flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:
linux-image-2.6.32-370-ec2

2.6.32-370.86

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-5471,

CVE-2014-5472

Ubuntu

USN-2363-2: Bash vulnerability

Leave a comment

Ubuntu Security Notice USN-2363-2

25th September, 2014

bash vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Bash allowed bypassing environment restrictions in certain environments.

Software description

  • bash
    – GNU Bourne Again SHell

Details

USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch
for CVE-2014-7169 didn’t get properly applied in the Ubuntu 14.04 LTS
package. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Tavis Ormandy discovered that the security fix for Bash included in
USN-2362-1 was incomplete. An attacker could use this issue to bypass
certain environment restrictions. (CVE-2014-7169)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
bash

4.3-7ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7169