Ubuntu Security Notice USN-2371-1

8th October, 2014

exuberant-ctags vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

Exuberant Ctags could be made to consume resources.

Software description

• exuberant-ctags
  – build tag file indexes of source code definitions

Details

It was discovered that Exuberant Ctags incorrectly handled certain minified
js files. An attacker could use this issue to possibly cause Exuberant
Ctags to consume resources, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

exuberant-ctags

1:5.9~svn20110310-7ubuntu0.1

Ubuntu 12.04 LTS:

exuberant-ctags

1:5.9~svn20110310-3ubuntu0.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7204

Ubuntu Security Notice USN-2370-1

8th October, 2014

apt vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

APT could be made to overwrite files.

Software description

• apt
  – Advanced front-end for dpkg

Details

Guillem Jover discovered that APT incorrectly created a temporary file when
handling the changelog command. A local attacker could use this issue to
overwrite arbitrary files. In the default installation of Ubuntu, this
should be prevented by the kernel link restrictions.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

apt

1.0.1ubuntu2.5

Ubuntu 12.04 LTS:

apt

0.8.16~exp12ubuntu10.21

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-7206

Ubuntu Security Notice USN-2369-1

2nd October, 2014

file vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

file could be made to crash or run programs as your login if it
opened a specially crafted file.

Software description

• file
  – Tool to determine file types

Details

It was discovered that file incorrectly handled certain CDF documents. A
attacker could use this issue to cause file to hang or crash, resulting
in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

file

1:5.14-2ubuntu3.2

Ubuntu 12.04 LTS:

file

5.09-2ubuntu0.5

Ubuntu 10.04 LTS:

file

5.03-5ubuntu1.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3587

Ubuntu Security Notice USN-2381-1

9th October, 2014

rsyslog vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS
• Ubuntu 10.04 LTS

Summary

Rsyslog could be made to crash if it received specially crafted input.

Software description

• rsyslog
  – Enhanced syslogd

Details

It was discovered that Rsyslog incorrectly handled invalid PRI values. An
attacker could use this issue to send malformed messages to the Rsyslog
server and cause it to stop responding, resulting in a denial of service
and possibly message loss. (CVE-2014-3634, CVE-2014-3683)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:

rsyslog

7.4.4-1ubuntu2.3

Ubuntu 12.04 LTS:

rsyslog

5.8.6-1ubuntu8.9

Ubuntu 10.04 LTS:

rsyslog

4.2.0-2ubuntu8.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-3634,

CVE-2014-3683