Category Archives: Ubuntu

Ubuntu Security Notices

USN-2364-1: Bash vulnerabilities

Ubuntu Security Notice USN-2364-1

27th September, 2014

bash vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in Bash.

Software description

  • bash
    – GNU Bourne Again SHell

Details

Florian Weimer and Todd Sabin discovered that the Bash parser incorrectly
handled memory. An attacker could possibly use this issue to bypass certain
environment restrictions and execute arbitrary code. (CVE-2014-7186,
CVE-2014-7187)

In addition, this update introduces a hardening measure which adds prefixes
and suffixes around environment variable names which contain shell
functions.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • bash 4.3-7ubuntu1.4
Ubuntu 12.04 LTS:
  • bash 4.2-2ubuntu2.5
Ubuntu 10.04 LTS:
  • bash 4.1-2ubuntu3.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7186, CVE-2014-7187

USN-2355-1: Linux kernel (EC2) vulnerabilities

Ubuntu Security Notice USN-2355-1

23rd September, 2014

linux-ec2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-ec2
    – Linux kernel for EC2

Details

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:
  • linux-image-2.6.32-370-ec2 2.6.32-370.86

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-5471, CVE-2014-5472

USN-2363-2: Bash vulnerability

Ubuntu Security Notice USN-2363-2

25th September, 2014

bash vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Bash allowed bypassing environment restrictions in certain environments.

Software description

  • bash
    – GNU Bourne Again SHell

Details

USN-2363-1 fixed a vulnerability in Bash. Due to a build issue, the patch
for CVE-2014-7169 didn’t get properly applied in the Ubuntu 14.04 LTS
package. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

Tavis Ormandy discovered that the security fix for Bash included in
USN-2362-1 was incomplete. An attacker could use this issue to bypass
certain environment restrictions. (CVE-2014-7169)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • bash 4.3-7ubuntu1.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7169

USN-2354-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2354-1

23rd September, 2014

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image either via a CD/DVD drive or a loopback mount could cause a
denial of service (system crash or reboot). (CVE-2014-5471)

Chris Evans reported a flaw in the Linux kernel’s handling of iso9660
(compact disk filesystem) images. An attacker who can mount a custom
iso9660 image, with a self-referential CL entry, either via a CD/DVD drive
or a loopback mount could cause a denial of service (unkillable mount
process). (CVE-2014-5472)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.04 LTS:
  • linux-image-2.6.32-66-lpia 2.6.32-66.132
  • linux-image-2.6.32-66-generic-pae 2.6.32-66.132
  • linux-image-2.6.32-66-sparc64 2.6.32-66.132
  • linux-image-2.6.32-66-ia64 2.6.32-66.132
  • linux-image-2.6.32-66-386 2.6.32-66.132
  • linux-image-2.6.32-66-powerpc 2.6.32-66.132
  • linux-image-2.6.32-66-versatile 2.6.32-66.132
  • linux-image-2.6.32-66-generic 2.6.32-66.132
  • linux-image-2.6.32-66-powerpc64-smp 2.6.32-66.132
  • linux-image-2.6.32-66-preempt 2.6.32-66.132
  • linux-image-2.6.32-66-powerpc-smp 2.6.32-66.132
  • linux-image-2.6.32-66-server 2.6.32-66.132
  • linux-image-2.6.32-66-sparc64-smp 2.6.32-66.132
  • linux-image-2.6.32-66-virtual 2.6.32-66.132

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed. If
you use linux-restricted-modules, you have to update that package as
well to get modules which work with the new kernel version. Unless you
manually uninstalled the standard kernel metapackages (e.g. linux-generic,
linux-server, linux-powerpc), a standard system upgrade will automatically
perform this as well.

References

CVE-2014-5471, CVE-2014-5472

USN-2363-1: Bash vulnerability

Ubuntu Security Notice USN-2363-1

25th September, 2014

bash vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Bash allowed bypassing environment restrictions in certain environments.

Software description

  • bash
    – GNU Bourne Again SHell

Details

Tavis Ormandy discovered that the security fix for Bash included in
USN-2362-1 was incomplete. An attacker could use this issue to bypass
certain environment restrictions. (CVE-2014-7169)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • bash 4.3-7ubuntu1.2
Ubuntu 12.04 LTS:
  • bash 4.2-2ubuntu2.3
Ubuntu 10.04 LTS:
  • bash 4.1-2ubuntu3.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7169

USN-2353-1: APT vulnerability

Ubuntu Security Notice USN-2353-1

23rd September, 2014

apt vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

APT could be made to crash or run programs if it received specially crafted
network traffic.

Software description

  • apt
    – Advanced front-end for dpkg

Details

It was discovered that APT incorrectly handled certain http URLs. If a
remote attacker were able to perform a man-in-the-middle attack, this flaw
could be exploited to cause APT to crash, resulting in a denial of service,
or possibly execute arbitrary code. The default compiler options for
affected releases should reduce the vulnerability to a denial of service.
(CVE-2014-6273)

In addition, this update fixes regressions introduced by the USN-2348-1
security update: APT incorrectly handled file:/// sources on a different
partition, incorrectly handled Dir::state::lists set to a relative path,
and incorrectly handled cdrom: sources.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • apt 1.0.1ubuntu2.4.1
Ubuntu 12.04 LTS:
  • apt 0.8.16~exp12ubuntu10.20.1
Ubuntu 10.04 LTS:
  • apt 0.7.25.3ubuntu9.17.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-6273

USN-2360-2: Thunderbird vulnerabilities

Ubuntu Security Notice USN-2360-2

24th September, 2014

thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.

Software description

  • thunderbird
    – Mozilla Open Source mail and newsgroup client

Details

USN-2360-1 fixed vulnerabilities in Firefox. This update provides the
corresponding updates for Thunderbird.

Original advisory details:

Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled
parsing ASN.1 values. An attacker could use this issue to forge RSA
certificates.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • thunderbird 1:31.1.2+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
  • thunderbird 1:31.1.2+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2014-1568

USN-2352-1: DBus vulnerabilities

Ubuntu Security Notice USN-2352-1

22nd September, 2014

dbus vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in DBus.

Software description

  • dbus
    – simple interprocess messaging system

Details

Simon McVittie discovered that DBus incorrectly handled the file
descriptors message limit. A local attacker could use this issue to cause
DBus to crash, resulting in a denial of service, or possibly execute
arbitrary code. This issue only applied to Ubuntu 12.04 LTS and Ubuntu
14.04 LTS. (CVE-2014-3635)

Alban Crequy discovered that DBus incorrectly handled a large number of
file descriptor messages. A local attacker could use this issue to cause
DBus to stop responding, resulting in a denial of service. This issue only
applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-3636)

Alban Crequy discovered that DBus incorrectly handled certain file
descriptor messages. A local attacker could use this issue to cause DBus
to maintain persistent connections, possibly resulting in a denial of
service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-3637)

Alban Crequy discovered that DBus incorrectly handled a large number of
parallel connections and parallel message calls. A local attacker could use
this issue to cause DBus to consume resources, possibly resulting in a
denial of service. (CVE-2014-3638)

Alban Crequy discovered that DBus incorrectly handled incomplete
connections. A local attacker could use this issue to cause DBus to fail
legitimate connection attempts, resulting in a denial of service.
(CVE-2014-3639)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • dbus 1.6.18-0ubuntu4.2
  • libdbus-1-3 1.6.18-0ubuntu4.2
Ubuntu 12.04 LTS:
  • dbus 1.4.18-1ubuntu1.6
  • libdbus-1-3 1.4.18-1ubuntu1.6
Ubuntu 10.04 LTS:
  • dbus 1.2.16-2ubuntu4.8
  • libdbus-1-3 1.2.16-2ubuntu4.8

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

CVE-2014-3635, CVE-2014-3636, CVE-2014-3637, CVE-2014-3638, CVE-2014-3639

USN-2360-1: Firefox vulnerabilities

Ubuntu Security Notice USN-2360-1

24th September, 2014

firefox vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.

Software description

  • firefox
    – Mozilla Open Source web browser

Details

Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled
parsing ASN.1 values. An attacker could use this issue to forge RSA
certificates.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • firefox 32.0.3+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
  • firefox 32.0.3+build1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

CVE-2014-1568

USN-2369-1: file vulnerability

Ubuntu Security Notice USN-2369-1

2nd October, 2014

file vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

file could be made to crash or run programs as your login if it
opened a specially crafted file.

Software description

  • file
    – Tool to determine file types

Details

It was discovered that file incorrectly handled certain CDF documents. An
attacker could use this issue to cause file to hang or crash, resulting
in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  • file 1:5.14-2ubuntu3.2
Ubuntu 12.04 LTS:
  • file 5.09-2ubuntu0.5
Ubuntu 10.04 LTS:
  • file 5.03-5ubuntu1.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3587